suricata
detect.h File Reference
#include "suricata-common.h"
#include "flow.h"
#include "app-layer-events.h"
#include "detect-engine-proto.h"
#include "detect-reference.h"
#include "detect-metadata.h"
#include "detect-engine-register.h"
#include "util-prefilter.h"
#include "util-mpm.h"
#include "util-spm.h"
#include "util-hash.h"
#include "util-hashlist.h"
#include "util-radix-tree.h"
#include "util-file.h"
#include "reputation.h"
#include "detect-threshold.h"


Data Structures

struct  DetectAddress_
 address structure for use in the detection engine. More...
 
struct  DetectAddressHead_
 
struct  DetectMatchAddressIPv4_
 
struct  DetectMatchAddressIPv6_
 
struct  DetectPort_
 Port structure for detection engine. More...
 
struct  IPOnlyCIDRItem_
 
struct  SigMatchCtx_
 Used to start a pointer to a SigMatch context; it must never be dereferenced without first casting it to the concrete per-keyword context type. More...
 
struct  SigMatch_
 a single match condition for a signature More...
 
struct  SigMatchData_
 Data needed for Match() More...
 
struct  InspectionBuffer
 
struct  InspectionBufferMultipleForList
 
struct  TransformData_
 
struct  DetectEngineTransforms
 
struct  DetectEngineAppInspectionEngine_
 
struct  DetectBufferType_
 
struct  DetectEnginePktInspectionEngine
 
struct  DetectEngineFrameInspectionEngine
 
struct  SignatureInitData_
 
struct  Signature_
 Signature container. More...
 
struct  DetectBufferMpmRegistery_
 one time registration of keywords at start up More...
 
struct  DetectPatternTracker
 
struct  DetectReplaceList_
 
struct  DetectVarList_
 
struct  SCFPSupportSMList_
 
struct  DetectEngineIPOnlyThreadCtx_
 
struct  DetectEngineIPOnlyCtx_
 IP only rules matching ctx. More...
 
struct  DetectEngineLookupFlow_
 
struct  ThresholdCtx_
 threshold ctx More...
 
struct  SigString_
 
struct  SigFileLoaderStat_
 Signature loader statistics. More...
 
struct  DetectEngineThreadKeywordCtxItem_
 
struct  DetectEngineCtx_
 main detection engine ctx More...
 
struct  SignatureNonPrefilterStore_
 
struct  RuleMatchCandidateTx
 
struct  DetectEngineThreadCtx_
 
struct  SigTableElmt_
 element in sigmatch type table. More...
 
struct  MpmStore_
 
struct  PrefilterEngineList_
 
struct  PrefilterEngine_
 
struct  SigGroupHeadInitData_
 
struct  SigGroupHead_
 Container for matching data for a signature group. More...
 
struct  DetectEngineTenantMapping_
 
struct  DetectEngineMasterCtx_
 

Macros

#define DETECT_MAX_RULE_SIZE   8192
 
#define DETECT_TRANSFORMS_MAX   16
 
#define DETECT_DEFAULT_PRIO   3
 
#define DETECT_SM_LIST_NOTSET   INT_MAX
 
#define ADDRESS_FLAG_NOT   0x01
 
#define PORT_FLAG_ANY   0x01
 
#define PORT_FLAG_NOT   0x02
 
#define PORT_SIGGROUPHEAD_COPY   0x04
 
#define SIG_FLAG_SRC_ANY   BIT_U32(0)
 
#define SIG_FLAG_DST_ANY   BIT_U32(1)
 
#define SIG_FLAG_SP_ANY   BIT_U32(2)
 
#define SIG_FLAG_DP_ANY   BIT_U32(3)
 
#define SIG_FLAG_NOALERT   BIT_U32(4)
 
#define SIG_FLAG_DSIZE   BIT_U32(5)
 
#define SIG_FLAG_APPLAYER   BIT_U32(6)
 
#define SIG_FLAG_IPONLY   BIT_U32(7)
 
#define SIG_FLAG_LIKE_IPONLY   BIT_U32(8)
 
#define SIG_FLAG_REQUIRE_PACKET   BIT_U32(9)
 
#define SIG_FLAG_REQUIRE_STREAM   BIT_U32(10)
 
#define SIG_FLAG_MPM_NEG   BIT_U32(11)
 
#define SIG_FLAG_FLUSH   BIT_U32(12)
 
#define SIG_FLAG_REQUIRE_FLOWVAR   BIT_U32(17)
 
#define SIG_FLAG_FILESTORE   BIT_U32(18)
 
#define SIG_FLAG_TOSERVER   BIT_U32(19)
 
#define SIG_FLAG_TOCLIENT   BIT_U32(20)
 
#define SIG_FLAG_TLSSTORE   BIT_U32(21)
 
#define SIG_FLAG_BYPASS   BIT_U32(22)
 
#define SIG_FLAG_PREFILTER   BIT_U32(23)
 
#define SIG_FLAG_PDONLY   BIT_U32(24)
 
#define SIG_FLAG_SRC_IS_TARGET   BIT_U32(25)
 
#define SIG_FLAG_DEST_IS_TARGET   BIT_U32(26)
 
#define SIG_FLAG_HAS_TARGET   (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET)
 
#define SIG_FLAG_INIT_DEONLY   BIT_U32(0)
 
#define SIG_FLAG_INIT_PACKET   BIT_U32(1)
 
#define SIG_FLAG_INIT_FLOW   BIT_U32(2)
 
#define SIG_FLAG_INIT_BIDIREC   BIT_U32(3)
 
#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN   BIT_U32(4) /** < signature has seen the first ip_proto keyword */
 
#define SIG_FLAG_INIT_HAS_TRANSFORM   BIT_U32(5)
 
#define SIG_FLAG_INIT_STATE_MATCH   BIT_U32(6)
 
#define SIG_FLAG_INIT_NEED_FLUSH   BIT_U32(7)
 
#define SIG_FLAG_INIT_PRIO_EXPLICT   BIT_U32(8)
 
#define SIG_FLAG_INIT_FILEDATA   BIT_U32(9)
 
#define SIG_FLAG_INIT_JA3   BIT_U32(10)
 
#define SIG_MASK_REQUIRE_PAYLOAD   BIT_U8(0)
 
#define SIG_MASK_REQUIRE_FLOW   BIT_U8(1)
 
#define SIG_MASK_REQUIRE_FLAGS_INITDEINIT   BIT_U8(2) /* SYN, FIN, RST */
 
#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL   BIT_U8(3) /* URG, ECN, CWR */
 
#define SIG_MASK_REQUIRE_NO_PAYLOAD   BIT_U8(4)
 
#define SIG_MASK_REQUIRE_DCERPC   BIT_U8(5) /* require either SMB+DCE or raw DCE */
 
#define SIG_MASK_REQUIRE_ENGINE_EVENT   BIT_U8(7)
 
#define SignatureMask   uint8_t
 
#define DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET   0x0001
 
#define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH   0x0004
 
#define FILE_SIG_NEED_FILE   0x01
 
#define FILE_SIG_NEED_FILENAME   0x02
 
#define FILE_SIG_NEED_MAGIC   0x04
 
#define FILE_SIG_NEED_FILECONTENT   0x08
 
#define FILE_SIG_NEED_MD5   0x10
 
#define FILE_SIG_NEED_SHA1   0x20
 
#define FILE_SIG_NEED_SHA256   0x40
 
#define FILE_SIG_NEED_SIZE   0x80
 
#define DE_QUIET   0x01
 
#define sm_lists   init_data->smlists
 
#define sm_lists_tail   init_data->smlists_tail
 
#define DETECT_VAR_TYPE_FLOW_POSTMATCH   1
 
#define DETECT_VAR_TYPE_PKT_POSTMATCH   2
 
#define FLOW_STATES   2
 
#define ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE   (ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO + 1)
 
#define DETECT_FILESTORE_MAX   15
 
#define SIG_GROUP_HEAD_HAVERAWSTREAM   BIT_U32(0)
 
#define SIG_GROUP_HEAD_HAVEFILEMD5   BIT_U32(21)
 
#define SIG_GROUP_HEAD_HAVEFILESIZE   BIT_U32(22)
 
#define SIG_GROUP_HEAD_HAVEFILESHA1   BIT_U32(23)
 
#define SIG_GROUP_HEAD_HAVEFILESHA256   BIT_U32(24)
 
#define SIGMATCH_NOOPT   BIT_U16(0)
 
#define SIGMATCH_IPONLY_COMPAT   BIT_U16(1)
 
#define SIGMATCH_DEONLY_COMPAT   BIT_U16(2)
 
#define SIGMATCH_NOT_BUILT   BIT_U16(3)
 
#define SIGMATCH_OPTIONAL_OPT   BIT_U16(4)
 
#define SIGMATCH_QUOTES_OPTIONAL   BIT_U16(5)
 
#define SIGMATCH_QUOTES_MANDATORY   BIT_U16(6)
 
#define SIGMATCH_HANDLE_NEGATION   BIT_U16(7)
 
#define SIGMATCH_INFO_CONTENT_MODIFIER   BIT_U16(8)
 
#define SIGMATCH_INFO_STICKY_BUFFER   BIT_U16(9)
 
#define SIGMATCH_INFO_DEPRECATED   BIT_U16(10)
 
#define SIGMATCH_STRICT_PARSING   BIT_U16(11)
 

Typedefs

typedef struct DetectAddress_ DetectAddress
 address structure for use in the detection engine. More...
 
typedef struct DetectAddressHead_ DetectAddressHead
 
typedef struct DetectMatchAddressIPv4_ DetectMatchAddressIPv4
 
typedef struct DetectMatchAddressIPv6_ DetectMatchAddressIPv6
 
typedef struct DetectPort_ DetectPort
 Port structure for detection engine. More...
 
typedef struct IPOnlyCIDRItem_ IPOnlyCIDRItem
 
typedef struct SigMatchCtx_ SigMatchCtx
 Used to start a pointer to a SigMatch context; it must never be dereferenced without first casting it to the concrete per-keyword context type. More...
 
typedef struct SigMatch_ SigMatch
 a single match condition for a signature More...
 
typedef struct SigMatchData_ SigMatchData
 Data needed for Match() More...
 
typedef struct InspectionBuffer InspectionBuffer
 
typedef struct InspectionBufferMultipleForList InspectionBufferMultipleForList
 
typedef struct TransformData_ TransformData
 
typedef struct DetectEngineTransforms DetectEngineTransforms
 
typedef InspectionBuffer *(* InspectionBufferGetDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)
 
typedef uint8_t(* InspectEngineFuncPtr2) (struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
 
typedef struct DetectEngineAppInspectionEngine_ DetectEngineAppInspectionEngine
 
typedef struct DetectBufferType_ DetectBufferType
 
typedef int(* InspectionBufferPktInspectFunc) (struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags)
 
typedef InspectionBuffer *(* InspectionBufferGetPktDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)
 
typedef struct DetectEnginePktInspectionEngine DetectEnginePktInspectionEngine
 
typedef int(* InspectionBufferFrameInspectFunc) (struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame)
 
typedef struct DetectEngineFrameInspectionEngine DetectEngineFrameInspectionEngine
 
typedef struct SignatureInitData_ SignatureInitData
 
typedef struct Signature_ Signature
 Signature container. More...
 
typedef struct DetectBufferMpmRegistery_ DetectBufferMpmRegistery
 one time registration of keywords at start up More...
 
typedef struct DetectPatternTracker DetectPatternTracker
 
typedef struct DetectReplaceList_ DetectReplaceList
 
typedef struct DetectVarList_ DetectVarList
 
typedef struct SCFPSupportSMList_ SCFPSupportSMList
 
typedef struct DetectEngineIPOnlyThreadCtx_ DetectEngineIPOnlyThreadCtx
 
typedef struct DetectEngineIPOnlyCtx_ DetectEngineIPOnlyCtx
 IP only rules matching ctx. More...
 
typedef struct DetectEngineLookupFlow_ DetectEngineLookupFlow
 
typedef struct ThresholdCtx_ ThresholdCtx
 threshold ctx More...
 
typedef struct SigString_ SigString
 
typedef struct SigFileLoaderStat_ SigFileLoaderStat
 Signature loader statistics. More...
 
typedef struct DetectEngineThreadKeywordCtxItem_ DetectEngineThreadKeywordCtxItem
 
typedef struct DetectEngineCtx_ DetectEngineCtx
 main detection engine ctx More...
 
typedef struct SignatureNonPrefilterStore_ SignatureNonPrefilterStore
 
typedef struct RuleMatchCandidateTx RuleMatchCandidateTx
 
typedef struct DetectEngineThreadCtx_ DetectEngineThreadCtx
 
typedef struct SigTableElmt_ SigTableElmt
 element in sigmatch type table. More...
 
typedef struct MpmStore_ MpmStore
 
typedef void(* PrefilterFrameFn) (DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, const struct Frames *frames, const struct Frame *frame)
 
typedef struct AppLayerTxData AppLayerTxData
 
typedef void(* PrefilterTxFn) (DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t tx_id, const AppLayerTxData *tx_data, const uint8_t flags)
 
typedef struct PrefilterEngineList_ PrefilterEngineList
 
typedef struct PrefilterEngine_ PrefilterEngine
 
typedef struct SigGroupHeadInitData_ SigGroupHeadInitData
 
typedef struct SigGroupHead_ SigGroupHead
 Container for matching data for a signature group. More...
 
typedef struct DetectEngineTenantMapping_ DetectEngineTenantMapping
 
typedef struct DetectEngineMasterCtx_ DetectEngineMasterCtx
 

Enumerations

enum  DetectSigmatchListEnum {
  DETECT_SM_LIST_MATCH = 0, DETECT_SM_LIST_PMATCH, DETECT_SM_LIST_BASE64_DATA, DETECT_SM_LIST_POSTMATCH,
  DETECT_SM_LIST_TMATCH, DETECT_SM_LIST_SUPPRESS, DETECT_SM_LIST_THRESHOLD, DETECT_SM_LIST_MAX,
  DETECT_SM_LIST_DYNAMIC_START = DETECT_SM_LIST_MAX
}
 
enum  {
  ADDRESS_ER = -1, ADDRESS_LT, ADDRESS_LE, ADDRESS_EQ,
  ADDRESS_ES, ADDRESS_EB, ADDRESS_GE, ADDRESS_GT
}
 
enum  {
  PORT_ER = -1, PORT_LT, PORT_LE, PORT_EQ,
  PORT_ES, PORT_EB, PORT_GE, PORT_GT
}
 
enum  DetectBufferMpmType { DETECT_BUFFER_MPM_TYPE_PKT, DETECT_BUFFER_MPM_TYPE_APP, DETECT_BUFFER_MPM_TYPE_FRAME, DETECT_BUFFER_MPM_TYPE_SIZE }
 
enum  DetectEnginePrefilterSetting { DETECT_PREFILTER_MPM = 0, DETECT_PREFILTER_AUTO = 1 }
 
enum  DetectEngineType { DETECT_ENGINE_TYPE_NORMAL = 0, DETECT_ENGINE_TYPE_DD_STUB = 1, DETECT_ENGINE_TYPE_MT_STUB = 2, DETECT_ENGINE_TYPE_TENANT = 3 }
 
enum  {
  ENGINE_PROFILE_UNKNOWN, ENGINE_PROFILE_LOW, ENGINE_PROFILE_MEDIUM, ENGINE_PROFILE_HIGH,
  ENGINE_PROFILE_CUSTOM, ENGINE_PROFILE_MAX
}
 
enum  { ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL = 0, ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE, ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO }
 
enum  {
  DET_CTX_EVENT_TEST, FILE_DECODER_EVENT_NO_MEM, FILE_DECODER_EVENT_INVALID_SWF_LENGTH, FILE_DECODER_EVENT_INVALID_SWF_VERSION,
  FILE_DECODER_EVENT_Z_DATA_ERROR, FILE_DECODER_EVENT_Z_STREAM_ERROR, FILE_DECODER_EVENT_Z_BUF_ERROR, FILE_DECODER_EVENT_Z_UNKNOWN_ERROR,
  FILE_DECODER_EVENT_LZMA_IO_ERROR, FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR, FILE_DECODER_EVENT_LZMA_DECODER_ERROR, FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR,
  FILE_DECODER_EVENT_LZMA_XZ_ERROR, FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR, DETECT_EVENT_TOO_MANY_BUFFERS
}
 
enum  MpmBuiltinBuffers {
  MPMB_TCP_PKT_TS, MPMB_TCP_PKT_TC, MPMB_TCP_STREAM_TS, MPMB_TCP_STREAM_TC,
  MPMB_UDP_TS, MPMB_UDP_TC, MPMB_OTHERIP, MPMB_MAX
}
 
enum  DetectEngineTenantSelectors { TENANT_SELECTOR_UNKNOWN = 0, TENANT_SELECTOR_DIRECT, TENANT_SELECTOR_VLAN, TENANT_SELECTOR_LIVEDEV }
 

Functions

TmEcode Detect (ThreadVars *tv, Packet *p, void *data)
 Detection engine thread wrapper. More...
 
SigMatch * SigMatchAlloc (void)
 
Signature * SigFindSignatureBySidGid (DetectEngineCtx *, uint32_t, uint32_t)
 Find a specific signature by sid and gid. More...
 
void SigMatchSignaturesBuildMatchArray (DetectEngineThreadCtx *, Packet *, SignatureMask, uint16_t)
 
void SigMatchFree (DetectEngineCtx *, SigMatch *sm)
 free a SigMatch More...
 
void SigRegisterTests (void)
 
void TmModuleDetectRegister (void)
 
void SigAddressPrepareBidirectionals (DetectEngineCtx *)
 
void DisableDetectFlowFileFlags (Flow *f)
 Disable file features we don't need. Called if we have no detection engine. More...
 
char * DetectLoadCompleteSigPath (const DetectEngineCtx *, const char *sig_file)
 Create the path if default-rule-path was specified. More...
 
int SigLoadSignatures (DetectEngineCtx *, char *, int)
 Load signatures. More...
 
void SigMatchSignatures (ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
 wrapper for old tests More...
 
int SignatureIsIPOnly (DetectEngineCtx *de_ctx, const Signature *s)
 Test if an initialized signature is IP only. More...
 
const SigGroupHead * SigMatchSignaturesGetSgh (const DetectEngineCtx *de_ctx, const Packet *p)
 Get the SigGroupHead for a packet. More...
 
Signature * DetectGetTagSignature (void)
 
int DetectUnregisterThreadCtxFuncs (DetectEngineCtx *, void *data, const char *name)
 Remove Thread keyword context registration. More...
 
int DetectRegisterThreadCtxFuncs (DetectEngineCtx *, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int)
 Register Thread keyword context Funcs. More...
 
void * DetectThreadCtxGetKeywordThreadCtx (DetectEngineThreadCtx *, int)
 Retrieve thread local keyword ctx by id. More...
 
void RuleMatchCandidateTxArrayInit (DetectEngineThreadCtx *det_ctx, uint32_t size)
 
void RuleMatchCandidateTxArrayFree (DetectEngineThreadCtx *det_ctx)
 
void AlertQueueInit (DetectEngineThreadCtx *det_ctx)
 
void AlertQueueFree (DetectEngineThreadCtx *det_ctx)
 
void AlertQueueAppend (DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t alert_flags)
 Append signature to local packet alert queue for later preprocessing. More...
 
int DetectFlowbitsAnalyze (DetectEngineCtx *de_ctx)
 
int DetectMetadataHashInit (DetectEngineCtx *de_ctx)
 
void DetectMetadataHashFree (DetectEngineCtx *de_ctx)
 
void DetectEngineSetEvent (DetectEngineThreadCtx *det_ctx, uint8_t e)
 
AppLayerDecoderEvents * DetectEngineGetEvents (DetectEngineThreadCtx *det_ctx)
 
int DetectEngineGetEventInfo (const char *event_name, int *event_id, AppLayerEventType *event_type)
 
void DumpPatterns (DetectEngineCtx *de_ctx)
 

Variables

SigTableElmt sigmatch_table [DETECT_TBLSIZE]
 

Detailed Description

Author
Victor Julien <victor@inliniac.net>

Definition in file detect.h.

Macro Definition Documentation

◆ ADDRESS_FLAG_NOT

#define ADDRESS_FLAG_NOT   0x01

address is negated

Definition at line 125 of file detect.h.

◆ DE_QUIET

#define DE_QUIET   0x01

DE is quiet (esp for unittests)

Definition at line 290 of file detect.h.

◆ DETECT_DEFAULT_PRIO

#define DETECT_DEFAULT_PRIO   3

default rule priority if not set through priority keyword or via classtype.

Definition at line 52 of file detect.h.

◆ DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET

#define DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET   0x0001

Definition at line 277 of file detect.h.

◆ DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH

#define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH   0x0004

Definition at line 278 of file detect.h.

◆ DETECT_FILESTORE_MAX

#define DETECT_FILESTORE_MAX   15

Definition at line 1002 of file detect.h.

◆ DETECT_MAX_RULE_SIZE

#define DETECT_MAX_RULE_SIZE   8192

Definition at line 46 of file detect.h.

◆ DETECT_SM_LIST_NOTSET

#define DETECT_SM_LIST_NOTSET   INT_MAX

Definition at line 107 of file detect.h.

◆ DETECT_TRANSFORMS_MAX

#define DETECT_TRANSFORMS_MAX   16

Definition at line 48 of file detect.h.

◆ DETECT_VAR_TYPE_FLOW_POSTMATCH

#define DETECT_VAR_TYPE_FLOW_POSTMATCH   1

only execute flowvar storage if rule matched

Definition at line 686 of file detect.h.

◆ DETECT_VAR_TYPE_PKT_POSTMATCH

#define DETECT_VAR_TYPE_PKT_POSTMATCH   2

Definition at line 687 of file detect.h.

◆ ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE

#define ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE   (ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO + 1)

Definition at line 999 of file detect.h.

◆ FILE_SIG_NEED_FILE

#define FILE_SIG_NEED_FILE   0x01

Definition at line 280 of file detect.h.

◆ FILE_SIG_NEED_FILECONTENT

#define FILE_SIG_NEED_FILECONTENT   0x08

Definition at line 283 of file detect.h.

◆ FILE_SIG_NEED_FILENAME

#define FILE_SIG_NEED_FILENAME   0x02

Definition at line 281 of file detect.h.

◆ FILE_SIG_NEED_MAGIC

#define FILE_SIG_NEED_MAGIC   0x04

need the start of the file

Definition at line 282 of file detect.h.

◆ FILE_SIG_NEED_MD5

#define FILE_SIG_NEED_MD5   0x10

Definition at line 284 of file detect.h.

◆ FILE_SIG_NEED_SHA1

#define FILE_SIG_NEED_SHA1   0x20

Definition at line 285 of file detect.h.

◆ FILE_SIG_NEED_SHA256

#define FILE_SIG_NEED_SHA256   0x40

Definition at line 286 of file detect.h.

◆ FILE_SIG_NEED_SIZE

#define FILE_SIG_NEED_SIZE   0x80

Definition at line 287 of file detect.h.

◆ FLOW_STATES

#define FLOW_STATES   2

Definition at line 785 of file detect.h.

◆ PORT_FLAG_ANY

#define PORT_FLAG_ANY   0x01

'any' special port

Definition at line 178 of file detect.h.

◆ PORT_FLAG_NOT

#define PORT_FLAG_NOT   0x02

negated port

Definition at line 179 of file detect.h.

◆ PORT_SIGGROUPHEAD_COPY

#define PORT_SIGGROUPHEAD_COPY   0x04

sgh is a ptr copy

Definition at line 180 of file detect.h.

◆ SIG_FLAG_APPLAYER

#define SIG_FLAG_APPLAYER   BIT_U32(6)

signature applies to app layer instead of packets

Definition at line 210 of file detect.h.

◆ SIG_FLAG_BYPASS

#define SIG_FLAG_BYPASS   BIT_U32(22)

Definition at line 236 of file detect.h.

◆ SIG_FLAG_DEST_IS_TARGET

#define SIG_FLAG_DEST_IS_TARGET   BIT_U32(26)

Info for Source and Target identification

Definition at line 246 of file detect.h.

◆ SIG_FLAG_DP_ANY

#define SIG_FLAG_DP_ANY   BIT_U32(3)

destination port is any

Definition at line 206 of file detect.h.

◆ SIG_FLAG_DSIZE

#define SIG_FLAG_DSIZE   BIT_U32(5)

signature has a dsize setting

Definition at line 209 of file detect.h.

◆ SIG_FLAG_DST_ANY

#define SIG_FLAG_DST_ANY   BIT_U32(1)

destination is any

Definition at line 204 of file detect.h.

◆ SIG_FLAG_FILESTORE

#define SIG_FLAG_FILESTORE   BIT_U32(18)

signature has filestore keyword

Definition at line 229 of file detect.h.

◆ SIG_FLAG_FLUSH

#define SIG_FLAG_FLUSH   BIT_U32(12)

detection logic needs stream flush notification

Definition at line 223 of file detect.h.

◆ SIG_FLAG_HAS_TARGET

#define SIG_FLAG_HAS_TARGET   (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET)

Definition at line 248 of file detect.h.

◆ SIG_FLAG_INIT_BIDIREC

#define SIG_FLAG_INIT_BIDIREC   BIT_U32(3)

signature has bidirectional operator

Definition at line 254 of file detect.h.

◆ SIG_FLAG_INIT_DEONLY

#define SIG_FLAG_INIT_DEONLY   BIT_U32(0)

decode event only signature

Definition at line 251 of file detect.h.

◆ SIG_FLAG_INIT_FILEDATA

#define SIG_FLAG_INIT_FILEDATA   BIT_U32(9)

signature has filedata keyword

Definition at line 260 of file detect.h.

◆ SIG_FLAG_INIT_FIRST_IPPROTO_SEEN

#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN   BIT_U32(4) /** < signature has seen the first ip_proto keyword */

Definition at line 255 of file detect.h. Intended meaning (not attached as a description by Doxygen because the trailing comment in the header is written `/** <` with a stray space instead of `/**<`): signature has seen the first ip_proto keyword.

◆ SIG_FLAG_INIT_FLOW

#define SIG_FLAG_INIT_FLOW   BIT_U32(2)

signature has a flow setting

Definition at line 253 of file detect.h.

◆ SIG_FLAG_INIT_HAS_TRANSFORM

#define SIG_FLAG_INIT_HAS_TRANSFORM   BIT_U32(5)

Definition at line 256 of file detect.h.

◆ SIG_FLAG_INIT_JA3

#define SIG_FLAG_INIT_JA3   BIT_U32(10)

signature has ja3 keyword

Definition at line 261 of file detect.h.

◆ SIG_FLAG_INIT_NEED_FLUSH

#define SIG_FLAG_INIT_NEED_FLUSH   BIT_U32(7)

Definition at line 258 of file detect.h.

◆ SIG_FLAG_INIT_PACKET

#define SIG_FLAG_INIT_PACKET   BIT_U32(1)

signature has matches against a packet (as opposed to app layer)

Definition at line 252 of file detect.h.

◆ SIG_FLAG_INIT_PRIO_EXPLICT

#define SIG_FLAG_INIT_PRIO_EXPLICT   BIT_U32(8)

priority is explicitly set by the priority keyword

Definition at line 259 of file detect.h.

◆ SIG_FLAG_INIT_STATE_MATCH

#define SIG_FLAG_INIT_STATE_MATCH   BIT_U32(6)

signature has matches that require stateful inspection

Definition at line 257 of file detect.h.

◆ SIG_FLAG_IPONLY

#define SIG_FLAG_IPONLY   BIT_U32(7)

ip only signature

Definition at line 211 of file detect.h.

◆ SIG_FLAG_LIKE_IPONLY

#define SIG_FLAG_LIKE_IPONLY   BIT_U32(8)

signature that is almost IP only, but contains a negation that prevents some of the IP-only optimizations

Definition at line 214 of file detect.h.

◆ SIG_FLAG_MPM_NEG

#define SIG_FLAG_MPM_NEG   BIT_U32(11)

Definition at line 221 of file detect.h.

◆ SIG_FLAG_NOALERT

#define SIG_FLAG_NOALERT   BIT_U32(4)

no alert flag is set

Definition at line 208 of file detect.h.

◆ SIG_FLAG_PDONLY

#define SIG_FLAG_PDONLY   BIT_U32(24)

Proto detect only signature. Inspected once per direction when protocol detection is done.

Definition at line 242 of file detect.h.

◆ SIG_FLAG_PREFILTER

#define SIG_FLAG_PREFILTER   BIT_U32(23)

sig is part of a prefilter engine

Definition at line 238 of file detect.h.

◆ SIG_FLAG_REQUIRE_FLOWVAR

#define SIG_FLAG_REQUIRE_FLOWVAR   BIT_U32(17)

signature can only match if a flowbit, flowvar or flowint is available.

Definition at line 227 of file detect.h.

◆ SIG_FLAG_REQUIRE_PACKET

#define SIG_FLAG_REQUIRE_PACKET   BIT_U32(9)

signature is requiring packet match

Definition at line 218 of file detect.h.

◆ SIG_FLAG_REQUIRE_STREAM

#define SIG_FLAG_REQUIRE_STREAM   BIT_U32(10)

signature is requiring stream match

Definition at line 219 of file detect.h.

◆ SIG_FLAG_SP_ANY

#define SIG_FLAG_SP_ANY   BIT_U32(2)

source port is any

Definition at line 205 of file detect.h.

◆ SIG_FLAG_SRC_ANY

#define SIG_FLAG_SRC_ANY   BIT_U32(0)
source is any

Note: any addition to the SIG_FLAG_* set should also be added to the rule analyzer, so that its output keeps reflecting the flags the engine actually uses.

Definition at line 203 of file detect.h.

◆ SIG_FLAG_SRC_IS_TARGET

#define SIG_FLAG_SRC_IS_TARGET   BIT_U32(25)

Info for Source and Target identification

Definition at line 244 of file detect.h.

◆ SIG_FLAG_TLSSTORE

#define SIG_FLAG_TLSSTORE   BIT_U32(21)

Definition at line 234 of file detect.h.

◆ SIG_FLAG_TOCLIENT

#define SIG_FLAG_TOCLIENT   BIT_U32(20)

Definition at line 232 of file detect.h.

◆ SIG_FLAG_TOSERVER

#define SIG_FLAG_TOSERVER   BIT_U32(19)

Definition at line 231 of file detect.h.

◆ SIG_GROUP_HEAD_HAVEFILEMD5

#define SIG_GROUP_HEAD_HAVEFILEMD5   BIT_U32(21)

Definition at line 1274 of file detect.h.

◆ SIG_GROUP_HEAD_HAVEFILESHA1

#define SIG_GROUP_HEAD_HAVEFILESHA1   BIT_U32(23)

Definition at line 1276 of file detect.h.

◆ SIG_GROUP_HEAD_HAVEFILESHA256

#define SIG_GROUP_HEAD_HAVEFILESHA256   BIT_U32(24)

Definition at line 1277 of file detect.h.

◆ SIG_GROUP_HEAD_HAVEFILESIZE

#define SIG_GROUP_HEAD_HAVEFILESIZE   BIT_U32(22)

Definition at line 1275 of file detect.h.

◆ SIG_GROUP_HEAD_HAVERAWSTREAM

#define SIG_GROUP_HEAD_HAVERAWSTREAM   BIT_U32(0)

Definition at line 1270 of file detect.h.

◆ SIG_MASK_REQUIRE_DCERPC

#define SIG_MASK_REQUIRE_DCERPC   BIT_U8(5) /* require either SMB+DCE or raw DCE */

Definition at line 270 of file detect.h.

◆ SIG_MASK_REQUIRE_ENGINE_EVENT

#define SIG_MASK_REQUIRE_ENGINE_EVENT   BIT_U8(7)

Definition at line 272 of file detect.h.

◆ SIG_MASK_REQUIRE_FLAGS_INITDEINIT

#define SIG_MASK_REQUIRE_FLAGS_INITDEINIT   BIT_U8(2) /* SYN, FIN, RST */

Definition at line 267 of file detect.h.

◆ SIG_MASK_REQUIRE_FLAGS_UNUSUAL

#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL   BIT_U8(3) /* URG, ECN, CWR */

Definition at line 268 of file detect.h.

◆ SIG_MASK_REQUIRE_FLOW

#define SIG_MASK_REQUIRE_FLOW   BIT_U8(1)

Definition at line 266 of file detect.h.

◆ SIG_MASK_REQUIRE_NO_PAYLOAD

#define SIG_MASK_REQUIRE_NO_PAYLOAD   BIT_U8(4)

Definition at line 269 of file detect.h.

◆ SIG_MASK_REQUIRE_PAYLOAD

#define SIG_MASK_REQUIRE_PAYLOAD   BIT_U8(0)
Note: any addition to the SIG_MASK_* set should also be added to the rule analyzer, so that its output keeps reflecting the masks the engine actually uses.

Definition at line 265 of file detect.h.

◆ SIGMATCH_DEONLY_COMPAT

#define SIGMATCH_DEONLY_COMPAT   BIT_U16(2)

sigmatch is compatible with a decode-event-only rule. (The trailing sentence "Flag to indicate that the signature is not built-in" documents the next flag, SIGMATCH_NOT_BUILT, and was merged into this entry by Doxygen.)

Definition at line 1431 of file detect.h.

◆ SIGMATCH_HANDLE_NEGATION

#define SIGMATCH_HANDLE_NEGATION   BIT_U16(7)

negation parsing is handled by the rule parser. Signature::init_data::negated will be set to true or false prior to calling the keyword parser. Exclamation mark is stripped from the input to the keyword parser.

Definition at line 1446 of file detect.h.

◆ SIGMATCH_INFO_CONTENT_MODIFIER

#define SIGMATCH_INFO_CONTENT_MODIFIER   BIT_U16(8)

keyword is a content modifier

Definition at line 1448 of file detect.h.

◆ SIGMATCH_INFO_DEPRECATED

#define SIGMATCH_INFO_DEPRECATED   BIT_U16(10)

keyword is deprecated: used to suggest an alternative

Definition at line 1452 of file detect.h.

◆ SIGMATCH_INFO_STICKY_BUFFER

#define SIGMATCH_INFO_STICKY_BUFFER   BIT_U16(9)

keyword is a sticky buffer

Definition at line 1450 of file detect.h.

◆ SIGMATCH_IPONLY_COMPAT

#define SIGMATCH_IPONLY_COMPAT   BIT_U16(1)

sigmatch is compatible with a ip only rule

Definition at line 1428 of file detect.h.

◆ SIGMATCH_NOOPT

#define SIGMATCH_NOOPT   BIT_U16(0)

sigmatch has no options, so the parser shouldn't expect any

Definition at line 1426 of file detect.h.

◆ SIGMATCH_NOT_BUILT

#define SIGMATCH_NOT_BUILT   BIT_U16(3)

Definition at line 1432 of file detect.h.

◆ SIGMATCH_OPTIONAL_OPT

#define SIGMATCH_OPTIONAL_OPT   BIT_U16(4)

sigmatch may have options, so the parser should be ready to deal with both cases

Definition at line 1435 of file detect.h.

◆ SIGMATCH_QUOTES_MANDATORY

#define SIGMATCH_QUOTES_MANDATORY   BIT_U16(6)

input MUST be wrapped in double quotes. They will be stripped before input data is passed to keyword parser. Missing double quotes lead to error and signature invalidation.

Definition at line 1442 of file detect.h.

◆ SIGMATCH_QUOTES_OPTIONAL

#define SIGMATCH_QUOTES_OPTIONAL   BIT_U16(5)

input may be wrapped in double quotes. They will be stripped before input data is passed to keyword parser

Definition at line 1438 of file detect.h.

◆ SIGMATCH_STRICT_PARSING

#define SIGMATCH_STRICT_PARSING   BIT_U16(11)

strict parsing is enabled

Definition at line 1454 of file detect.h.

◆ SignatureMask

#define SignatureMask   uint8_t

Definition at line 275 of file detect.h.

◆ sm_lists

#define sm_lists   init_data->smlists

Definition at line 488 of file detect.h.

◆ sm_lists_tail

#define sm_lists_tail   init_data->smlists_tail

Definition at line 489 of file detect.h.

Typedef Documentation

◆ AppLayerTxData

Definition at line 1302 of file detect.h.

◆ DetectAddress

typedef struct DetectAddress_ DetectAddress

address structure for use in the detection engine.

Contains the address information and matching information.

◆ DetectAddressHead

Address grouping head. IPv4 and IPv6 are split out.

◆ DetectBufferMpmRegistery

one time registration of keywords at start up

◆ DetectBufferType

◆ DetectEngineAppInspectionEngine

◆ DetectEngineCtx

main detection engine ctx

◆ DetectEngineFrameInspectionEngine

◆ DetectEngineIPOnlyCtx

IP only rules matching ctx.

◆ DetectEngineIPOnlyThreadCtx

◆ DetectEngineLookupFlow

◆ DetectEngineMasterCtx

◆ DetectEnginePktInspectionEngine

◆ DetectEngineTenantMapping

◆ DetectEngineThreadCtx

Detection engine thread data.

◆ DetectEngineThreadKeywordCtxItem

◆ DetectEngineTransforms

◆ DetectMatchAddressIPv4

◆ DetectMatchAddressIPv6

◆ DetectPatternTracker

◆ DetectPort

typedef struct DetectPort_ DetectPort

Port structure for detection engine.

◆ DetectReplaceList

◆ DetectVarList

typedef struct DetectVarList_ DetectVarList

list for flowvar store candidates, to be stored from post-match function

◆ InspectEngineFuncPtr2

typedef uint8_t(* InspectEngineFuncPtr2) (struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)

Definition at line 387 of file detect.h.

◆ InspectionBuffer

◆ InspectionBufferFrameInspectFunc

typedef int(* InspectionBufferFrameInspectFunc) (struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame)
Parameters
alert_flags [out] for setting PACKET_ALERT_FLAG_* — note: the signature of this typedef as shown above has no alert_flags parameter; this entry appears to be carried over from InspectionBufferPktInspectFunc and should be confirmed against the header.

Definition at line 466 of file detect.h.

◆ InspectionBufferGetDataPtr

typedef InspectionBuffer*(* InspectionBufferGetDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)

callback for getting the buffer we need to prefilter/inspect

Definition at line 380 of file detect.h.

◆ InspectionBufferGetPktDataPtr

typedef InspectionBuffer*(* InspectionBufferGetPktDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)

callback for getting the buffer we need to prefilter/inspect

Definition at line 440 of file detect.h.

◆ InspectionBufferMultipleForList

◆ InspectionBufferPktInspectFunc

typedef int(* InspectionBufferPktInspectFunc) (struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags)
Parameters
alert_flags [out] for setting PACKET_ALERT_FLAG_*

Definition at line 433 of file detect.h.

◆ IPOnlyCIDRItem

◆ MpmStore

typedef struct MpmStore_ MpmStore

◆ PrefilterEngine

◆ PrefilterEngineList

◆ PrefilterFrameFn

typedef void(* PrefilterFrameFn) (DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, const struct Frames *frames, const struct Frame *frame)

Definition at line 1302 of file detect.h.

◆ PrefilterTxFn

typedef void(* PrefilterTxFn) (DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t tx_id, const AppLayerTxData *tx_data, const uint8_t flags)

Definition at line 1306 of file detect.h.

◆ RuleMatchCandidateTx

array of TX inspect rule candidates

◆ SCFPSupportSMList

◆ SigFileLoaderStat

Signature loader statistics.

◆ SigGroupHead

typedef struct SigGroupHead_ SigGroupHead

Container for matching data for a signature group.

◆ SigGroupHeadInitData

◆ SigMatch

typedef struct SigMatch_ SigMatch

a single match condition for a signature

◆ SigMatchCtx

typedef struct SigMatchCtx_ SigMatchCtx

Used to start a pointer to SigMatch context Should never be dereferenced without casting to something else.

◆ SigMatchData

typedef struct SigMatchData_ SigMatchData

Data needed for Match()

◆ Signature

typedef struct Signature_ Signature

Signature container.

◆ SignatureInitData

◆ SignatureNonPrefilterStore

◆ SigString

typedef struct SigString_ SigString

◆ SigTableElmt

typedef struct SigTableElmt_ SigTableElmt

element in sigmatch type table.

◆ ThresholdCtx

typedef struct ThresholdCtx_ ThresholdCtx

threshold ctx

◆ TransformData

typedef struct TransformData_ TransformData

Enumeration Type Documentation

◆ anonymous enum

anonymous enum
Enumerator
ADDRESS_ER 

error e.g. compare ipv4 and ipv6

ADDRESS_LT 

smaller [aaa] [bbb]

ADDRESS_LE 

smaller with overlap [aa[bab]bb]

ADDRESS_EQ 

exactly equal [abababab]

ADDRESS_ES 

within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]]

ADDRESS_EB 

completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]]

ADDRESS_GE 

bigger with overlap [bb[aba]aa]

ADDRESS_GT 

bigger [bbb] [aaa]

Definition at line 113 of file detect.h.

◆ anonymous enum

anonymous enum
Enumerator
PORT_ER 
PORT_LT 
PORT_LE 
PORT_EQ 
PORT_ES 
PORT_EB 
PORT_GE 
PORT_GT 

Definition at line 166 of file detect.h.

◆ anonymous enum

anonymous enum
Enumerator
ENGINE_PROFILE_UNKNOWN 
ENGINE_PROFILE_LOW 
ENGINE_PROFILE_MEDIUM 
ENGINE_PROFILE_HIGH 
ENGINE_PROFILE_CUSTOM 
ENGINE_PROFILE_MAX 

Definition at line 984 of file detect.h.

◆ anonymous enum

anonymous enum
Enumerator
ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL 
ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE 
ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO 

Definition at line 994 of file detect.h.

◆ anonymous enum

anonymous enum
Enumerator
DET_CTX_EVENT_TEST 
FILE_DECODER_EVENT_NO_MEM 
FILE_DECODER_EVENT_INVALID_SWF_LENGTH 
FILE_DECODER_EVENT_INVALID_SWF_VERSION 
FILE_DECODER_EVENT_Z_DATA_ERROR 
FILE_DECODER_EVENT_Z_STREAM_ERROR 
FILE_DECODER_EVENT_Z_BUF_ERROR 
FILE_DECODER_EVENT_Z_UNKNOWN_ERROR 
FILE_DECODER_EVENT_LZMA_IO_ERROR 
FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR 
FILE_DECODER_EVENT_LZMA_DECODER_ERROR 
FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR 
FILE_DECODER_EVENT_LZMA_XZ_ERROR 
FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR 
DETECT_EVENT_TOO_MANY_BUFFERS 

Definition at line 1248 of file detect.h.

◆ DetectBufferMpmType

Enumerator
DETECT_BUFFER_MPM_TYPE_PKT 
DETECT_BUFFER_MPM_TYPE_APP 
DETECT_BUFFER_MPM_TYPE_FRAME 
DETECT_BUFFER_MPM_TYPE_SIZE 

Definition at line 619 of file detect.h.

◆ DetectEnginePrefilterSetting

Enumerator
DETECT_PREFILTER_MPM 

use only mpm / fast_pattern

DETECT_PREFILTER_AUTO 

use mpm + keyword prefilters

Definition at line 766 of file detect.h.

◆ DetectEngineTenantSelectors

Enumerator
TENANT_SELECTOR_UNKNOWN 

not set

TENANT_SELECTOR_DIRECT 

method provides direct tenant id

TENANT_SELECTOR_VLAN 

map vlan to tenant id

TENANT_SELECTOR_LIVEDEV 

map livedev to tenant id

Definition at line 1455 of file detect.h.

◆ DetectEngineType

Enumerator
DETECT_ENGINE_TYPE_NORMAL 
DETECT_ENGINE_TYPE_DD_STUB 
DETECT_ENGINE_TYPE_MT_STUB 
DETECT_ENGINE_TYPE_TENANT 

Definition at line 772 of file detect.h.

◆ DetectSigmatchListEnum

Enumerator
DETECT_SM_LIST_MATCH 
DETECT_SM_LIST_PMATCH 
DETECT_SM_LIST_BASE64_DATA 
DETECT_SM_LIST_POSTMATCH 
DETECT_SM_LIST_TMATCH 

post-detection tagging

DETECT_SM_LIST_SUPPRESS 
DETECT_SM_LIST_THRESHOLD 
DETECT_SM_LIST_MAX 
DETECT_SM_LIST_DYNAMIC_START 

Definition at line 77 of file detect.h.

◆ MpmBuiltinBuffers

Enumerator
MPMB_TCP_PKT_TS 
MPMB_TCP_PKT_TC 
MPMB_TCP_STREAM_TS 
MPMB_TCP_STREAM_TC 
MPMB_UDP_TS 
MPMB_UDP_TC 
MPMB_OTHERIP 
MPMB_MAX 

Definition at line 1278 of file detect.h.

Function Documentation

◆ AlertQueueAppend()

void AlertQueueAppend ( DetectEngineThreadCtx det_ctx,
const Signature s,
Packet p,
uint64_t  tx_id,
uint8_t  alert_flags 
)

Append signature to local packet alert queue for later preprocessing.

Definition at line 283 of file detect-engine-alert.c.

References PacketAlert_::action, Signature_::action, ACTION_DROP, Packet_::alerts, and PacketAlerts_::drop.

◆ AlertQueueFree()

void AlertQueueFree ( DetectEngineThreadCtx det_ctx)

◆ AlertQueueInit()

◆ Detect()

TmEcode Detect ( ThreadVars tv,
Packet p,
void *  data 
)

Detection engine thread wrapper.

Remember to add the options in SignatureIsIPOnly() in detect.c, otherwise the signature won't be part of a signature group.

Parameters
tv — thread vars
p — packet to inspect
data — thread specific data
pq — packet queue (documented here but not present in the signature shown above; this parameter entry appears to be stale)
Return values
TM_ECODE_FAILED — error
TM_ECODE_OK — ok

Definition at line 1741 of file detect.c.

◆ DetectEngineGetEventInfo()

int DetectEngineGetEventInfo ( const char *  event_name,
int *  event_id,
AppLayerEventType event_type 
)

Definition at line 4671 of file detect-engine.c.

References APP_LAYER_EVENT_TYPE_TRANSACTION, det_ctx_event_table, SCLogError, and SCMapEnumNameToValue().


◆ DetectEngineGetEvents()

AppLayerDecoderEvents* DetectEngineGetEvents ( DetectEngineThreadCtx det_ctx)

Definition at line 4666 of file detect-engine.c.

References DetectEngineThreadCtx_::decoder_events.

◆ DetectEngineSetEvent()

void DetectEngineSetEvent ( DetectEngineThreadCtx det_ctx,
uint8_t  e 
)

Definition at line 4660 of file detect-engine.c.

References AppLayerDecoderEventsSetEventRaw(), DetectEngineThreadCtx_::decoder_events, and DetectEngineThreadCtx_::events.

Referenced by FileSwfDecompression(), FileSwfLzmaDecompression(), FileSwfZlibDecompression(), and InspectionBufferMultipleForListGet().


◆ DetectFlowbitsAnalyze()

◆ DetectGetTagSignature()

Signature* DetectGetTagSignature ( void  )

◆ DetectLoadCompleteSigPath()

char* DetectLoadCompleteSigPath ( const DetectEngineCtx de_ctx,
const char *  sig_file 
)

Create the path if default-rule-path was specified.

Parameters
sig_file — the name of the file
Return values
str — pointer to the string "path + sig_file" (SCMalloc/SCStrdup are referenced below, so the result is presumably heap-allocated and owned by the caller; SCLogError is also referenced, so a NULL return on error is likely — confirm in detect-engine-loader.c)

Definition at line 61 of file detect-engine-loader.c.

References ConfGetNode(), DetectEngineCtx_::config_prefix, de_ctx, ConfNode_::final, PathIsRelative(), SCLogDebug, SCLogError, SCMalloc, SCStrdup, strlcat(), strlcpy(), unlikely, and ConfNode_::val.


◆ DetectMetadataHashFree()

void DetectMetadataHashFree ( DetectEngineCtx de_ctx)

Definition at line 80 of file detect-metadata.c.

References de_ctx, HashTableFree(), and DetectEngineCtx_::metadata_table.


◆ DetectMetadataHashInit()

int DetectMetadataHashInit ( DetectEngineCtx de_ctx)

◆ DetectRegisterThreadCtxFuncs()

int DetectRegisterThreadCtxFuncs ( DetectEngineCtx de_ctx,
const char *  name,
void *(*)(void *)  InitFunc,
void *  data,
void(*)(void *)  FreeFunc,
int  mode 
)

Register Thread keyword context Funcs.

Parameters
de_ctx — detection engine to register in
name — keyword name, used for error printing
InitFunc — function ptr
data — keyword init data passed to InitFunc. Can be NULL.
FreeFunc — function ptr
mode — 0: normal (one ctx per keyword instance); 1: shared (one ctx per det_ctx)
Return values
id — for retrieval of the ctx at runtime
-1 — on error
Note
"data" appears to be kept by reference rather than copied: make sure it remains valid for the lifetime of the registration and is freed elsewhere — freeing it early would leave the registration holding a dangling pointer. It's recommended to store it in the keyword's global ctx so that it's freed when the de_ctx is freed.

Definition at line 3444 of file detect-engine.c.

References BUG_ON, de_ctx, HashListTableInit(), and DetectEngineCtx_::keyword_hash.


◆ DetectThreadCtxGetKeywordThreadCtx()

void* DetectThreadCtxGetKeywordThreadCtx ( DetectEngineThreadCtx det_ctx,
int  id 
)

Retrieve thread local keyword ctx by id.

Parameters
det_ctx — detection engine thread ctx to retrieve the ctx from
id — id of the ctx, as returned by DetectRegisterThreadCtxFuncs() at keyword init
Return values
ctx — or NULL on error (presumably including an id outside the registered range; keyword_ctxs_size is referenced below — confirm)

Definition at line 3514 of file detect-engine.c.

References DetectEngineThreadCtx_::keyword_ctxs_array, and DetectEngineThreadCtx_::keyword_ctxs_size.

Referenced by DetectPcrePayloadMatch().


◆ DetectUnregisterThreadCtxFuncs()

int DetectUnregisterThreadCtxFuncs ( DetectEngineCtx de_ctx,
void *  data,
const char *  name 
)

Remove Thread keyword context registration.

Parameters
de_ctx — detection engine to deregister from
det_ctx — detection engine thread context (documented here but not present in the signature shown above; this parameter entry appears to be stale)
data — keyword init data that was passed at registration. Can be NULL.
name — keyword name, used for error printing
Return values
1 — item unregistered
0 — otherwise
Note
make sure "data" remains valid and is freed elsewhere. It's recommended to store it in the keyword's global ctx so that it's freed when the de_ctx is freed.

Definition at line 3496 of file detect-engine.c.

References DetectEngineThreadKeywordCtxItem_::data, de_ctx, HashListTableRemove(), and DetectEngineCtx_::keyword_hash.


◆ DisableDetectFlowFileFlags()

void DisableDetectFlowFileFlags ( Flow f)

Disable file features we don't need. Called if we have no detection engine.

Definition at line 1799 of file detect.c.

◆ DumpPatterns()

◆ RuleMatchCandidateTxArrayFree()

void RuleMatchCandidateTxArrayFree ( DetectEngineThreadCtx det_ctx)

◆ RuleMatchCandidateTxArrayInit()

void RuleMatchCandidateTxArrayInit ( DetectEngineThreadCtx det_ctx,
uint32_t  size 
)

◆ SigAddressPrepareBidirectionals()

void SigAddressPrepareBidirectionals ( DetectEngineCtx )

◆ SigFindSignatureBySidGid()

Signature* SigFindSignatureBySidGid ( DetectEngineCtx de_ctx,
uint32_t  sid,
uint32_t  gid 
)

Find a specific signature by sid and gid.

Parameters
de_ctx — detection engine ctx
sid — the signature id
gid — the signature group id
Return values
s — sig found
NULL — sig not found

Definition at line 70 of file detect-engine-build.c.

References de_ctx, Signature_::next, and DetectEngineCtx_::sig_list.

◆ SigLoadSignatures()

int SigLoadSignatures ( DetectEngineCtx de_ctx,
char *  sig_file,
int  sig_file_exclusive 
)

Load signatures.

Parameters
de_ctx — pointer to the detection engine context
sig_file — filename (or pattern) holding signatures
sig_file_exclusive — when set, the file passed in 'sig_file' is loaded exclusively
Return values
-1 — on error (the success return value is not documented here)

Definition at line 285 of file detect-engine-loader.c.

References DetectEngineCtx_::config_prefix, de_ctx, RUNMODE_ENGINE_ANALYSIS, RunmodeGetCurrent(), SCEnter, and DetectEngineCtx_::sig_stat.


◆ SigMatchAlloc()

SigMatch* SigMatchAlloc ( void  )

Definition at line 241 of file detect-parse.c.

References SigMatch_::next, SigMatch_::prev, SCMalloc, and unlikely.

Referenced by DetectContentSetup(), and DetectFlowvarPostMatchSetup().


◆ SigMatchFree()

void SigMatchFree ( DetectEngineCtx de_ctx,
SigMatch sm 
)

free a SigMatch

Parameters
sm — SigMatch to free.

Also frees the SigMatch's ctx, by calling the keyword's Free func (sigmatch_table entry selected by SigMatch type, per the references below).

Definition at line 256 of file detect-parse.c.

References SigMatch_::ctx, de_ctx, SigTableElmt_::Free, SCFree, sigmatch_table, and SigMatch_::type.

Referenced by DetectIPProtoRemoveAllSMs(), and SigFree().


◆ SigMatchSignatures()

void SigMatchSignatures ( ThreadVars th_v,
DetectEngineCtx de_ctx,
DetectEngineThreadCtx det_ctx,
Packet p 
)

wrapper for old tests

Definition at line 1809 of file detect.c.

References Packet_::flow.

Referenced by UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().


◆ SigMatchSignaturesBuildMatchArray()

void SigMatchSignaturesBuildMatchArray ( DetectEngineThreadCtx ,
Packet ,
SignatureMask  ,
uint16_t   
)

◆ SigMatchSignaturesGetSgh()

const SigGroupHead* SigMatchSignaturesGetSgh ( const DetectEngineCtx de_ctx,
const Packet p 
)

Get the SigGroupHead for a packet.

Parameters
de_ctx — detection engine context
p — packet
Return values
sgh — the SigGroupHead, or NULL if none applies to the packet

Definition at line 201 of file detect.c.

References PacketEngineEvents_::cnt, de_ctx, DetectEngineCtx_::decoder_event_sgh, Packet_::events, FLOW_PKT_TOCLIENT, Packet_::flowflags, IP_GET_IPPROTO, PKT_IS_IPV4, PKT_IS_IPV6, proto, Packet_::proto, SCEnter, and SCReturnPtr.

◆ SignatureIsIPOnly()

◆ SigRegisterTests()

void SigRegisterTests ( void  )

Definition at line 5153 of file detect.c.

References IPOnlyRegisterTests(), SigParseRegisterTests(), and UtRegisterTest().


◆ TmModuleDetectRegister()

void TmModuleDetectRegister ( void  )

Variable Documentation

◆ sigmatch_table

SigTableElmt sigmatch_table[DETECT_TBLSIZE]

Definition at line 76 of file detect-parse.c.

Referenced by DetectAckRegister(), DetectAppLayerEventRegister(), DetectAppLayerMpmRegisterByParentId(), DetectAppLayerProtocolRegister(), DetectAsn1Register(), DetectBase64DataRegister(), DetectBase64DecodeRegister(), DetectBsizeRegister(), DetectBypassRegister(), DetectByteExtractRegister(), DetectBytejumpRegister(), DetectBytemathRegister(), DetectBytetestRegister(), DetectCipServiceRegister(), DetectClasstypeRegister(), DetectConfigRegister(), DetectContentRegister(), DetectCsumRegister(), DetectDatarepRegister(), DetectDatasetRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDepthRegister(), DetectDetectionFilterRegister(), DetectDHCPLeaseTimeRegister(), DetectDHCPRebindingTimeRegister(), DetectDHCPRenewalTimeRegister(), DetectDistanceRegister(), DetectDnsOpcodeRegister(), DetectDnsQueryRegister(), DetectDsizeRegister(), DetectEngineAppInspectionEngineSignatureFree(), DetectEngineBufferTypeValidateTransform(), DetectEngineContentModifierBufferSetup(), DetectEngineEventRegister(), DetectEngineInspectGenericList(), DetectEnipCommandRegister(), DetectFastPatternRegister(), DetectFiledataRegister(), DetectFileextRegister(), DetectFilemagicRegister(), DetectFileMd5Register(), DetectFilenameRegister(), DetectFileSha1Register(), DetectFileSha256Register(), DetectFilesizeRegister(), DetectFilestoreRegister(), DetectFlagsRegister(), DetectFlowAgeRegister(), DetectFlowbitsRegister(), DetectFlowintRegister(), DetectFlowRegister(), DetectFlowvarRegister(), DetectFragBitsRegister(), DetectFragOffsetRegister(), DetectFrameRegister(), DetectFtpbounceRegister(), DetectFtpdataRegister(), DetectGeoipRegister(), DetectGidRegister(), DetectHostbitsRegister(), DetectHttp2Register(), DetectHttpClientBodyRegister(), DetectHttpCookieRegister(), DetectHttpHeaderNamesRegister(), DetectHttpHeaderRegister(), DetectHttpHHRegister(), DetectHttpMethodRegister(), DetectHttpProtocolRegister(), DetectHttpRawHeaderRegister(), 
DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectHttpServerBodyRegister(), DetectHttpStartRegister(), DetectHttpStatCodeRegister(), DetectHttpStatMsgRegister(), DetectHttpUARegister(), DetectHttpUriRegister(), DetectIcmpIdRegister(), DetectIcmpSeqRegister(), DetectIcmpv4HdrRegister(), DetectICMPv6hdrRegister(), DetectICMPv6mtuRegister(), DetectICodeRegister(), DetectIdRegister(), DetectIkeChosenSaRegister(), DetectIkeExchTypeRegister(), DetectIkeKeyExchangePayloadLengthRegister(), DetectIkeKeyExchangeRegister(), DetectIkeNoncePayloadLengthRegister(), DetectIkeNonceRegister(), DetectIkeSpiRegister(), DetectIkeVendorRegister(), DetectIPAddrBufferRegister(), DetectIpOptsRegister(), DetectIPProtoRegister(), DetectIPRepRegister(), DetectIpv4hdrRegister(), DetectIpv6hdrRegister(), DetectIsdataatRegister(), DetectITypeRegister(), DetectKrb5CNameRegister(), DetectKrb5ErrCodeRegister(), DetectKrb5MsgTypeRegister(), DetectKrb5SNameRegister(), DetectKrb5TicketEncryptionRegister(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectMarkRegister(), DetectMetadataRegister(), DetectModbusRegister(), DetectMQTTConnackSessionPresentRegister(), DetectMQTTConnectClientIDRegister(), DetectMQTTConnectFlagsRegister(), DetectMQTTConnectPasswordRegister(), DetectMQTTConnectUsernameRegister(), DetectMQTTConnectWillMessageRegister(), DetectMQTTConnectWillTopicRegister(), DetectMQTTFlagsRegister(), DetectMQTTProtocolVersionRegister(), DetectMQTTPublishMessageRegister(), DetectMQTTPublishTopicRegister(), DetectMQTTQosRegister(), DetectMQTTReasonCodeRegister(), DetectMQTTSubscribeTopicRegister(), DetectMQTTTypeRegister(), DetectMQTTUnsubscribeTopicRegister(), DetectMsgRegister(), DetectNfsProcedureRegister(), DetectNfsVersionRegister(), DetectNoalertRegister(), DetectNocaseRegister(), DetectOffsetRegister(), DetectPcreRegister(), DetectPktDataRegister(), DetectPktvarRegister(), DetectPrefilterRegister(), DetectPriorityRegister(), DetectQuicCyuHashRegister(), 
DetectQuicCyuStringRegister(), DetectQuicSniRegister(), DetectQuicUaRegister(), DetectQuicVersionRegister(), DetectRawbytesRegister(), DetectReferenceRegister(), DetectReplaceRegister(), DetectRevRegister(), DetectRfbNameRegister(), DetectRfbSecresultRegister(), DetectRfbSectypeRegister(), DetectRpcRegister(), DetectSameipRegister(), DetectSeqRegister(), DetectSidRegister(), DetectSipMethodRegister(), DetectSipProtocolRegister(), DetectSipRequestLineRegister(), DetectSipResponseLineRegister(), DetectSipStatCodeRegister(), DetectSipStatMsgRegister(), DetectSipUriRegister(), DetectSmbNamedPipeRegister(), DetectSmbNtlmsspDomainRegister(), DetectSmbNtlmsspUserRegister(), DetectSmbShareRegister(), DetectSNMPCommunityRegister(), DetectSNMPPduTypeRegister(), DetectSNMPUsmRegister(), DetectSNMPVersionRegister(), DetectSshHasshRegister(), DetectSshHasshServerRegister(), DetectSshHasshServerStringRegister(), DetectSshHasshStringRegister(), DetectSshProtocolRegister(), DetectSshSoftwareRegister(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslStateRegister(), DetectSslVersionRegister(), DetectStreamSizeRegister(), DetectTagRegister(), DetectTargetRegister(), DetectTcphdrRegister(), DetectTcpmssRegister(), DetectTemplate2Register(), DetectTemplateRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTlsCertChainLenRegister(), DetectTlsCertsRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3SHashRegister(), DetectTlsJa3SStringRegister(), DetectTlsJa3StringRegister(), DetectTlsRandomBytesRegister(), DetectTlsRandomRegister(), DetectTlsRandomTimeRegister(), DetectTlsRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), DetectTlsSubjectRegister(), DetectTlsValidityRegister(), DetectTlsVersionRegister(), DetectTosRegister(), DetectTransformCompressWhitespaceRegister(), DetectTransformDotPrefixRegister(), DetectTransformMd5Register(), 
DetectTransformPcrexformRegister(), DetectTransformSha1Register(), DetectTransformSha256Register(), DetectTransformStripWhitespaceRegister(), DetectTransformUrlDecodeRegister(), DetectTransformXorRegister(), DetectTtlRegister(), DetectUdphdrRegister(), DetectUricontentRegister(), DetectUrilenRegister(), DetectWindowRegister(), DetectWithinRegister(), DetectXbitsRegister(), EngineAnalysisRules2(), InspectionBufferApplyTransforms(), PrefilterSetupRuleGroup(), SigFree(), SigMatchFree(), SigMatchStrictEnabled(), SignatureIsIPOnly(), SigTableApplyStrictCommandlineOption(), SigTableList(), SigTableRegisterTests(), and SigTableSetup().