detect.c File Reference
#include "suricata-common.h"
#include "suricata.h"
#include "decode.h"
#include "packet.h"
#include "flow.h"
#include "stream-tcp.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "app-layer-frames.h"
#include "detect.h"
#include "detect-dsize.h"
#include "detect-engine.h"
#include "detect-engine-build.h"
#include "detect-engine-frame.h"
#include "detect-engine-profile.h"
#include "detect-engine-alert.h"
#include "detect-engine-siggroup.h"
#include "detect-engine-address.h"
#include "detect-engine-proto.h"
#include "detect-engine-port.h"
#include "detect-engine-mpm.h"
#include "detect-engine-iponly.h"
#include "detect-engine-threshold.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-state.h"
#include "detect-engine-analyzer.h"
#include "detect-engine-payload.h"
#include "detect-engine-event.h"
#include "detect-filestore.h"
#include "detect-flowvar.h"
#include "detect-replace.h"
#include "util-validate.h"
#include "util-detect.h"
#include "util-profiling.h"
#include "action-globals.h"
#include "tests/detect.c"


Data Structures

struct  DetectRunScratchpad
 

Macros

#define TRACE_SID_TXS(sid, txs, ...)
 
#define NO_TX
 

Typedefs

typedef struct DetectRunScratchpad DetectRunScratchpad
 

Functions

const SigGroupHead * SigMatchSignaturesGetSgh (const DetectEngineCtx *de_ctx, const Packet *p)
 Get the SigGroupHead for a packet. More...
 
void RuleMatchCandidateTxArrayInit (DetectEngineThreadCtx *det_ctx, uint32_t size)
 
void RuleMatchCandidateTxArrayFree (DetectEngineThreadCtx *det_ctx)
 
void * DetectGetInnerTx (void *tx_ptr, AppProto alproto, AppProto engine_alproto, uint8_t flow_flags)
 
TmEcode Detect (ThreadVars *tv, Packet *p, void *data)
 Detection engine thread wrapper. More...
 
void DisableDetectFlowFileFlags (Flow *f)
 Disable file features we don't need. Called if we have no detection engine. More...
 
void SigMatchSignatures (ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
 wrapper for old tests More...
 

Detailed Description

Author
Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Basic detection engine

Definition in file detect.c.

Macro Definition Documentation

◆ NO_TX

#define NO_TX
Value:
{ \
NULL, 0, NULL, NULL, 0, 0, 0, 0, 0, \
}

Definition at line 1280 of file detect.c.

◆ TRACE_SID_TXS

#define TRACE_SID_TXS(sid, txs, ...)

Definition at line 1064 of file detect.c.

Typedef Documentation

◆ DetectRunScratchpad

Function Documentation

◆ Detect()

TmEcode Detect (ThreadVars *tv, Packet *p, void *data)

Detection engine thread wrapper.

Parameters
tv — thread vars
p — packet to inspect
data — thread specific data
pq — packet queue (no parameter of this name appears in the signature shown above)
Return values
TM_ECODE_FAILED — error
TM_ECODE_OK — ok

Definition at line 1859 of file detect.c.

References de_ctx, DEBUG_VALIDATE_PACKET, DetectEngineThreadCtx_::mt_det_ctxs_cnt, SC_ATOMIC_GET, SC_ATOMIC_SET, SCLogDebug, Packet_::tenant_id, DetectEngineThreadCtx_::TenantGetId, and unlikely.

◆ DetectGetInnerTx()

void* DetectGetInnerTx ( void *  tx_ptr,
AppProto  alproto,
AppProto  engine_alproto,
uint8_t  flow_flags 
)

Definition at line 1067 of file detect.c.

References ALPROTO_DNS, ALPROTO_DOH2, ALPROTO_HTTP2, and unlikely.

Referenced by AlertJsonDoh2(), and DetectRunPrefilterTx().


◆ DisableDetectFlowFileFlags()

void DisableDetectFlowFileFlags (Flow *f)

Disable file features we don't need. Called if we have no detection engine.

Definition at line 1928 of file detect.c.

◆ RuleMatchCandidateTxArrayFree()

void RuleMatchCandidateTxArrayFree (DetectEngineThreadCtx *det_ctx)

◆ RuleMatchCandidateTxArrayInit()

void RuleMatchCandidateTxArrayInit (DetectEngineThreadCtx *det_ctx, uint32_t size)

◆ SigMatchSignatures()

void SigMatchSignatures (ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)

wrapper for old tests

Definition at line 1938 of file detect.c.

References Packet_::flow.

Referenced by UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().


◆ SigMatchSignaturesGetSgh()

const SigGroupHead *SigMatchSignaturesGetSgh (const DetectEngineCtx *de_ctx, const Packet *p)

Get the SigGroupHead for a packet.

Parameters
de_ctx — detection engine context
p — packet
Return values
sgh — the SigGroupHead, or NULL if none applies to the packet

Definition at line 220 of file detect.c.

References PacketEngineEvents_::cnt, de_ctx, DetectEngineCtx_::decoder_event_sgh, Packet_::events, Packet_::proto, SCEnter, and SCReturnPtr.