suricata
|
Go to the source code of this file.
Data Structures | |
struct | DetectParseRegex |
Typedefs | |
typedef struct DetectEngineCtx_ | DetectEngineCtx |
typedef struct Signature_ | Signature |
typedef struct SigMatchCtx_ | SigMatchCtx |
typedef struct SigMatch_ | SigMatch |
typedef struct SigMatchData_ | SigMatchData |
typedef struct DetectParseRegex | DetectParseRegex |
Enumerations | |
enum | { SIG_DIREC_NORMAL, SIG_DIREC_SWITCHED } |
enum | { SIG_DIREC_SRC, SIG_DIREC_DST } |
Functions | |
int | SignatureInitDataBufferCheckExpand (Signature *s) |
check if buffers array still has space left, expand if not More... | |
Signature * | SigAlloc (void) |
void | SigFree (DetectEngineCtx *de_ctx, Signature *s) |
Signature * | SigInit (DetectEngineCtx *, const char *sigstr) |
Parses a signature and adds it to the Detection Engine Context. More... | |
SigMatchData * | SigMatchList2DataArray (SigMatch *head) |
convert SigMatch list to SigMatchData array More... | |
void | SigParseRegisterTests (void) |
Signature * | DetectEngineAppendSig (DetectEngineCtx *, const char *) |
Parse and append a Signature into the Detection Engine Context signature list. More... | |
Signature * | DetectFirewallRuleAppendNew (DetectEngineCtx *, const char *) |
Parse and append a Signature into the Detection Engine Context signature list. More... | |
SigMatch * | SCSigMatchAppendSMToList (DetectEngineCtx *, Signature *, uint16_t, SigMatchCtx *, int) |
Append a SigMatch to the list type. More... | |
void | SigMatchRemoveSMFromList (Signature *, SigMatch *, int) |
int | SigMatchListSMBelongsTo (const Signature *, const SigMatch *) |
int | DetectParseDupSigHashInit (DetectEngineCtx *) |
Initializes the hash table that is used to cull duplicate sigs. More... | |
void | DetectParseDupSigHashFree (DetectEngineCtx *) |
Frees the hash table that is used to cull duplicate sigs. More... | |
int | DetectEngineContentModifierBufferSetup (DetectEngineCtx *de_ctx, Signature *s, const char *arg, int sm_type, int sm_list, AppProto alproto) |
bool | SigMatchSilentErrorEnabled (const DetectEngineCtx *de_ctx, const enum DetectKeywordId id) |
bool | SigMatchStrictEnabled (const enum DetectKeywordId id) |
const char * | DetectListToHumanString (int list) |
const char * | DetectListToString (int list) |
void | SigTableApplyStrictCommandLineOption (const char *str) |
SigMatch * | DetectGetLastSM (const Signature *) |
Returns the sm with the largest index (added latest) from this sig. More... | |
SigMatch * | DetectGetLastSMFromMpmLists (const DetectEngineCtx *de_ctx, const Signature *s) |
get the last SigMatch from lists that support MPM. More... | |
SigMatch * | DetectGetLastSMFromLists (const Signature *s,...) |
Returns the sm with the largest index (added latest) from the lists passed to us. More... | |
SigMatch * | DetectGetLastSMByListPtr (const Signature *s, SigMatch *sm_list,...) |
Returns the sm with the largest index (added last) from the list passed to us as a pointer. More... | |
SigMatch * | DetectGetLastSMByListId (const Signature *s, int list_id,...) |
Returns the sm with the largest index (added last) from the list passed to us as an id. More... | |
int WARN_UNUSED | SCDetectSignatureSetAppProto (Signature *s, AppProto alproto) |
int WARN_UNUSED | DetectSignatureSetMultiAppProto (Signature *s, const AppProto *alprotos) |
this function is used to set multiple possible app-layer protos More... | |
DetectParseRegex * | DetectSetupPCRE2 (const char *parse_str, int opts) |
bool | DetectSetupParseRegexesOpts (const char *parse_str, DetectParseRegex *parse_regex, int opts) |
void | DetectSetupParseRegexes (const char *parse_str, DetectParseRegex *parse_regex) |
void | DetectParseRegexAddToFreeList (DetectParseRegex *parse_regex) |
add regex and/or study to at exit free list More... | |
void | DetectParseFreeRegexes (void) |
void | DetectParseFreeRegex (DetectParseRegex *r) |
int | DetectParsePcreExec (DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options) |
int | SC_Pcre2SubstringCopy (pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen) |
int | SC_Pcre2SubstringGet (pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr, PCRE2_SIZE *bufflen) |
void | DetectRegisterAppLayerHookLists (void) |
register app hooks as generic lists More... | |
Definition in file detect-parse.h.
typedef struct DetectEngineCtx_ DetectEngineCtx |
Definition at line 1 of file detect-parse.h.
typedef struct DetectParseRegex DetectParseRegex |
Definition at line 1 of file detect-parse.h.
typedef struct SigMatchCtx_ SigMatchCtx |
Definition at line 1 of file detect-parse.h.
typedef struct SigMatchData_ SigMatchData |
Definition at line 1 of file detect-parse.h.
typedef struct Signature_ Signature |
Definition at line 1 of file detect-parse.h.
anonymous enum |
Flags to indicate if the Signature parsing must be done switching the source and dest (for ip addresses and ports) or otherwise as normal
Enumerator | |
---|---|
SIG_DIREC_NORMAL | |
SIG_DIREC_SWITCHED |
Definition at line 39 of file detect-parse.h.
anonymous enum |
Flags to indicate if are referencing the source of the Signature or the destination (for ip addresses and ports)
Enumerator | |
---|---|
SIG_DIREC_SRC | |
SIG_DIREC_DST |
Definition at line 46 of file detect-parse.h.
Signature* DetectEngineAppendSig | ( | DetectEngineCtx * | de_ctx, |
const char * | sigstr | ||
) |
Parse and append a Signature into the Detection Engine Context signature list.
If the signature is bidirectional it should append two signatures (with the addresses switched) into the list. Also handle duplicate signatures. In case of duplicate sigs, use the ones that have the latest revision. We use the sid and the msg to identify duplicate sigs. If 2 sigs have the same sid and gid, they are duplicates.
de_ctx | Pointer to the Detection Engine Context. |
sigstr | Pointer to a character string containing the signature to be parsed. |
sig_file | Pointer to a character string containing the filename from which signature is read |
lineno | Line number from where signature is read |
Pointer | to the head Signature in the detection engine ctx sig_list on success; NULL on failure. |
In DetectEngineAppendSig(), the signatures are prepended and we always return the first one so if the signature is bidirectional, the returned sig will point through "next" ptr to the cloned signatures with the switched addresses
Definition at line 3338 of file detect-parse.c.
References de_ctx, and SigInit().
int DetectEngineContentModifierBufferSetup | ( | DetectEngineCtx * | de_ctx, |
Signature * | s, | ||
const char * | arg, | ||
int | sm_type, | ||
int | sm_list, | ||
AppProto | alproto | ||
) |
arg | NULL or empty string |
Definition at line 146 of file detect-parse.c.
References Signature_::alproto, ALPROTO_UNKNOWN, DETECT_SM_LIST_NOTSET, Signature_::init_data, SignatureInitData_::list, name, SCLogError, and sigmatch_table.
Referenced by DetectHttpUriSetup().
Signature* DetectFirewallRuleAppendNew | ( | DetectEngineCtx * | de_ctx, |
const char * | sigstr | ||
) |
Parse and append a Signature into the Detection Engine Context signature list.
If the signature is bidirectional it should append two signatures (with the addresses switched) into the list. Also handle duplicate signatures. In case of duplicate sigs, use the ones that have the latest revision. We use the sid and the msg to identify duplicate sigs. If 2 sigs have the same sid and gid, they are duplicates.
de_ctx | Pointer to the Detection Engine Context. |
sigstr | Pointer to a character string containing the signature to be parsed. |
sig_file | Pointer to a character string containing the filename from which signature is read |
lineno | Line number from where signature is read |
Pointer | to the head Signature in the detection engine ctx sig_list on success; NULL on failure. |
In DetectEngineAppendSig(), the signatures are prepended and we always return the first one so if the signature is bidirectional, the returned sig will point through "next" ptr to the cloned signatures with the switched addresses
Definition at line 3266 of file detect-parse.c.
Returns the sm with the largest index (added latest) from this sig.
sm_last | Pointer to last sm |
Definition at line 709 of file detect-parse.c.
References SignatureInitData_::buffer_index, SignatureInitData_::buffers, DETECT_SM_LIST_MAX, SigMatch_::idx, Signature_::init_data, SignatureInitData_::smlists_tail, and SignatureInitDataBuffer_::tail.
Returns the sm with the largest index (added last) from the list passed to us as an id.
list_id | id of the list to be searched |
va_args | list of keyword types terminated by -1 |
sm_last | to last sm. |
Definition at line 658 of file detect-parse.c.
References SignatureInitData_::buffer_index, SignatureInitData_::buffers, DETECT_SM_LIST_MAX, Signature_::init_data, and SignatureInitDataBuffer_::tail.
Returns the sm with the largest index (added last) from the list passed to us as a pointer.
sm_list | pointer to the SigMatch we should look before |
va_args | list of keyword types terminated by -1 |
sm_last | to last sm. |
Definition at line 626 of file detect-parse.c.
Referenced by DetectGetLastSMFromMpmLists().
Returns the sm with the largest index (added latest) from the lists passed to us.
Pointer | to Last sm. |
Definition at line 564 of file detect-parse.c.
References SignatureInitData_::buffer_index, SignatureInitData_::buffers, DETECT_SM_LIST_NOTSET, SignatureInitDataBuffer_::id, Signature_::init_data, SignatureInitData_::list, and SCLogDebug.
SigMatch* DetectGetLastSMFromMpmLists | ( | const DetectEngineCtx * | de_ctx, |
const Signature * | s | ||
) |
get the last SigMatch from lists that support MPM.
Definition at line 527 of file detect-parse.c.
References SignatureInitData_::buffer_index, SignatureInitData_::buffers, de_ctx, DETECT_CONTENT, DETECT_SM_LIST_MAX, DetectEngineBufferTypeSupportsMpmGetById(), DetectGetLastSMByListPtr(), SignatureInitDataBuffer_::id, SigMatch_::idx, Signature_::init_data, SignatureInitData_::smlists_tail, and SignatureInitDataBuffer_::tail.
const char* DetectListToHumanString | ( | int | list | ) |
Definition at line 112 of file detect-parse.c.
Referenced by DumpPatterns().
const char* DetectListToString | ( | int | list | ) |
Definition at line 130 of file detect-parse.c.
void DetectParseDupSigHashFree | ( | DetectEngineCtx * | de_ctx | ) |
Frees the hash table that is used to cull duplicate sigs.
de_ctx | Pointer to the detection engine context that holds this table. |
Definition at line 3088 of file detect-parse.c.
References de_ctx, DetectEngineCtx_::dup_sig_hash_table, and HashListTableFree().
Referenced by DetectEngineCtxFree().
int DetectParseDupSigHashInit | ( | DetectEngineCtx * | de_ctx | ) |
Initializes the hash table that is used to cull duplicate sigs.
de_ctx | Pointer to the detection engine context. |
0 | On success. |
-1 | On failure. |
Definition at line 3071 of file detect-parse.c.
References de_ctx, DetectEngineCtx_::dup_sig_hash_table, and HashListTableInit().
void DetectParseFreeRegex | ( | DetectParseRegex * | r | ) |
Definition at line 3402 of file detect-parse.c.
References DetectParseRegex::context, and DetectParseRegex::regex.
void DetectParseFreeRegexes | ( | void | ) |
Definition at line 3412 of file detect-parse.c.
Referenced by GlobalsDestroy().
int DetectParsePcreExec | ( | DetectParseRegex * | parse_regex, |
pcre2_match_data ** | match, | ||
const char * | str, | ||
int | start_offset, | ||
int | options | ||
) |
Definition at line 3392 of file detect-parse.c.
void DetectParseRegexAddToFreeList | ( | DetectParseRegex * | parse_regex | ) |
add regex and/or study to at exit free list
Definition at line 3428 of file detect-parse.c.
References FatalError, DetectParseRegex::next, DetectParseRegex::regex, and SCCalloc.
Referenced by DetectSetupParseRegexesOpts().
void DetectRegisterAppLayerHookLists | ( | void | ) |
register app hooks as generic lists
Register each hook in each app protocol as: <alproto>:<hook name>:generic These lists can be used by lua scripts to hook into.
Definition at line 1152 of file detect-parse.c.
References ALPROTO_FAILED, AppLayerParserGetStateNameById(), AppLayerParserGetStateProgressCompletionStatus(), AppProtoToString(), DetectAppLayerInspectEngineRegister(), DetectEngineInspectGenericList(), g_alproto_max, name, SCLogDebug, SIG_FLAG_TOCLIENT, and SIG_FLAG_TOSERVER.
Referenced by SigTableSetup().
void DetectSetupParseRegexes | ( | const char * | parse_str, |
DetectParseRegex * | parse_regex | ||
) |
Definition at line 3518 of file detect-parse.c.
References DetectSetupParseRegexesOpts(), and FatalError.
bool DetectSetupParseRegexesOpts | ( | const char * | parse_str, |
DetectParseRegex * | parse_regex, | ||
int | opts | ||
) |
Definition at line 3439 of file detect-parse.c.
References DetectParseRegex::context, DetectParseRegexAddToFreeList(), DetectParseRegex::regex, SC_MATCH_LIMIT_DEFAULT, SC_MATCH_LIMIT_RECURSION_DEFAULT, and SCLogError.
Referenced by DetectSetupParseRegexes().
DetectParseRegex* DetectSetupPCRE2 | ( | const char * | parse_str, |
int | opts | ||
) |
Definition at line 3468 of file detect-parse.c.
References DetectParseRegex::next, DetectParseRegex::regex, SCCalloc, SCFree, and SCLogError.
int WARN_UNUSED DetectSignatureSetMultiAppProto | ( | Signature * | s, |
const AppProto * | alprotos | ||
) |
this function is used to set multiple possible app-layer protos
into the current signature (for example ja4 for both tls and quic)
s | pointer to the Current Signature |
alprotos | an array terminated by ALPROTO_UNKNOWN |
0 | on Success |
-1 | on Failure |
Definition at line 2134 of file detect-parse.c.
References Signature_::alproto, ALPROTO_UNKNOWN, SignatureInitData_::alprotos, Signature_::init_data, SCDetectSignatureSetAppProto(), and SIG_ALPROTO_MAX.
int SC_Pcre2SubstringCopy | ( | pcre2_match_data * | match_data, |
uint32_t | number, | ||
PCRE2_UCHAR * | buffer, | ||
PCRE2_SIZE * | bufflen | ||
) |
Definition at line 3494 of file detect-parse.c.
int SC_Pcre2SubstringGet | ( | pcre2_match_data * | match_data, |
uint32_t | number, | ||
PCRE2_UCHAR ** | bufferptr, | ||
PCRE2_SIZE * | bufflen | ||
) |
Definition at line 3506 of file detect-parse.c.
int WARN_UNUSED SCDetectSignatureSetAppProto | ( | Signature * | s, |
AppProto | alproto | ||
) |
Definition at line 2212 of file detect-parse.c.
Referenced by DetectSignatureSetMultiAppProto().
SigMatch* SCSigMatchAppendSMToList | ( | DetectEngineCtx * | de_ctx, |
Signature * | s, | ||
uint16_t | type, | ||
SigMatchCtx * | ctx, | ||
const int | list | ||
) |
Append a SigMatch to the list type.
s | Signature. |
new | The sig match to append. |
list | The list to append to. |
Definition at line 388 of file detect-parse.c.
Referenced by DetectContentSetup(), and DetectFlowvarPostMatchSetup().
Signature* SigAlloc | ( | void | ) |
Definition at line 1920 of file detect-parse.c.
References SignatureInitData_::buffers, SignatureInitData_::buffers_size, DETECT_SM_LIST_NOTSET, Signature_::init_data, SignatureInitData_::is_rule_state_dependant, SignatureInitData_::list, SignatureInitData_::mpm_sm_list, Signature_::prio, SignatureInitData_::rule_state_dependant_sids_idx, SCCalloc, SCFree, and unlikely.
void SigFree | ( | DetectEngineCtx * | de_ctx, |
Signature * | s | ||
) |
Definition at line 2040 of file detect-parse.c.
References SignatureInitData_::buffer_index, SignatureInitData_::buffers, SignatureInitData_::cidr_dst, SignatureInitData_::cidr_src, DetectEngineTransforms::cnt, de_ctx, DETECT_SM_LIST_MAX, SigTableElmt_::Free, SignatureInitDataBuffer_::head, Signature_::init_data, IPOnlyCIDRListFree(), SigMatch_::next, TransformData_::options, SCFree, sigmatch_table, SigMatchFree(), SignatureInitData_::smlists, TransformData_::transform, DetectEngineTransforms::transforms, and SignatureInitData_::transforms.
Signature* SigInit | ( | DetectEngineCtx * | de_ctx, |
const char * | sigstr | ||
) |
Parses a signature and adds it to the Detection Engine Context.
de_ctx | Pointer to the Detection Engine Context. |
sigstr | Pointer to a character string containing the signature to be parsed. |
Pointer | to the Signature instance on success; NULL on failure. |
Definition at line 2996 of file detect-parse.c.
Referenced by DetectEngineAppendSig(), LLVMFuzzerTestOneInput(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().
SigMatchData* SigMatchList2DataArray | ( | SigMatch * | head | ) |
convert SigMatch list to SigMatchData array
Definition at line 2348 of file detect-parse.c.
References len.
Referenced by DetectEngineAppInspectionEngine2Signature().
Definition at line 763 of file detect-parse.c.
References SignatureInitData_::buffer_index, SignatureInitData_::buffers, SignatureInitDataBuffer_::head, SignatureInitDataBuffer_::id, Signature_::init_data, and SigMatch_::next.
Definition at line 487 of file detect-parse.c.
References Signature_::init_data, SigMatch_::next, SigMatch_::prev, SignatureInitData_::smlists, and SignatureInitData_::smlists_tail.
Referenced by DetectIPProtoRemoveAllSMs().
bool SigMatchSilentErrorEnabled | ( | const DetectEngineCtx * | de_ctx, |
const enum DetectKeywordId | id | ||
) |
Definition at line 330 of file detect-parse.c.
References de_ctx, id, and DetectEngineCtx_::sm_types_silent_error.
bool SigMatchStrictEnabled | ( | const enum DetectKeywordId | id | ) |
Definition at line 336 of file detect-parse.c.
References DETECT_TBLSIZE, flags, SIGMATCH_STRICT_PARSING, and sigmatch_table.
int SignatureInitDataBufferCheckExpand | ( | Signature * | s | ) |
check if buffers array still has space left, expand if not
Definition at line 1900 of file detect-parse.c.
References SignatureInitData_::buffer_index, SignatureInitData_::buffers, SignatureInitData_::buffers_size, Signature_::init_data, and SCRealloc.
Referenced by DetectBufferGetActiveList().
void SigParseRegisterTests | ( | void | ) |
Definition at line 5327 of file detect-parse.c.
References DetectParseRegisterTests(), and UtRegisterTest().
Referenced by SigRegisterTests().
void SigTableApplyStrictCommandLineOption | ( | const char * | str | ) |
Definition at line 344 of file detect-parse.c.
References DETECT_TBLSIZE, FatalError, SigTableElmt_::flags, SCStrdup, SIGMATCH_STRICT_PARSING, sigmatch_table, and str.