detect.c File Reference
#include "suricata-common.h"
#include "suricata.h"
#include "conf.h"
#include "decode.h"
#include "flow.h"
#include "stream-tcp.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "detect.h"
#include "detect-engine.h"
#include "detect-engine-profile.h"
#include "detect-engine-alert.h"
#include "detect-engine-siggroup.h"
#include "detect-engine-address.h"
#include "detect-engine-proto.h"
#include "detect-engine-port.h"
#include "detect-engine-mpm.h"
#include "detect-engine-iponly.h"
#include "detect-engine-threshold.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-state.h"
#include "detect-engine-analyzer.h"
#include "detect-engine-payload.h"
#include "detect-engine-event.h"
#include "detect-filestore.h"
#include "detect-flowvar.h"
#include "detect-replace.h"
#include "util-validate.h"
#include "util-detect.h"
#include "tests/detect.c"


Data Structures

struct  DetectRunScratchpad
 

Macros

#define TRACE_SID_TXS(sid, txs, ...)
 

Typedefs

typedef struct DetectRunScratchpad DetectRunScratchpad
 

Functions

const SigGroupHead * SigMatchSignaturesGetSgh (const DetectEngineCtx *de_ctx, const Packet *p)
 Get the SigGroupHead for a packet. More...
 
void RuleMatchCandidateTxArrayInit (DetectEngineThreadCtx *det_ctx, uint32_t size)
 
void RuleMatchCandidateTxArrayFree (DetectEngineThreadCtx *det_ctx)
 
void DetectSignatureApplyActions (Packet *p, const Signature *s, const uint8_t alert_flags)
 Apply action(s) and set 'drop' sig info, if applicable. More...
 
TmEcode Detect (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
 Detection engine thread wrapper. More...
 
void DisableDetectFlowFileFlags (Flow *f)
 Disable file features we don't need. Called if we have no detection engine. More...
 
void SigMatchSignatures (ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
 Wrapper for old tests. More...
 

Detailed Description

Author
Victor Julien <victor@inliniac.net>

Basic detection engine

Definition in file detect.c.

Macro Definition Documentation

#define TRACE_SID_TXS ( sid, txs, ... )

Definition at line 1033 of file detect.c.

Typedef Documentation

Function Documentation

TmEcode Detect ( ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq )

Detection engine thread wrapper.

Parameters
tv — thread vars
p — packet to inspect
data — thread specific data
pq — packet queue
Return values
TM_ECODE_FAILED — error
TM_ECODE_OK — ok

Definition at line 1601 of file detect.c.

References DetectEngineThreadCtx_::de_ctx, DEBUG_VALIDATE_PACKET, Packet_::flow, DetectEngineThreadCtx_::mt_det_ctxs_cnt, DetectEngineThreadCtx_::mt_det_ctxs_hash, SC_ATOMIC_GET, SC_ATOMIC_SET, SCLogDebug, Packet_::tenant_id, DetectEngineThreadCtx_::TenantGetId, TM_ECODE_FAILED, TM_ECODE_OK, and unlikely.

void DisableDetectFlowFileFlags ( Flow *f )

Disable file features we don't need. Called if we have no detection engine.

Definition at line 1659 of file detect.c.

References STREAM_TOCLIENT, and STREAM_TOSERVER.

void RuleMatchCandidateTxArrayFree ( DetectEngineThreadCtx *det_ctx )
void RuleMatchCandidateTxArrayInit ( DetectEngineThreadCtx *det_ctx, uint32_t size )
void SigMatchSignatures ( ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p )
const SigGroupHead* SigMatchSignaturesGetSgh ( const DetectEngineCtx *de_ctx, const Packet *p )

Get the SigGroupHead for a packet.

Parameters
de_ctx — detection engine context
p — packet
Return values
sgh — the SigGroupHead, or NULL if none applies to the packet

Definition at line 177 of file detect.c.

References Signature_::addr_dst_match4, Signature_::addr_dst_match4_cnt, Signature_::addr_dst_match6, Signature_::addr_dst_match6_cnt, Signature_::addr_src_match4, Signature_::addr_src_match4_cnt, Signature_::addr_src_match6, Signature_::addr_src_match6_cnt, Packet_::alerts, Flow_::alparser, DetectRunScratchpad::alproto, Signature_::alproto, SignatureNonPrefilterStore_::alproto, ALPROTO_DCERPC, ALPROTO_SMB, ALPROTO_UNKNOWN, Flow_::alstate, DetectRunScratchpad::app_decoder_events, Signature_::app_inspect, AppLayerParserHasDecoderEvents(), DetectEngineThreadCtx_::base64_decoded_len, TcpSession_::client, PacketAlerts_::cnt, PacketEngineEvents_::cnt, DetectEngineThreadCtx_::counter_alerts, DetectEngineThreadCtx_::counter_fnonmpm_list, DetectEngineThreadCtx_::counter_match_list, DetectEngineThreadCtx_::counter_mpm_list, DetectEngineThreadCtx_::counter_nonmpm_list, Flow_::de_ctx_version, DEBUG_VALIDATE_BUG_ON, DetectEngineCtx_::decoder_event_sgh, DeStateUpdateInspectTransactionId(), DETECT_PROTO_IPV4, DETECT_PROTO_IPV6, DetectAddressMatchIPv4(), DetectAddressMatchIPv6(), DetectEnginePktInspectionRun(), DetectEngineStateResetTxs(), DetectPortLookupGroup(), DetectProtoContainsProto(), DetectSignatureApplyActions(), Packet_::dp, Signature_::dp, Signature_::dsize_high, Signature_::dsize_low, Packet_::dst, Packet_::events, FileDisableFilesize(), FileDisableMagic(), FileDisableMd5(), FileDisableSha1(), FileDisableSha256(), FileDisableStoring(), FileForceFilestore(), FileForceMagic(), FileForceMd5(), FileForceSha1(), FileForceSha256(), DetectEngineThreadCtx_::filestore_cnt, SigGroupHead_::filestore_cnt, DetectProto_::flags, TcpStream_::flags, Flow_::flags, Packet_::flags, Signature_::flags, DetectEngineThreadCtx_::flags, SigGroupHead_::flags, FLOW_ACTION_DROP, DetectRunScratchpad::flow_flags, DetectEngineCtx_::flow_gh, FLOW_PKT_ESTABLISHED, FLOW_PKT_TOCLIENT, FLOW_PKT_TOCLIENT_IPONLY_SET, FLOW_PKT_TOSERVER, FLOW_PKT_TOSERVER_IPONLY_SET, FLOW_SGH_TOCLIENT, FLOW_SGH_TOSERVER, 
FLOW_TOCLIENT_IPONLY_SET, FLOW_TOSERVER_IPONLY_SET, Packet_::flowflags, FlowGetAppProtocol(), FlowGetDisruptionFlags(), FlowSetIPOnlyFlag(), Flow_::flowvar, GenericVarFree(), ICMPV4_DEST_UNREACH_IS_VALID, Signature_::id, SignatureNonPrefilterStore_::id, DetectEngineCtx_::io_ctx, DetectEngineThreadCtx_::io_ctx, IP_GET_IPPROTO, IPOnlyMatchPacket(), likely, m, Signature_::mask, SignatureNonPrefilterStore_::mask, DetectEngineThreadCtx_::match_array, DetectEngineThreadCtx_::match_array_cnt, next, DetectEngineThreadCtx_::non_pf_id_array, DetectEngineThreadCtx_::non_pf_id_cnt, SigGroupHead_::non_pf_other_store_array, SigGroupHead_::non_pf_other_store_cnt, DetectEngineThreadCtx_::non_pf_store_cnt, DetectEngineThreadCtx_::non_pf_store_ptr, SigGroupHead_::non_pf_syn_store_array, SigGroupHead_::non_pf_syn_store_cnt, PACKET_DROP, PACKET_PROFILING_DETECT_END, PACKET_PROFILING_DETECT_START, PacketAlertAppend(), PacketAlertFinalize(), PacketCreateMask(), PacketPatternCleanup(), pad, Packet_::payload_len, PKT_DETECT_HAS_STREAMDATA, PKT_HAS_FLOW, PKT_IS_FRAGMENT, PKT_IS_ICMPV4, PKT_IS_IPV4, PKT_IS_IPV6, DetectRunScratchpad::pkt_mask, PKT_STREAM_ADD, PKT_STREAM_EOF, PKT_STREAM_EST, DetectEngineThreadCtx_::pmq, Prefilter(), PROF_DETECT_ALERT, PROF_DETECT_CLEANUP, PROF_DETECT_GETSGH, PROF_DETECT_IPONLY, PROF_DETECT_NONMPMLIST, PROF_DETECT_PF_SORT2, PROF_DETECT_SETUP, PROF_DETECT_TX_UPDATE, DetectEngineCtx_::profile_match_logging_threshold, proto, Flow_::proto, Packet_::proto, Signature_::proto, Flow_::protoctx, DetectEngineThreadCtx_::raw_stream_progress, PrefilterRuleStore_::rule_id_array, PrefilterRuleStore_::rule_id_array_cnt, RULE_PROFILING_END, RULE_PROFILING_START, RulesDumpMatchArray(), SCEnter, SCLogDebug, SCReturn, SCReturnPtr, TcpSession_::server, DetectRunScratchpad::sgh, DetectEngineLookupFlow_::sgh, SGH_PROFILING_RECORD, Flow_::sgh_toclient, Flow_::sgh_toserver, DetectPort_::sh, DetectEngineCtx_::sig_array, SIG_FLAG_APPLAYER, SIG_FLAG_DP_ANY, SIG_FLAG_DSIZE, 
SIG_FLAG_DST_ANY, SIG_FLAG_NOALERT, SIG_FLAG_REQUIRE_FLOWVAR, SIG_FLAG_SP_ANY, SIG_FLAG_SRC_ANY, SIG_GROUP_HEAD_HAVEFILEMD5, SIG_GROUP_HEAD_HAVEFILESHA1, SIG_GROUP_HEAD_HAVEFILESHA256, SIG_GROUP_HEAD_HAVEFILESIZE, SIG_GROUP_HEAD_HAVERAWSTREAM, SigIntId, SigMatchSignaturesGetSgh(), SignatureMask, Packet_::sp, Signature_::sp, Packet_::src, StatsAddUI64(), STREAM_EOF, STREAM_FLUSH, STREAM_TOCLIENT, STREAM_TOSERVER, StreamReassembleRawHasDataReady(), StreamReassembleRawUpdateProgress(), STREAMTCP_STREAM_FLAG_DISABLE_RAW, DetectEngineLookupFlow_::tcp, Packet_::tcph, Flow_::tenant_id, Packet_::tenant_id, TH_SYN, DetectEngineThreadCtx_::ticker, DetectEngineLookupFlow_::udp, unlikely, and DetectEngineCtx_::version.

Referenced by SigGroupHeadContainsSigId() and SigMatchSignaturesGetSgh().

