suricata
detect-engine.h File Reference
#include "detect.h"
#include "tm-threads.h"
#include "flow-private.h"
Include dependency graph for detect-engine.h:

Go to the source code of this file.

Macros

#define DetectEngineGetMaxSigId(de_ctx)   ((de_ctx)->signum)
 

Functions

void InspectionBufferInit (InspectionBuffer *buffer, uint32_t initial_size)
 
void InspectionBufferSetup (InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
 setup the buffer with our initial data More...
 
void InspectionBufferFree (InspectionBuffer *buffer)
 
void InspectionBufferCheckAndExpand (InspectionBuffer *buffer, uint32_t min_size)
 make sure that the buffer has at least 'min_size' bytes Expand the buffer if necessary More...
 
void InspectionBufferCopy (InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len)
 
void InspectionBufferApplyTransforms (InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
 
bool DetectBufferTypeValidateTransform (DetectEngineCtx *de_ctx, int sm_list, const uint8_t *content, uint16_t content_len, const char **namestr)
 Check content byte array compatibility with transforms. More...
 
void InspectionBufferClean (DetectEngineThreadCtx *det_ctx)
 
InspectionBufferInspectionBufferGet (DetectEngineThreadCtx *det_ctx, const int list_id)
 
InspectionBufferInspectionBufferMultipleForListGet (InspectionBufferMultipleForList *fb, uint32_t local_id)
 for a InspectionBufferMultipleForList get a InspectionBuffer More...
 
InspectionBufferMultipleForListInspectionBufferGetMulti (DetectEngineThreadCtx *det_ctx, const int list_id)
 
int DetectBufferTypeRegister (const char *name)
 
int DetectBufferTypeGetByName (const char *name)
 
void DetectBufferTypeSupportsMpm (const char *name)
 
void DetectBufferTypeSupportsPacket (const char *name)
 
void DetectBufferTypeSupportsTransformations (const char *name)
 
int DetectBufferTypeMaxId (void)
 
void DetectBufferTypeCloseRegistration (void)
 
void DetectBufferTypeSetDescriptionByName (const char *name, const char *desc)
 
const char * DetectBufferTypeGetDescriptionByName (const char *name)
 
void DetectBufferTypeRegisterSetupCallback (const char *name, void(*Callback)(const DetectEngineCtx *, Signature *))
 
void DetectBufferTypeRegisterValidateCallback (const char *name, bool(*ValidateCallback)(const Signature *, const char **sigerror))
 
int DetectBufferTypeGetByIdTransforms (DetectEngineCtx *de_ctx, const int id, TransformData *transforms, int transform_cnt)
 
const char * DetectBufferTypeGetNameById (const DetectEngineCtx *de_ctx, const int id)
 
bool DetectBufferTypeSupportsMpmGetById (const DetectEngineCtx *de_ctx, const int id)
 
bool DetectBufferTypeSupportsPacketGetById (const DetectEngineCtx *de_ctx, const int id)
 
const char * DetectBufferTypeGetDescriptionById (const DetectEngineCtx *de_ctx, const int id)
 
void DetectBufferRunSetupCallback (const DetectEngineCtx *de_ctx, const int id, Signature *s)
 
bool DetectBufferRunValidateCallback (const DetectEngineCtx *de_ctx, const int id, const Signature *s, const char **sigerror)
 
DetectEngineCtxDetectEngineCtxInitWithPrefix (const char *prefix)
 
DetectEngineCtxDetectEngineCtxInit (void)
 
DetectEngineCtxDetectEngineCtxInitStubForDD (void)
 
DetectEngineCtxDetectEngineCtxInitStubForMT (void)
 
void DetectEngineCtxFree (DetectEngineCtx *)
 Free a DetectEngineCtx:: More...
 
int DetectRegisterThreadCtxGlobalFuncs (const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *))
 Register Thread keyword context Funcs (Global) More...
 
void * DetectThreadCtxGetGlobalKeywordThreadCtx (DetectEngineThreadCtx *det_ctx, int id)
 Retrieve thread local keyword ctx by id. More...
 
TmEcode DetectEngineThreadCtxInit (ThreadVars *, void *, void **)
 initialize thread specific detection engine context More...
 
TmEcode DetectEngineThreadCtxDeinit (ThreadVars *, void *)
 
void DetectEngineResetMaxSigId (DetectEngineCtx *)
 
void DetectEngineRegisterTests (void)
 
const char * DetectSigmatchListEnumToString (enum DetectSigmatchListEnum type)
 
uint32_t DetectEngineGetVersion (void)
 
void DetectEngineBumpVersion (void)
 
int DetectEngineAddToMaster (DetectEngineCtx *de_ctx)
 
DetectEngineCtxDetectEngineGetCurrent (void)
 
DetectEngineCtxDetectEngineGetByTenantId (int tenant_id)
 
void DetectEnginePruneFreeList (void)
 
int DetectEngineMoveToFreeList (DetectEngineCtx *de_ctx)
 
DetectEngineCtxDetectEngineReference (DetectEngineCtx *)
 
void DetectEngineDeReference (DetectEngineCtx **de_ctx)
 
int DetectEngineReload (const SCInstance *suri)
 Reload the detection engine. More...
 
int DetectEngineEnabled (void)
 Check if detection is enabled. More...
 
int DetectEngineMTApply (void)
 
int DetectEngineMultiTenantEnabled (void)
 
int DetectEngineMultiTenantSetup (void)
 setup multi-detect / multi-tenancy More...
 
int DetectEngineReloadStart (void)
 
int DetectEngineReloadIsStart (void)
 
void DetectEngineReloadSetIdle (void)
 
int DetectEngineReloadIsIdle (void)
 
int DetectEngineLoadTenantBlocking (uint32_t tenant_id, const char *yaml)
 Load a tenant and wait for loading to complete. More...
 
int DetectEngineReloadTenantBlocking (uint32_t tenant_id, const char *yaml, int reload_cnt)
 Reload a tenant and wait for loading to complete. More...
 
int DetectEngineTentantRegisterLivedev (uint32_t tenant_id, int device_id)
 
int DetectEngineTentantRegisterVlanId (uint32_t tenant_id, uint16_t vlan_id)
 
int DetectEngineTentantUnregisterVlanId (uint32_t tenant_id, uint16_t vlan_id)
 
int DetectEngineTentantRegisterPcapFile (uint32_t tenant_id)
 
int DetectEngineTentantUnregisterPcapFile (uint32_t tenant_id)
 
int DetectEngineInspectGenericList (ThreadVars *, const DetectEngineCtx *, DetectEngineThreadCtx *, const Signature *, const SigMatchData *, Flow *, const uint8_t, void *, void *, uint64_t)
 Do the content inspection & validation for a signature. More...
 
int DetectEngineInspectBufferGeneric (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
 Do the content inspection & validation for a signature. More...
 
int DetectEngineInspectPktBufferGeneric (DetectEngineThreadCtx *det_ctx, const DetectEnginePktInspectionEngine *engine, const Signature *s, Packet *p, uint8_t *alert_flags)
 Do the content inspection & validation for a signature. More...
 
void DetectAppLayerInspectEngineRegister (const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
 Registers an app inspection engine. More...
 
void DetectAppLayerInspectEngineRegister2 (const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
 register inspect engine at start up time More...
 
void DetectPktInspectEngineRegister (const char *name, InspectionBufferGetPktDataPtr GetPktData, InspectionBufferPktInspectFunc Callback)
 register inspect engine at start up time More...
 
int DetectEngineAppInspectionEngine2Signature (DetectEngineCtx *de_ctx, Signature *s)
 
void DetectEngineAppInspectionEngineSignatureFree (DetectEngineCtx *, Signature *s)
 free app inspect engines for a signature More...
 
bool DetectEnginePktInspectionRun (ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, uint8_t *alert_flags)
 
int DetectEnginePktInspectionSetup (Signature *s)
 
void DetectEngineSetParseMetadata (void)
 
void DetectEngineUnsetParseMetadata (void)
 
int DetectEngineMustParseMetadata (void)
 
int WARN_UNUSED DetectBufferSetActiveList (Signature *s, const int list)
 
int DetectBufferGetActiveList (DetectEngineCtx *de_ctx, Signature *s)
 

Detailed Description

Macro Definition Documentation

◆ DetectEngineGetMaxSigId

#define DetectEngineGetMaxSigId (   de_ctx)    ((de_ctx)->signum)

Definition at line 84 of file detect-engine.h.

Function Documentation

◆ DetectAppLayerInspectEngineRegister()

void DetectAppLayerInspectEngineRegister ( const char *  name,
AppProto  alproto,
uint32_t  dir,
int  progress,
InspectEngineFuncPtr  Callback 
)

Registers an app inspection engine.

Parameters
nameName of the detection list
alprotoApp layer protocol for which we will register the engine.
directionThe direction for the engine: SIG_FLAG_TOSERVER or SIG_FLAG_TOCLIENT
progressMinimal progress value for inspect engine to run
CallbackThe engine callback.

Registers an app inspection engine.

Note
errors are fatal

Definition at line 171 of file detect-engine.c.

References DetectEngineAppInspectionEngine_::alproto, ALPROTO_FAILED, AppLayerParserIsEnabled(), AppLayerParserSupportsTxDetectFlags(), AppProtoToString(), BUG_ON, DetectEngineAppInspectionEngine_::Callback, DETECT_SM_LIST_MATCH, DetectBufferTypeGetByName(), DetectBufferTypeRegister(), DetectEngineAppInspectionEngine_::dir, FatalError, DetectEngineAppInspectionEngine_::progress, SC_ERR_INITIALIZATION, SC_ERR_INVALID_ARGUMENTS, SCLogError, SCMalloc, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, DetectEngineAppInspectionEngine_::sm_list, and unlikely.

Here is the call graph for this function:

◆ DetectAppLayerInspectEngineRegister2()

void DetectAppLayerInspectEngineRegister2 ( const char *  name,
AppProto  alproto,
uint32_t  dir,
int  progress,
InspectEngineFuncPtr2  Callback2,
InspectionBufferGetDataPtr  GetData 
)

register inspect engine at start up time

Note
errors are fatal

Definition at line 232 of file detect-engine.c.

◆ DetectBufferGetActiveList()

◆ DetectBufferRunSetupCallback()

void DetectBufferRunSetupCallback ( const DetectEngineCtx de_ctx,
const int  id,
Signature s 
)

Definition at line 963 of file detect-engine.c.

◆ DetectBufferRunValidateCallback()

bool DetectBufferRunValidateCallback ( const DetectEngineCtx de_ctx,
const int  id,
const Signature s,
const char **  sigerror 
)

Definition at line 982 of file detect-engine.c.

◆ DetectBufferSetActiveList()

int WARN_UNUSED DetectBufferSetActiveList ( Signature s,
const int  list 
)

Definition at line 992 of file detect-engine.c.

◆ DetectBufferTypeCloseRegistration()

void DetectBufferTypeCloseRegistration ( void  )

Definition at line 1300 of file detect-engine.c.

References BUG_ON.

Referenced by SigTableSetup().

Here is the caller graph for this function:

◆ DetectBufferTypeGetByIdTransforms()

int DetectBufferTypeGetByIdTransforms ( DetectEngineCtx de_ctx,
const int  id,
TransformData transforms,
int  transform_cnt 
)

Definition at line 1307 of file detect-engine.c.

Referenced by DetectBufferGetActiveList().

Here is the caller graph for this function:

◆ DetectBufferTypeGetByName()

int DetectBufferTypeGetByName ( const char *  name)

Definition at line 880 of file detect-engine.c.

Referenced by DetectAppLayerInspectEngineRegister(), DetectEngineAppInspectionEngine2Signature(), and DetectPktInspectEngineRegister().

Here is the caller graph for this function:

◆ DetectBufferTypeGetDescriptionById()

const char* DetectBufferTypeGetDescriptionById ( const DetectEngineCtx de_ctx,
const int  id 
)

Definition at line 917 of file detect-engine.c.

◆ DetectBufferTypeGetDescriptionByName()

const char* DetectBufferTypeGetDescriptionByName ( const char *  name)

Definition at line 926 of file detect-engine.c.

◆ DetectBufferTypeGetNameById()

const char* DetectBufferTypeGetNameById ( const DetectEngineCtx de_ctx,
const int  id 
)

◆ DetectBufferTypeMaxId()

int DetectBufferTypeMaxId ( void  )

Definition at line 739 of file detect-engine.c.

Referenced by SigAlloc().

Here is the caller graph for this function:

◆ DetectBufferTypeRegister()

int DetectBufferTypeRegister ( const char *  name)

Definition at line 836 of file detect-engine.c.

References BUG_ON.

Referenced by DetectAppLayerInspectEngineRegister(), and DetectPktInspectEngineRegister().

Here is the caller graph for this function:

◆ DetectBufferTypeRegisterSetupCallback()

void DetectBufferTypeRegisterSetupCallback ( const char *  name,
void(*)(const DetectEngineCtx *, Signature *)  Callback 
)

Definition at line 953 of file detect-engine.c.

References BUG_ON.

◆ DetectBufferTypeRegisterValidateCallback()

void DetectBufferTypeRegisterValidateCallback ( const char *  name,
bool(*)(const Signature *, const char **sigerror)  ValidateCallback 
)

Definition at line 972 of file detect-engine.c.

References BUG_ON.

◆ DetectBufferTypeSetDescriptionByName()

void DetectBufferTypeSetDescriptionByName ( const char *  name,
const char *  desc 
)

Definition at line 908 of file detect-engine.c.

◆ DetectBufferTypeSupportsMpm()

void DetectBufferTypeSupportsMpm ( const char *  name)

Definition at line 860 of file detect-engine.c.

References BUG_ON.

◆ DetectBufferTypeSupportsMpmGetById()

bool DetectBufferTypeSupportsMpmGetById ( const DetectEngineCtx de_ctx,
const int  id 
)

Definition at line 944 of file detect-engine.c.

Referenced by DetectGetLastSMFromMpmLists(), and FastPatternSupportEnabledForSigMatchList().

Here is the caller graph for this function:

◆ DetectBufferTypeSupportsPacket()

void DetectBufferTypeSupportsPacket ( const char *  name)

Definition at line 850 of file detect-engine.c.

References BUG_ON.

◆ DetectBufferTypeSupportsPacketGetById()

bool DetectBufferTypeSupportsPacketGetById ( const DetectEngineCtx de_ctx,
const int  id 
)

Definition at line 935 of file detect-engine.c.

◆ DetectBufferTypeSupportsTransformations()

void DetectBufferTypeSupportsTransformations ( const char *  name)

Definition at line 870 of file detect-engine.c.

References BUG_ON.

◆ DetectBufferTypeValidateTransform()

bool DetectBufferTypeValidateTransform ( DetectEngineCtx de_ctx,
int  sm_list,
const uint8_t *  content,
uint16_t  content_len,
const char **  namestr 
)

Check content byte array compatibility with transforms.

The "content" array is presented to the transforms so that each transform may validate that it's compatible with the transform.

When a transform indicates the byte array is incompatible, none of the subsequent transforms, if any, are invoked. This means the first positive validation result terminates the loop.

Parameters
de_ctxDetection engine context.
sm_listThe SM list id.
contentThe byte array being validated
namestrreturns the name of the transform that is incompatible with content.
Return values
true(false) If any of the transforms indicate the byte array is (is not) compatible.

Definition at line 1186 of file detect-engine.c.

Referenced by DetectContentSetup().

Here is the caller graph for this function:

◆ DetectEngineAddToMaster()

int DetectEngineAddToMaster ( DetectEngineCtx de_ctx)

Definition at line 3957 of file detect-engine.c.

References de_ctx, and SCLogDebug.

◆ DetectEngineAppInspectionEngine2Signature()

int DetectEngineAppInspectionEngine2Signature ( DetectEngineCtx de_ctx,
Signature s 
)
Note
for the file inspect engine, the id DE_STATE_ID_FILE_INSPECT is assigned.

Definition at line 467 of file detect-engine.c.

References DetectEngineAppInspectionEngine_::alproto, Signature_::alproto, ALPROTO_UNKNOWN, Signature_::app_inspect, DetectEngineCtx_::app_inspect_engines, BUG_ON, DetectEngineAppInspectionEngine_::Callback, DetectEnginePktInspectionEngine::Callback, de_ctx, DE_STATE_FLAG_BASE, DE_STATE_ID_FILE_INSPECT, DETECT_SM_LIST_DYNAMIC_START, DETECT_SM_LIST_PMATCH, DetectBufferTypeGetByName(), DetectBufferTypeGetNameById(), DetectEngineAppInspectionEngine_::dir, Signature_::flags, DetectEngineAppInspectionEngine_::GetData, DetectEnginePktInspectionEngine::GetData, DetectEngineAppInspectionEngine_::id, Signature_::id, Signature_::init_data, SignatureInitData_::init_flags, DetectEngineAppInspectionEngine_::mpm, DetectEnginePktInspectionEngine::mpm, SignatureInitData_::mpm_sm, next, DetectEngineAppInspectionEngine_::next, DetectEnginePktInspectionEngine::next, Signature_::pkt_inspect, DetectEngineCtx_::pkt_inspect_engines, DetectEngineAppInspectionEngine_::progress, SCCalloc, SCLogDebug, SIG_FLAG_INIT_STATE_MATCH, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SigMatchList2DataArray(), SigMatchListSMBelongsTo(), DetectEngineAppInspectionEngine_::sm_list, DetectEnginePktInspectionEngine::sm_list, DetectEngineAppInspectionEngine_::smd, DetectEnginePktInspectionEngine::smd, SignatureInitData_::smlists, SignatureInitData_::smlists_array_size, DetectEngineAppInspectionEngine_::transforms, DetectEnginePktInspectionEngine::transforms, unlikely, DetectEnginePktInspectionEngine::v1, and DetectEngineAppInspectionEngine_::v2.

Here is the call graph for this function:

◆ DetectEngineAppInspectionEngineSignatureFree()

void DetectEngineAppInspectionEngineSignatureFree ( DetectEngineCtx de_ctx,
Signature s 
)

free app inspect engines for a signature

For lists that are registered multiple times, like http_header and http_cookie, making the engines owner of the lists is complicated. Multiple engines in a sig may be pointing to the same list. To address this the 'free' code needs to be extra careful about not double freeing, so it takes an approach to first fill an array of the to-free pointers before freeing them.

Definition at line 668 of file detect-engine.c.

References Signature_::app_inspect, BUG_ON, SigMatchData_::ctx, de_ctx, SigTableElmt_::Free, SigMatchData_::is_last, MAX, next, DetectEngineAppInspectionEngine_::next, DetectEnginePktInspectionEngine::next, Signature_::pkt_inspect, SCFree, sigmatch_table, DetectEngineAppInspectionEngine_::sm_list, DetectEnginePktInspectionEngine::sm_list, DetectEngineAppInspectionEngine_::smd, DetectEnginePktInspectionEngine::smd, and SigMatchData_::type.

◆ DetectEngineBumpVersion()

void DetectEngineBumpVersion ( void  )

Definition at line 3223 of file detect-engine.c.

◆ DetectEngineCtxFree()

◆ DetectEngineCtxInit()

DetectEngineCtx* DetectEngineCtxInit ( void  )

Definition at line 2048 of file detect-engine.c.

Referenced by DetectEngineCtxInitWithPrefix().

Here is the caller graph for this function:

◆ DetectEngineCtxInitStubForDD()

DetectEngineCtx* DetectEngineCtxInitStubForDD ( void  )

Definition at line 2043 of file detect-engine.c.

◆ DetectEngineCtxInitStubForMT()

DetectEngineCtx* DetectEngineCtxInitStubForMT ( void  )

Definition at line 2038 of file detect-engine.c.

◆ DetectEngineCtxInitWithPrefix()

DetectEngineCtx* DetectEngineCtxInitWithPrefix ( const char *  prefix)

Definition at line 2053 of file detect-engine.c.

References DetectEngineCtxInit().

Here is the call graph for this function:

◆ DetectEngineDeReference()

void DetectEngineDeReference ( DetectEngineCtx **  de_ctx)

Definition at line 3933 of file detect-engine.c.

References BUG_ON, and de_ctx.

◆ DetectEngineEnabled()

int DetectEngineEnabled ( void  )

Check if detection is enabled.

Return values
booltrue or false

Definition at line 3199 of file detect-engine.c.

◆ DetectEngineGetByTenantId()

DetectEngineCtx* DetectEngineGetByTenantId ( int  tenant_id)

Definition at line 3907 of file detect-engine.c.

◆ DetectEngineGetCurrent()

DetectEngineCtx* DetectEngineGetCurrent ( void  )

Definition at line 3232 of file detect-engine.c.

Referenced by DetectEngineThreadCtxInit().

Here is the caller graph for this function:

◆ DetectEngineGetVersion()

uint32_t DetectEngineGetVersion ( void  )

Definition at line 3213 of file detect-engine.c.

References version.

◆ DetectEngineInspectBufferGeneric()

int DetectEngineInspectBufferGeneric ( DetectEngineCtx de_ctx,
DetectEngineThreadCtx det_ctx,
const DetectEngineAppInspectionEngine engine,
const Signature s,
Flow f,
uint8_t  flags,
void *  alstate,
void *  txv,
uint64_t  tx_id 
)

◆ DetectEngineInspectGenericList()

int DetectEngineInspectGenericList ( ThreadVars tv,
const DetectEngineCtx de_ctx,
DetectEngineThreadCtx det_ctx,
const Signature s,
const SigMatchData smd,
Flow f,
const uint8_t  flags,
void *  alstate,
void *  txv,
uint64_t  tx_id 
)

Do the content inspection & validation for a signature.

Parameters
de_ctxDetection engine context
det_ctxDetection engine thread context
sSignature to inspect
smSigMatch to inspect
fFlow
flagsapp layer flags
stateApp layer state
Return values
0no match
1match

Definition at line 1596 of file detect-engine.c.

References SigMatchData_::ctx, DETECT_ENGINE_INSPECT_SIG_CANT_MATCH, DETECT_ENGINE_INSPECT_SIG_MATCH, DETECT_ENGINE_INSPECT_SIG_NO_MATCH, flags, SigMatchData_::is_last, KEYWORD_PROFILING_END, KEYWORD_PROFILING_START, SCLogDebug, sigmatch_table, and SigMatchData_::type.

Referenced by DetectEngineInspectDnsRequest(), and DetectEngineInspectDnsResponse().

Here is the caller graph for this function:

◆ DetectEngineInspectPktBufferGeneric()

◆ DetectEngineLoadTenantBlocking()

int DetectEngineLoadTenantBlocking ( uint32_t  tenant_id,
const char *  yaml 
)

Load a tenant and wait for loading to complete.

Definition at line 3458 of file detect-engine.c.

◆ DetectEngineMoveToFreeList()

int DetectEngineMoveToFreeList ( DetectEngineCtx de_ctx)

Definition at line 3973 of file detect-engine.c.

◆ DetectEngineMTApply()

int DetectEngineMTApply ( void  )

Definition at line 4167 of file detect-engine.c.

◆ DetectEngineMultiTenantEnabled()

int DetectEngineMultiTenantEnabled ( void  )

TODO locking? Not needed if this is a one time setting at startup

Definition at line 3264 of file detect-engine.c.

◆ DetectEngineMultiTenantSetup()

int DetectEngineMultiTenantSetup ( void  )

setup multi-detect / multi-tenancy

See if MT is enabled. If so, setup the selector, tenants and mappings. Tenants and mappings are optional, and can also dynamically be added and removed from the unix socket.

Definition at line 3607 of file detect-engine.c.

References TENANT_SELECTOR_UNKNOWN.

◆ DetectEngineMustParseMetadata()

int DetectEngineMustParseMetadata ( void  )

Definition at line 4232 of file detect-engine.c.

Referenced by DetectMetadataHashInit().

Here is the caller graph for this function:

◆ DetectEnginePktInspectionRun()

bool DetectEnginePktInspectionRun ( ThreadVars tv,
DetectEngineThreadCtx det_ctx,
const Signature s,
Flow f,
Packet p,
uint8_t *  alert_flags 
)

◆ DetectEnginePktInspectionSetup()

int DetectEnginePktInspectionSetup ( Signature s)

◆ DetectEnginePruneFreeList()

void DetectEnginePruneFreeList ( void  )

Definition at line 4024 of file detect-engine.c.

◆ DetectEngineReference()

DetectEngineCtx* DetectEngineReference ( DetectEngineCtx )

Definition at line 3255 of file detect-engine.c.

References de_ctx, and DetectEngineCtx_::ref_cnt.

◆ DetectEngineRegisterTests()

void DetectEngineRegisterTests ( void  )

Definition at line 4533 of file detect-engine.c.

References UtRegisterTest().

Here is the call graph for this function:

◆ DetectEngineReload()

int DetectEngineReload ( const SCInstance suri)

Reload the detection engine.

Parameters
filenameYAML file to load for the detect config
Return values
-1error
0ok

Definition at line 4063 of file detect-engine.c.

References SCInstance_::conf_filename, and SCLogNotice.

◆ DetectEngineReloadIsIdle()

int DetectEngineReloadIsIdle ( void  )

Definition at line 1572 of file detect-engine.c.

References SCMutexLock.

◆ DetectEngineReloadIsStart()

int DetectEngineReloadIsStart ( void  )

Definition at line 1552 of file detect-engine.c.

References SCMutexLock.

◆ DetectEngineReloadSetIdle()

void DetectEngineReloadSetIdle ( void  )

Definition at line 1564 of file detect-engine.c.

References SCMutexLock.

◆ DetectEngineReloadStart()

int DetectEngineReloadStart ( void  )

Definition at line 1538 of file detect-engine.c.

References SCMutexLock.

◆ DetectEngineReloadTenantBlocking()

int DetectEngineReloadTenantBlocking ( uint32_t  tenant_id,
const char *  yaml,
int  reload_cnt 
)

Reload a tenant and wait for loading to complete.

Definition at line 3472 of file detect-engine.c.

◆ DetectEngineResetMaxSigId()

void DetectEngineResetMaxSigId ( DetectEngineCtx )

Definition at line 2474 of file detect-engine.c.

References de_ctx, and DetectEngineCtx_::signum.

Referenced by SigCleanSignatures().

Here is the caller graph for this function:

◆ DetectEngineSetParseMetadata()

void DetectEngineSetParseMetadata ( void  )

Definition at line 4222 of file detect-engine.c.

◆ DetectEngineTentantRegisterLivedev()

int DetectEngineTentantRegisterLivedev ( uint32_t  tenant_id,
int  device_id 
)

Definition at line 3875 of file detect-engine.c.

◆ DetectEngineTentantRegisterPcapFile()

int DetectEngineTentantRegisterPcapFile ( uint32_t  tenant_id)

Definition at line 3890 of file detect-engine.c.

References SCLogInfo, and TENANT_SELECTOR_DIRECT.

◆ DetectEngineTentantRegisterVlanId()

int DetectEngineTentantRegisterVlanId ( uint32_t  tenant_id,
uint16_t  vlan_id 
)

Definition at line 3880 of file detect-engine.c.

◆ DetectEngineTentantUnregisterPcapFile()

int DetectEngineTentantUnregisterPcapFile ( uint32_t  tenant_id)

Definition at line 3896 of file detect-engine.c.

References SCLogInfo, and TENANT_SELECTOR_DIRECT.

◆ DetectEngineTentantUnregisterVlanId()

int DetectEngineTentantUnregisterVlanId ( uint32_t  tenant_id,
uint16_t  vlan_id 
)

Definition at line 3885 of file detect-engine.c.

◆ DetectEngineThreadCtxDeinit()

TmEcode DetectEngineThreadCtxDeinit ( ThreadVars ,
void *   
)

Definition at line 3005 of file detect-engine.c.

References HashTableFree(), DetectEngineThreadCtx_::mt_det_ctxs_hash, SC_ERR_INVALID_ARGUMENTS, SCLogWarning, and TM_ECODE_OK.

Referenced by DetectEngineThreadCtxInit().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ DetectEngineThreadCtxInit()

TmEcode DetectEngineThreadCtxInit ( ThreadVars tv,
void *  initdata,
void **  data 
)

initialize thread specific detection engine context

Note
there is a special case when using delayed detect. In this case the function is called twice per thread. The first time the rules are not yet loaded. de_ctx->delayed_detect_initialized will be 0. The 2nd time they will be loaded. de_ctx->delayed_detect_initialized will be 1. This is needed to do the per thread counter registration before the packet runtime starts. In delayed detect mode, the first call will return a NULL ptr through the data ptr.
Parameters
tvThreadVars for this thread
initdatapointer to de_ctx
data[out]pointer to store our thread detection ctx
Return values
TM_ECODE_OKif all went well
TM_ECODE_FAILEDon serious errors

alert counter setup

Definition at line 2797 of file detect-engine.c.

References DetectEngineThreadCtx_::de_ctx, DETECT_ENGINE_TYPE_NORMAL, DETECT_ENGINE_TYPE_TENANT, DetectEngineGetCurrent(), DetectEngineThreadCtxDeinit(), RunmodeIsUnittests(), SCMalloc, TM_ECODE_FAILED, tv, DetectEngineThreadCtx_::tv, DetectEngineCtx_::type, and unlikely.

Here is the call graph for this function:

◆ DetectEngineUnsetParseMetadata()

void DetectEngineUnsetParseMetadata ( void  )

Definition at line 4227 of file detect-engine.c.

◆ DetectPktInspectEngineRegister()

void DetectPktInspectEngineRegister ( const char *  name,
InspectionBufferGetPktDataPtr  GetPktData,
InspectionBufferPktInspectFunc  Callback 
)

◆ DetectRegisterThreadCtxGlobalFuncs()

int DetectRegisterThreadCtxGlobalFuncs ( const char *  name,
void *(*)(void *)  InitFunc,
void *  data,
void(*)(void *)  FreeFunc 
)

Register Thread keyword context Funcs (Global)

IDs stay static over reloads and between tenants

Parameters
namekeyword name for error printing
InitFuncfunction ptr
FreeFuncfunction ptr
Return values
idfor retrieval of ctx at runtime
-1on error

Definition at line 3143 of file detect-engine.c.

References BUG_ON.

◆ DetectSigmatchListEnumToString()

◆ DetectThreadCtxGetGlobalKeywordThreadCtx()

void* DetectThreadCtxGetGlobalKeywordThreadCtx ( DetectEngineThreadCtx det_ctx,
int  id 
)

Retrieve thread local keyword ctx by id.

Parameters
det_ctxdetection engine thread ctx to retrieve the ctx from
idid of the ctx returned by DetectRegisterThreadCtxInitFunc at keyword init.
Return values
ctxor NULL on error

Definition at line 3187 of file detect-engine.c.

References DetectEngineThreadCtx_::global_keyword_ctxs_array, and DetectEngineThreadCtx_::global_keyword_ctxs_size.

Referenced by HttpHeaderGetBufferSpaceForTXID().

Here is the caller graph for this function:

◆ InspectionBufferApplyTransforms()

◆ InspectionBufferCheckAndExpand()

void InspectionBufferCheckAndExpand ( InspectionBuffer buffer,
uint32_t  min_size 
)

make sure that the buffer has at least 'min_size' bytes Expand the buffer if necessary

Definition at line 1139 of file detect-engine.c.

References InspectionBuffer::buf, likely, SCRealloc, and InspectionBuffer::size.

Referenced by FileSwfDecompression(), and InspectionBufferCopy().

Here is the caller graph for this function:

◆ InspectionBufferClean()

◆ InspectionBufferCopy()

void InspectionBufferCopy ( InspectionBuffer buffer,
uint8_t *  buf,
uint32_t  buf_len 
)

◆ InspectionBufferFree()

void InspectionBufferFree ( InspectionBuffer buffer)

Definition at line 1127 of file detect-engine.c.

References InspectionBuffer::buf, and SCFree.

◆ InspectionBufferGet()

◆ InspectionBufferGetMulti()

◆ InspectionBufferInit()

void InspectionBufferInit ( InspectionBuffer buffer,
uint32_t  initial_size 
)

Definition at line 1110 of file detect-engine.c.

References InspectionBuffer::buf, SCCalloc, and InspectionBuffer::size.

◆ InspectionBufferMultipleForListGet()

InspectionBuffer* InspectionBufferMultipleForListGet ( InspectionBufferMultipleForList fb,
uint32_t  local_id 
)

for a InspectionBufferMultipleForList get a InspectionBuffer

Parameters
fbthe multiple buffer array
local_idthe index to get a buffer
bufferthe inspect buffer or NULL in case of error

Definition at line 1074 of file detect-engine.c.

References InspectionBufferMultipleForList::inspection_buffers, InspectionBufferMultipleForList::max, MAX, SCLogDebug, SCRealloc, and InspectionBufferMultipleForList::size.

◆ InspectionBufferSetup()

void InspectionBufferSetup ( InspectionBuffer buffer,
const uint8_t *  data,
const uint32_t  data_len 
)

setup the buffer with our initial data

Definition at line 1120 of file detect-engine.c.

References InspectionBuffer::inspect, InspectionBuffer::inspect_len, InspectionBuffer::len, InspectionBuffer::orig, and InspectionBuffer::orig_len.