suricata
detect.h File Reference
#include "suricata-common.h"
#include "flow.h"
#include "detect-engine-proto.h"
#include "detect-reference.h"
#include "detect-metadata.h"
#include "detect-engine-register.h"
#include "detect-engine-inspect-buffer.h"
#include "util-prefilter.h"
#include "util-mpm.h"
#include "util-spm.h"
#include "util-hash.h"
#include "util-hashlist.h"
#include "util-radix4-tree.h"
#include "util-radix6-tree.h"
#include "util-file.h"
#include "reputation.h"

Data Structures

struct  SignatureProperties
 
struct  DetectAddress_
 address structure for use in the detection engine. More...
 
struct  DetectAddressHead_
 
struct  DetectMatchAddressIPv4_
 
struct  DetectMatchAddressIPv6_
 
struct  DetectPort_
 Port structure for detection engine. More...
 
struct  IPOnlyCIDRItem_
 
struct  SigMatchCtx_
 Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something else. More...
 
struct  SigMatch_
 a single match condition for a signature More...
 
struct  SigMatchData_
 Data needed for Match() More...
 
struct  InspectionBufferMultipleForList
 
struct  TransformData_
 
struct  DetectEngineTransforms
 
struct  DetectEngineAppInspectionEngine_
 
struct  TransformIdData_
 
struct  DetectBufferType_
 
struct  DetectEnginePktInspectionEngine
 
struct  DetectEngineFrameInspectionEngine
 
struct  SignatureInitDataBuffer_
 
struct  SignatureHook_
 
struct  SignatureInitData_
 
struct  Signature_
 Signature container. More...
 
struct  DetectBufferMpmRegistry_
 one time registration of keywords at start up More...
 
struct  DetectPatternTracker
 
struct  DetectReplaceList_
 
struct  DetectVarList_
 
struct  SCFPSupportSMList_
 
struct  DetectEngineIPOnlyCtx_
 IP only rules matching ctx. More...
 
struct  DetectEngineLookupFlow_
 
struct  SigString_
 
struct  SigFileLoaderStat_
 Signature loader statistics. More...
 
struct  DetectEngineThreadKeywordCtxItem_
 
struct  DetectFileDataCfg
 
struct  DetectEngineCtx_
 main detection engine ctx More...
 
struct  SignatureNonPrefilterStore_
 
struct  RuleMatchCandidateTx
 
struct  PostRuleMatchWorkQueueItem
 
struct  PostRuleMatchWorkQueue
 
struct  DetectEngineThreadCtx_
 
struct  SigTableElmt_
 element in sigmatch type table. More...
 
struct  MpmStore_
 
struct  PrefilterEngineList_
 
struct  PrefilterEngine_
 
struct  SigGroupHeadInitData_
 
struct  SigGroupHead_
 Container for matching data for a signature group. More...
 
struct  DetectEngineTenantMapping_
 
struct  DetectEngineMasterCtx_
 

Macros

#define DETECT_MAX_RULE_SIZE   8192
 
#define DETECT_TRANSFORMS_MAX   16
 
#define DETECT_DEFAULT_PRIO   3
 
#define PACKET_ALERT_NOTX   UINT64_MAX
 
#define DETECT_SM_LIST_NOTSET   INT_MAX
 
#define ADDRESS_FLAG_NOT   0x01
 
#define PORT_FLAG_ANY   0x01
 
#define PORT_FLAG_NOT   0x02
 
#define PORT_SIGGROUPHEAD_COPY   0x04
 
#define SIG_FLAG_SRC_ANY   BIT_U32(0)
 
#define SIG_FLAG_DST_ANY   BIT_U32(1)
 
#define SIG_FLAG_SP_ANY   BIT_U32(2)
 
#define SIG_FLAG_DP_ANY   BIT_U32(3)
 
#define SIG_FLAG_FIREWALL   BIT_U32(4)
 
#define SIG_FLAG_DSIZE   BIT_U32(5)
 
#define SIG_FLAG_APPLAYER   BIT_U32(6)
 
#define SIG_FLAG_TXBOTHDIR   BIT_U32(7)
 
#define SIG_FLAG_REQUIRE_PACKET   BIT_U32(9)
 
#define SIG_FLAG_REQUIRE_STREAM   BIT_U32(10)
 
#define SIG_FLAG_MPM_NEG   BIT_U32(11)
 
#define SIG_FLAG_FLUSH   BIT_U32(12)
 
#define SIG_FLAG_REQUIRE_STREAM_ONLY   BIT_U32(13)
 
#define SIG_FLAG_REQUIRE_FLOWVAR   BIT_U32(17)
 
#define SIG_FLAG_FILESTORE   BIT_U32(18)
 
#define SIG_FLAG_TOSERVER   BIT_U32(19)
 
#define SIG_FLAG_TOCLIENT   BIT_U32(20)
 
#define SIG_FLAG_TLSSTORE   BIT_U32(21)
 
#define SIG_FLAG_BYPASS   BIT_U32(22)
 
#define SIG_FLAG_PREFILTER   BIT_U32(23)
 
#define SIG_FLAG_SRC_IS_TARGET   BIT_U32(25)
 
#define SIG_FLAG_DEST_IS_TARGET   BIT_U32(26)
 
#define SIG_FLAG_HAS_TARGET   (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET)
 
#define SIG_FLAG_INIT_PACKET   BIT_U32(1)
 
#define SIG_FLAG_INIT_FLOW   BIT_U32(2)
 
#define SIG_FLAG_INIT_BIDIREC   BIT_U32(3)
 
#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN   BIT_U32(4) /** < signature has seen the first ip_proto keyword */
 
#define SIG_FLAG_INIT_STATE_MATCH   BIT_U32(6)
 
#define SIG_FLAG_INIT_NEED_FLUSH   BIT_U32(7)
 
#define SIG_FLAG_INIT_PRIO_EXPLICIT   BIT_U32(8)
 
#define SIG_FLAG_INIT_FILEDATA   BIT_U32(9)
 
#define SIG_FLAG_INIT_FORCE_TOCLIENT   BIT_U32(10)
 
#define SIG_FLAG_INIT_FORCE_TOSERVER   BIT_U32(11)
 
#define SIG_FLAG_INIT_TXDIR_STREAMING_TOSERVER   BIT_U32(12)
 
#define SIG_FLAG_INIT_TXDIR_FAST_TOCLIENT   BIT_U32(13)
 
#define SIG_MASK_REQUIRE_PAYLOAD   BIT_U8(0)
 
#define SIG_MASK_REQUIRE_FLOW   BIT_U8(1)
 
#define SIG_MASK_REQUIRE_FLAGS_INITDEINIT   BIT_U8(2) /* SYN, FIN, RST */
 
#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL   BIT_U8(3) /* URG, ECN, CWR */
 
#define SIG_MASK_REQUIRE_NO_PAYLOAD   BIT_U8(4)
 
#define SIG_MASK_REQUIRE_REAL_PKT   BIT_U8(5)
 
#define SIG_MASK_REQUIRE_ENGINE_EVENT   BIT_U8(7)
 
#define FILE_SIG_NEED_FILE   0x01
 
#define FILE_SIG_NEED_FILENAME   0x02
 
#define FILE_SIG_NEED_MAGIC   0x04
 
#define FILE_SIG_NEED_FILECONTENT   0x08
 
#define FILE_SIG_NEED_MD5   0x10
 
#define FILE_SIG_NEED_SHA1   0x20
 
#define FILE_SIG_NEED_SHA256   0x40
 
#define FILE_SIG_NEED_SIZE   0x80
 
#define DE_QUIET   0x01
 
#define DE_HAS_FIREWALL   0x02
 
#define SIG_ALPROTO_MAX   4
 
#define DETECT_VAR_TYPE_FLOW_POSTMATCH   1
 
#define DETECT_VAR_TYPE_PKT_POSTMATCH   2
 
#define FLOW_STATES   2
 
#define ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE   (ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO + 1)
 
#define DETECT_FILESTORE_MAX   15
 
#define SIG_GROUP_HEAD_HAVERAWSTREAM   BIT_U16(0)
 
#define SIG_GROUP_HEAD_HAVEFILEMD5   BIT_U16(2)
 
#define SIG_GROUP_HEAD_HAVEFILESIZE   BIT_U16(3)
 
#define SIG_GROUP_HEAD_HAVEFILESHA1   BIT_U16(4)
 
#define SIG_GROUP_HEAD_HAVEFILESHA256   BIT_U16(5)
 
#define SIGMATCH_NOOPT   BIT_U16(0)
 
#define SIGMATCH_IPONLY_COMPAT   BIT_U16(1)
 
#define SIGMATCH_DEONLY_COMPAT   BIT_U16(2)
 
#define SIGMATCH_OPTIONAL_OPT   BIT_U16(4)
 
#define SIGMATCH_QUOTES_OPTIONAL   BIT_U16(5)
 
#define SIGMATCH_QUOTES_MANDATORY   BIT_U16(6)
 
#define SIGMATCH_HANDLE_NEGATION   BIT_U16(7)
 
#define SIGMATCH_INFO_CONTENT_MODIFIER   BIT_U16(8)
 
#define SIGMATCH_INFO_STICKY_BUFFER   BIT_U16(9)
 
#define SIGMATCH_INFO_DEPRECATED   BIT_U16(10)
 
#define SIGMATCH_STRICT_PARSING   BIT_U16(11)
 
#define SIGMATCH_SUPPORT_FIREWALL   BIT_U16(12)
 
#define SIGMATCH_SUPPORT_DIR   BIT_U16(13)
 

Typedefs

typedef struct SCDetectRequiresStatus SCDetectRequiresStatus
 
typedef struct DetectAddress_ DetectAddress
 address structure for use in the detection engine. More...
 
typedef struct DetectAddressHead_ DetectAddressHead
 
typedef struct DetectMatchAddressIPv4_ DetectMatchAddressIPv4
 
typedef struct DetectMatchAddressIPv6_ DetectMatchAddressIPv6
 
typedef struct DetectPort_ DetectPort
 Port structure for detection engine. More...
 
typedef struct IPOnlyCIDRItem_ IPOnlyCIDRItem
 
typedef struct SigMatchCtx_ SigMatchCtx
 Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something else. More...
 
typedef struct SigMatch_ SigMatch
 a single match condition for a signature More...
 
typedef struct SigMatchData_ SigMatchData
 Data needed for Match() More...
 
typedef struct InspectionBufferMultipleForList InspectionBufferMultipleForList
 
typedef struct TransformData_ TransformData
 
typedef struct DetectEngineTransforms DetectEngineTransforms
 
typedef InspectionBuffer *(* InspectionBufferGetDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)
 
typedef bool(* InspectionSingleBufferGetDataPtr) (const void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len)
 
typedef bool(* InspectionMultiBufferGetDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const void *txv, const uint8_t flow_flags, uint32_t local_id, const uint8_t **buf, uint32_t *buf_len)
 
typedef uint8_t(* InspectEngineFuncPtr) (struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
 
typedef struct DetectEngineAppInspectionEngine_ DetectEngineAppInspectionEngine
 
typedef struct TransformIdData_ TransformIdData
 
typedef struct DetectBufferType_ DetectBufferType
 
typedef int(* InspectionBufferPktInspectFunc) (struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags)
 
typedef InspectionBuffer *(* InspectionBufferGetPktDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)
 
typedef struct DetectEnginePktInspectionEngine DetectEnginePktInspectionEngine
 
typedef int(* InspectionBufferFrameInspectFunc) (struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame)
 
typedef struct DetectEngineFrameInspectionEngine DetectEngineFrameInspectionEngine
 
typedef struct SignatureInitDataBuffer_ SignatureInitDataBuffer
 
typedef struct SignatureHook_ SignatureHook
 
typedef struct SignatureInitData_ SignatureInitData
 
typedef struct Signature_ Signature
 Signature container. More...
 
typedef struct DetectBufferMpmRegistry_ DetectBufferMpmRegistry
 one time registration of keywords at start up More...
 
typedef struct DetectPatternTracker DetectPatternTracker
 
typedef struct DetectReplaceList_ DetectReplaceList
 
typedef struct DetectVarList_ DetectVarList
 
typedef struct SCFPSupportSMList_ SCFPSupportSMList
 
typedef struct DetectEngineIPOnlyCtx_ DetectEngineIPOnlyCtx
 IP only rules matching ctx. More...
 
typedef struct DetectEngineLookupFlow_ DetectEngineLookupFlow
 
typedef struct SigString_ SigString
 
typedef struct SigFileLoaderStat_ SigFileLoaderStat
 Signature loader statistics. More...
 
typedef struct DetectEngineThreadKeywordCtxItem_ DetectEngineThreadKeywordCtxItem
 
typedef uint8_t(* SCDetectRateFilterFunc) (const Packet *p, uint32_t sid, uint32_t gid, uint32_t rev, uint8_t original_action, uint8_t new_action, void *arg)
 Function type for rate filter callback. More...
 
typedef struct DetectEngineCtx_ DetectEngineCtx
 main detection engine ctx More...
 
typedef struct SignatureNonPrefilterStore_ SignatureNonPrefilterStore
 
typedef struct RuleMatchCandidateTx RuleMatchCandidateTx
 
typedef struct PostRuleMatchWorkQueueItem PostRuleMatchWorkQueueItem
 
typedef struct PostRuleMatchWorkQueue PostRuleMatchWorkQueue
 
typedef struct DetectEngineThreadCtx_ DetectEngineThreadCtx
 
typedef struct SigTableElmt_ SigTableElmt
 element in sigmatch type table. More...
 
typedef struct MpmStore_ MpmStore
 
typedef void(* PrefilterPktFn) (DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
 
typedef void(* PrefilterFrameFn) (DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, const struct Frames *frames, const struct Frame *frame)
 
typedef struct AppLayerTxData AppLayerTxData
 
typedef void(* PrefilterTxFn) (DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t tx_id, const AppLayerTxData *tx_data, const uint8_t flags)
 
typedef struct PrefilterEngineList_ PrefilterEngineList
 
typedef struct PrefilterEngine_ PrefilterEngine
 
typedef struct SigGroupHeadInitData_ SigGroupHeadInitData
 
typedef struct SigGroupHead_ SigGroupHead
 Container for matching data for a signature group. More...
 
typedef struct DetectEngineTenantMapping_ DetectEngineTenantMapping
 
typedef struct DetectEngineMasterCtx_ DetectEngineMasterCtx
 

Enumerations

enum  SignatureType {
  SIG_TYPE_NOT_SET = 0, SIG_TYPE_IPONLY, SIG_TYPE_LIKE_IPONLY, SIG_TYPE_PDONLY,
  SIG_TYPE_DEONLY, SIG_TYPE_PKT, SIG_TYPE_PKT_STREAM, SIG_TYPE_STREAM,
  SIG_TYPE_APPLAYER, SIG_TYPE_APP_TX, SIG_TYPE_MAX
}
 
enum  SignaturePropertyFlowAction { SIG_PROP_FLOW_ACTION_PACKET, SIG_PROP_FLOW_ACTION_FLOW, SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL }
 
enum  DetectSigmatchListEnum {
  DETECT_SM_LIST_MATCH = 0, DETECT_SM_LIST_PMATCH, DETECT_SM_LIST_BASE64_DATA, DETECT_SM_LIST_POSTMATCH,
  DETECT_SM_LIST_TMATCH, DETECT_SM_LIST_SUPPRESS, DETECT_SM_LIST_THRESHOLD, DETECT_SM_LIST_MAX,
  DETECT_SM_LIST_DYNAMIC_START = DETECT_SM_LIST_MAX
}
 
enum  {
  ADDRESS_ER = -1, ADDRESS_LT, ADDRESS_LE, ADDRESS_EQ,
  ADDRESS_ES, ADDRESS_EB, ADDRESS_GE, ADDRESS_GT
}
 
enum  {
  PORT_ER = -1, PORT_LT, PORT_LE, PORT_EQ,
  PORT_ES, PORT_EB, PORT_GE, PORT_GT
}
 
enum  SignatureHookPkt { SIGNATURE_HOOK_PKT_NOT_SET, SIGNATURE_HOOK_PKT_FLOW_START, SIGNATURE_HOOK_PKT_ALL }
 
enum  SignatureHookType { SIGNATURE_HOOK_TYPE_NOT_SET, SIGNATURE_HOOK_TYPE_PKT, SIGNATURE_HOOK_TYPE_APP }
 
enum  FirewallTable { FIREWALL_TABLE_PACKET_FILTER, FIREWALL_TABLE_PACKET_TD, FIREWALL_TABLE_APP_FILTER, FIREWALL_TABLE_APP_TD }
 
enum  DetectBufferMpmType { DETECT_BUFFER_MPM_TYPE_PKT, DETECT_BUFFER_MPM_TYPE_APP, DETECT_BUFFER_MPM_TYPE_FRAME, DETECT_BUFFER_MPM_TYPE_SIZE }
 
enum  DetectEnginePrefilterSetting { DETECT_PREFILTER_MPM = 0, DETECT_PREFILTER_AUTO = 1 }
 
enum  DetectEngineType { DETECT_ENGINE_TYPE_NORMAL = 0, DETECT_ENGINE_TYPE_DD_STUB = 1, DETECT_ENGINE_TYPE_MT_STUB = 2, DETECT_ENGINE_TYPE_TENANT = 3 }
 
enum  {
  ENGINE_PROFILE_UNKNOWN, ENGINE_PROFILE_LOW, ENGINE_PROFILE_MEDIUM, ENGINE_PROFILE_HIGH,
  ENGINE_PROFILE_CUSTOM
}
 
enum  { ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL = 0, ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE, ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO }
 
enum  {
  FILE_DECODER_EVENT_NO_MEM, FILE_DECODER_EVENT_INVALID_SWF_LENGTH, FILE_DECODER_EVENT_INVALID_SWF_VERSION, FILE_DECODER_EVENT_Z_DATA_ERROR,
  FILE_DECODER_EVENT_Z_STREAM_ERROR, FILE_DECODER_EVENT_Z_BUF_ERROR, FILE_DECODER_EVENT_Z_UNKNOWN_ERROR, FILE_DECODER_EVENT_LZMA_IO_ERROR,
  FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR, FILE_DECODER_EVENT_LZMA_DECODER_ERROR, FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR, FILE_DECODER_EVENT_LZMA_XZ_ERROR,
  FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR, DETECT_EVENT_TOO_MANY_BUFFERS, DETECT_EVENT_POST_MATCH_QUEUE_FAILED
}
 
enum  MpmBuiltinBuffers {
  MPMB_TCP_PKT_TS, MPMB_TCP_PKT_TC, MPMB_TCP_STREAM_TS, MPMB_TCP_STREAM_TC,
  MPMB_UDP_TS, MPMB_UDP_TC, MPMB_OTHERIP, MPMB_MAX
}
 
enum  DetectEngineTenantSelectors { TENANT_SELECTOR_UNKNOWN = 0, TENANT_SELECTOR_DIRECT, TENANT_SELECTOR_VLAN, TENANT_SELECTOR_LIVEDEV }
 

Functions

void SCDetectEngineRegisterRateFilterCallback (SCDetectRateFilterFunc cb, void *arg)
 Register a callback when a rate_filter has been applied to an alert. More...
 
TmEcode Detect (ThreadVars *tv, Packet *p, void *data)
 Detection engine thread wrapper. More...
 
SigMatch * SigMatchAlloc (void)
 
Signature * SigFindSignatureBySidGid (DetectEngineCtx *, uint32_t, uint32_t)
 Find a specific signature by sid and gid. More...
 
void SigMatchFree (DetectEngineCtx *, SigMatch *sm)
 free a SigMatch More...
 
void SigRegisterTests (void)
 
void DisableDetectFlowFileFlags (Flow *f)
 disable file features we don't need. Called if we have no detection engine. More...
 
char * DetectLoadCompleteSigPath (const DetectEngineCtx *, const char *sig_file)
 Create the path if default-rule-path was specified. More...
 
int SigLoadSignatures (DetectEngineCtx *, char *, bool)
 Load signatures. More...
 
void SigMatchSignatures (ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
 wrapper for old tests More...
 
int SignatureIsIPOnly (DetectEngineCtx *de_ctx, const Signature *s)
 Test if an initialized signature is IP only. More...
 
const SigGroupHead * SigMatchSignaturesGetSgh (const DetectEngineCtx *de_ctx, const Packet *p)
 Get the SigGroupHead for a packet. More...
 
int DetectUnregisterThreadCtxFuncs (DetectEngineCtx *, void *data, const char *name)
 Remove Thread keyword context registration. More...
 
int DetectRegisterThreadCtxFuncs (DetectEngineCtx *, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int)
 Register Thread keyword context Funcs. More...
 
void * DetectThreadCtxGetKeywordThreadCtx (DetectEngineThreadCtx *, int)
 Retrieve thread local keyword ctx by id. More...
 
void * DetectGetInnerTx (void *tx_ptr, AppProto alproto, AppProto engine_alproto, uint8_t flow_flags)
 
void RuleMatchCandidateTxArrayInit (DetectEngineThreadCtx *det_ctx, uint32_t size)
 
void RuleMatchCandidateTxArrayFree (DetectEngineThreadCtx *det_ctx)
 
int DetectFlowbitsAnalyze (DetectEngineCtx *de_ctx)
 
int DetectMetadataHashInit (DetectEngineCtx *de_ctx)
 
void DetectMetadataHashFree (DetectEngineCtx *de_ctx)
 
void DetectEngineSetEvent (DetectEngineThreadCtx *det_ctx, uint8_t e)
 
void DumpPatterns (DetectEngineCtx *de_ctx)
 

Variables

const struct SignatureProperties signature_properties [SIG_TYPE_MAX]
 
SigTableElmt * sigmatch_table
 

Detailed Description

Author
Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Definition in file detect.h.

Macro Definition Documentation

◆ ADDRESS_FLAG_NOT

#define ADDRESS_FLAG_NOT   0x01

address is negated

Definition at line 163 of file detect.h.

◆ DE_HAS_FIREWALL

#define DE_HAS_FIREWALL   0x02

firewall rules loaded, default policies active

Definition at line 332 of file detect.h.

◆ DE_QUIET

#define DE_QUIET   0x01

DE is quiet (esp for unittests)

Definition at line 331 of file detect.h.

◆ DETECT_DEFAULT_PRIO

#define DETECT_DEFAULT_PRIO   3

default rule priority if not set through priority keyword or via classtype.

Definition at line 53 of file detect.h.

◆ DETECT_FILESTORE_MAX

#define DETECT_FILESTORE_MAX   15

Definition at line 1167 of file detect.h.

◆ DETECT_MAX_RULE_SIZE

#define DETECT_MAX_RULE_SIZE   8192

Definition at line 47 of file detect.h.

◆ DETECT_SM_LIST_NOTSET

#define DETECT_SM_LIST_NOTSET   INT_MAX

Definition at line 145 of file detect.h.

◆ DETECT_TRANSFORMS_MAX

#define DETECT_TRANSFORMS_MAX   16

Definition at line 49 of file detect.h.

◆ DETECT_VAR_TYPE_FLOW_POSTMATCH

#define DETECT_VAR_TYPE_FLOW_POSTMATCH   1

only execute flowvar storage if rule matched

Definition at line 812 of file detect.h.

◆ DETECT_VAR_TYPE_PKT_POSTMATCH

#define DETECT_VAR_TYPE_PKT_POSTMATCH   2

Definition at line 813 of file detect.h.

◆ ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE

#define ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE   (ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO + 1)

Definition at line 1164 of file detect.h.

◆ FILE_SIG_NEED_FILE

#define FILE_SIG_NEED_FILE   0x01

Definition at line 321 of file detect.h.

◆ FILE_SIG_NEED_FILECONTENT

#define FILE_SIG_NEED_FILECONTENT   0x08

Definition at line 324 of file detect.h.

◆ FILE_SIG_NEED_FILENAME

#define FILE_SIG_NEED_FILENAME   0x02

Definition at line 322 of file detect.h.

◆ FILE_SIG_NEED_MAGIC

#define FILE_SIG_NEED_MAGIC   0x04

need the start of the file

Definition at line 323 of file detect.h.

◆ FILE_SIG_NEED_MD5

#define FILE_SIG_NEED_MD5   0x10

Definition at line 325 of file detect.h.

◆ FILE_SIG_NEED_SHA1

#define FILE_SIG_NEED_SHA1   0x20

Definition at line 326 of file detect.h.

◆ FILE_SIG_NEED_SHA256

#define FILE_SIG_NEED_SHA256   0x40

Definition at line 327 of file detect.h.

◆ FILE_SIG_NEED_SIZE

#define FILE_SIG_NEED_SIZE   0x80

Definition at line 328 of file detect.h.

◆ FLOW_STATES

#define FLOW_STATES   2

Definition at line 902 of file detect.h.

◆ PACKET_ALERT_NOTX

#define PACKET_ALERT_NOTX   UINT64_MAX

Definition at line 56 of file detect.h.

◆ PORT_FLAG_ANY

#define PORT_FLAG_ANY   0x01

'any' special port

Definition at line 216 of file detect.h.

◆ PORT_FLAG_NOT

#define PORT_FLAG_NOT   0x02

negated port

Definition at line 217 of file detect.h.

◆ PORT_SIGGROUPHEAD_COPY

#define PORT_SIGGROUPHEAD_COPY   0x04

sgh is a ptr copy

Definition at line 218 of file detect.h.

◆ SIG_ALPROTO_MAX

#define SIG_ALPROTO_MAX   4

Definition at line 577 of file detect.h.

◆ SIG_FLAG_APPLAYER

#define SIG_FLAG_APPLAYER   BIT_U32(6)

signature applies to app layer instead of packets

Definition at line 250 of file detect.h.

◆ SIG_FLAG_BYPASS

#define SIG_FLAG_BYPASS   BIT_U32(22)

Definition at line 277 of file detect.h.

◆ SIG_FLAG_DEST_IS_TARGET

#define SIG_FLAG_DEST_IS_TARGET   BIT_U32(26)

Info for Source and Target identification

Definition at line 286 of file detect.h.

◆ SIG_FLAG_DP_ANY

#define SIG_FLAG_DP_ANY   BIT_U32(3)

destination port is any

Definition at line 245 of file detect.h.

◆ SIG_FLAG_DSIZE

#define SIG_FLAG_DSIZE   BIT_U32(5)

signature has a dsize setting

Definition at line 249 of file detect.h.

◆ SIG_FLAG_DST_ANY

#define SIG_FLAG_DST_ANY   BIT_U32(1)

destination is any

Definition at line 243 of file detect.h.

◆ SIG_FLAG_FILESTORE

#define SIG_FLAG_FILESTORE   BIT_U32(18)

signature has filestore keyword

Definition at line 270 of file detect.h.

◆ SIG_FLAG_FIREWALL

#define SIG_FLAG_FIREWALL   BIT_U32(4)

sig is a firewall rule

Definition at line 247 of file detect.h.

◆ SIG_FLAG_FLUSH

#define SIG_FLAG_FLUSH   BIT_U32(12)

detection logic needs stream flush notification

Definition at line 260 of file detect.h.

◆ SIG_FLAG_HAS_TARGET

#define SIG_FLAG_HAS_TARGET   (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET)

Definition at line 288 of file detect.h.

◆ SIG_FLAG_INIT_BIDIREC

#define SIG_FLAG_INIT_BIDIREC   BIT_U32(3)

signature has bidirectional operator

Definition at line 294 of file detect.h.

◆ SIG_FLAG_INIT_FILEDATA

#define SIG_FLAG_INIT_FILEDATA   BIT_U32(9)

signature has filedata keyword

Definition at line 301 of file detect.h.

◆ SIG_FLAG_INIT_FIRST_IPPROTO_SEEN

#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN   BIT_U32(4) /** < signature has seen the first ip_proto keyword */

Definition at line 295 of file detect.h.

◆ SIG_FLAG_INIT_FLOW

#define SIG_FLAG_INIT_FLOW   BIT_U32(2)

signature has a flow setting

Definition at line 293 of file detect.h.

◆ SIG_FLAG_INIT_FORCE_TOCLIENT

#define SIG_FLAG_INIT_FORCE_TOCLIENT   BIT_U32(10)

signature now takes keywords toclient

Definition at line 302 of file detect.h.

◆ SIG_FLAG_INIT_FORCE_TOSERVER

#define SIG_FLAG_INIT_FORCE_TOSERVER   BIT_U32(11)

signature now takes keywords toserver

Definition at line 303 of file detect.h.

◆ SIG_FLAG_INIT_NEED_FLUSH

#define SIG_FLAG_INIT_NEED_FLUSH   BIT_U32(7)

Definition at line 298 of file detect.h.

◆ SIG_FLAG_INIT_PACKET

#define SIG_FLAG_INIT_PACKET   BIT_U32(1)

signature has matches against a packet (as opposed to app layer)

Definition at line 292 of file detect.h.

◆ SIG_FLAG_INIT_PRIO_EXPLICIT

#define SIG_FLAG_INIT_PRIO_EXPLICIT   BIT_U32(8)

priority is explicitly set by the priority keyword

Definition at line 300 of file detect.h.

◆ SIG_FLAG_INIT_STATE_MATCH

#define SIG_FLAG_INIT_STATE_MATCH   BIT_U32(6)

signature has matches that require stateful inspection

Definition at line 297 of file detect.h.

◆ SIG_FLAG_INIT_TXDIR_FAST_TOCLIENT

#define SIG_FLAG_INIT_TXDIR_FAST_TOCLIENT   BIT_U32(13)

transactional signature uses a fast pattern to client

Definition at line 308 of file detect.h.

◆ SIG_FLAG_INIT_TXDIR_STREAMING_TOSERVER

#define SIG_FLAG_INIT_TXDIR_STREAMING_TOSERVER   BIT_U32(12)

transactional signature uses a streaming buffer to server

Definition at line 306 of file detect.h.

◆ SIG_FLAG_MPM_NEG

#define SIG_FLAG_MPM_NEG   BIT_U32(11)

Definition at line 258 of file detect.h.

◆ SIG_FLAG_PREFILTER

#define SIG_FLAG_PREFILTER   BIT_U32(23)

sig is part of a prefilter engine

Definition at line 279 of file detect.h.

◆ SIG_FLAG_REQUIRE_FLOWVAR

#define SIG_FLAG_REQUIRE_FLOWVAR   BIT_U32(17)

signature can only match if a flowbit, flowvar or flowint is available.

Definition at line 268 of file detect.h.

◆ SIG_FLAG_REQUIRE_PACKET

#define SIG_FLAG_REQUIRE_PACKET   BIT_U32(9)

signature is requiring packet match

Definition at line 255 of file detect.h.

◆ SIG_FLAG_REQUIRE_STREAM

#define SIG_FLAG_REQUIRE_STREAM   BIT_U32(10)

signature is requiring stream match

Definition at line 256 of file detect.h.

◆ SIG_FLAG_REQUIRE_STREAM_ONLY

#define SIG_FLAG_REQUIRE_STREAM_ONLY   BIT_U32(13)

signature is requiring stream match. Stream match is not optional, so no fallback to packet payload.

Definition at line 264 of file detect.h.

◆ SIG_FLAG_SP_ANY

#define SIG_FLAG_SP_ANY   BIT_U32(2)

source port is any

Definition at line 244 of file detect.h.

◆ SIG_FLAG_SRC_ANY

#define SIG_FLAG_SRC_ANY   BIT_U32(0)
Note: additions should be added to the rule analyzer as well.

source is any

Definition at line 242 of file detect.h.

◆ SIG_FLAG_SRC_IS_TARGET

#define SIG_FLAG_SRC_IS_TARGET   BIT_U32(25)

Info for Source and Target identification

Definition at line 284 of file detect.h.

◆ SIG_FLAG_TLSSTORE

#define SIG_FLAG_TLSSTORE   BIT_U32(21)

Definition at line 275 of file detect.h.

◆ SIG_FLAG_TOCLIENT

#define SIG_FLAG_TOCLIENT   BIT_U32(20)

Definition at line 273 of file detect.h.

◆ SIG_FLAG_TOSERVER

#define SIG_FLAG_TOSERVER   BIT_U32(19)

Definition at line 272 of file detect.h.

◆ SIG_FLAG_TXBOTHDIR

#define SIG_FLAG_TXBOTHDIR   BIT_U32(7)

signature needs tx with both directions to match

Definition at line 251 of file detect.h.

◆ SIG_GROUP_HEAD_HAVEFILEMD5

#define SIG_GROUP_HEAD_HAVEFILEMD5   BIT_U16(2)

Definition at line 1453 of file detect.h.

◆ SIG_GROUP_HEAD_HAVEFILESHA1

#define SIG_GROUP_HEAD_HAVEFILESHA1   BIT_U16(4)

Definition at line 1455 of file detect.h.

◆ SIG_GROUP_HEAD_HAVEFILESHA256

#define SIG_GROUP_HEAD_HAVEFILESHA256   BIT_U16(5)

Definition at line 1456 of file detect.h.

◆ SIG_GROUP_HEAD_HAVEFILESIZE

#define SIG_GROUP_HEAD_HAVEFILESIZE   BIT_U16(3)

Definition at line 1454 of file detect.h.

◆ SIG_GROUP_HEAD_HAVERAWSTREAM

#define SIG_GROUP_HEAD_HAVERAWSTREAM   BIT_U16(0)

Definition at line 1449 of file detect.h.

◆ SIG_MASK_REQUIRE_ENGINE_EVENT

#define SIG_MASK_REQUIRE_ENGINE_EVENT   BIT_U8(7)

Definition at line 319 of file detect.h.

◆ SIG_MASK_REQUIRE_FLAGS_INITDEINIT

#define SIG_MASK_REQUIRE_FLAGS_INITDEINIT   BIT_U8(2) /* SYN, FIN, RST */

Definition at line 314 of file detect.h.

◆ SIG_MASK_REQUIRE_FLAGS_UNUSUAL

#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL   BIT_U8(3) /* URG, ECN, CWR */

Definition at line 315 of file detect.h.

◆ SIG_MASK_REQUIRE_FLOW

#define SIG_MASK_REQUIRE_FLOW   BIT_U8(1)

Definition at line 313 of file detect.h.

◆ SIG_MASK_REQUIRE_NO_PAYLOAD

#define SIG_MASK_REQUIRE_NO_PAYLOAD   BIT_U8(4)

Definition at line 316 of file detect.h.

◆ SIG_MASK_REQUIRE_PAYLOAD

#define SIG_MASK_REQUIRE_PAYLOAD   BIT_U8(0)
Note: additions should be added to the rule analyzer as well.

Definition at line 312 of file detect.h.

◆ SIG_MASK_REQUIRE_REAL_PKT

#define SIG_MASK_REQUIRE_REAL_PKT   BIT_U8(5)

Definition at line 317 of file detect.h.

◆ SIGMATCH_DEONLY_COMPAT

#define SIGMATCH_DEONLY_COMPAT   BIT_U16(2)

sigmatch is compatible with a decode event only rule

Definition at line 1616 of file detect.h.

◆ SIGMATCH_HANDLE_NEGATION

#define SIGMATCH_HANDLE_NEGATION   BIT_U16(7)

negation parsing is handled by the rule parser. Signature::init_data::negated will be set to true or false prior to calling the keyword parser. Exclamation mark is stripped from the input to the keyword parser.

Definition at line 1633 of file detect.h.

◆ SIGMATCH_INFO_CONTENT_MODIFIER

#define SIGMATCH_INFO_CONTENT_MODIFIER   BIT_U16(8)

keyword is a content modifier

Definition at line 1635 of file detect.h.

◆ SIGMATCH_INFO_DEPRECATED

#define SIGMATCH_INFO_DEPRECATED   BIT_U16(10)

keyword is deprecated: used to suggest an alternative

Definition at line 1639 of file detect.h.

◆ SIGMATCH_INFO_STICKY_BUFFER

#define SIGMATCH_INFO_STICKY_BUFFER   BIT_U16(9)

keyword is a sticky buffer

Definition at line 1637 of file detect.h.

◆ SIGMATCH_IPONLY_COMPAT

#define SIGMATCH_IPONLY_COMPAT   BIT_U16(1)

sigmatch is compatible with a ip only rule

Definition at line 1614 of file detect.h.

◆ SIGMATCH_NOOPT

#define SIGMATCH_NOOPT   BIT_U16(0)

sigmatch has no options, so the parser shouldn't expect any

Definition at line 1612 of file detect.h.

◆ SIGMATCH_OPTIONAL_OPT

#define SIGMATCH_OPTIONAL_OPT   BIT_U16(4)

sigmatch may have options, so the parser should be ready to deal with both cases

Definition at line 1622 of file detect.h.

◆ SIGMATCH_QUOTES_MANDATORY

#define SIGMATCH_QUOTES_MANDATORY   BIT_U16(6)

input MUST be wrapped in double quotes. They will be stripped before input data is passed to keyword parser. Missing double quotes lead to error and signature invalidation.

Definition at line 1629 of file detect.h.

◆ SIGMATCH_QUOTES_OPTIONAL

#define SIGMATCH_QUOTES_OPTIONAL   BIT_U16(5)

input may be wrapped in double quotes. They will be stripped before input data is passed to keyword parser

Definition at line 1625 of file detect.h.

◆ SIGMATCH_STRICT_PARSING

#define SIGMATCH_STRICT_PARSING   BIT_U16(11)

strict parsing is enabled

Definition at line 1641 of file detect.h.

◆ SIGMATCH_SUPPORT_DIR

#define SIGMATCH_SUPPORT_DIR   BIT_U16(13)

keyword supporting setting an optional direction

Definition at line 1645 of file detect.h.

◆ SIGMATCH_SUPPORT_FIREWALL

#define SIGMATCH_SUPPORT_FIREWALL   BIT_U16(12)

keyword supported by firewall rules

Definition at line 1643 of file detect.h.

Typedef Documentation

◆ AppLayerTxData

Definition at line 1482 of file detect.h.

◆ DetectAddress

typedef struct DetectAddress_ DetectAddress

address structure for use in the detection engine.

Contains the address information and matching information.

◆ DetectAddressHead

Address grouping head. IPv4 and IPv6 are split out

◆ DetectBufferMpmRegistry

one time registration of keywords at start up

◆ DetectBufferType

◆ DetectEngineAppInspectionEngine

◆ DetectEngineCtx

main detection engine ctx

◆ DetectEngineFrameInspectionEngine

◆ DetectEngineIPOnlyCtx

IP only rules matching ctx.

◆ DetectEngineLookupFlow

◆ DetectEngineMasterCtx

◆ DetectEnginePktInspectionEngine

◆ DetectEngineTenantMapping

◆ DetectEngineThreadCtx

Detection engine thread data.

◆ DetectEngineThreadKeywordCtxItem

◆ DetectEngineTransforms

◆ DetectMatchAddressIPv4

◆ DetectMatchAddressIPv6

◆ DetectPatternTracker

◆ DetectPort

typedef struct DetectPort_ DetectPort

Port structure for detection engine.

◆ DetectReplaceList

◆ DetectVarList

typedef struct DetectVarList_ DetectVarList

list of flowvar store candidates, to be stored from the post-match function

◆ InspectEngineFuncPtr

typedef uint8_t(* InspectEngineFuncPtr) (struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)

Definition at line 412 of file detect.h.

◆ InspectionBufferFrameInspectFunc

typedef int(* InspectionBufferFrameInspectFunc) (struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame)
Parameters
alert_flags [out] for setting PACKET_ALERT_FLAG_*

Definition at line 505 of file detect.h.

◆ InspectionBufferGetDataPtr

typedef InspectionBuffer*(* InspectionBufferGetDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)

callback for getting the buffer we need to prefilter/inspect

Definition at line 398 of file detect.h.

◆ InspectionBufferGetPktDataPtr

typedef InspectionBuffer*(* InspectionBufferGetPktDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)

callback for getting the buffer we need to prefilter/inspect

Definition at line 479 of file detect.h.

◆ InspectionBufferMultipleForList

◆ InspectionBufferPktInspectFunc

typedef int(* InspectionBufferPktInspectFunc) (struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags)
Parameters
alert_flags [out] for setting PACKET_ALERT_FLAG_*

Definition at line 472 of file detect.h.

◆ InspectionMultiBufferGetDataPtr

typedef bool(* InspectionMultiBufferGetDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const void *txv, const uint8_t flow_flags, uint32_t local_id, const uint8_t **buf, uint32_t *buf_len)

Definition at line 407 of file detect.h.

◆ InspectionSingleBufferGetDataPtr

typedef bool(* InspectionSingleBufferGetDataPtr) (const void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len)

Definition at line 404 of file detect.h.

◆ IPOnlyCIDRItem

◆ MpmStore

typedef struct MpmStore_ MpmStore

◆ PostRuleMatchWorkQueue

◆ PostRuleMatchWorkQueueItem

Stores a single u32 for a rule match of type sm_type. Used by the flowbits prefilter to register DETECT_FLOWBITS,<flowbit id> for post-match handling.

◆ PrefilterEngine

◆ PrefilterEngineList

◆ PrefilterFrameFn

typedef void(* PrefilterFrameFn) (DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, const struct Frames *frames, const struct Frame *frame)

Definition at line 1482 of file detect.h.

◆ PrefilterPktFn

typedef void(* PrefilterPktFn) (DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)

Definition at line 1481 of file detect.h.

◆ PrefilterTxFn

typedef void(* PrefilterTxFn) (DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t tx_id, const AppLayerTxData *tx_data, const uint8_t flags)

Definition at line 1486 of file detect.h.

◆ RuleMatchCandidateTx

array of TX inspect rule candidates

◆ SCDetectRateFilterFunc

typedef uint8_t(* SCDetectRateFilterFunc) (const Packet *p, uint32_t sid, uint32_t gid, uint32_t rev, uint8_t original_action, uint8_t new_action, void *arg)

Function type for rate filter callback.

This function should return the new action to be applied. If the action is not to be changed, the callback should return the current action provided in the new_action parameter.

Definition at line 915 of file detect.h.

◆ SCDetectRequiresStatus

Definition at line 1 of file detect.h.

◆ SCFPSupportSMList

◆ SigFileLoaderStat

Signature loader statistics.

◆ SigGroupHead

typedef struct SigGroupHead_ SigGroupHead

Container for matching data for a signature group.

◆ SigGroupHeadInitData

◆ SigMatch

typedef struct SigMatch_ SigMatch

a single match condition for a signature

◆ SigMatchCtx

typedef struct SigMatchCtx_ SigMatchCtx

Used to start a pointer to a SigMatch context. Should never be dereferenced without casting to something else.

◆ SigMatchData

typedef struct SigMatchData_ SigMatchData

Data needed for Match()

◆ Signature

typedef struct Signature_ Signature

Signature container.

◆ SignatureHook

typedef struct SignatureHook_ SignatureHook

◆ SignatureInitData

◆ SignatureInitDataBuffer

◆ SignatureNonPrefilterStore

◆ SigString

typedef struct SigString_ SigString

◆ SigTableElmt

typedef struct SigTableElmt_ SigTableElmt

element in sigmatch type table.

◆ TransformData

typedef struct TransformData_ TransformData

◆ TransformIdData

Enumeration Type Documentation

◆ anonymous enum

anonymous enum
Enumerator
ADDRESS_ER 

error e.g. compare ipv4 and ipv6

ADDRESS_LT 

smaller [aaa] [bbb]

ADDRESS_LE 

smaller with overlap [aa[bab]bb]

ADDRESS_EQ 

exactly equal [abababab]

ADDRESS_ES 

within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]]

ADDRESS_EB 

completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]]

ADDRESS_GE 

bigger with overlap [bb[aba]aa]

ADDRESS_GT 

bigger [bbb] [aaa]

Definition at line 151 of file detect.h.

◆ anonymous enum

anonymous enum
Enumerator
PORT_ER 
PORT_LT 
PORT_LE 
PORT_EQ 
PORT_ES 
PORT_EB 
PORT_GE 
PORT_GT 

Definition at line 204 of file detect.h.

◆ anonymous enum

anonymous enum
Enumerator
ENGINE_PROFILE_UNKNOWN 
ENGINE_PROFILE_LOW 
ENGINE_PROFILE_MEDIUM 
ENGINE_PROFILE_HIGH 
ENGINE_PROFILE_CUSTOM 

Definition at line 1150 of file detect.h.

◆ anonymous enum

anonymous enum
Enumerator
ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL 
ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE 
ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO 

Definition at line 1159 of file detect.h.

◆ anonymous enum

anonymous enum
Enumerator
FILE_DECODER_EVENT_NO_MEM 
FILE_DECODER_EVENT_INVALID_SWF_LENGTH 
FILE_DECODER_EVENT_INVALID_SWF_VERSION 
FILE_DECODER_EVENT_Z_DATA_ERROR 
FILE_DECODER_EVENT_Z_STREAM_ERROR 
FILE_DECODER_EVENT_Z_BUF_ERROR 
FILE_DECODER_EVENT_Z_UNKNOWN_ERROR 
FILE_DECODER_EVENT_LZMA_IO_ERROR 
FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR 
FILE_DECODER_EVENT_LZMA_DECODER_ERROR 
FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR 
FILE_DECODER_EVENT_LZMA_XZ_ERROR 
FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR 
DETECT_EVENT_TOO_MANY_BUFFERS 
DETECT_EVENT_POST_MATCH_QUEUE_FAILED 

Definition at line 1429 of file detect.h.

◆ DetectBufferMpmType

Enumerator
DETECT_BUFFER_MPM_TYPE_PKT 
DETECT_BUFFER_MPM_TYPE_APP 
DETECT_BUFFER_MPM_TYPE_FRAME 
DETECT_BUFFER_MPM_TYPE_SIZE 

Definition at line 742 of file detect.h.

◆ DetectEnginePrefilterSetting

Enumerator
DETECT_PREFILTER_MPM 

use only mpm / fast_pattern

DETECT_PREFILTER_AUTO 

use mpm + keyword prefilters

Definition at line 883 of file detect.h.

◆ DetectEngineTenantSelectors

Enumerator
TENANT_SELECTOR_UNKNOWN 

not set

TENANT_SELECTOR_DIRECT 

method provides direct tenant id

TENANT_SELECTOR_VLAN 

map vlan to tenant id

TENANT_SELECTOR_LIVEDEV 

map livedev to tenant id

Definition at line 1646 of file detect.h.

◆ DetectEngineType

Enumerator
DETECT_ENGINE_TYPE_NORMAL 
DETECT_ENGINE_TYPE_DD_STUB 
DETECT_ENGINE_TYPE_MT_STUB 
DETECT_ENGINE_TYPE_TENANT 

Definition at line 889 of file detect.h.

◆ DetectSigmatchListEnum

Enumerator
DETECT_SM_LIST_MATCH 
DETECT_SM_LIST_PMATCH 
DETECT_SM_LIST_BASE64_DATA 
DETECT_SM_LIST_POSTMATCH 
DETECT_SM_LIST_TMATCH 

post-detection tagging

DETECT_SM_LIST_SUPPRESS 
DETECT_SM_LIST_THRESHOLD 
DETECT_SM_LIST_MAX 
DETECT_SM_LIST_DYNAMIC_START 

Definition at line 115 of file detect.h.

◆ FirewallTable

Enumerator
FIREWALL_TABLE_PACKET_FILTER 
FIREWALL_TABLE_PACKET_TD 
FIREWALL_TABLE_APP_FILTER 
FIREWALL_TABLE_APP_TD 

Definition at line 551 of file detect.h.

◆ MpmBuiltinBuffers

Enumerator
MPMB_TCP_PKT_TS 
MPMB_TCP_PKT_TC 
MPMB_TCP_STREAM_TS 
MPMB_TCP_STREAM_TC 
MPMB_UDP_TS 
MPMB_UDP_TC 
MPMB_OTHERIP 
MPMB_MAX 

Definition at line 1457 of file detect.h.

◆ SignatureHookPkt

Enumerator
SIGNATURE_HOOK_PKT_NOT_SET 
SIGNATURE_HOOK_PKT_FLOW_START 
SIGNATURE_HOOK_PKT_ALL 

match each packet

Definition at line 539 of file detect.h.

◆ SignatureHookType

Enumerator
SIGNATURE_HOOK_TYPE_NOT_SET 
SIGNATURE_HOOK_TYPE_PKT 
SIGNATURE_HOOK_TYPE_APP 

Definition at line 545 of file detect.h.

◆ SignaturePropertyFlowAction

Enumerator
SIG_PROP_FLOW_ACTION_PACKET 
SIG_PROP_FLOW_ACTION_FLOW 
SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL 

Definition at line 83 of file detect.h.

◆ SignatureType

Enumerator
SIG_TYPE_NOT_SET 
SIG_TYPE_IPONLY 
SIG_TYPE_LIKE_IPONLY 
SIG_TYPE_PDONLY 

Proto detect only signature. Inspected once per direction when protocol detection is done.

SIG_TYPE_DEONLY 
SIG_TYPE_PKT 
SIG_TYPE_PKT_STREAM 
SIG_TYPE_STREAM 
SIG_TYPE_APPLAYER 
SIG_TYPE_APP_TX 
SIG_TYPE_MAX 

Definition at line 64 of file detect.h.

Function Documentation

◆ Detect()

TmEcode Detect ( ThreadVars tv,
Packet p,
void *  data 
)

Detection engine thread wrapper.

Remember to add the options in SignatureIsIPOnly() in detect.c, otherwise it won't be part of a signature group.

Parameters
tv    thread vars
p    packet to inspect
data    thread specific data
pq    packet queue
Return values
TM_ECODE_FAILED    error
TM_ECODE_OK    ok

Definition at line 2270 of file detect.c.

◆ DetectEngineSetEvent()

void DetectEngineSetEvent ( DetectEngineThreadCtx det_ctx,
uint8_t  e 
)

◆ DetectFlowbitsAnalyze()

◆ DetectGetInnerTx()

void* DetectGetInnerTx ( void *  tx_ptr,
AppProto  alproto,
AppProto  engine_alproto,
uint8_t  flow_flags 
)

Definition at line 1103 of file detect.c.

References ALPROTO_DNS, ALPROTO_DOH2, ALPROTO_HTTP2, ALPROTO_UNKNOWN, and unlikely.

Referenced by AlertJsonDoh2(), and DetectRunPrefilterTx().


◆ DetectLoadCompleteSigPath()

char* DetectLoadCompleteSigPath ( const DetectEngineCtx de_ctx,
const char *  sig_file 
)

Create the path if default-rule-path was specified.

Parameters
sig_file    The name of the file
Return values
str    Pointer to the string path + sig_file

Definition at line 106 of file detect-engine-loader.c.

◆ DetectMetadataHashFree()

void DetectMetadataHashFree ( DetectEngineCtx de_ctx)

Definition at line 80 of file detect-metadata.c.

References de_ctx, HashTableFree(), and DetectEngineCtx_::metadata_table.


◆ DetectMetadataHashInit()

int DetectMetadataHashInit ( DetectEngineCtx de_ctx)

◆ DetectRegisterThreadCtxFuncs()

int DetectRegisterThreadCtxFuncs ( DetectEngineCtx de_ctx,
const char *  name,
void *(*)(void *)  InitFunc,
void *  data,
void(*)(void *)  FreeFunc,
int  mode 
)

Register Thread keyword context Funcs.

Parameters
de_ctx    detection engine to register in
name    keyword name for error printing
InitFunc    function ptr
data    keyword init data to pass to Func. Can be NULL.
FreeFunc    function ptr
mode    0 normal (ctx per keyword instance), 1 shared (one ctx per det_ctx)
Return values
id    for retrieval of ctx at runtime
-1    on error
Note
make sure "data" remains valid and is freed elsewhere. It's recommended to store it in the keyword's global ctx so that it is freed when the de_ctx is freed.

Definition at line 3634 of file detect-engine.c.

References BUG_ON, de_ctx, HashListTableInit(), and DetectEngineCtx_::keyword_hash.


◆ DetectThreadCtxGetKeywordThreadCtx()

void* DetectThreadCtxGetKeywordThreadCtx ( DetectEngineThreadCtx det_ctx,
int  id 
)

Retrieve thread local keyword ctx by id.

Parameters
det_ctx    detection engine thread ctx to retrieve the ctx from
id    id of the ctx returned by DetectRegisterThreadCtxInitFunc at keyword init.
Return values
ctx    or NULL on error

Definition at line 3704 of file detect-engine.c.

References id, DetectEngineThreadCtx_::keyword_ctxs_array, and DetectEngineThreadCtx_::keyword_ctxs_size.

Referenced by DetectLuaMatchBuffer(), and DetectPcrePayloadMatch().


◆ DetectUnregisterThreadCtxFuncs()

int DetectUnregisterThreadCtxFuncs ( DetectEngineCtx de_ctx,
void *  data,
const char *  name 
)

Remove Thread keyword context registration.

Parameters
de_ctx    detection engine to deregister from
det_ctx    detection engine thread context to deregister from
data    keyword init data to pass to Func. Can be NULL.
name    keyword name for error printing
Return values
1    Item unregistered
0    otherwise
Note
make sure "data" remains valid and is freed elsewhere. It's recommended to store it in the keyword's global ctx so that it is freed when the de_ctx is freed.

Definition at line 3686 of file detect-engine.c.

References DetectEngineThreadKeywordCtxItem_::data, de_ctx, HashListTableRemove(), DetectEngineCtx_::keyword_hash, and name.


◆ DisableDetectFlowFileFlags()

void DisableDetectFlowFileFlags ( Flow f)

Disable file features we don't need. Called if we have no detection engine.

Definition at line 2339 of file detect.c.

◆ DumpPatterns()

◆ RuleMatchCandidateTxArrayFree()

void RuleMatchCandidateTxArrayFree ( DetectEngineThreadCtx det_ctx)

◆ RuleMatchCandidateTxArrayInit()

void RuleMatchCandidateTxArrayInit ( DetectEngineThreadCtx det_ctx,
uint32_t  size 
)

◆ SCDetectEngineRegisterRateFilterCallback()

void SCDetectEngineRegisterRateFilterCallback ( SCDetectRateFilterFunc  cb,
void *  arg 
)

Register a callback when a rate_filter has been applied to an alert.

This callback is added to the current detection engine and will be copied to all future detection engines over rule reloads.

Definition at line 5027 of file detect-engine.c.

References de_ctx, DetectEngineDeReference(), DetectEngineGetCurrent(), DetectEngineCtx_::rate_filter_callback_arg, and DetectEngineCtx_::RateFilterCallback.

Referenced by main().


◆ SigFindSignatureBySidGid()

Signature* SigFindSignatureBySidGid ( DetectEngineCtx de_ctx,
uint32_t  sid,
uint32_t  gid 
)

Find a specific signature by sid and gid.

Parameters
de_ctx    detection engine ctx
sid    the signature id
gid    the signature group id
Return values
s    sig found
NULL    sig not found

Definition at line 79 of file detect-engine-build.c.

References de_ctx, Signature_::next, and DetectEngineCtx_::sig_list.

◆ SigLoadSignatures()

int SigLoadSignatures ( DetectEngineCtx de_ctx,
char *  sig_file,
bool  sig_file_exclusive 
)

Load signatures.

Parameters
de_ctx    Pointer to the detection engine context
sig_file    Filename (or pattern) holding signatures
sig_file_exclusive    File passed in 'sig_file' should be loaded exclusively.
Return values
-1    on error

Definition at line 375 of file detect-engine-loader.c.

References DetectEngineCtx_::config_prefix, de_ctx, RUNMODE_ENGINE_ANALYSIS, SCEnter, SCRunmodeGet(), SetupEngineAnalysis(), and DetectEngineCtx_::sig_stat.


◆ SigMatchAlloc()

SigMatch* SigMatchAlloc ( void  )

Definition at line 274 of file detect-parse.c.

References SigMatch_::next, SigMatch_::prev, SCCalloc, and unlikely.

◆ SigMatchFree()

void SigMatchFree ( DetectEngineCtx de_ctx,
SigMatch sm 
)

free a SigMatch

Parameters
sm    SigMatch to free.

Frees the ctx as well; for that the keyword's Free func is called.

Definition at line 288 of file detect-parse.c.

References SigMatch_::ctx, de_ctx, SigTableElmt_::Free, SCFree, sigmatch_table, and SigMatch_::type.

Referenced by DetectIPProtoRemoveAllSMs(), and SigFree().


◆ SigMatchSignatures()

void SigMatchSignatures ( ThreadVars th_v,
DetectEngineCtx de_ctx,
DetectEngineThreadCtx det_ctx,
Packet p 
)

wrapper for old tests

Definition at line 2349 of file detect.c.

References Packet_::flow.

Referenced by UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().


◆ SigMatchSignaturesGetSgh()

const SigGroupHead* SigMatchSignaturesGetSgh ( const DetectEngineCtx de_ctx,
const Packet p 
)

Get the SigGroupHead for a packet.

Parameters
de_ctx    detection engine context
p    packet
Return values
sgh    the SigGroupHead, or NULL if none applies to the packet

Definition at line 232 of file detect.c.

References PacketEngineEvents_::cnt, de_ctx, DetectEngineCtx_::decoder_event_sgh, Packet_::events, Packet_::proto, SCEnter, and SCReturnPtr.

◆ SignatureIsIPOnly()

int SignatureIsIPOnly ( DetectEngineCtx de_ctx,
const Signature s 
)

Test if an initialized signature is IP only.

Parameters
de_ctx    detection engine ctx
s    the signature
Return values
1    sig is ip only
2    sig is like ip only
0    sig is not ip only

Definition at line 209 of file detect-engine-build.c.

References Signature_::alproto, ALPROTO_UNKNOWN, DETECT_SM_LIST_PMATCH, Signature_::flags, SignatureInitData_::hook, Signature_::init_data, SIG_FLAG_APPLAYER, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SIGNATURE_HOOK_TYPE_NOT_SET, SignatureInitData_::smlists, and SignatureHook_::type.

◆ SigRegisterTests()

void SigRegisterTests ( void  )

Definition at line 4960 of file detect.c.

References IPOnlyRegisterTests(), SigParseRegisterTests(), and UtRegisterTest().


Variable Documentation

◆ sigmatch_table

SigTableElmt* sigmatch_table

Definition at line 79 of file detect-parse.c.

Referenced by DetectAckRegister(), DetectAppLayerEventRegister(), DetectAppLayerMpmRegisterByParentId(), DetectAppLayerProtocolRegister(), DetectAppLayerStateRegister(), DetectAsn1Register(), DetectBase64DataRegister(), DetectBase64DecodeRegister(), DetectBsizeRegister(), DetectBypassRegister(), DetectByteExtractRegister(), DetectBytejumpRegister(), DetectBytemathRegister(), DetectBytetestRegister(), DetectClasstypeRegister(), DetectConfigRegister(), DetectContentRegister(), DetectCsumRegister(), DetectDatarepRegister(), DetectDatasetRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDepthRegister(), DetectDetectionFilterRegister(), DetectDistanceRegister(), DetectDnsResponseRegister(), DetectDsizeRegister(), DetectEngineAppInspectionEngineSignatureFree(), DetectEngineBufferTypeValidateTransform(), DetectEngineContentModifierBufferSetup(), DetectEngineEventRegister(), DetectEngineInspectGenericList(), DetectEntropyRegister(), DetectFastPatternRegister(), DetectFiledataRegister(), DetectFilemagicRegister(), DetectFileMd5Register(), DetectFilenameRegister(), DetectFileSha1Register(), DetectFileSha256Register(), DetectFilesizeRegister(), DetectFilestoreRegister(), DetectFlagsRegister(), DetectFlowAgeRegister(), DetectFlowbitsRegister(), DetectFlowBytesRegister(), DetectFlowBytesToClientRegister(), DetectFlowBytesToServerRegister(), DetectFlowintRegister(), DetectFlowPktsRegister(), DetectFlowPktsToClientRegister(), DetectFlowPktsToServerRegister(), DetectFlowRegister(), DetectFlowvarRegister(), DetectFragBitsRegister(), DetectFragOffsetRegister(), DetectFrameRegister(), DetectFtpbounceRegister(), DetectFtpCommandDataRegister(), DetectFtpCommandRegister(), DetectFtpCompletionCodeRegister(), DetectFtpdataRegister(), DetectFtpDynamicPortRegister(), DetectFtpModeRegister(), DetectFtpReplyReceivedRegister(), DetectFtpReplyRegister(), DetectGeoipRegister(), DetectGidRegister(), DetectHostbitsRegister(), DetectHttp2Register(), 
DetectHttpClientBodyRegister(), DetectHttpCookieRegister(), DetectHttpHeaderNamesRegister(), DetectHttpHeaderRegister(), DetectHttpHHRegister(), DetectHttpMethodRegister(), DetectHttpProtocolRegister(), DetectHttpRawHeaderRegister(), DetectHttpRequestHeaderRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseHeaderRegister(), DetectHttpResponseLineRegister(), DetectHttpServerBodyRegister(), DetectHttpStartRegister(), DetectHttpStatCodeRegister(), DetectHttpStatMsgRegister(), DetectHttpUARegister(), DetectHttpUriRegister(), DetectIcmpIdRegister(), DetectIcmpSeqRegister(), DetectIcmpv4HdrRegister(), DetectICMPv6hdrRegister(), DetectICMPv6mtuRegister(), DetectICodeRegister(), DetectIdRegister(), DetectIkeChosenSaRegister(), DetectIkeExchTypeRegister(), DetectIkeKeyExchangePayloadLengthRegister(), DetectIkeKeyExchangeRegister(), DetectIkeNoncePayloadLengthRegister(), DetectIkeNonceRegister(), DetectIkeSpiRegister(), DetectIkeVendorRegister(), DetectIPAddrBufferRegister(), DetectIpOptsRegister(), DetectIPProtoRegister(), DetectIPRepRegister(), DetectIpv4hdrRegister(), DetectIpv6hdrRegister(), DetectIsdataatRegister(), DetectITypeRegister(), DetectJa4HashRegister(), DetectKrb5CNameRegister(), DetectKrb5ErrCodeRegister(), DetectKrb5MsgTypeRegister(), DetectKrb5SNameRegister(), DetectKrb5TicketEncryptionRegister(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectMarkRegister(), DetectMetadataRegister(), DetectModbusRegister(), DetectMsgRegister(), DetectNfsProcedureRegister(), DetectNfsVersionRegister(), DetectNoalertRegister(), DetectNocaseRegister(), DetectOffsetRegister(), DetectPcreRegister(), DetectPktDataRegister(), DetectPktvarRegister(), DetectPrefilterRegister(), DetectPriorityRegister(), DetectQuicCyuHashRegister(), DetectQuicCyuStringRegister(), DetectQuicSniRegister(), DetectQuicUaRegister(), DetectQuicVersionRegister(), DetectRawbytesRegister(), DetectReferenceRegister(), DetectReplaceRegister(), DetectRequiresRegister(), DetectRevRegister(), 
DetectRpcRegister(), DetectSameipRegister(), DetectSeqRegister(), DetectSidRegister(), DetectSipMethodRegister(), DetectSipUriRegister(), DetectSmbNamedPipeRegister(), DetectSmbNtlmsspDomainRegister(), DetectSmbNtlmsspUserRegister(), DetectSmbShareRegister(), DetectSmbVersionRegister(), DetectSshHasshRegister(), DetectSshHasshServerRegister(), DetectSshHasshServerStringRegister(), DetectSshHasshStringRegister(), DetectSshProtocolRegister(), DetectSshSoftwareRegister(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslStateRegister(), DetectSslVersionRegister(), DetectStreamSizeRegister(), DetectTagRegister(), DetectTargetRegister(), DetectTcphdrRegister(), DetectTcpmssRegister(), DetectTemplate2Register(), DetectTemplateRegister(), DetectThresholdRegister(), DetectTlsAlpnRegister(), DetectTlsCertChainLenRegister(), DetectTlsCertsRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3SHashRegister(), DetectTlsJa3SStringRegister(), DetectTlsJa3StringRegister(), DetectTlsRandomBytesRegister(), DetectTlsRandomRegister(), DetectTlsRandomTimeRegister(), DetectTlsRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), DetectTlsSubjectAltNameRegister(), DetectTlsSubjectRegister(), DetectTlsValidityRegister(), DetectTlsVersionRegister(), DetectTosRegister(), DetectTransformFromBase64DecodeRegister(), DetectTransformLuaxformRegister(), DetectTransformPcrexformRegister(), DetectTtlRegister(), DetectUdphdrRegister(), DetectUricontentRegister(), DetectUrilenRegister(), DetectVlanIdRegister(), DetectVlanLayersRegister(), DetectWindowRegister(), DetectWithinRegister(), DetectXbitsRegister(), EngineAnalysisFP(), EngineAnalysisRules2(), PrefilterSetupRuleGroup(), SCDetectHelperKeywordAliasRegister(), SCDetectHelperKeywordRegister(), SCDetectHelperKeywordSetCleanCString(), SCDetectHelperNewKeywordId(), SCDetectHelperTransformRegister(), SigFree(), SigMatchFree(), SigMatchStrictEnabled(), 
SigTableApplyStrictCommandLineOption(), SigTableCleanup(), SigTableHasKeyword(), SigTableInit(), SigTableList(), and SigTableRegisterTests().

◆ signature_properties

const struct SignatureProperties signature_properties[SIG_TYPE_MAX]

Definition at line 110 of file detect-engine.c.

Referenced by EngineAnalysisRules2().