#include "suricata-common.h"#include "suricata.h"#include "debug.h"#include "detect.h"#include "flow.h"#include "flow-private.h"#include "flow-util.h"#include "flow-worker.h"#include "conf.h"#include "conf-yaml-loader.h"#include "datasets.h"#include "app-layer-parser.h"#include "app-layer-htp.h"#include "detect-parse.h"#include "detect-engine-sigorder.h"#include "detect-engine-siggroup.h"#include "detect-engine-address.h"#include "detect-engine-port.h"#include "detect-engine-prefilter.h"#include "detect-engine-mpm.h"#include "detect-engine-iponly.h"#include "detect-engine-tag.h"#include "detect-engine-file.h"#include "detect-engine.h"#include "detect-engine-state.h"#include "detect-engine-payload.h"#include "detect-byte-extract.h"#include "detect-content.h"#include "detect-uricontent.h"#include "detect-tcphdr.h"#include "detect-engine-threshold.h"#include "detect-engine-content-inspection.h"#include "detect-engine-loader.h"#include "util-classification-config.h"#include "util-reference-config.h"#include "util-threshold-config.h"#include "util-error.h"#include "util-hash.h"#include "util-byte.h"#include "util-debug.h"#include "util-unittest.h"#include "util-action.h"#include "util-magic.h"#include "util-signal.h"#include "util-spm.h"#include "util-device.h"#include "util-var-name.h"#include "util-profiling.h"#include "tm-threads.h"#include "runmodes.h"#include "reputation.h"#include "util-hash-lookup3.h"Go to the source code of this file.
Data Structures | |
| struct | DetectEngineSyncer_ |
| struct | TenantLoaderCtx_ |
Macros | |
| #define | DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT 3000 |
Typedefs | |
| typedef struct DetectEngineSyncer_ | DetectEngineSyncer |
| typedef struct TenantLoaderCtx_ | TenantLoaderCtx |
Enumerations | |
| enum | DetectEngineSyncState { IDLE, RELOAD } |
Variables | |
| SCEnumCharMap | det_ctx_event_table [] |
Detailed Description
Definition in file detect-engine.c.
Macro Definition Documentation
◆ DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT
| #define DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT 3000 |
Definition at line 86 of file detect-engine.c.
Typedef Documentation
◆ DetectEngineSyncer
| typedef struct DetectEngineSyncer_ DetectEngineSyncer |
◆ TenantLoaderCtx
| typedef struct TenantLoaderCtx_ TenantLoaderCtx |
Enumeration Type Documentation
◆ DetectEngineSyncState
| Enumerator | |
|---|---|
| IDLE | ready to start a reload |
| RELOAD | command main thread to do the reload |
Definition at line 1524 of file detect-engine.c.
Function Documentation
◆ DetectAppLayerInspectEngineRegister()
| void DetectAppLayerInspectEngineRegister | ( | const char * | name, |
| AppProto | alproto, | ||
| uint32_t | dir, | ||
| int | progress, | ||
| InspectEngineFuncPtr | Callback | ||
| ) |
register inspect engine at start up time
Registers an app inspection engine.
- Note
- errors are fatal
Definition at line 171 of file detect-engine.c.
References DetectEngineAppInspectionEngine_::alproto, ALPROTO_FAILED, AppLayerParserIsEnabled(), AppLayerParserSupportsTxDetectFlags(), AppProtoToString(), BUG_ON, DetectEngineAppInspectionEngine_::Callback, DETECT_SM_LIST_MATCH, DetectBufferTypeGetByName(), DetectBufferTypeRegister(), DetectEngineAppInspectionEngine_::dir, FatalError, DetectEngineAppInspectionEngine_::progress, SC_ERR_INITIALIZATION, SC_ERR_INVALID_ARGUMENTS, SCLogError, SCMalloc, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, DetectEngineAppInspectionEngine_::sm_list, and unlikely.
◆ DetectAppLayerInspectEngineRegister2()
| void DetectAppLayerInspectEngineRegister2 | ( | const char * | name, |
| AppProto | alproto, | ||
| uint32_t | dir, | ||
| int | progress, | ||
| InspectEngineFuncPtr2 | Callback2, | ||
| InspectionBufferGetDataPtr | GetData | ||
| ) |
register inspect engine at start up time
- Note
- errors are fatal
Definition at line 232 of file detect-engine.c.
◆ DetectBufferGetActiveList()
| int DetectBufferGetActiveList | ( | DetectEngineCtx * | de_ctx, |
| Signature * | s | ||
| ) |
Definition at line 1005 of file detect-engine.c.
References BUG_ON, DetectEngineTransforms::cnt, de_ctx, DETECT_SM_LIST_DYNAMIC_START, DETECT_SM_LIST_NOTSET, DetectBufferTypeGetByIdTransforms(), Signature_::init_data, SignatureInitData_::list, SignatureInitData_::list_set, SC_ERR_INVALID_SIGNATURE, SCLogDebug, SCLogError, SCReturnInt, DetectEngineTransforms::transforms, and SignatureInitData_::transforms.
Referenced by DetectContentSetup().
◆ DetectBufferRunSetupCallback()
| void DetectBufferRunSetupCallback | ( | const DetectEngineCtx * | de_ctx, |
| const int | id, | ||
| Signature * | s | ||
| ) |
Definition at line 963 of file detect-engine.c.
◆ DetectBufferRunValidateCallback()
| bool DetectBufferRunValidateCallback | ( | const DetectEngineCtx * | de_ctx, |
| const int | id, | ||
| const Signature * | s, | ||
| const char ** | sigerror | ||
| ) |
Definition at line 982 of file detect-engine.c.
◆ DetectBufferSetActiveList()
| int DetectBufferSetActiveList | ( | Signature * | s, |
| const int | list | ||
| ) |
Definition at line 992 of file detect-engine.c.
◆ DetectBufferTypeCloseRegistration()
| void DetectBufferTypeCloseRegistration | ( | void | ) |
Definition at line 1300 of file detect-engine.c.
References BUG_ON.
Referenced by SigTableSetup().
◆ DetectBufferTypeGetByIdTransforms()
| int DetectBufferTypeGetByIdTransforms | ( | DetectEngineCtx * | de_ctx, |
| const int | id, | ||
| TransformData * | transforms, | ||
| int | transform_cnt | ||
| ) |
Definition at line 1307 of file detect-engine.c.
Referenced by DetectBufferGetActiveList().
◆ DetectBufferTypeGetByName()
| int DetectBufferTypeGetByName | ( | const char * | name | ) |
Definition at line 880 of file detect-engine.c.
Referenced by DetectAppLayerInspectEngineRegister(), DetectEngineAppInspectionEngine2Signature(), and DetectPktInspectEngineRegister().
◆ DetectBufferTypeGetDescriptionById()
| const char* DetectBufferTypeGetDescriptionById | ( | const DetectEngineCtx * | de_ctx, |
| const int | id | ||
| ) |
Definition at line 917 of file detect-engine.c.
◆ DetectBufferTypeGetDescriptionByName()
| const char* DetectBufferTypeGetDescriptionByName | ( | const char * | name | ) |
Definition at line 926 of file detect-engine.c.
◆ DetectBufferTypeGetNameById()
| const char* DetectBufferTypeGetNameById | ( | const DetectEngineCtx * | de_ctx, |
| const int | id | ||
| ) |
Definition at line 889 of file detect-engine.c.
References DetectEngineCtx_::buffer_type_map, DetectEngineCtx_::buffer_type_map_elements, BUG_ON, de_ctx, and DetectBufferType_::string.
Referenced by DetectEngineAppInspectionEngine2Signature(), EngineAnalysisRules2(), and SignatureIsIPOnly().
◆ DetectBufferTypeMaxId()
| int DetectBufferTypeMaxId | ( | void | ) |
Definition at line 739 of file detect-engine.c.
Referenced by SigAlloc().
◆ DetectBufferTypeRegister()
| int DetectBufferTypeRegister | ( | const char * | name | ) |
Definition at line 836 of file detect-engine.c.
References BUG_ON.
Referenced by DetectAppLayerInspectEngineRegister(), and DetectPktInspectEngineRegister().
◆ DetectBufferTypeRegisterSetupCallback()
| void DetectBufferTypeRegisterSetupCallback | ( | const char * | name, |
| void(*)(const DetectEngineCtx *, Signature *) | SetupCallback | ||
| ) |
Definition at line 953 of file detect-engine.c.
References BUG_ON.
◆ DetectBufferTypeRegisterValidateCallback()
| void DetectBufferTypeRegisterValidateCallback | ( | const char * | name, |
| bool(*)(const Signature *, const char **sigerror) | ValidateCallback | ||
| ) |
Definition at line 972 of file detect-engine.c.
References BUG_ON.
◆ DetectBufferTypeSetDescriptionByName()
| void DetectBufferTypeSetDescriptionByName | ( | const char * | name, |
| const char * | desc | ||
| ) |
Definition at line 908 of file detect-engine.c.
◆ DetectBufferTypeSupportsMpm()
| void DetectBufferTypeSupportsMpm | ( | const char * | name | ) |
Definition at line 860 of file detect-engine.c.
References BUG_ON.
◆ DetectBufferTypeSupportsMpmGetById()
| bool DetectBufferTypeSupportsMpmGetById | ( | const DetectEngineCtx * | de_ctx, |
| const int | id | ||
| ) |
Definition at line 944 of file detect-engine.c.
Referenced by DetectGetLastSMFromMpmLists(), and FastPatternSupportEnabledForSigMatchList().
◆ DetectBufferTypeSupportsPacket()
| void DetectBufferTypeSupportsPacket | ( | const char * | name | ) |
Definition at line 850 of file detect-engine.c.
References BUG_ON.
◆ DetectBufferTypeSupportsPacketGetById()
| bool DetectBufferTypeSupportsPacketGetById | ( | const DetectEngineCtx * | de_ctx, |
| const int | id | ||
| ) |
Definition at line 935 of file detect-engine.c.
◆ DetectBufferTypeSupportsTransformations()
| void DetectBufferTypeSupportsTransformations | ( | const char * | name | ) |
Definition at line 870 of file detect-engine.c.
References BUG_ON.
◆ DetectBufferTypeValidateTransform()
| bool DetectBufferTypeValidateTransform | ( | DetectEngineCtx * | de_ctx, |
| int | sm_list, | ||
| const uint8_t * | content, | ||
| uint16_t | content_len, | ||
| const char ** | namestr | ||
| ) |
Check content byte array compatibility with transforms.
The "content" array is presented to the transforms so that each transform may validate that it's compatible with the transform.
When a transform indicates the byte array is incompatible, none of the subsequent transforms, if any, are invoked. This means the first positive validation result terminates the loop.
- Parameters
-
de_ctx Detection engine context. sm_list The SM list id. content The byte array being validated namestr returns the name of the transform that is incompatible with content.
- Return values
-
true (false) If any of the transforms indicate the byte array is (is not) compatible.
Definition at line 1186 of file detect-engine.c.
Referenced by DetectContentSetup().
◆ DetectEngineAddToMaster()
| int DetectEngineAddToMaster | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 3957 of file detect-engine.c.
References de_ctx, and SCLogDebug.
◆ DetectEngineAppInspectionEngine2Signature()
| int DetectEngineAppInspectionEngine2Signature | ( | DetectEngineCtx * | de_ctx, |
| Signature * | s | ||
| ) |
- Note
- for the file inspect engine, the id DE_STATE_ID_FILE_INSPECT is assigned.
Definition at line 467 of file detect-engine.c.
References DetectEngineAppInspectionEngine_::alproto, Signature_::alproto, ALPROTO_UNKNOWN, Signature_::app_inspect, DetectEngineCtx_::app_inspect_engines, BUG_ON, DetectEngineAppInspectionEngine_::Callback, DetectEnginePktInspectionEngine::Callback, de_ctx, DE_STATE_FLAG_BASE, DE_STATE_ID_FILE_INSPECT, DETECT_SM_LIST_DYNAMIC_START, DETECT_SM_LIST_PMATCH, DetectBufferTypeGetByName(), DetectBufferTypeGetNameById(), DetectEngineAppInspectionEngine_::dir, Signature_::flags, DetectEngineAppInspectionEngine_::GetData, DetectEnginePktInspectionEngine::GetData, DetectEngineAppInspectionEngine_::id, Signature_::id, Signature_::init_data, SignatureInitData_::init_flags, DetectEngineAppInspectionEngine_::mpm, DetectEnginePktInspectionEngine::mpm, SignatureInitData_::mpm_sm, next, DetectEngineAppInspectionEngine_::next, DetectEnginePktInspectionEngine::next, Signature_::pkt_inspect, DetectEngineCtx_::pkt_inspect_engines, DetectEngineAppInspectionEngine_::progress, SCCalloc, SCLogDebug, SIG_FLAG_INIT_STATE_MATCH, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SigMatchList2DataArray(), SigMatchListSMBelongsTo(), DetectEngineAppInspectionEngine_::sm_list, DetectEnginePktInspectionEngine::sm_list, DetectEngineAppInspectionEngine_::smd, DetectEnginePktInspectionEngine::smd, SignatureInitData_::smlists, SignatureInitData_::smlists_array_size, DetectEngineAppInspectionEngine_::transforms, DetectEnginePktInspectionEngine::transforms, unlikely, DetectEnginePktInspectionEngine::v1, and DetectEngineAppInspectionEngine_::v2.
◆ DetectEngineAppInspectionEngineSignatureFree()
| void DetectEngineAppInspectionEngineSignatureFree | ( | DetectEngineCtx * | de_ctx, |
| Signature * | s | ||
| ) |
free app inspect engines for a signature
For lists that are registered multiple times, like http_header and http_cookie, making the engines owner of the lists is complicated. Multiple engines in a sig may be pointing to the same list. To address this the 'free' code needs to be extra careful about not double freeing, so it takes an approach to first fill an array of the to-free pointers before freeing them.
Definition at line 668 of file detect-engine.c.
References Signature_::app_inspect, BUG_ON, SigMatchData_::ctx, de_ctx, SigTableElmt_::Free, SigMatchData_::is_last, MAX, next, DetectEngineAppInspectionEngine_::next, DetectEnginePktInspectionEngine::next, Signature_::pkt_inspect, SCFree, sigmatch_table, DetectEngineAppInspectionEngine_::sm_list, DetectEnginePktInspectionEngine::sm_list, DetectEngineAppInspectionEngine_::smd, DetectEnginePktInspectionEngine::smd, and SigMatchData_::type.
◆ DetectEngineBumpVersion()
| void DetectEngineBumpVersion | ( | void | ) |
Definition at line 3223 of file detect-engine.c.
◆ DetectEngineCtxFree()
| void DetectEngineCtxFree | ( | DetectEngineCtx * | de_ctx | ) |
Free a DetectEngineCtx::
- Parameters
-
de_ctx DetectEngineCtx:: to be freed
Definition at line 2093 of file detect-engine.c.
References de_ctx, DetectParseDupSigHashFree(), MpmFactoryDeRegisterAllMpmCtxProfiles(), MpmStoreFree(), DetectEngineCtx_::profile_ctx, DetectEngineCtx_::profile_keyword_ctx, DetectEngineCtx_::profile_sgh_ctx, SCClassConfDeInitContext(), SCFree, SCProfilingKeywordDestroyCtx(), SCProfilingPrefilterDestroyCtx(), SCProfilingRuleDestroyCtx(), SCProfilingSghDestroyCtx(), SCRConfDeInitContext(), SCSigSignatureOrderingModuleCleanup(), DetectEngineCtx_::sig_array, SigCleanSignatures(), SigGroupCleanup(), SigGroupHeadHashFree(), DetectEngineCtx_::spm_global_thread_ctx, SpmDestroyGlobalThreadCtx(), and ThresholdContextDestroy().
Referenced by UTHGenericTest(), UTHPacketMatchSig(), UTHPacketMatchSigMpm(), and UTHParseSignature().
◆ DetectEngineCtxInit()
| DetectEngineCtx* DetectEngineCtxInit | ( | void | ) |
Definition at line 2048 of file detect-engine.c.
Referenced by DetectEngineCtxInitWithPrefix(), UTHGenericTest(), UTHPacketMatchSig(), UTHPacketMatchSigMpm(), and UTHParseSignature().
◆ DetectEngineCtxInitStubForDD()
| DetectEngineCtx* DetectEngineCtxInitStubForDD | ( | void | ) |
Definition at line 2043 of file detect-engine.c.
◆ DetectEngineCtxInitStubForMT()
| DetectEngineCtx* DetectEngineCtxInitStubForMT | ( | void | ) |
Definition at line 2038 of file detect-engine.c.
◆ DetectEngineCtxInitWithPrefix()
| DetectEngineCtx* DetectEngineCtxInitWithPrefix | ( | const char * | prefix | ) |
Definition at line 2053 of file detect-engine.c.
References DetectEngineCtxInit().
◆ DetectEngineDeReference()
| void DetectEngineDeReference | ( | DetectEngineCtx ** | de_ctx | ) |
Definition at line 3933 of file detect-engine.c.
◆ DetectEngineEnabled()
| int DetectEngineEnabled | ( | void | ) |
Check if detection is enabled.
- Return values
-
bool true or false
Definition at line 3199 of file detect-engine.c.
◆ DetectEngineGetByTenantId()
| DetectEngineCtx* DetectEngineGetByTenantId | ( | int | tenant_id | ) |
Definition at line 3907 of file detect-engine.c.
◆ DetectEngineGetCurrent()
| DetectEngineCtx* DetectEngineGetCurrent | ( | void | ) |
Definition at line 3232 of file detect-engine.c.
Referenced by DetectEngineThreadCtxInit().
◆ DetectEngineGetEventInfo()
| int DetectEngineGetEventInfo | ( | const char * | event_name, |
| int * | event_id, | ||
| AppLayerEventType * | event_type | ||
| ) |
Definition at line 4277 of file detect-engine.c.
References APP_LAYER_EVENT_TYPE_TRANSACTION, det_ctx_event_table, SC_ERR_INVALID_ENUM_MAP, SCLogError, and SCMapEnumNameToValue().
◆ DetectEngineGetEvents()
| AppLayerDecoderEvents* DetectEngineGetEvents | ( | DetectEngineThreadCtx * | det_ctx | ) |
Definition at line 4272 of file detect-engine.c.
References DetectEngineThreadCtx_::decoder_events.
◆ DetectEngineGetVersion()
| uint32_t DetectEngineGetVersion | ( | void | ) |
Definition at line 3213 of file detect-engine.c.
References version.
◆ DetectEngineInspectBufferGeneric()
| int DetectEngineInspectBufferGeneric | ( | DetectEngineCtx * | de_ctx, |
| DetectEngineThreadCtx * | det_ctx, | ||
| const DetectEngineAppInspectionEngine * | engine, | ||
| const Signature * | s, | ||
| Flow * | f, | ||
| uint8_t | flags, | ||
| void * | alstate, | ||
| void * | txv, | ||
| uint64_t | tx_id | ||
| ) |
Do the content inspection & validation for a signature.
- Parameters
-
de_ctx Detection engine context det_ctx Detection engine thread context s Signature to inspect f Flow flags app layer flags state App layer state
- Return values
-
0 no match. 1 match. 2 Sig can't match.
Definition at line 1641 of file detect-engine.c.
References Flow_::alproto, AppLayerParserGetStateProgress(), DetectEngineThreadCtx_::buffer_offset, de_ctx, DETECT_CI_FLAGS_END, DETECT_CI_FLAGS_START, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, DETECT_ENGINE_INSPECT_SIG_CANT_MATCH, DETECT_ENGINE_INSPECT_SIG_MATCH, DETECT_ENGINE_INSPECT_SIG_NO_MATCH, DetectEngineContentInspection(), DetectEngineThreadCtx_::discontinue_matching, flags, InspectionBuffer::flags, DetectEngineAppInspectionEngine_::GetData, InspectionBuffer::inspect, InspectionBuffer::inspect_len, InspectionBuffer::inspect_offset, DetectEngineThreadCtx_::inspection_recursion_counter, DetectEngineAppInspectionEngine_::mpm, offset, DetectEngineAppInspectionEngine_::progress, Flow_::proto, SCLogDebug, DetectEngineAppInspectionEngine_::sm_list, DetectEngineAppInspectionEngine_::smd, DetectEngineAppInspectionEngine_::transforms, unlikely, and DetectEngineAppInspectionEngine_::v2.
◆ DetectEngineInspectGenericList()
| int DetectEngineInspectGenericList | ( | ThreadVars * | tv, |
| const DetectEngineCtx * | de_ctx, | ||
| DetectEngineThreadCtx * | det_ctx, | ||
| const Signature * | s, | ||
| const SigMatchData * | smd, | ||
| Flow * | f, | ||
| const uint8_t | flags, | ||
| void * | alstate, | ||
| void * | txv, | ||
| uint64_t | tx_id | ||
| ) |
Do the content inspection & validation for a signature.
- Parameters
-
de_ctx Detection engine context det_ctx Detection engine thread context s Signature to inspect sm SigMatch to inspect f Flow flags app layer flags state App layer state
- Return values
-
0 no match 1 match
Definition at line 1596 of file detect-engine.c.
References SigMatchData_::ctx, DETECT_ENGINE_INSPECT_SIG_CANT_MATCH, DETECT_ENGINE_INSPECT_SIG_MATCH, DETECT_ENGINE_INSPECT_SIG_NO_MATCH, flags, SigMatchData_::is_last, KEYWORD_PROFILING_END, KEYWORD_PROFILING_START, SCLogDebug, sigmatch_table, and SigMatchData_::type.
Referenced by DetectEngineInspectDnsRequest(), and DetectEngineInspectDnsResponse().
◆ DetectEngineInspectPktBufferGeneric()
| int DetectEngineInspectPktBufferGeneric | ( | DetectEngineThreadCtx * | det_ctx, |
| const DetectEnginePktInspectionEngine * | engine, | ||
| const Signature * | s, | ||
| Packet * | p, | ||
| uint8_t * | _alert_flags | ||
| ) |
Do the content inspection & validation for a signature.
- Parameters
-
de_ctx Detection engine context det_ctx Detection engine thread context s Signature to inspect p Packet
- Return values
-
0 no match. 1 match.
Definition at line 1706 of file detect-engine.c.
References DetectEngineThreadCtx_::buffer_offset, DetectEngineThreadCtx_::de_ctx, DETECT_CI_FLAGS_END, DETECT_CI_FLAGS_START, DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER, DETECT_ENGINE_INSPECT_SIG_MATCH, DETECT_ENGINE_INSPECT_SIG_NO_MATCH, DetectEngineContentInspection(), DetectEngineThreadCtx_::discontinue_matching, InspectionBuffer::flags, Packet_::flow, DetectEnginePktInspectionEngine::GetData, InspectionBuffer::inspect, InspectionBuffer::inspect_len, DetectEngineThreadCtx_::inspection_recursion_counter, DetectEnginePktInspectionEngine::mpm, offset, SCLogDebug, DetectEnginePktInspectionEngine::sm_list, DetectEnginePktInspectionEngine::smd, DetectEnginePktInspectionEngine::transforms, unlikely, and DetectEnginePktInspectionEngine::v1.
◆ DetectEngineLoadTenantBlocking()
| int DetectEngineLoadTenantBlocking | ( | uint32_t | tenant_id, |
| const char * | yaml | ||
| ) |
Load a tenant and wait for loading to complete.
Definition at line 3458 of file detect-engine.c.
◆ DetectEngineMoveToFreeList()
| int DetectEngineMoveToFreeList | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 3973 of file detect-engine.c.
◆ DetectEngineMTApply()
| int DetectEngineMTApply | ( | void | ) |
Definition at line 4167 of file detect-engine.c.
◆ DetectEngineMultiTenantEnabled()
| int DetectEngineMultiTenantEnabled | ( | void | ) |
TODO locking? Not needed if this is a one time setting at startup
Definition at line 3264 of file detect-engine.c.
◆ DetectEngineMultiTenantSetup()
| int DetectEngineMultiTenantSetup | ( | void | ) |
setup multi-detect / multi-tenancy
See if MT is enabled. If so, setup the selector, tenants and mappings. Tenants and mappings are optional, and can also dynamically be added and removed from the unix socket.
Definition at line 3607 of file detect-engine.c.
References TENANT_SELECTOR_UNKNOWN.
◆ DetectEngineMustParseMetadata()
| int DetectEngineMustParseMetadata | ( | void | ) |
Definition at line 4232 of file detect-engine.c.
Referenced by DetectMetadataHashInit().
◆ DetectEnginePktInspectionRun()
| bool DetectEnginePktInspectionRun | ( | ThreadVars * | tv, |
| DetectEngineThreadCtx * | det_ctx, | ||
| const Signature * | s, | ||
| Flow * | f, | ||
| Packet * | p, | ||
| uint8_t * | alert_flags | ||
| ) |
Definition at line 1457 of file detect-engine.c.
References Signature_::id, DetectEnginePktInspectionEngine::next, Signature_::pkt_inspect, SCEnter, and SCLogDebug.
◆ DetectEnginePktInspectionSetup()
| int DetectEnginePktInspectionSetup | ( | Signature * | s | ) |
Definition at line 1502 of file detect-engine.c.
References DETECT_SM_LIST_PMATCH, Signature_::init_data, SignatureInitData_::init_flags, SIG_FLAG_INIT_STATE_MATCH, and Signature_::sm_arrays.
◆ DetectEnginePruneFreeList()
| void DetectEnginePruneFreeList | ( | void | ) |
Definition at line 4024 of file detect-engine.c.
◆ DetectEngineReference()
| DetectEngineCtx* DetectEngineReference | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 3255 of file detect-engine.c.
References de_ctx, and DetectEngineCtx_::ref_cnt.
◆ DetectEngineRegisterTests()
| void DetectEngineRegisterTests | ( | ) |
Definition at line 4533 of file detect-engine.c.
References UtRegisterTest().
◆ DetectEngineReload()
| int DetectEngineReload | ( | const SCInstance * | suri | ) |
Reload the detection engine.
- Parameters
-
filename YAML file to load for the detect config
- Return values
-
-1 error 0 ok
Definition at line 4063 of file detect-engine.c.
References SCInstance_::conf_filename, and SCLogNotice.
◆ DetectEngineReloadIsIdle()
| int DetectEngineReloadIsIdle | ( | void | ) |
Definition at line 1572 of file detect-engine.c.
References SCMutexLock.
◆ DetectEngineReloadIsStart()
| int DetectEngineReloadIsStart | ( | void | ) |
Definition at line 1552 of file detect-engine.c.
References SCMutexLock.
◆ DetectEngineReloadSetIdle()
| void DetectEngineReloadSetIdle | ( | void | ) |
Definition at line 1564 of file detect-engine.c.
References SCMutexLock.
◆ DetectEngineReloadStart()
| int DetectEngineReloadStart | ( | void | ) |
Definition at line 1538 of file detect-engine.c.
References SCMutexLock.
◆ DetectEngineReloadTenantBlocking()
| int DetectEngineReloadTenantBlocking | ( | uint32_t | tenant_id, |
| const char * | yaml, | ||
| int | reload_cnt | ||
| ) |
Reload a tenant and wait for loading to complete.
Definition at line 3472 of file detect-engine.c.
◆ DetectEngineResetMaxSigId()
| void DetectEngineResetMaxSigId | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 2474 of file detect-engine.c.
References de_ctx, and DetectEngineCtx_::signum.
Referenced by SigCleanSignatures().
◆ DetectEngineSetEvent()
| void DetectEngineSetEvent | ( | DetectEngineThreadCtx * | det_ctx, |
| uint8_t | e | ||
| ) |
Definition at line 4266 of file detect-engine.c.
References AppLayerDecoderEventsSetEventRaw(), DetectEngineThreadCtx_::decoder_events, and DetectEngineThreadCtx_::events.
Referenced by FileSwfDecompression(), FileSwfLzmaDecompression(), and FileSwfZlibDecompression().
◆ DetectEngineSetParseMetadata()
| void DetectEngineSetParseMetadata | ( | void | ) |
Definition at line 4222 of file detect-engine.c.
◆ DetectEngineTentantRegisterLivedev()
| int DetectEngineTentantRegisterLivedev | ( | uint32_t | tenant_id, |
| int | device_id | ||
| ) |
Definition at line 3875 of file detect-engine.c.
◆ DetectEngineTentantRegisterPcapFile()
| int DetectEngineTentantRegisterPcapFile | ( | uint32_t | tenant_id | ) |
Definition at line 3890 of file detect-engine.c.
References SCLogInfo, and TENANT_SELECTOR_DIRECT.
◆ DetectEngineTentantRegisterVlanId()
| int DetectEngineTentantRegisterVlanId | ( | uint32_t | tenant_id, |
| uint16_t | vlan_id | ||
| ) |
Definition at line 3880 of file detect-engine.c.
◆ DetectEngineTentantUnregisterPcapFile()
| int DetectEngineTentantUnregisterPcapFile | ( | uint32_t | tenant_id | ) |
Definition at line 3896 of file detect-engine.c.
References SCLogInfo, and TENANT_SELECTOR_DIRECT.
◆ DetectEngineTentantUnregisterVlanId()
| int DetectEngineTentantUnregisterVlanId | ( | uint32_t | tenant_id, |
| uint16_t | vlan_id | ||
| ) |
Definition at line 3885 of file detect-engine.c.
◆ DetectEngineThreadCtxDeinit()
| TmEcode DetectEngineThreadCtxDeinit | ( | ThreadVars * | tv, |
| void * | data | ||
| ) |
Definition at line 3005 of file detect-engine.c.
References HashTableFree(), DetectEngineThreadCtx_::mt_det_ctxs_hash, SC_ERR_INVALID_ARGUMENTS, SCLogWarning, and TM_ECODE_OK.
Referenced by DetectEngineThreadCtxInit(), UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().
◆ DetectEngineThreadCtxInfo()
| void DetectEngineThreadCtxInfo | ( | ThreadVars * | t, |
| DetectEngineThreadCtx * | det_ctx | ||
| ) |
Definition at line 3023 of file detect-engine.c.
References DetectEngineThreadCtx_::de_ctx, DetectEngineCtx_::mpm_matcher, DetectEngineThreadCtx_::mtc, DetectEngineThreadCtx_::mtcu, and PatternMatchThreadPrint().
◆ DetectEngineThreadCtxInit()
| TmEcode DetectEngineThreadCtxInit | ( | ThreadVars * | tv, |
| void * | initdata, | ||
| void ** | data | ||
| ) |
initialize thread specific detection engine context
- Note
- there is a special case when using delayed detect. In this case the function is called twice per thread. The first time the rules are not yet loaded. de_ctx->delayed_detect_initialized will be 0. The 2nd time they will be loaded. de_ctx->delayed_detect_initialized will be 1. This is needed to do the per thread counter registration before the packet runtime starts. In delayed detect mode, the first call will return a NULL ptr through the data ptr.
- Parameters
-
tv ThreadVars for this thread initdata pointer to de_ctx data[out] pointer to store our thread detection ctx
- Return values
-
TM_ECODE_OK if all went well TM_ECODE_FAILED on serious errors
alert counter setup
Definition at line 2797 of file detect-engine.c.
References DetectEngineThreadCtx_::de_ctx, DETECT_ENGINE_TYPE_NORMAL, DETECT_ENGINE_TYPE_TENANT, DetectEngineGetCurrent(), DetectEngineThreadCtxDeinit(), RunmodeIsUnittests(), SCMalloc, TM_ECODE_FAILED, tv, DetectEngineThreadCtx_::tv, DetectEngineCtx_::type, and unlikely.
Referenced by UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().
◆ DetectEngineUnsetParseMetadata()
| void DetectEngineUnsetParseMetadata | ( | void | ) |
Definition at line 4227 of file detect-engine.c.
◆ DetectPktInspectEngineRegister()
| void DetectPktInspectEngineRegister | ( | const char * | name, |
| InspectionBufferGetPktDataPtr | GetPktData, | ||
| InspectionBufferPktInspectFunc | Callback | ||
| ) |
register inspect engine at start up time
- Note
- errors are fatal
Definition at line 129 of file detect-engine.c.
References BUG_ON, DetectEnginePktInspectionEngine::Callback, DETECT_SM_LIST_MATCH, DetectBufferTypeGetByName(), DetectBufferTypeRegister(), FatalError, DetectEnginePktInspectionEngine::GetData, SC_ERR_INITIALIZATION, SC_ERR_INVALID_ARGUMENTS, SCCalloc, SCLogError, DetectEnginePktInspectionEngine::sm_list, unlikely, and DetectEnginePktInspectionEngine::v1.
◆ DetectRegisterThreadCtxFuncs()
| int DetectRegisterThreadCtxFuncs | ( | DetectEngineCtx * | de_ctx, |
| const char * | name, | ||
| void *(*)(void *) | InitFunc, | ||
| void * | data, | ||
| void(*)(void *) | FreeFunc, | ||
| int | mode | ||
| ) |
Register Thread keyword context Funcs.
- Parameters
-
de_ctx detection engine to register in name keyword name for error printing InitFunc function ptr data keyword init data to pass to Func. Can be NULL. FreeFunc function ptr mode 0 normal (ctx per keyword instance) 1 shared (one ctx per det_ct)
- Return values
-
id for retrieval of ctx at runtime -1 on error
- Note
- make sure "data" remains valid and it free'd elsewhere. It's recommended to store it in the keywords global ctx so that it's freed when the de_ctx is freed.
Definition at line 3046 of file detect-engine.c.
References BUG_ON, DetectEngineThreadKeywordCtxItem_::data, de_ctx, DetectEngineThreadKeywordCtxItem_::FreeFunc, DetectEngineThreadKeywordCtxItem_::id, DetectEngineThreadKeywordCtxItem_::InitFunc, DetectEngineCtx_::keyword_id, DetectEngineCtx_::keyword_list, DetectEngineThreadKeywordCtxItem_::name, DetectEngineThreadKeywordCtxItem_::next, SCMalloc, and unlikely.
◆ DetectRegisterThreadCtxGlobalFuncs()
| int DetectRegisterThreadCtxGlobalFuncs | ( | const char * | name, |
| void *(*)(void *) | InitFunc, | ||
| void * | data, | ||
| void(*)(void *) | FreeFunc | ||
| ) |
Register Thread keyword context Funcs (Global)
IDs stay static over reloads and between tenants
- Parameters
-
name keyword name for error printing InitFunc function ptr FreeFunc function ptr
- Return values
-
id for retrieval of ctx at runtime -1 on error
Definition at line 3143 of file detect-engine.c.
References BUG_ON.
◆ DetectSigmatchListEnumToString()
| const char* DetectSigmatchListEnumToString | ( | enum DetectSigmatchListEnum | type | ) |
Definition at line 4237 of file detect-engine.c.
References DETECT_SM_LIST_BASE64_DATA, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_MAX, DETECT_SM_LIST_PMATCH, DETECT_SM_LIST_POSTMATCH, DETECT_SM_LIST_SUPPRESS, DETECT_SM_LIST_THRESHOLD, DETECT_SM_LIST_TMATCH, and type.
◆ DetectThreadCtxGetGlobalKeywordThreadCtx()
| void* DetectThreadCtxGetGlobalKeywordThreadCtx | ( | DetectEngineThreadCtx * | det_ctx, |
| int | id | ||
| ) |
Retrieve thread local keyword ctx by id.
- Parameters
-
det_ctx detection engine thread ctx to retrieve the ctx from id id of the ctx returned by DetectRegisterThreadCtxInitFunc at keyword init.
- Return values
-
ctx or NULL on error
Definition at line 3187 of file detect-engine.c.
References DetectEngineThreadCtx_::global_keyword_ctxs_array, and DetectEngineThreadCtx_::global_keyword_ctxs_size.
Referenced by HttpHeaderGetBufferSpaceForTXID().
◆ DetectThreadCtxGetKeywordThreadCtx()
| void* DetectThreadCtxGetKeywordThreadCtx | ( | DetectEngineThreadCtx * | det_ctx, |
| int | id | ||
| ) |
Retrieve thread local keyword ctx by id.
- Parameters
-
det_ctx detection engine thread ctx to retrieve the ctx from id id of the ctx returned by DetectRegisterThreadCtxInitFunc at keyword init.
- Return values
-
ctx or NULL on error
Definition at line 3123 of file detect-engine.c.
References DetectEngineThreadCtx_::keyword_ctxs_array, and DetectEngineThreadCtx_::keyword_ctxs_size.
◆ DetectUnregisterThreadCtxFuncs()
| int DetectUnregisterThreadCtxFuncs | ( | DetectEngineCtx * | de_ctx, |
| DetectEngineThreadCtx * | det_ctx, | ||
| void * | data, | ||
| const char * | name | ||
| ) |
Remove Thread keyword context registration.
- Parameters
-
de_ctx detection engine to deregister from det_ctx detection engine thread context to deregister from data keyword init data to pass to Func. Can be NULL. name keyword name for error printing
- Return values
-
1 Item unregistered 0 otherwise
- Note
- make sure "data" remains valid and it free'd elsewhere. It's recommended to store it in the keywords global ctx so that it's freed when the de_ctx is freed.
Definition at line 3092 of file detect-engine.c.
References BUG_ON, DetectEngineThreadKeywordCtxItem_::data, de_ctx, DetectEngineThreadKeywordCtxItem_::FreeFunc, DetectEngineThreadKeywordCtxItem_::id, DetectEngineThreadCtx_::keyword_ctxs_array, DetectEngineCtx_::keyword_list, DetectEngineThreadKeywordCtxItem_::name, DetectEngineThreadKeywordCtxItem_::next, and SCFree.
◆ InspectionBufferApplyTransforms()
| void InspectionBufferApplyTransforms | ( | InspectionBuffer * | buffer, |
| const DetectEngineTransforms * | transforms | ||
| ) |
Definition at line 1211 of file detect-engine.c.
References BUG_ON, DETECT_TRANSFORMS_MAX, TransformData_::options, SCLogDebug, sigmatch_table, TransformData_::transform, SigTableElmt_::Transform, and DetectEngineTransforms::transforms.
◆ InspectionBufferCheckAndExpand()
| void InspectionBufferCheckAndExpand | ( | InspectionBuffer * | buffer, |
| uint32_t | min_size | ||
| ) |
make sure that the buffer has at least 'min_size' bytes Expand the buffer if necessary
Definition at line 1139 of file detect-engine.c.
References InspectionBuffer::buf, likely, SCRealloc, and InspectionBuffer::size.
Referenced by FileSwfDecompression(), and InspectionBufferCopy().
◆ InspectionBufferClean()
| void InspectionBufferClean | ( | DetectEngineThreadCtx * | det_ctx | ) |
Definition at line 1035 of file detect-engine.c.
References DetectEngineThreadCtx_::buffers, InspectionBufferMultipleForList::init, InspectionBuffer::inspect, DetectEngineThreadCtx_::inspect, InspectionBufferMultipleForList::inspection_buffers, InspectionBufferMultipleForList::max, DetectEngineThreadCtx_::multi_inspect, DetectEngineThreadCtx_::to_clear_idx, and DetectEngineThreadCtx_::to_clear_queue.
◆ InspectionBufferCopy()
| void InspectionBufferCopy | ( | InspectionBuffer * | buffer, |
| uint8_t * | buf, | ||
| uint32_t | buf_len | ||
| ) |
Definition at line 1156 of file detect-engine.c.
References InspectionBuffer::buf, InspectionBuffer::inspect, InspectionBuffer::inspect_len, InspectionBufferCheckAndExpand(), MIN, and InspectionBuffer::size.
◆ InspectionBufferFree()
| void InspectionBufferFree | ( | InspectionBuffer * | buffer | ) |
Definition at line 1127 of file detect-engine.c.
References InspectionBuffer::buf, and SCFree.
◆ InspectionBufferGet()
| InspectionBuffer* InspectionBufferGet | ( | DetectEngineThreadCtx * | det_ctx, |
| const int | list_id | ||
| ) |
Definition at line 1061 of file detect-engine.c.
References DetectEngineThreadCtx_::buffers, InspectionBuffer::inspect, DetectEngineThreadCtx_::inspect, DetectEngineThreadCtx_::to_clear_idx, and DetectEngineThreadCtx_::to_clear_queue.
◆ InspectionBufferGetMulti()
| InspectionBufferMultipleForList* InspectionBufferGetMulti | ( | DetectEngineThreadCtx * | det_ctx, |
| const int | list_id | ||
| ) |
Definition at line 1100 of file detect-engine.c.
References DetectEngineThreadCtx_::buffers, InspectionBufferMultipleForList::init, DetectEngineThreadCtx_::multi_inspect, DetectEngineThreadCtx_::to_clear_idx, and DetectEngineThreadCtx_::to_clear_queue.
◆ InspectionBufferInit()
| void InspectionBufferInit | ( | InspectionBuffer * | buffer, |
| uint32_t | initial_size | ||
| ) |
Definition at line 1110 of file detect-engine.c.
References InspectionBuffer::buf, SCCalloc, and InspectionBuffer::size.
◆ InspectionBufferMultipleForListGet()
| InspectionBuffer* InspectionBufferMultipleForListGet | ( | InspectionBufferMultipleForList * | fb, |
| uint32_t | local_id | ||
| ) |
for a InspectionBufferMultipleForList get a InspectionBuffer
- Parameters
-
fb the multiple buffer array local_id the index to get a buffer buffer the inspect buffer or NULL in case of error
Definition at line 1074 of file detect-engine.c.
References InspectionBufferMultipleForList::inspection_buffers, InspectionBufferMultipleForList::max, MAX, SCLogDebug, SCRealloc, and InspectionBufferMultipleForList::size.
◆ InspectionBufferSetup()
| void InspectionBufferSetup | ( | InspectionBuffer * | buffer, |
| const uint8_t * | data, | ||
| const uint32_t | data_len | ||
| ) |
setup the buffer with our initial data
Definition at line 1120 of file detect-engine.c.
References InspectionBuffer::inspect, InspectionBuffer::inspect_len, InspectionBuffer::len, InspectionBuffer::orig, and InspectionBuffer::orig_len.
Variable Documentation
◆ det_ctx_event_table
| SCEnumCharMap det_ctx_event_table[] |
Definition at line 105 of file detect-engine.c.
Referenced by DetectEngineGetEventInfo().
