#include "suricata-common.h"#include "flow.h"#include "app-layer-events.h"#include "detect-engine-proto.h"#include "detect-reference.h"#include "detect-metadata.h"#include "detect-engine-register.h"#include "util-prefilter.h"#include "util-mpm.h"#include "util-spm.h"#include "util-hash.h"#include "util-hashlist.h"#include "util-radix-tree.h"#include "util-file.h"#include "reputation.h"#include "detect-threshold.h"
Go to the source code of this file.
Variables | |
| SigTableElmt | sigmatch_table [DETECT_TBLSIZE] |
Detailed Description
Definition in file detect.h.
Macro Definition Documentation
◆ ADDRESS_FLAG_NOT
◆ DE_QUIET
◆ DETECT_DEFAULT_PRIO
| #define DETECT_DEFAULT_PRIO 3 |
◆ DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET
◆ DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH
| #define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH 0x0004 |
◆ DETECT_FILESTORE_MAX
◆ DETECT_MAX_RULE_SIZE
◆ DETECT_SM_LIST_NOTSET
◆ DETECT_TRANSFORMS_MAX
◆ DETECT_VAR_TYPE_FLOW_POSTMATCH
| #define DETECT_VAR_TYPE_FLOW_POSTMATCH 1 |
◆ DETECT_VAR_TYPE_PKT_POSTMATCH
◆ ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE
| #define ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE (ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO + 1) |
◆ FILE_SIG_NEED_FILE
◆ FILE_SIG_NEED_FILECONTENT
◆ FILE_SIG_NEED_FILENAME
◆ FILE_SIG_NEED_MAGIC
| #define FILE_SIG_NEED_MAGIC 0x04 |
◆ FILE_SIG_NEED_MD5
◆ FILE_SIG_NEED_SHA1
◆ FILE_SIG_NEED_SHA256
◆ FILE_SIG_NEED_SIZE
◆ FLOW_STATES
◆ PORT_FLAG_ANY
◆ PORT_FLAG_NOT
◆ PORT_SIGGROUPHEAD_COPY
◆ SIG_FLAG_APPLAYER
| #define SIG_FLAG_APPLAYER BIT_U32(6) |
◆ SIG_FLAG_BYPASS
◆ SIG_FLAG_DEST_IS_TARGET
| #define SIG_FLAG_DEST_IS_TARGET BIT_U32(26) |
◆ SIG_FLAG_DP_ANY
◆ SIG_FLAG_DSIZE
| #define SIG_FLAG_DSIZE BIT_U32(5) |
◆ SIG_FLAG_DST_ANY
◆ SIG_FLAG_FILESTORE
| #define SIG_FLAG_FILESTORE BIT_U32(18) |
◆ SIG_FLAG_FLUSH
| #define SIG_FLAG_FLUSH BIT_U32(12) |
◆ SIG_FLAG_HAS_TARGET
| #define SIG_FLAG_HAS_TARGET (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET) |
◆ SIG_FLAG_INIT_BIDIREC
| #define SIG_FLAG_INIT_BIDIREC BIT_U32(3) |
◆ SIG_FLAG_INIT_DEONLY
| #define SIG_FLAG_INIT_DEONLY BIT_U32(0) |
◆ SIG_FLAG_INIT_FILEDATA
| #define SIG_FLAG_INIT_FILEDATA BIT_U32(9) |
◆ SIG_FLAG_INIT_FIRST_IPPROTO_SEEN
| #define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN BIT_U32(4) /** < signature has seen the first ip_proto keyword */ |
◆ SIG_FLAG_INIT_FLOW
| #define SIG_FLAG_INIT_FLOW BIT_U32(2) |
◆ SIG_FLAG_INIT_HAS_TRANSFORM
◆ SIG_FLAG_INIT_JA3
| #define SIG_FLAG_INIT_JA3 BIT_U32(10) |
◆ SIG_FLAG_INIT_NEED_FLUSH
◆ SIG_FLAG_INIT_PACKET
| #define SIG_FLAG_INIT_PACKET BIT_U32(1) |
◆ SIG_FLAG_INIT_PRIO_EXPLICT
| #define SIG_FLAG_INIT_PRIO_EXPLICT BIT_U32(8) |
◆ SIG_FLAG_INIT_STATE_MATCH
| #define SIG_FLAG_INIT_STATE_MATCH BIT_U32(6) |
◆ SIG_FLAG_IPONLY
◆ SIG_FLAG_LIKE_IPONLY
| #define SIG_FLAG_LIKE_IPONLY BIT_U32(8) |
◆ SIG_FLAG_MPM_NEG
◆ SIG_FLAG_NOALERT
◆ SIG_FLAG_PDONLY
| #define SIG_FLAG_PDONLY BIT_U32(24) |
◆ SIG_FLAG_PREFILTER
| #define SIG_FLAG_PREFILTER BIT_U32(23) |
◆ SIG_FLAG_REQUIRE_FLOWVAR
| #define SIG_FLAG_REQUIRE_FLOWVAR BIT_U32(17) |
◆ SIG_FLAG_REQUIRE_PACKET
| #define SIG_FLAG_REQUIRE_PACKET BIT_U32(9) |
◆ SIG_FLAG_REQUIRE_STREAM
| #define SIG_FLAG_REQUIRE_STREAM BIT_U32(10) |
◆ SIG_FLAG_SP_ANY
◆ SIG_FLAG_SRC_ANY
| #define SIG_FLAG_SRC_ANY BIT_U32(0) |
◆ SIG_FLAG_SRC_IS_TARGET
| #define SIG_FLAG_SRC_IS_TARGET BIT_U32(25) |
◆ SIG_FLAG_TLSSTORE
◆ SIG_FLAG_TOCLIENT
◆ SIG_FLAG_TOSERVER
◆ SIG_GROUP_HEAD_HAVEFILEMD5
◆ SIG_GROUP_HEAD_HAVEFILESHA1
◆ SIG_GROUP_HEAD_HAVEFILESHA256
◆ SIG_GROUP_HEAD_HAVEFILESIZE
◆ SIG_GROUP_HEAD_HAVERAWSTREAM
◆ SIG_MASK_REQUIRE_DCERPC
| #define SIG_MASK_REQUIRE_DCERPC BIT_U8(5) /* require either SMB+DCE or raw DCE */ |
◆ SIG_MASK_REQUIRE_ENGINE_EVENT
◆ SIG_MASK_REQUIRE_FLAGS_INITDEINIT
| #define SIG_MASK_REQUIRE_FLAGS_INITDEINIT BIT_U8(2) /* SYN, FIN, RST */ |
◆ SIG_MASK_REQUIRE_FLAGS_UNUSUAL
| #define SIG_MASK_REQUIRE_FLAGS_UNUSUAL BIT_U8(3) /* URG, ECN, CWR */ |
◆ SIG_MASK_REQUIRE_FLOW
◆ SIG_MASK_REQUIRE_NO_PAYLOAD
◆ SIG_MASK_REQUIRE_PAYLOAD
| #define SIG_MASK_REQUIRE_PAYLOAD BIT_U8(0) |
◆ SIGMATCH_DEONLY_COMPAT
| #define SIGMATCH_DEONLY_COMPAT BIT_U16(2) |
◆ SIGMATCH_HANDLE_NEGATION
| #define SIGMATCH_HANDLE_NEGATION BIT_U16(7) |
◆ SIGMATCH_INFO_CONTENT_MODIFIER
| #define SIGMATCH_INFO_CONTENT_MODIFIER BIT_U16(8) |
◆ SIGMATCH_INFO_DEPRECATED
| #define SIGMATCH_INFO_DEPRECATED BIT_U16(10) |
◆ SIGMATCH_INFO_STICKY_BUFFER
| #define SIGMATCH_INFO_STICKY_BUFFER BIT_U16(9) |
◆ SIGMATCH_IPONLY_COMPAT
| #define SIGMATCH_IPONLY_COMPAT BIT_U16(1) |
◆ SIGMATCH_NOOPT
| #define SIGMATCH_NOOPT BIT_U16(0) |
◆ SIGMATCH_NOT_BUILT
◆ SIGMATCH_OPTIONAL_OPT
| #define SIGMATCH_OPTIONAL_OPT BIT_U16(4) |
◆ SIGMATCH_QUOTES_MANDATORY
| #define SIGMATCH_QUOTES_MANDATORY BIT_U16(6) |
◆ SIGMATCH_QUOTES_OPTIONAL
| #define SIGMATCH_QUOTES_OPTIONAL BIT_U16(5) |
◆ SIGMATCH_STRICT_PARSING
| #define SIGMATCH_STRICT_PARSING BIT_U16(11) |
◆ SignatureMask
◆ sm_lists
◆ sm_lists_tail
Typedef Documentation
◆ AppLayerTxData
| typedef struct AppLayerTxData AppLayerTxData |
◆ DetectAddress
| typedef struct DetectAddress_ DetectAddress |
address structure for use in the detection engine.
Contains the address information and matching information.
◆ DetectAddressHead
| typedef struct DetectAddressHead_ DetectAddressHead |
Address grouping head. IPv4 and IPv6 are split out
◆ DetectBufferMpmRegistery
| typedef struct DetectBufferMpmRegistery_ DetectBufferMpmRegistery |
one time registration of keywords at start up
◆ DetectBufferType
| typedef struct DetectBufferType_ DetectBufferType |
◆ DetectEngineAppInspectionEngine
| typedef struct DetectEngineAppInspectionEngine_ DetectEngineAppInspectionEngine |
◆ DetectEngineCtx
| typedef struct DetectEngineCtx_ DetectEngineCtx |
main detection engine ctx
◆ DetectEngineFrameInspectionEngine
◆ DetectEngineIPOnlyCtx
| typedef struct DetectEngineIPOnlyCtx_ DetectEngineIPOnlyCtx |
IP only rules matching ctx.
◆ DetectEngineIPOnlyThreadCtx
| typedef struct DetectEngineIPOnlyThreadCtx_ DetectEngineIPOnlyThreadCtx |
◆ DetectEngineLookupFlow
| typedef struct DetectEngineLookupFlow_ DetectEngineLookupFlow |
◆ DetectEngineMasterCtx
| typedef struct DetectEngineMasterCtx_ DetectEngineMasterCtx |
◆ DetectEnginePktInspectionEngine
| typedef struct DetectEnginePktInspectionEngine DetectEnginePktInspectionEngine |
◆ DetectEngineTenantMapping
| typedef struct DetectEngineTenantMapping_ DetectEngineTenantMapping |
◆ DetectEngineThreadCtx
| typedef struct DetectEngineThreadCtx_ DetectEngineThreadCtx |
Detection engine thread data.
◆ DetectEngineThreadKeywordCtxItem
◆ DetectEngineTransforms
| typedef struct DetectEngineTransforms DetectEngineTransforms |
◆ DetectMatchAddressIPv4
| typedef struct DetectMatchAddressIPv4_ DetectMatchAddressIPv4 |
◆ DetectMatchAddressIPv6
| typedef struct DetectMatchAddressIPv6_ DetectMatchAddressIPv6 |
◆ DetectPatternTracker
| typedef struct DetectPatternTracker DetectPatternTracker |
◆ DetectPort
| typedef struct DetectPort_ DetectPort |
Port structure for detection engine.
◆ DetectReplaceList
| typedef struct DetectReplaceList_ DetectReplaceList |
◆ DetectVarList
| typedef struct DetectVarList_ DetectVarList |
list for flowvar store candidates, to be stored from post-match function
◆ InspectEngineFuncPtr2
| typedef uint8_t(* InspectEngineFuncPtr2) (struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id) |
◆ InspectionBuffer
| typedef struct InspectionBuffer InspectionBuffer |
◆ InspectionBufferFrameInspectFunc
| typedef int(* InspectionBufferFrameInspectFunc) (struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame) |
◆ InspectionBufferGetDataPtr
| typedef InspectionBuffer*(* InspectionBufferGetDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id) |
◆ InspectionBufferGetPktDataPtr
| typedef InspectionBuffer*(* InspectionBufferGetPktDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id) |
◆ InspectionBufferMultipleForList
| typedef struct InspectionBufferMultipleForList InspectionBufferMultipleForList |
◆ InspectionBufferPktInspectFunc
| typedef int(* InspectionBufferPktInspectFunc) (struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags) |
◆ IPOnlyCIDRItem
| typedef struct IPOnlyCIDRItem_ IPOnlyCIDRItem |
◆ MpmStore
◆ PrefilterEngine
| typedef struct PrefilterEngine_ PrefilterEngine |
◆ PrefilterEngineList
| typedef struct PrefilterEngineList_ PrefilterEngineList |
◆ PrefilterFrameFn
| typedef void(* PrefilterFrameFn) (DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, const struct Frames *frames, const struct Frame *frame) |
◆ PrefilterTxFn
| typedef void(* PrefilterTxFn) (DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t tx_id, const AppLayerTxData *tx_data, const uint8_t flags) |
◆ RuleMatchCandidateTx
| typedef struct RuleMatchCandidateTx RuleMatchCandidateTx |
array of TX inspect rule candidates
◆ SCFPSupportSMList
| typedef struct SCFPSupportSMList_ SCFPSupportSMList |
◆ SigFileLoaderStat
| typedef struct SigFileLoaderStat_ SigFileLoaderStat |
Signature loader statistics.
◆ SigGroupHead
| typedef struct SigGroupHead_ SigGroupHead |
Container for matching data for a signature group.
◆ SigGroupHeadInitData
| typedef struct SigGroupHeadInitData_ SigGroupHeadInitData |
◆ SigMatch
◆ SigMatchCtx
| typedef struct SigMatchCtx_ SigMatchCtx |
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something else.
◆ SigMatchData
| typedef struct SigMatchData_ SigMatchData |
Data needed for Match()
◆ Signature
| typedef struct Signature_ Signature |
Signature container.
◆ SignatureInitData
| typedef struct SignatureInitData_ SignatureInitData |
◆ SignatureNonPrefilterStore
| typedef struct SignatureNonPrefilterStore_ SignatureNonPrefilterStore |
◆ SigString
| typedef struct SigString_ SigString |
◆ SigTableElmt
| typedef struct SigTableElmt_ SigTableElmt |
element in sigmatch type table.
◆ ThresholdCtx
| typedef struct ThresholdCtx_ ThresholdCtx |
threshold ctx
◆ TransformData
| typedef struct TransformData_ TransformData |
Enumeration Type Documentation
◆ anonymous enum
| anonymous enum |
◆ anonymous enum
| anonymous enum |
◆ anonymous enum
| anonymous enum |
◆ anonymous enum
| anonymous enum |
◆ anonymous enum
| anonymous enum |
◆ DetectBufferMpmType
| enum DetectBufferMpmType |
◆ DetectEnginePrefilterSetting
◆ DetectEngineTenantSelectors
◆ DetectEngineType
| enum DetectEngineType |
◆ DetectSigmatchListEnum
◆ MpmBuiltinBuffers
| enum MpmBuiltinBuffers |
Function Documentation
◆ AlertQueueAppend()
| void AlertQueueAppend | ( | DetectEngineThreadCtx * | det_ctx, |
| const Signature * | s, | ||
| Packet * | p, | ||
| uint64_t | tx_id, | ||
| uint8_t | alert_flags | ||
| ) |
Append signature to local packet alert queue for later preprocessing.
Definition at line 283 of file detect-engine-alert.c.
References PacketAlert_::action, Signature_::action, ACTION_DROP, Packet_::alerts, and PacketAlerts_::drop.
◆ AlertQueueFree()
| void AlertQueueFree | ( | DetectEngineThreadCtx * | det_ctx | ) |
Definition at line 235 of file detect-engine-alert.c.
References DetectEngineThreadCtx_::alert_queue, DetectEngineThreadCtx_::alert_queue_capacity, and SCFree.
◆ AlertQueueInit()
| void AlertQueueInit | ( | DetectEngineThreadCtx * | det_ctx | ) |
Definition at line 222 of file detect-engine-alert.c.
References DetectEngineThreadCtx_::alert_queue, DetectEngineThreadCtx_::alert_queue_capacity, DetectEngineThreadCtx_::alert_queue_size, FatalError, packet_alert_max, SCCalloc, and SCLogDebug.
◆ Detect()
| TmEcode Detect | ( | ThreadVars * | tv, |
| Packet * | p, | ||
| void * | data | ||
| ) |
Detection engine thread wrapper.
Remember to add the options in SignatureIsIPOnly() at detect.c otherwise it wont be part of a signature group
- Parameters
-
tv thread vars p packet to inspect data thread specific data pq packet queue
- Return values
-
TM_ECODE_FAILED error TM_ECODE_OK ok
◆ DetectEngineGetEventInfo()
| int DetectEngineGetEventInfo | ( | const char * | event_name, |
| int * | event_id, | ||
| AppLayerEventType * | event_type | ||
| ) |
Definition at line 4671 of file detect-engine.c.
References APP_LAYER_EVENT_TYPE_TRANSACTION, det_ctx_event_table, SCLogError, and SCMapEnumNameToValue().
◆ DetectEngineGetEvents()
| AppLayerDecoderEvents* DetectEngineGetEvents | ( | DetectEngineThreadCtx * | det_ctx | ) |
Definition at line 4666 of file detect-engine.c.
References DetectEngineThreadCtx_::decoder_events.
◆ DetectEngineSetEvent()
| void DetectEngineSetEvent | ( | DetectEngineThreadCtx * | det_ctx, |
| uint8_t | e | ||
| ) |
Definition at line 4660 of file detect-engine.c.
References AppLayerDecoderEventsSetEventRaw(), DetectEngineThreadCtx_::decoder_events, and DetectEngineThreadCtx_::events.
Referenced by FileSwfDecompression(), FileSwfLzmaDecompression(), FileSwfZlibDecompression(), and InspectionBufferMultipleForListGet().
◆ DetectFlowbitsAnalyze()
| int DetectFlowbitsAnalyze | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 408 of file detect-flowbits.c.
References DetectFlowbitsData_::cmd, FBAnalyze::cnts, SigMatch_::ctx, de_ctx, DETECT_FLOWBITS, DETECT_FLOWBITS_CMD_ISNOTSET, DETECT_FLOWBITS_CMD_ISSET, DETECT_FLOWBITS_CMD_SET, DETECT_FLOWBITS_CMD_TOGGLE, DETECT_FLOWBITS_CMD_UNSET, DETECT_SM_LIST_DYNAMIC_START, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_POSTMATCH, Signature_::id, DetectFlowbitsData_::idx, Signature_::init_data, SignatureInitData_::init_flags, FBAnalyze::isnotset_sids, FBAnalyze::isnotset_sids_idx, FBAnalyze::isnotset_sids_size, FBAnalyze::isset_sids, FBAnalyze::isset_sids_idx, FBAnalyze::isset_sids_size, MAX, DetectEngineCtx_::max_fb_id, MAX_SIDS, SigMatch_::next, Signature_::num, DetectFlowbitsData_::or_list, DetectFlowbitsData_::or_list_size, rule_engine_analysis_set, SCCalloc, SCFree, SCLogDebug, SCLogError, SCLogWarning, SCRealloc, FBAnalyze::set_sids, FBAnalyze::set_sids_idx, FBAnalyze::set_sids_size, DetectEngineCtx_::sig_array, DetectEngineCtx_::sig_array_len, SIG_FLAG_INIT_STATE_MATCH, SignatureInitData_::smlists, SignatureInitData_::smlists_array_size, FBAnalyze::state_cnts, FBAnalyze::toggle_sids, FBAnalyze::toggle_sids_idx, FBAnalyze::toggle_sids_size, SigMatch_::type, FBAnalyze::unset_sids, FBAnalyze::unset_sids_idx, FBAnalyze::unset_sids_size, VAR_TYPE_FLOW_BIT, and VarNameStoreSetupLookup().
◆ DetectGetTagSignature()
| Signature* DetectGetTagSignature | ( | void | ) |
◆ DetectLoadCompleteSigPath()
| char* DetectLoadCompleteSigPath | ( | const DetectEngineCtx * | de_ctx, |
| const char * | sig_file | ||
| ) |
Create the path if default-rule-path was specified.
- Parameters
-
sig_file The name of the file
- Return values
-
str Pointer to the string path + sig_file
Definition at line 61 of file detect-engine-loader.c.
References ConfGetNode(), DetectEngineCtx_::config_prefix, de_ctx, ConfNode_::final, PathIsRelative(), SCLogDebug, SCLogError, SCMalloc, SCStrdup, strlcat(), strlcpy(), unlikely, and ConfNode_::val.
◆ DetectMetadataHashFree()
| void DetectMetadataHashFree | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 80 of file detect-metadata.c.
References de_ctx, HashTableFree(), and DetectEngineCtx_::metadata_table.
◆ DetectMetadataHashInit()
| int DetectMetadataHashInit | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 69 of file detect-metadata.c.
References de_ctx, DetectEngineMustParseMetadata(), HashTableInit(), DetectEngineCtx_::metadata_table, StringHashCompareFunc(), StringHashFreeFunc(), and StringHashFunc().
◆ DetectRegisterThreadCtxFuncs()
| int DetectRegisterThreadCtxFuncs | ( | DetectEngineCtx * | de_ctx, |
| const char * | name, | ||
| void *(*)(void *) | InitFunc, | ||
| void * | data, | ||
| void(*)(void *) | FreeFunc, | ||
| int | mode | ||
| ) |
Register Thread keyword context Funcs.
- Parameters
-
de_ctx detection engine to register in name keyword name for error printing InitFunc function ptr data keyword init data to pass to Func. Can be NULL. FreeFunc function ptr mode 0 normal (ctx per keyword instance) 1 shared (one ctx per det_ct)
- Return values
-
id for retrieval of ctx at runtime -1 on error
- Note
- make sure "data" remains valid and it free'd elsewhere. It's recommended to store it in the keywords global ctx so that it's freed when the de_ctx is freed.
Definition at line 3444 of file detect-engine.c.
References BUG_ON, de_ctx, HashListTableInit(), and DetectEngineCtx_::keyword_hash.
◆ DetectThreadCtxGetKeywordThreadCtx()
| void* DetectThreadCtxGetKeywordThreadCtx | ( | DetectEngineThreadCtx * | det_ctx, |
| int | id | ||
| ) |
Retrieve thread local keyword ctx by id.
- Parameters
-
det_ctx detection engine thread ctx to retrieve the ctx from id id of the ctx returned by DetectRegisterThreadCtxInitFunc at keyword init.
- Return values
-
ctx or NULL on error
Definition at line 3514 of file detect-engine.c.
References DetectEngineThreadCtx_::keyword_ctxs_array, and DetectEngineThreadCtx_::keyword_ctxs_size.
Referenced by DetectPcrePayloadMatch().
◆ DetectUnregisterThreadCtxFuncs()
| int DetectUnregisterThreadCtxFuncs | ( | DetectEngineCtx * | de_ctx, |
| void * | data, | ||
| const char * | name | ||
| ) |
Remove Thread keyword context registration.
- Parameters
-
de_ctx detection engine to deregister from det_ctx detection engine thread context to deregister from data keyword init data to pass to Func. Can be NULL. name keyword name for error printing
- Return values
-
1 Item unregistered 0 otherwise
- Note
- make sure "data" remains valid and it free'd elsewhere. It's recommended to store it in the keywords global ctx so that it's freed when the de_ctx is freed.
Definition at line 3496 of file detect-engine.c.
References DetectEngineThreadKeywordCtxItem_::data, de_ctx, HashListTableRemove(), and DetectEngineCtx_::keyword_hash.
◆ DisableDetectFlowFileFlags()
| void DisableDetectFlowFileFlags | ( | Flow * | f | ) |
◆ DumpPatterns()
| void DumpPatterns | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 1121 of file detect-engine-analyzer.c.
References DetectEngineCtx_::buffer_type_id, DetectPatternTracker::cd, DetectPatternTracker::cnt, ConfigGetLogDirectory(), DetectContentData_::content_len, de_ctx, DETECT_CONTENT_DEPTH, DETECT_CONTENT_ENDS_WITH, DETECT_CONTENT_NEGATED, DETECT_CONTENT_NOCASE, DETECT_CONTENT_OFFSET, DETECT_SM_LIST_DYNAMIC_START, DetectContentPatternPrettyPrint(), DetectEngineBufferTypeGetNameById(), DetectListToHumanString(), DetectContentData_::flags, g_rules_analyzer_write_m, HashListTableFree(), HashListTableGetListData, HashListTableGetListHead(), HashListTableGetListNext, DetectPatternTracker::mpm, DetectEngineCtx_::pattern_hash_table, SCMutexLock, SCMutexUnlock, DetectPatternTracker::sm_list, and str.
◆ RuleMatchCandidateTxArrayFree()
| void RuleMatchCandidateTxArrayFree | ( | DetectEngineThreadCtx * | det_ctx | ) |
Definition at line 981 of file detect.c.
References SCFree, DetectEngineThreadCtx_::tx_candidates, and DetectEngineThreadCtx_::tx_candidates_size.
◆ RuleMatchCandidateTxArrayInit()
| void RuleMatchCandidateTxArrayInit | ( | DetectEngineThreadCtx * | det_ctx, |
| uint32_t | size | ||
| ) |
Definition at line 968 of file detect.c.
References DEBUG_VALIDATE_BUG_ON, FatalError, SCCalloc, SCLogDebug, DetectEngineThreadCtx_::tx_candidates, and DetectEngineThreadCtx_::tx_candidates_size.
◆ SigAddressPrepareBidirectionals()
| void SigAddressPrepareBidirectionals | ( | DetectEngineCtx * | ) |
◆ SigFindSignatureBySidGid()
| Signature* SigFindSignatureBySidGid | ( | DetectEngineCtx * | de_ctx, |
| uint32_t | sid, | ||
| uint32_t | gid | ||
| ) |
Find a specific signature by sid and gid.
- Parameters
-
de_ctx detection engine ctx sid the signature id gid the signature group id
- Return values
-
s sig found NULL sig not found
Definition at line 70 of file detect-engine-build.c.
References de_ctx, Signature_::next, and DetectEngineCtx_::sig_list.
◆ SigLoadSignatures()
| int SigLoadSignatures | ( | DetectEngineCtx * | de_ctx, |
| char * | sig_file, | ||
| int | sig_file_exclusive | ||
| ) |
Load signatures.
- Parameters
-
de_ctx Pointer to the detection engine context sig_file Filename (or pattern) holding signatures sig_file_exclusive File passed in 'sig_file' should be loaded exclusively.
- Return values
-
-1 on error
Definition at line 285 of file detect-engine-loader.c.
References DetectEngineCtx_::config_prefix, de_ctx, RUNMODE_ENGINE_ANALYSIS, RunmodeGetCurrent(), SCEnter, and DetectEngineCtx_::sig_stat.
◆ SigMatchAlloc()
| SigMatch* SigMatchAlloc | ( | void | ) |
Definition at line 241 of file detect-parse.c.
References SigMatch_::next, SigMatch_::prev, SCMalloc, and unlikely.
Referenced by DetectContentSetup(), and DetectFlowvarPostMatchSetup().
◆ SigMatchFree()
| void SigMatchFree | ( | DetectEngineCtx * | de_ctx, |
| SigMatch * | sm | ||
| ) |
free a SigMatch
- Parameters
-
sm SigMatch to free.
free the ctx, for that we call the Free func
Definition at line 256 of file detect-parse.c.
References SigMatch_::ctx, de_ctx, SigTableElmt_::Free, SCFree, sigmatch_table, and SigMatch_::type.
Referenced by DetectIPProtoRemoveAllSMs(), and SigFree().
◆ SigMatchSignatures()
| void SigMatchSignatures | ( | ThreadVars * | th_v, |
| DetectEngineCtx * | de_ctx, | ||
| DetectEngineThreadCtx * | det_ctx, | ||
| Packet * | p | ||
| ) |
wrapper for old tests
Definition at line 1809 of file detect.c.
References Packet_::flow.
Referenced by UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().
◆ SigMatchSignaturesBuildMatchArray()
| void SigMatchSignaturesBuildMatchArray | ( | DetectEngineThreadCtx * | , |
| Packet * | , | ||
| SignatureMask | , | ||
| uint16_t | |||
| ) |
◆ SigMatchSignaturesGetSgh()
| const SigGroupHead* SigMatchSignaturesGetSgh | ( | const DetectEngineCtx * | de_ctx, |
| const Packet * | p | ||
| ) |
Get the SigGroupHead for a packet.
- Parameters
-
de_ctx detection engine context p packet
- Return values
-
sgh the SigGroupHead or NULL if non applies to the packet
Definition at line 201 of file detect.c.
References PacketEngineEvents_::cnt, de_ctx, DetectEngineCtx_::decoder_event_sgh, Packet_::events, FLOW_PKT_TOCLIENT, Packet_::flowflags, IP_GET_IPPROTO, PKT_IS_IPV4, PKT_IS_IPV6, proto, Packet_::proto, SCEnter, and SCReturnPtr.
◆ SignatureIsIPOnly()
| int SignatureIsIPOnly | ( | DetectEngineCtx * | de_ctx, |
| const Signature * | s | ||
| ) |
Test is a initialized signature is IP only.
- Parameters
-
de_ctx detection engine ctx s the signature
- Return values
-
1 sig is ip only 2 sig is like ip only 0 sig is not ip only
Definition at line 195 of file detect-engine-build.c.
References Signature_::alproto, ALPROTO_UNKNOWN, SigMatch_::ctx, de_ctx, DE_QUIET, DETECT_FLOWBITS, DETECT_FLOWBITS_CMD_SET, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_PMATCH, DETECT_SM_LIST_POSTMATCH, DetectEngineBufferTypeGetNameById(), SignatureInitData_::dst_contains_negation, Signature_::flags, DetectEngineCtx_::flags, SigTableElmt_::flags, Signature_::id, Signature_::init_data, SigMatch_::next, SCLogDebug, SCReturnInt, SIG_FLAG_APPLAYER, SIG_FLAG_DST_ANY, SIG_FLAG_SRC_ANY, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SIGMATCH_IPONLY_COMPAT, sigmatch_table, SignatureInitData_::smlists, SignatureInitData_::smlists_array_size, SignatureInitData_::src_contains_negation, and SigMatch_::type.
◆ SigRegisterTests()
| void SigRegisterTests | ( | void | ) |
Definition at line 5153 of file detect.c.
References IPOnlyRegisterTests(), SigParseRegisterTests(), and UtRegisterTest().
◆ TmModuleDetectRegister()
| void TmModuleDetectRegister | ( | void | ) |
Variable Documentation
◆ sigmatch_table
| SigTableElmt sigmatch_table[DETECT_TBLSIZE] |
Definition at line 76 of file detect-parse.c.
Referenced by DetectAckRegister(), DetectAppLayerEventRegister(), DetectAppLayerMpmRegisterByParentId(), DetectAppLayerProtocolRegister(), DetectAsn1Register(), DetectBase64DataRegister(), DetectBase64DecodeRegister(), DetectBsizeRegister(), DetectBypassRegister(), DetectByteExtractRegister(), DetectBytejumpRegister(), DetectBytemathRegister(), DetectBytetestRegister(), DetectCipServiceRegister(), DetectClasstypeRegister(), DetectConfigRegister(), DetectContentRegister(), DetectCsumRegister(), DetectDatarepRegister(), DetectDatasetRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDepthRegister(), DetectDetectionFilterRegister(), DetectDHCPLeaseTimeRegister(), DetectDHCPRebindingTimeRegister(), DetectDHCPRenewalTimeRegister(), DetectDistanceRegister(), DetectDnsOpcodeRegister(), DetectDnsQueryRegister(), DetectDsizeRegister(), DetectEngineAppInspectionEngineSignatureFree(), DetectEngineBufferTypeValidateTransform(), DetectEngineContentModifierBufferSetup(), DetectEngineEventRegister(), DetectEngineInspectGenericList(), DetectEnipCommandRegister(), DetectFastPatternRegister(), DetectFiledataRegister(), DetectFileextRegister(), DetectFilemagicRegister(), DetectFileMd5Register(), DetectFilenameRegister(), DetectFileSha1Register(), DetectFileSha256Register(), DetectFilesizeRegister(), DetectFilestoreRegister(), DetectFlagsRegister(), DetectFlowAgeRegister(), DetectFlowbitsRegister(), DetectFlowintRegister(), DetectFlowRegister(), DetectFlowvarRegister(), DetectFragBitsRegister(), DetectFragOffsetRegister(), DetectFrameRegister(), DetectFtpbounceRegister(), DetectFtpdataRegister(), DetectGeoipRegister(), DetectGidRegister(), DetectHostbitsRegister(), DetectHttp2Register(), DetectHttpClientBodyRegister(), DetectHttpCookieRegister(), DetectHttpHeaderNamesRegister(), DetectHttpHeaderRegister(), DetectHttpHHRegister(), DetectHttpMethodRegister(), DetectHttpProtocolRegister(), DetectHttpRawHeaderRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectHttpServerBodyRegister(), DetectHttpStartRegister(), DetectHttpStatCodeRegister(), DetectHttpStatMsgRegister(), DetectHttpUARegister(), DetectHttpUriRegister(), DetectIcmpIdRegister(), DetectIcmpSeqRegister(), DetectIcmpv4HdrRegister(), DetectICMPv6hdrRegister(), DetectICMPv6mtuRegister(), DetectICodeRegister(), DetectIdRegister(), DetectIkeChosenSaRegister(), DetectIkeExchTypeRegister(), DetectIkeKeyExchangePayloadLengthRegister(), DetectIkeKeyExchangeRegister(), DetectIkeNoncePayloadLengthRegister(), DetectIkeNonceRegister(), DetectIkeSpiRegister(), DetectIkeVendorRegister(), DetectIPAddrBufferRegister(), DetectIpOptsRegister(), DetectIPProtoRegister(), DetectIPRepRegister(), DetectIpv4hdrRegister(), DetectIpv6hdrRegister(), DetectIsdataatRegister(), DetectITypeRegister(), DetectKrb5CNameRegister(), DetectKrb5ErrCodeRegister(), DetectKrb5MsgTypeRegister(), DetectKrb5SNameRegister(), DetectKrb5TicketEncryptionRegister(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectMarkRegister(), DetectMetadataRegister(), DetectModbusRegister(), DetectMQTTConnackSessionPresentRegister(), DetectMQTTConnectClientIDRegister(), DetectMQTTConnectFlagsRegister(), DetectMQTTConnectPasswordRegister(), DetectMQTTConnectUsernameRegister(), DetectMQTTConnectWillMessageRegister(), DetectMQTTConnectWillTopicRegister(), DetectMQTTFlagsRegister(), DetectMQTTProtocolVersionRegister(), DetectMQTTPublishMessageRegister(), DetectMQTTPublishTopicRegister(), DetectMQTTQosRegister(), DetectMQTTReasonCodeRegister(), DetectMQTTSubscribeTopicRegister(), DetectMQTTTypeRegister(), DetectMQTTUnsubscribeTopicRegister(), DetectMsgRegister(), DetectNfsProcedureRegister(), DetectNfsVersionRegister(), DetectNoalertRegister(), DetectNocaseRegister(), DetectOffsetRegister(), DetectPcreRegister(), DetectPktDataRegister(), DetectPktvarRegister(), DetectPrefilterRegister(), DetectPriorityRegister(), DetectQuicCyuHashRegister(), DetectQuicCyuStringRegister(), DetectQuicSniRegister(), DetectQuicUaRegister(), DetectQuicVersionRegister(), DetectRawbytesRegister(), DetectReferenceRegister(), DetectReplaceRegister(), DetectRevRegister(), DetectRfbNameRegister(), DetectRfbSecresultRegister(), DetectRfbSectypeRegister(), DetectRpcRegister(), DetectSameipRegister(), DetectSeqRegister(), DetectSidRegister(), DetectSipMethodRegister(), DetectSipProtocolRegister(), DetectSipRequestLineRegister(), DetectSipResponseLineRegister(), DetectSipStatCodeRegister(), DetectSipStatMsgRegister(), DetectSipUriRegister(), DetectSmbNamedPipeRegister(), DetectSmbNtlmsspDomainRegister(), DetectSmbNtlmsspUserRegister(), DetectSmbShareRegister(), DetectSNMPCommunityRegister(), DetectSNMPPduTypeRegister(), DetectSNMPUsmRegister(), DetectSNMPVersionRegister(), DetectSshHasshRegister(), DetectSshHasshServerRegister(), DetectSshHasshServerStringRegister(), DetectSshHasshStringRegister(), DetectSshProtocolRegister(), DetectSshSoftwareRegister(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslStateRegister(), DetectSslVersionRegister(), DetectStreamSizeRegister(), DetectTagRegister(), DetectTargetRegister(), DetectTcphdrRegister(), DetectTcpmssRegister(), DetectTemplate2Register(), DetectTemplateRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTlsCertChainLenRegister(), DetectTlsCertsRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3SHashRegister(), DetectTlsJa3SStringRegister(), DetectTlsJa3StringRegister(), DetectTlsRandomBytesRegister(), DetectTlsRandomRegister(), DetectTlsRandomTimeRegister(), DetectTlsRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), DetectTlsSubjectRegister(), DetectTlsValidityRegister(), DetectTlsVersionRegister(), DetectTosRegister(), DetectTransformCompressWhitespaceRegister(), DetectTransformDotPrefixRegister(), DetectTransformMd5Register(), DetectTransformPcrexformRegister(), DetectTransformSha1Register(), DetectTransformSha256Register(), DetectTransformStripWhitespaceRegister(), DetectTransformUrlDecodeRegister(), DetectTransformXorRegister(), DetectTtlRegister(), DetectUdphdrRegister(), DetectUricontentRegister(), DetectUrilenRegister(), DetectWindowRegister(), DetectWithinRegister(), DetectXbitsRegister(), EngineAnalysisRules2(), InspectionBufferApplyTransforms(), PrefilterSetupRuleGroup(), SigFree(), SigMatchFree(), SigMatchStrictEnabled(), SignatureIsIPOnly(), SigTableApplyStrictCommandlineOption(), SigTableList(), SigTableRegisterTests(), and SigTableSetup().
