detect.c File Reference
#include "suricata-common.h"
#include "suricata.h"
#include "conf.h"
#include "decode.h"
#include "flow.h"
#include "stream-tcp.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "detect.h"
#include "detect-engine.h"
#include "detect-engine-profile.h"
#include "detect-engine-alert.h"
#include "detect-engine-siggroup.h"
#include "detect-engine-address.h"
#include "detect-engine-proto.h"
#include "detect-engine-port.h"
#include "detect-engine-mpm.h"
#include "detect-engine-iponly.h"
#include "detect-engine-threshold.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-state.h"
#include "detect-engine-analyzer.h"
#include "detect-engine-payload.h"
#include "detect-engine-event.h"
#include "detect-filestore.h"
#include "detect-flowvar.h"
#include "detect-replace.h"
#include "util-validate.h"
#include "util-detect.h"
#include "tests/detect.c"


Data Structures

struct  DetectRunScratchpad
 

Macros

#define TRACE_SID_TXS(sid, txs, ...)
 

Typedefs

typedef struct DetectRunScratchpad DetectRunScratchpad
 

Functions

const SigGroupHead * SigMatchSignaturesGetSgh (const DetectEngineCtx *de_ctx, const Packet *p)
 Get the SigGroupHead for a packet, or NULL if no group applies. More...
 
void RuleMatchCandidateTxArrayInit (DetectEngineThreadCtx *det_ctx, uint32_t size)
 
void RuleMatchCandidateTxArrayFree (DetectEngineThreadCtx *det_ctx)
 
void DetectSignatureApplyActions (Packet *p, const Signature *s, const uint8_t alert_flags)
 Apply action(s) and Set 'drop' sig info, if applicable. More...
 
TmEcode Detect (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
 Detection engine thread wrapper. More...
 
void DisableDetectFlowFileFlags (Flow *f)
 Disable file features we don't need. Called if we have no detection engine. More...
 
void SigMatchSignatures (ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
 wrapper for old tests More...
 

Detailed Description

Author
Victor Julien <victor@inliniac.net>

Basic detection engine

Definition in file detect.c.

Macro Definition Documentation

#define TRACE_SID_TXS (   sid,
  txs,
  ... 
)

Definition at line 1116 of file detect.c.

Typedef Documentation

Function Documentation

TmEcode Detect ( ThreadVars * tv,
Packet * p,
void * data,
PacketQueue * pq,
PacketQueue * postpq
)

Detection engine thread wrapper. Judging by the references listed below, it selects the detection-engine context to use for this packet (per thread, and — when several tenant contexts are loaded — per tenant via Packet_::tenant_id / TenantGetId and mt_det_ctxs_hash) before the packet is inspected; presumably a context that cannot be resolved is reported as TM_ECODE_FAILED rather than silently skipping inspection — confirm against the definition at line 1684.

Parameters
tv — thread vars
p — packet to inspect
data — thread specific data (the DetectEngineThreadCtx)
pq — packet queue
postpq — post-processing packet queue (not described in the source comment)
Return values
TM_ECODE_FAILED — error
TM_ECODE_OK — ok

Definition at line 1684 of file detect.c.

References DetectEngineThreadCtx_::de_ctx, DEBUG_VALIDATE_PACKET, Packet_::flow, DetectEngineThreadCtx_::mt_det_ctxs_cnt, DetectEngineThreadCtx_::mt_det_ctxs_hash, SC_ATOMIC_GET, SC_ATOMIC_SET, SCLogDebug, Packet_::tenant_id, DetectEngineThreadCtx_::TenantGetId, TM_ECODE_FAILED, TM_ECODE_OK, and unlikely.

void DisableDetectFlowFileFlags ( Flow * f )

Disable file features we don't need. Called if we have no detection engine, so that file extraction, hashing and storing are not performed for a flow that nothing will inspect.

Definition at line 1742 of file detect.c.

References STREAM_TOCLIENT, and STREAM_TOSERVER.

void RuleMatchCandidateTxArrayFree ( DetectEngineThreadCtx * det_ctx )
void RuleMatchCandidateTxArrayInit ( DetectEngineThreadCtx * det_ctx,
uint32_t size
)
void SigMatchSignatures ( ThreadVars * th_v,
DetectEngineCtx * de_ctx,
DetectEngineThreadCtx * det_ctx,
Packet * p
)

wrapper for old tests

Definition at line 1752 of file detect.c.

Referenced by AlertFastLogInitCtx(), DetectAckRegister(), DetectBase64DecodeDoMatch(), DetectBypassRegister(), DetectDceGetState(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectFastPatternRegister(), DetectFlowbitsAnalyze(), DetectFlowFree(), DetectFlowintFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectGeoipRegister(), DetectHostbitFree(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectPcrePayloadMatch(), DetectProtoContainsProto(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSetupParseRegexes(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslStateRegister(), DetectSslVersionRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3StringRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), DetectTlsSubjectRegister(), DetectTlsValidityRegister(), DetectTlsVersionRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), DetectXbitFree(), MpmACRegister(), MpmACTileRegister(), RegisterModbusParsers(), SCACBSPrintInfo(), SCThresholdConfParseFile(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), TagTimeoutCheck(), UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().

const SigGroupHead * SigMatchSignaturesGetSgh ( const DetectEngineCtx * de_ctx,
const Packet * p
)

Get the SigGroupHead for a packet.

Parameters
de_ctx — detection engine context
p — packet
Return values
sgh — the SigGroupHead, or NULL if none applies to the packet. Callers must check for NULL before dereferencing; a NULL result means no signature group covers this packet, so no signature inspection takes place for it.

Definition at line 184 of file detect.c.

References Signature_::action, ACTION_DROP, Signature_::addr_dst_match4, Signature_::addr_dst_match4_cnt, Signature_::addr_dst_match6, Signature_::addr_dst_match6_cnt, Signature_::addr_src_match4, Signature_::addr_src_match4_cnt, Signature_::addr_src_match6, Signature_::addr_src_match6_cnt, Packet_::alerts, Flow_::alparser, DetectRunScratchpad::alproto, Signature_::alproto, SignatureNonPrefilterStore_::alproto, ALPROTO_DCERPC, ALPROTO_SMB, ALPROTO_SMB2, ALPROTO_UNKNOWN, Flow_::alstate, DetectRunScratchpad::app_decoder_events, Signature_::app_inspect, AppLayerParserHasDecoderEvents(), AppLayerParserProtocolSupportsTxs(), DetectEngineThreadCtx_::base64_decoded_len, BUG_ON, TcpSession_::client, PacketAlerts_::cnt, PacketEngineEvents_::cnt, DetectEngineThreadCtx_::counter_alerts, DetectEngineThreadCtx_::counter_fnonmpm_list, DetectEngineThreadCtx_::counter_match_list, DetectEngineThreadCtx_::counter_mpm_list, DetectEngineThreadCtx_::counter_nonmpm_list, SigMatchData_::ctx, Flow_::de_ctx_version, DEBUG_VALIDATE_BUG_ON, DetectEngineCtx_::decoder_event_sgh, DeStateUpdateInspectTransactionId(), DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH, DETECT_PROTO_IPV4, DETECT_PROTO_IPV6, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_PMATCH, DetectAddressMatchIPv4(), DetectAddressMatchIPv6(), DetectEngineInspectPacketPayload(), DetectEngineInspectStreamPayload(), DetectEngineStateResetTxs(), DetectPortLookupGroup(), DetectProtoContainsProto(), DetectSignatureApplyActions(), Packet_::dp, Signature_::dp, Signature_::dsize_high, Signature_::dsize_low, Packet_::dst, Packet_::events, FileDisableFilesize(), FileDisableMagic(), FileDisableMd5(), FileDisableSha1(), FileDisableSha256(), FileDisableStoring(), FileForceFilestore(), FileForceMagic(), FileForceMd5(), FileForceSha1(), FileForceSha256(), DetectEngineThreadCtx_::filestore_cnt, SigGroupHead_::filestore_cnt, DetectProto_::flags, TcpStream_::flags, Flow_::flags, Packet_::flags, Signature_::flags, DetectEngineThreadCtx_::flags, 
SigGroupHead_::flags, FLOW_ACTION_DROP, DetectRunScratchpad::flow_flags, DetectEngineCtx_::flow_gh, FLOW_PKT_ESTABLISHED, FLOW_PKT_TOCLIENT, FLOW_PKT_TOCLIENT_IPONLY_SET, FLOW_PKT_TOSERVER, FLOW_PKT_TOSERVER_IPONLY_SET, FLOW_SGH_TOCLIENT, FLOW_SGH_TOSERVER, FLOW_TOCLIENT_IPONLY_SET, FLOW_TOSERVER_IPONLY_SET, Packet_::flowflags, FlowGetAppProtocol(), FlowGetDisruptionFlags(), FlowSetIPOnlyFlag(), Flow_::flowvar, GenericVarFree(), ICMPV4_DEST_UNREACH_IS_VALID, Signature_::id, SignatureNonPrefilterStore_::id, DetectEngineCtx_::io_ctx, DetectEngineThreadCtx_::io_ctx, IP_GET_IPPROTO, IPOnlyMatchPacket(), SigMatchData_::is_last, KEYWORD_PROFILING_END, KEYWORD_PROFILING_SET_LIST, KEYWORD_PROFILING_START, likely, m, Signature_::mask, SignatureNonPrefilterStore_::mask, SigTableElmt_::Match, DetectEngineThreadCtx_::match_array, DetectEngineThreadCtx_::match_array_cnt, next, DetectEngineThreadCtx_::non_pf_id_array, DetectEngineThreadCtx_::non_pf_id_cnt, SigGroupHead_::non_pf_other_store_array, SigGroupHead_::non_pf_other_store_cnt, DetectEngineThreadCtx_::non_pf_store_cnt, DetectEngineThreadCtx_::non_pf_store_ptr, SigGroupHead_::non_pf_syn_store_array, SigGroupHead_::non_pf_syn_store_cnt, PACKET_ALERT_FLAG_DROP_FLOW, PACKET_ALERT_FLAG_STREAM_MATCH, PACKET_DROP, PACKET_PROFILING_DETECT_END, PACKET_PROFILING_DETECT_START, PacketAlertAppend(), PacketAlertFinalize(), PacketCreateMask(), PacketPatternCleanup(), pad, Packet_::payload_len, PKT_DETECT_HAS_STREAMDATA, PKT_HAS_FLOW, PKT_IS_FRAGMENT, PKT_IS_ICMPV4, PKT_IS_IPV4, PKT_IS_IPV6, DetectRunScratchpad::pkt_mask, PKT_STREAM_ADD, PKT_STREAM_EOF, PKT_STREAM_EST, DetectEngineThreadCtx_::pmq, Prefilter(), PROF_DETECT_ALERT, PROF_DETECT_CLEANUP, PROF_DETECT_GETSGH, PROF_DETECT_IPONLY, PROF_DETECT_NONMPMLIST, PROF_DETECT_PF_SORT2, PROF_DETECT_SETUP, PROF_DETECT_TX_UPDATE, DetectEngineCtx_::profile_match_logging_threshold, proto, Flow_::proto, Packet_::proto, Signature_::proto, Flow_::protoctx, 
DetectEngineThreadCtx_::raw_stream_progress, PrefilterRuleStore_::rule_id_array, PrefilterRuleStore_::rule_id_array_cnt, RULE_PROFILING_END, RULE_PROFILING_START, RulesDumpMatchArray(), SCEnter, SCLogDebug, SCReturn, SCReturnPtr, TcpSession_::server, DetectRunScratchpad::sgh, DetectEngineLookupFlow_::sgh, SGH_PROFILING_RECORD, Flow_::sgh_toclient, Flow_::sgh_toserver, DetectPort_::sh, DetectEngineCtx_::sig_array, SIG_FLAG_APPLAYER, SIG_FLAG_DP_ANY, SIG_FLAG_DSIZE, SIG_FLAG_DST_ANY, SIG_FLAG_NOALERT, SIG_FLAG_REQUIRE_FLOWVAR, SIG_FLAG_REQUIRE_PACKET, SIG_FLAG_REQUIRE_STREAM, SIG_FLAG_SP_ANY, SIG_FLAG_SRC_ANY, SIG_GROUP_HEAD_HAVEFILEMD5, SIG_GROUP_HEAD_HAVEFILESHA1, SIG_GROUP_HEAD_HAVEFILESHA256, SIG_GROUP_HEAD_HAVEFILESIZE, SIG_GROUP_HEAD_HAVERAWSTREAM, SigIntId, sigmatch_table, SigMatchSignaturesGetSgh(), SignatureMask, Signature_::sm_arrays, Packet_::sp, Signature_::sp, Packet_::src, StatsAddUI64(), STREAM_EOF, STREAM_FLUSH, STREAM_TOCLIENT, STREAM_TOSERVER, StreamReassembleRawHasDataReady(), StreamReassembleRawUpdateProgress(), STREAMTCP_STREAM_FLAG_DISABLE_RAW, DetectEngineLookupFlow_::tcp, Packet_::tcph, Flow_::tenant_id, Packet_::tenant_id, TH_SYN, DetectEngineThreadCtx_::ticker, SigMatchData_::type, DetectEngineLookupFlow_::udp, unlikely, and DetectEngineCtx_::version.

Referenced by SigGroupHeadContainsSigId(), and SigMatchSignaturesGetSgh().
