Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
18 /**
19  * \file
20  *
21  * \author Victor Julien <>
22  */
24 #ifndef __DETECT_ENGINE_H__
25 #define __DETECT_ENGINE_H__
27 #include "detect.h"
28 #include "tm-threads.h"
29 #include "flow-private.h"
31 void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size);
32 void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len);
34 void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size);
35 void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len);
37  const DetectEngineTransforms *transforms);
39 InspectionBuffer *InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id);
43 int DetectBufferTypeRegister(const char *name);
44 int DetectBufferTypeGetByName(const char *name);
45 void DetectBufferTypeSupportsMpm(const char *name);
46 void DetectBufferTypeSupportsPacket(const char *name);
47 void DetectBufferTypeSupportsTransformations(const char *name);
48 int DetectBufferTypeMaxId(void);
50 void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc);
51 const char *DetectBufferTypeGetDescriptionByName(const char *name);
52 void DetectBufferTypeRegisterSetupCallback(const char *name,
53  void (*Callback)(const DetectEngineCtx *, Signature *));
54 void DetectBufferTypeRegisterValidateCallback(const char *name,
55  _Bool (*ValidateCallback)(const Signature *, const char **sigerror));
57 int DetectBufferTypeGetByIdTransforms(DetectEngineCtx *de_ctx, const int id,
58  int *transforms, int transform_cnt);
59 const char *DetectBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id);
60 bool DetectBufferTypeSupportsMpmGetById(const DetectEngineCtx *de_ctx, const int id);
61 bool DetectBufferTypeSupportsPacketGetById(const DetectEngineCtx *de_ctx, const int id);
62 const char *DetectBufferTypeGetDescriptionById(const DetectEngineCtx *de_ctx, const int id);
63 void DetectBufferRunSetupCallback(const DetectEngineCtx *de_ctx, const int id, Signature *s);
64 bool DetectBufferRunValidateCallback(const DetectEngineCtx *de_ctx, const int id, const Signature *s, const char **sigerror);
66 /* prototypes */
73 int DetectRegisterThreadCtxGlobalFuncs(const char *name,
74  void *(*InitFunc)(void *), void *data, void (*FreeFunc)(void *));
77 TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **);
79 //inline uint32_t DetectEngineGetMaxSigId(DetectEngineCtx *);
80 /* faster as a macro than a inline function on my box -- VJ */
81 #define DetectEngineGetMaxSigId(de_ctx) ((de_ctx)->signum)
83 void DetectEngineRegisterTests(void);
86 uint32_t DetectEngineGetVersion(void);
87 void DetectEngineBumpVersion(void);
91 void DetectEnginePruneFreeList(void);
95 int DetectEngineReload(const SCInstance *suri);
96 int DetectEngineEnabled(void);
97 int DetectEngineMTApply(void);
101 int DetectEngineReloadStart(void);
102 int DetectEngineReloadIsStart(void);
103 void DetectEngineReloadSetIdle(void);
104 int DetectEngineReloadIsIdle(void);
106 int DetectEngineLoadTenantBlocking(uint32_t tenant_id, const char *yaml);
107 int DetectEngineReloadTenantBlocking(uint32_t tenant_id, const char *yaml, int reload_cnt);
109 int DetectEngineTentantRegisterLivedev(uint32_t tenant_id, int device_id);
110 int DetectEngineTentantRegisterVlanId(uint32_t tenant_id, uint16_t vlan_id);
111 int DetectEngineTentantUnregisterVlanId(uint32_t tenant_id, uint16_t vlan_id);
112 int DetectEngineTentantRegisterPcapFile(uint32_t tenant_id);
113 int DetectEngineTentantUnregisterPcapFile(uint32_t tenant_id);
117  const Signature *, const SigMatchData *,
118  Flow *, const uint8_t, void *, void *,
119  uint64_t);
122  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
123  const DetectEngineAppInspectionEngine *engine,
124  const Signature *s,
125  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
128  DetectEngineThreadCtx *det_ctx,
129  const DetectEnginePktInspectionEngine *engine,
130  const Signature *s, Packet *p, uint8_t *alert_flags);
132 /**
133  * \brief Registers an app inspection engine.
134  *
135  * \param name Name of the detection list
136  * \param alproto App layer protocol for which we will register the engine.
137  * \param direction The direction for the engine: SIG_FLAG_TOSERVER or
139  * \param progress Minimal progress value for inspect engine to run
140  * \param Callback The engine callback.
141  */
142 void DetectAppLayerInspectEngineRegister(const char *name,
143  AppProto alproto, uint32_t dir,
144  int progress, InspectEngineFuncPtr Callback);
145 void DetectAppLayerInspectEngineRegister2(const char *name,
146  AppProto alproto, uint32_t dir, int progress,
147  InspectEngineFuncPtr2 Callback2,
150 void DetectPktInspectEngineRegister(const char *name,
158  DetectEngineThreadCtx *det_ctx, const Signature *s,
159  Flow *f, Packet *p,
160  uint8_t *alert_flags);
167 int WARN_UNUSED DetectBufferSetActiveList(Signature *s, const int list);
170 #endif /* __DETECT_ENGINE_H__ */
int DetectBufferTypeRegister(const char *name)
uint16_t flags
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
int DetectEngineTentantRegisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
bool DetectEnginePktInspectionRun(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, uint8_t *alert_flags)
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
int WARN_UNUSED DetectBufferSetActiveList(Signature *s, const int list)
InspectionBuffer *(* InspectionBufferGetPktDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)
Definition: detect.h:449
int DetectEngineReloadIsIdle(void)
int(* InspectionBufferPktInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags)
Definition: detect.h:442
int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature *s)
void InspectionBufferFree(InspectionBuffer *buffer)
void * DetectThreadCtxGetGlobalKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
void DetectEngineAppInspectionEngineSignatureFree(Signature *s)
free app inspect engines for a signature
int DetectEngineReloadIsStart(void)
int DetectBufferTypeGetByName(const char *name)
const char * DetectBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
void DetectEngineResetMaxSigId(DetectEngineCtx *)
void InspectionBufferClean(DetectEngineThreadCtx *det_ctx)
InspectionBufferMultipleForList * InspectionBufferGetMulti(DetectEngineThreadCtx *det_ctx, const int list_id)
Data needed for Match()
Definition: detect.h:327
DetectEngineCtx * DetectEngineReference(DetectEngineCtx *)
int DetectEngineLoadTenantBlocking(uint32_t tenant_id, const char *yaml)
Load a tenant and wait for loading to complete.
DetectEngineCtx * DetectEngineCtxInit(void)
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
uint16_t AppProto
Signature container.
Definition: detect.h:522
void DetectBufferTypeRegisterSetupCallback(const char *name, void(*Callback)(const DetectEngineCtx *, Signature *))
void DetectEnginePruneFreeList(void)
int(* InspectEngineFuncPtr)(ThreadVars *tv, struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct Signature_ *sig, const SigMatchData *smd, Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
Definition: detect.h:381
int DetectEnginePktInspectionSetup(Signature *s)
DetectEngineCtx * DetectEngineGetByTenantId(int tenant_id)
main detection engine ctx
Definition: detect.h:761
bool DetectBufferTypeSupportsPacketGetById(const DetectEngineCtx *de_ctx, const int id)
InspectionBuffer * InspectionBufferMultipleForListGet(InspectionBufferMultipleForList *fb, uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
const char * DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
int DetectEngineReload(const SCInstance *suri)
Reload the detection engine.
int(* InspectEngineFuncPtr2)(struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Definition: detect.h:389
int DetectBufferTypeGetByIdTransforms(DetectEngineCtx *de_ctx, const int id, int *transforms, int transform_cnt)
int DetectEngineTentantUnregisterPcapFile(uint32_t tenant_id)
DetectEngineCtx * DetectEngineGetCurrent(void)
const char * DetectBufferTypeGetDescriptionById(const DetectEngineCtx *de_ctx, const int id)
const char * DetectBufferTypeGetDescriptionByName(const char *name)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
DetectEngineCtx * DetectEngineCtxInitStubForMT(void)
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
void DetectEngineUnsetParseMetadata(void)
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
int DetectEngineMustParseMetadata(void)
uint8_t type
int DetectEngineReloadTenantBlocking(uint32_t tenant_id, const char *yaml, int reload_cnt)
Reload a tenant and wait for loading to complete.
void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len)
void DetectEngineReloadSetIdle(void)
void DetectBufferTypeSupportsTransformations(const char *name)
void DetectBufferTypeSupportsPacket(const char *name)
bool DetectBufferTypeSupportsMpmGetById(const DetectEngineCtx *de_ctx, const int id)
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
void DetectEngineDeReference(DetectEngineCtx **de_ctx)
void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size)
uint32_t DetectEngineGetVersion(void)
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
Registers an app inspection engine.
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
int DetectEngineTentantUnregisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
int DetectEngineInspectGenericList(ThreadVars *, const DetectEngineCtx *, DetectEngineThreadCtx *, const Signature *, const SigMatchData *, Flow *, const uint8_t, void *, void *, uint64_t)
Do the content inspection & validation for a signature.
bool DetectBufferRunValidateCallback(const DetectEngineCtx *de_ctx, const int id, const Signature *s, const char **sigerror)
int DetectEngineReloadStart(void)
void DetectBufferRunSetupCallback(const DetectEngineCtx *de_ctx, const int id, Signature *s)
void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size)
make sure that the buffer has at least &#39;min_size&#39; bytes Expand the buffer if necessary ...
int DetectEngineTentantRegisterLivedev(uint32_t tenant_id, int device_id)
void DetectEngineSetParseMetadata(void)
void DetectBufferTypeRegisterValidateCallback(const char *name, _Bool(*ValidateCallback)(const Signature *, const char **sigerror))
DetectEngineCtx * DetectEngineCtxInitStubForDD(void)
int DetectEngineAddToMaster(DetectEngineCtx *de_ctx)
void DetectBufferTypeCloseRegistration(void)
int DetectRegisterThreadCtxGlobalFuncs(const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *))
Register Thread keyword context Funcs (Global)
int DetectEngineTentantRegisterPcapFile(uint32_t tenant_id)
void DetectPktInspectEngineRegister(const char *name, InspectionBufferGetPktDataPtr GetPktData, InspectionBufferPktInspectFunc Callback)
register inspect engine at start up time
int DetectEngineMultiTenantEnabled(void)
uint16_t tx_id
int DetectBufferTypeMaxId(void)
int DetectEngineEnabled(void)
Check if detection is enabled.
int DetectEngineMTApply(void)
DetectEngineCtx * DetectEngineCtxInitWithPrefix(const char *prefix)
int DetectEngineInspectPktBufferGeneric(DetectEngineThreadCtx *det_ctx, const DetectEnginePktInspectionEngine *engine, const Signature *s, Packet *p, uint8_t *alert_flags)
Do the content inspection & validation for a signature.
void DetectBufferTypeSupportsMpm(const char *name)
int DetectEngineMoveToFreeList(DetectEngineCtx *de_ctx)
void DetectEngineBumpVersion(void)
Per thread variable structure.
Definition: threadvars.h:57
void DetectEngineRegisterTests(void)
int DetectEngineMultiTenantSetup(void)
setup multi-detect / multi-tenancy
InspectionBuffer *(* InspectionBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)
Definition: detect.h:375
Flow data structure.
Definition: flow.h:325
Definition: detect.h:88
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.