#include "suricata-common.h"#include "decode.h"#include "action-globals.h"#include "detect.h"#include "threads.h"#include "flow.h"#include "flow-bit.h"#include "flow-util.h"#include "detect-flowbits.h"#include "util-spm.h"#include "app-layer-parser.h"#include "detect-parse.h"#include "detect-engine.h"#include "detect-engine-mpm.h"#include "detect-engine-state.h"#include "detect-engine-build.h"#include "detect-engine-prefilter.h"#include "tree.h"#include "util-var-name.h"#include "util-unittest.h"#include "util-debug.h"#include "util-conf.h"
Go to the source code of this file.
Data Structures | |
| struct | FBAnalyzer |
| struct | FBAnalyze |
| struct | PrefilterFlowbit |
| struct | PrefilterEngineFlowbits |
Macros | |
| #define | PARSE_REGEX "^([a-z]+)(?:,\\s*(.*))?" |
| #define | MAX_TOKENS 100 |
| #define | MAX_SIDS 8 |
| #define | BLOCK_SIZE 8 |
Functions | |
| int | DetectFlowbitMatch (DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *) |
| void | DetectFlowbitFree (DetectEngineCtx *, void *) |
| void | FlowBitsRegisterTests (void) |
| this function registers unit tests for FlowBits More... | |
| void | DetectFlowbitsRegister (void) |
| int | DetectFlowbitsAnalyze (DetectEngineCtx *de_ctx) |
| struct PrefilterFlowbit | __attribute__ ((__packed__)) |
| DNP3 link header. More... | |
| RB_HEAD (PFB, PrefilterFlowbit) | |
| RB_PROTOTYPE (PFB, PrefilterFlowbit, rb, PrefilterFlowbitCompare) | |
| RB_GENERATE (PFB, PrefilterFlowbit, rb, PrefilterFlowbitCompare) | |
Variables | |
| bool | rule_engine_analysis_set |
| SCMutex | g_flowbits_dump_write_m = SCMUTEX_INITIALIZER |
| uint32_t | id |
| uint32_t | rule_id_size |
| uint32_t | rule_id_cnt |
| uint32_t * | rule_id |
| struct PrefilterEngineFlowbits | __attribute__ |
Detailed Description
Implements the flowbits keyword
Definition in file detect-flowbits.c.
Macro Definition Documentation
◆ BLOCK_SIZE
| #define BLOCK_SIZE 8 |
Definition at line 1040 of file detect-flowbits.c.
◆ MAX_SIDS
| #define MAX_SIDS 8 |
Definition at line 466 of file detect-flowbits.c.
◆ MAX_TOKENS
| #define MAX_TOKENS 100 |
Definition at line 58 of file detect-flowbits.c.
◆ PARSE_REGEX
| #define PARSE_REGEX "^([a-z]+)(?:,\\s*(.*))?" |
Definition at line 55 of file detect-flowbits.c.
Function Documentation
◆ DetectFlowbitFree()
| void DetectFlowbitFree | ( | DetectEngineCtx * | de_ctx, |
| void * | ptr | ||
| ) |
Definition at line 393 of file detect-flowbits.c.
References DetectFlowbitsData_::idx, DetectFlowbitsData_::or_list, DetectFlowbitsData_::or_list_size, SCFree, VAR_TYPE_FLOW_BIT, and VarNameStoreUnregister().
◆ DetectFlowbitMatch()
| int DetectFlowbitMatch | ( | DetectEngineThreadCtx * | det_ctx, |
| Packet * | p, | ||
| const Signature * | s, | ||
| const SigMatchCtx * | ctx | ||
| ) |
Definition at line 201 of file detect-flowbits.c.
References DetectFlowbitsData_::cmd, ctx, and DETECT_FLOWBITS_CMD_ISSET.
Referenced by DetectFlowbitsRegister().
◆ DetectFlowbitsAnalyze()
| int DetectFlowbitsAnalyze | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 564 of file detect-flowbits.c.
References FBAnalyzer::array, FBAnalyzer::array_size, de_ctx, DetectEngineCtx_::max_fb_id, SCCalloc, SCLogDebug, SCLogError, DetectEngineCtx_::sig_array, and DetectEngineCtx_::sig_array_len.
◆ DetectFlowbitsRegister()
| void DetectFlowbitsRegister | ( | void | ) |
Definition at line 70 of file detect-flowbits.c.
References SigTableElmt_::desc, DETECT_FLOWBITS, DetectFlowbitMatch(), SigTableElmt_::Match, SigTableElmt_::name, SigTableElmt_::Setup, sigmatch_table, and SigTableElmt_::url.
Referenced by SigTableSetup().
◆ FlowBitsRegisterTests()
| void FlowBitsRegisterTests | ( | void | ) |
this function registers unit tests for FlowBits
Definition at line 1785 of file detect-flowbits.c.
References UtRegisterTest().
◆ RB_GENERATE()
| RB_GENERATE | ( | PFB | , |
| PrefilterFlowbit | , | ||
| rb | , | ||
| PrefilterFlowbitCompare | |||
| ) |
◆ RB_HEAD()
| RB_HEAD | ( | PFB | , |
| PrefilterFlowbit | |||
| ) |
red-black tree prototype for PFB (Prefilter Flow Bits)
◆ RB_PROTOTYPE()
| RB_PROTOTYPE | ( | PFB | , |
| PrefilterFlowbit | , | ||
| rb | , | ||
| PrefilterFlowbitCompare | |||
| ) |
Variable Documentation
◆ __attribute__
| struct PrefilterEngineFlowbits __attribute__ |
◆ g_flowbits_dump_write_m
| SCMutex g_flowbits_dump_write_m = SCMUTEX_INITIALIZER |
Definition at line 811 of file detect-flowbits.c.
◆ id
| uint32_t id |
flowbit id
Definition at line 933 of file detect-flowbits.c.
Referenced by DetectAppLayerMpmRegisterByParentId(), DetectEngineBufferTypeGetById(), DetectRegisterThreadCtxGlobalFuncs(), DetectThreadCtxGetGlobalKeywordThreadCtx(), DetectThreadCtxGetKeywordThreadCtx(), OutputRegisterPacketModule(), OutputRegisterPacketSubModule(), PktVarAdd(), PoolThreadGetById(), PoolThreadLock(), PoolThreadReturn(), PoolThreadReturnRaw(), PoolThreadUnlock(), SCProfilingKeywordUpdateCounter(), SCProfilingPrefilterUpdateCounter(), SigMatchSilentErrorEnabled(), StatsAddUI64(), StatsDecr(), StatsGetLocalCounterValue(), StatsIncr(), StatsSetUI64(), TmModuleGetById(), and TmqhGetQueueHandlerByID().
◆ rule_engine_analysis_set
| bool rule_engine_analysis_set |
Definition at line 56 of file detect-engine-loader.c.
◆ rule_id
| uint32_t* rule_id |
array of signature iid that are part of this prefilter
Definition at line 936 of file detect-flowbits.c.
◆ rule_id_cnt
| uint32_t rule_id_cnt |
usage in elements of rule_id
Definition at line 935 of file detect-flowbits.c.
◆ rule_id_size
| uint32_t rule_id_size |
size in elements of rule_id
Definition at line 934 of file detect-flowbits.c.
