detect.h File Reference
#include "suricata-common.h"
#include "flow.h"
#include "detect-engine-proto.h"
#include "detect-reference.h"
#include "detect-metadata.h"
#include "detect-engine-register.h"
#include "packet-queue.h"
#include "util-prefilter.h"
#include "util-mpm.h"
#include "util-spm.h"
#include "util-hash.h"
#include "util-hashlist.h"
#include "util-debug.h"
#include "util-error.h"
#include "util-radix-tree.h"
#include "util-file.h"
#include "reputation.h"
#include "detect-mark.h"
#include "stream.h"
#include "util-var-name.h"
#include "app-layer-events.h"
#include "detect-threshold.h"
#include "detect-engine-build.h"


Data Structures

struct  DetectAddress_
 address structure for use in the detection engine. More...
 
struct  DetectAddressHead_
 
struct  DetectMatchAddressIPv4_
 
struct  DetectMatchAddressIPv6_
 
struct  DetectPort_
 Port structure for detection engine. More...
 
struct  IPOnlyCIDRItem_
 
struct  SigMatchCtx_
 Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something else. More...
 
struct  SigMatch_
 a single match condition for a signature More...
 
struct  SigMatchData_
 Data needed for Match() More...
 
struct  InspectionBuffer
 
struct  InspectionBufferMultipleForList
 
struct  DetectEngineTransforms
 
struct  DetectEngineAppInspectionEngine_
 
struct  DetectBufferType_
 
struct  SignatureInitData_
 
struct  Signature_
 Signature container. More...
 
struct  DetectMpmAppLayerRegistery_
 one time registration of keywords at start up More...
 
struct  DetectMpmAppLayerKeyword_
 structure for storing per detect engine mpm keyword settings More...
 
struct  DetectReplaceList_
 
struct  DetectVarList_
 
struct  DetectEngineIPOnlyThreadCtx_
 
struct  DetectEngineIPOnlyCtx_
 IP only rules matching ctx. More...
 
struct  DetectEngineLookupFlow_
 
struct  ThresholdCtx_
 threshold ctx More...
 
struct  SigString_
 
struct  SigFileLoaderStat_
 Signature loader statistics. More...
 
struct  DetectEngineThreadKeywordCtxItem_
 
struct  DetectEngineCtx_
 main detection engine ctx More...
 
struct  HttpReassembledBody_
 
struct  SignatureNonPrefilterStore_
 
struct  RuleMatchCandidateTx
 
struct  DetectEngineThreadCtx_
 
struct  SigTableElmt_
 element in sigmatch type table. More...
 
struct  MpmStore_
 
struct  PrefilterEngineList_
 
struct  PrefilterEngine_
 
struct  SigGroupHeadInitData_
 
struct  SigGroupHead_
 Container for matching data for a signature group. More...
 
struct  DetectEngineTenantMapping_
 
struct  DetectEngineMasterCtx_
 

Macros

#define DETECT_MAX_RULE_SIZE   8192
 
#define DETECT_TRANSFORMS_MAX   16
 
#define DETECT_SM_LIST_NOTSET   INT_MAX
 
#define ADDRESS_FLAG_NOT   0x01
 
#define PORT_FLAG_ANY   0x01
 
#define PORT_FLAG_NOT   0x02
 
#define PORT_SIGGROUPHEAD_COPY   0x04
 
#define SIG_FLAG_SRC_ANY   BIT_U32(0)
 
#define SIG_FLAG_DST_ANY   BIT_U32(1)
 
#define SIG_FLAG_SP_ANY   BIT_U32(2)
 
#define SIG_FLAG_DP_ANY   BIT_U32(3)
 
#define SIG_FLAG_NOALERT   BIT_U32(4)
 
#define SIG_FLAG_DSIZE   BIT_U32(5)
 
#define SIG_FLAG_APPLAYER   BIT_U32(6)
 
#define SIG_FLAG_IPONLY   BIT_U32(7)
 
#define SIG_FLAG_REQUIRE_PACKET   BIT_U32(9)
 
#define SIG_FLAG_REQUIRE_STREAM   BIT_U32(10)
 
#define SIG_FLAG_MPM_NEG   BIT_U32(11)
 
#define SIG_FLAG_FLUSH   BIT_U32(12)
 
#define SIG_FLAG_REQUIRE_FLOWVAR   BIT_U32(17)
 
#define SIG_FLAG_FILESTORE   BIT_U32(18)
 
#define SIG_FLAG_TOSERVER   BIT_U32(19)
 
#define SIG_FLAG_TOCLIENT   BIT_U32(20)
 
#define SIG_FLAG_TLSSTORE   BIT_U32(21)
 
#define SIG_FLAG_BYPASS   BIT_U32(22)
 
#define SIG_FLAG_PREFILTER   BIT_U32(23)
 
#define SIG_FLAG_PDONLY   BIT_U32(24)
 
#define SIG_FLAG_SRC_IS_TARGET   BIT_U32(25)
 
#define SIG_FLAG_DEST_IS_TARGET   BIT_U32(26)
 
#define SIG_FLAG_HAS_TARGET   (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET)
 
#define SIG_FLAG_INIT_DEONLY   (1<<0)
 
#define SIG_FLAG_INIT_PACKET   (1<<1)
 
#define SIG_FLAG_INIT_FLOW   (1<<2)
 
#define SIG_FLAG_INIT_BIDIREC   (1<<3)
 
#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN   (1<<4) /** < signature has seen the first ip_proto keyword */
 
#define SIG_FLAG_INIT_HAS_TRANSFORM   (1<<5)
 
#define SIG_FLAG_INIT_STATE_MATCH   (1<<6)
 
#define SIG_FLAG_INIT_NEED_FLUSH   (1<<7)
 
#define SIG_MASK_REQUIRE_PAYLOAD   BIT_U8(0)
 
#define SIG_MASK_REQUIRE_FLOW   BIT_U8(1)
 
#define SIG_MASK_REQUIRE_FLAGS_INITDEINIT   BIT_U8(2) /* SYN, FIN, RST */
 
#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL   BIT_U8(3) /* URG, ECN, CWR */
 
#define SIG_MASK_REQUIRE_NO_PAYLOAD   BIT_U8(4)
 
#define SIG_MASK_REQUIRE_DCERPC   BIT_U8(5) /* require either SMB+DCE or raw DCE */
 
#define SIG_MASK_REQUIRE_ENGINE_EVENT   BIT_U8(7)
 
#define SignatureMask   uint8_t
 
#define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH   0x0004
 
#define FILE_SIG_NEED_FILE   0x01
 
#define FILE_SIG_NEED_FILENAME   0x02
 
#define FILE_SIG_NEED_MAGIC   0x04
 
#define FILE_SIG_NEED_FILECONTENT   0x08
 
#define FILE_SIG_NEED_MD5   0x10
 
#define FILE_SIG_NEED_SHA1   0x20
 
#define FILE_SIG_NEED_SHA256   0x40
 
#define FILE_SIG_NEED_SIZE   0x80
 
#define DE_QUIET   0x01
 
#define sm_lists   init_data->smlists
 
#define sm_lists_tail   init_data->smlists_tail
 
#define DETECT_VAR_TYPE_FLOW_POSTMATCH   1
 
#define DETECT_VAR_TYPE_PKT_POSTMATCH   2
 
#define FLOW_STATES   2
 
#define DETECT_FILESTORE_MAX   15
 
#define SIG_GROUP_HEAD_HAVERAWSTREAM   BIT_U32(0)
 
#define SIG_GROUP_HEAD_HAVEFILEMD5   BIT_U32(21)
 
#define SIG_GROUP_HEAD_HAVEFILESIZE   BIT_U32(22)
 
#define SIG_GROUP_HEAD_HAVEFILESHA1   BIT_U32(23)
 
#define SIG_GROUP_HEAD_HAVEFILESHA256   BIT_U32(24)
 
#define SIGMATCH_NOOPT   BIT_U16(0)
 
#define SIGMATCH_IPONLY_COMPAT   BIT_U16(1)
 
#define SIGMATCH_DEONLY_COMPAT   BIT_U16(2)
 
#define SIGMATCH_NOT_BUILT   BIT_U16(3)
 
#define SIGMATCH_OPTIONAL_OPT   BIT_U16(4)
 
#define SIGMATCH_QUOTES_OPTIONAL   BIT_U16(5)
 
#define SIGMATCH_QUOTES_MANDATORY   BIT_U16(6)
 
#define SIGMATCH_HANDLE_NEGATION   BIT_U16(7)
 
#define SIGMATCH_INFO_CONTENT_MODIFIER   BIT_U16(8)
 
#define SIGMATCH_INFO_STICKY_BUFFER   BIT_U16(9)
 

Typedefs

typedef struct DetectAddress_ DetectAddress
 address structure for use in the detection engine. More...
 
typedef struct DetectAddressHead_ DetectAddressHead
 
typedef struct DetectMatchAddressIPv4_ DetectMatchAddressIPv4
 
typedef struct DetectMatchAddressIPv6_ DetectMatchAddressIPv6
 
typedef struct DetectPort_ DetectPort
 Port structure for detection engine. More...
 
typedef struct IPOnlyCIDRItem_ IPOnlyCIDRItem
 
typedef struct SigMatchCtx_ SigMatchCtx
 Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something else. More...
 
typedef struct SigMatch_ SigMatch
 a single match condition for a signature More...
 
typedef struct SigMatchData_ SigMatchData
 Data needed for Match() More...
 
typedef struct InspectionBuffer InspectionBuffer
 
typedef struct InspectionBufferMultipleForList InspectionBufferMultipleForList
 
typedef struct DetectEngineTransforms DetectEngineTransforms
 
typedef InspectionBuffer *(* InspectionBufferGetDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)
 
typedef int(* InspectEngineFuncPtr) (ThreadVars *tv, struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct Signature_ *sig, const SigMatchData *smd, Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
 
typedef int(* InspectEngineFuncPtr2) (struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
 
typedef struct DetectEngineAppInspectionEngine_ DetectEngineAppInspectionEngine
 
typedef struct DetectBufferType_ DetectBufferType
 
typedef struct SignatureInitData_ SignatureInitData
 
typedef struct Signature_ Signature
 Signature container. More...
 
typedef struct DetectMpmAppLayerRegistery_ DetectMpmAppLayerRegistery
 one time registration of keywords at start up More...
 
typedef struct DetectMpmAppLayerKeyword_ DetectMpmAppLayerKeyword
 structure for storing per detect engine mpm keyword settings More...
 
typedef struct DetectReplaceList_ DetectReplaceList
 
typedef struct DetectVarList_ DetectVarList
 
typedef struct DetectEngineIPOnlyThreadCtx_ DetectEngineIPOnlyThreadCtx
 
typedef struct DetectEngineIPOnlyCtx_ DetectEngineIPOnlyCtx
 IP only rules matching ctx. More...
 
typedef struct DetectEngineLookupFlow_ DetectEngineLookupFlow
 
typedef struct ThresholdCtx_ ThresholdCtx
 threshold ctx More...
 
typedef struct SigString_ SigString
 
typedef struct SigFileLoaderStat_ SigFileLoaderStat
 Signature loader statistics. More...
 
typedef struct DetectEngineThreadKeywordCtxItem_ DetectEngineThreadKeywordCtxItem
 
typedef struct DetectEngineCtx_ DetectEngineCtx
 main detection engine ctx More...
 
typedef struct HttpReassembledBody_ HttpReassembledBody
 
typedef struct SignatureNonPrefilterStore_ SignatureNonPrefilterStore
 
typedef struct RuleMatchCandidateTx RuleMatchCandidateTx
 
typedef struct DetectEngineThreadCtx_ DetectEngineThreadCtx
 
typedef struct SigTableElmt_ SigTableElmt
 element in sigmatch type table. More...
 
typedef struct MpmStore_ MpmStore
 
typedef struct PrefilterEngineList_ PrefilterEngineList
 
typedef struct PrefilterEngine_ PrefilterEngine
 
typedef struct SigGroupHeadInitData_ SigGroupHeadInitData
 
typedef struct SigGroupHead_ SigGroupHead
 Container for matching data for a signature group. More...
 
typedef struct DetectEngineTenantMapping_ DetectEngineTenantMapping
 
typedef struct DetectEngineMasterCtx_ DetectEngineMasterCtx
 

Enumerations

enum  DetectSigmatchListEnum {
  DETECT_SM_LIST_MATCH = 0, DETECT_SM_LIST_PMATCH, DETECT_SM_LIST_BASE64_DATA, DETECT_SM_LIST_POSTMATCH,
  DETECT_SM_LIST_TMATCH, DETECT_SM_LIST_SUPPRESS, DETECT_SM_LIST_THRESHOLD, DETECT_SM_LIST_MAX,
  DETECT_SM_LIST_DYNAMIC_START = DETECT_SM_LIST_MAX
}
 
enum  {
  ADDRESS_ER = -1, ADDRESS_LT, ADDRESS_LE, ADDRESS_EQ,
  ADDRESS_ES, ADDRESS_EB, ADDRESS_GE, ADDRESS_GT
}
 
enum  {
  PORT_ER = -1, PORT_LT, PORT_LE, PORT_EQ,
  PORT_ES, PORT_EB, PORT_GE, PORT_GT
}
 
enum  DetectEnginePrefilterSetting { DETECT_PREFILTER_MPM = 0, DETECT_PREFILTER_AUTO = 1 }
 
enum  DetectEngineType { DETECT_ENGINE_TYPE_NORMAL = 0, DETECT_ENGINE_TYPE_DD_STUB = 1, DETECT_ENGINE_TYPE_MT_STUB = 2, DETECT_ENGINE_TYPE_TENANT = 3 }
 
enum  {
  ENGINE_PROFILE_UNKNOWN, ENGINE_PROFILE_LOW, ENGINE_PROFILE_MEDIUM, ENGINE_PROFILE_HIGH,
  ENGINE_PROFILE_CUSTOM, ENGINE_PROFILE_MAX
}
 
enum  { ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL, ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE, ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO }
 
enum  {
  DET_CTX_EVENT_TEST, FILE_DECODER_EVENT_NO_MEM, FILE_DECODER_EVENT_INVALID_SWF_LENGTH, FILE_DECODER_EVENT_INVALID_SWF_VERSION,
  FILE_DECODER_EVENT_Z_DATA_ERROR, FILE_DECODER_EVENT_Z_STREAM_ERROR, FILE_DECODER_EVENT_Z_BUF_ERROR, FILE_DECODER_EVENT_Z_UNKNOWN_ERROR,
  FILE_DECODER_EVENT_LZMA_DECODER_ERROR, FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR, FILE_DECODER_EVENT_LZMA_OPTIONS_ERROR, FILE_DECODER_EVENT_LZMA_FORMAT_ERROR,
  FILE_DECODER_EVENT_LZMA_DATA_ERROR, FILE_DECODER_EVENT_LZMA_BUF_ERROR, FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR
}
 
enum  MpmBuiltinBuffers {
  MPMB_TCP_PKT_TS, MPMB_TCP_PKT_TC, MPMB_TCP_STREAM_TS, MPMB_TCP_STREAM_TC,
  MPMB_UDP_TS, MPMB_UDP_TC, MPMB_OTHERIP, MPMB_MAX
}
 
enum  DetectEngineTenantSelectors { TENANT_SELECTOR_UNKNOWN = 0, TENANT_SELECTOR_DIRECT, TENANT_SELECTOR_VLAN, TENANT_SELECTOR_LIVEDEV }
 

Functions

TmEcode Detect (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
 Detection engine thread wrapper. More...
 
SigMatch * SigMatchAlloc (void)
 
Signature * SigFindSignatureBySidGid (DetectEngineCtx *, uint32_t, uint32_t)
 Find a specific signature by sid and gid. More...
 
void SigMatchSignaturesBuildMatchArray (DetectEngineThreadCtx *, Packet *, SignatureMask, uint16_t)
 
void SigMatchFree (SigMatch *sm)
 free a SigMatch More...
 
void SigRegisterTests (void)
 
void TmModuleDetectRegister (void)
 
void SigAddressPrepareBidirectionals (DetectEngineCtx *)
 
void DisableDetectFlowFileFlags (Flow *f)
 Disable file features we don't need. Called if we have no detection engine. More...
 
char * DetectLoadCompleteSigPath (const DetectEngineCtx *, const char *sig_file)
 Create the path if default-rule-path was specified. More...
 
int SigLoadSignatures (DetectEngineCtx *, char *, int)
 Load signatures. More...
 
void SigMatchSignatures (ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
 wrapper for old tests More...
 
int SignatureIsIPOnly (DetectEngineCtx *de_ctx, const Signature *s)
 Test if an initialized signature is IP only. More...
 
const SigGroupHead * SigMatchSignaturesGetSgh (const DetectEngineCtx *de_ctx, const Packet *p)
 Get the SigGroupHead for a packet. More...
 
Signature * DetectGetTagSignature (void)
 
int DetectRegisterThreadCtxFuncs (DetectEngineCtx *, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int)
 Register Thread keyword context Funcs. More...
 
void * DetectThreadCtxGetKeywordThreadCtx (DetectEngineThreadCtx *, int)
 Retrieve thread local keyword ctx by id. More...
 
void DetectSignatureApplyActions (Packet *p, const Signature *s, const uint8_t)
 Apply action(s) and set 'drop' sig info, if applicable. More...
 
void RuleMatchCandidateTxArrayInit (DetectEngineThreadCtx *det_ctx, uint32_t size)
 
void RuleMatchCandidateTxArrayFree (DetectEngineThreadCtx *det_ctx)
 
void DetectFlowbitsAnalyze (DetectEngineCtx *de_ctx)
 
int DetectMetadataHashInit (DetectEngineCtx *de_ctx)
 
void DetectMetadataHashFree (DetectEngineCtx *de_ctx)
 
void DetectEngineSetEvent (DetectEngineThreadCtx *det_ctx, uint8_t e)
 
AppLayerDecoderEvents * DetectEngineGetEvents (DetectEngineThreadCtx *det_ctx)
 
int DetectEngineGetEventInfo (const char *event_name, int *event_id, AppLayerEventType *event_type)
 

Variables

SigTableElmt sigmatch_table [DETECT_TBLSIZE]
 

Detailed Description

Author
Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Definition in file detect.h.

Macro Definition Documentation

#define ADDRESS_FLAG_NOT   0x01

address is negated

Definition at line 136 of file detect.h.

Referenced by DetectAddressParseString().

#define DE_QUIET   0x01

DE is quiet (esp for unittests)

Definition at line 296 of file detect.h.

Referenced by ActionInitConfig(), AlertFastLogInitCtx(), DetectAckRegister(), DetectAppLayerProtocolRegister(), DetectBase64DataDoMatch(), DetectBypassRegister(), DetectByteExtractRetrieveSMVar(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDistanceRegister(), DetectDnsQueryRegister(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectFastPatternRegister(), DetectFilesizeRegister(), DetectFilestoreRegister(), DetectFlowbitsAnalyze(), DetectFlowFree(), DetectFlowintFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectGeoipRegister(), DetectHostbitFree(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectIsdataatFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectModbusRegister(), DetectMpmSetupAppMpms(), DetectPcrePayloadMatch(), DetectPktDataRegister(), DetectProtoContainsProto(), DetectReferenceFree(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSetupParseRegexes(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslStateRegister(), DetectSslVersionRegister(), DetectThresholdRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3StringRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), DetectTlsSubjectRegister(), DetectTlsValidityRegister(), DetectTlsVersionRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), DetectXbitFree(), IPOnlyAddSignature(), MpmACRegister(), MpmACTileRegister(), MpmStoreReportStats(), RegisterModbusParsers(), SCACBSPrintInfo(), SCRuleVarsGetConfVar(), SCSigSignatureOrderingModuleCleanup(), SCThresholdConfParseFile(), SigAddressCleanupStage1(), 
SigAddressPrepareStage1(), SigAddressPrepareStage2(), SignatureIsIPOnly(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), TagTimeoutCheck(), UTHGenericTest(), UTHPacketMatchSig(), UTHPacketMatchSigMpm(), and UTHParseSignature().

#define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH   0x0004

Definition at line 284 of file detect.h.

Referenced by DetectFlowRegister(), and SigMatchSignaturesGetSgh().

#define DETECT_FILESTORE_MAX   15

Definition at line 939 of file detect.h.

Referenced by DetectFilestoreRegister().

#define DETECT_MAX_RULE_SIZE   8192

Definition at line 56 of file detect.h.

Referenced by DetectLoadCompleteSigPath(), and SigMatchListSMBelongsTo().

#define DETECT_TRANSFORMS_MAX   16

Definition at line 58 of file detect.h.

Referenced by DetectSignatureAddTransform(), and InspectionBufferApplyTransforms().

#define DETECT_VAR_TYPE_FLOW_POSTMATCH   1

only execute flowvar storage if rule matched

Definition at line 610 of file detect.h.

Referenced by DetectFlowvarPostMatchSetup(), and DetectPcrePayloadMatch().

#define DETECT_VAR_TYPE_PKT_POSTMATCH   2

Definition at line 611 of file detect.h.

Referenced by DetectFlowvarPostMatchSetup(), and DetectPcrePayloadMatch().

#define FILE_SIG_NEED_FILE   0x01
#define FILE_SIG_NEED_FILECONTENT   0x08

Definition at line 289 of file detect.h.

#define FILE_SIG_NEED_FILENAME   0x02

Definition at line 287 of file detect.h.

Referenced by DetectFileextRegister(), and DetectFilenameRegister().

#define FILE_SIG_NEED_MAGIC   0x04

need the start of the file

Definition at line 288 of file detect.h.

Referenced by DetectFilemagicRegister(), and SignatureIsFilemagicInspecting().

#define FILE_SIG_NEED_MD5   0x10

Definition at line 290 of file detect.h.

Referenced by SignatureIsFileMd5Inspecting().

#define FILE_SIG_NEED_SHA1   0x20

Definition at line 291 of file detect.h.

Referenced by SignatureIsFileSha1Inspecting().

#define FILE_SIG_NEED_SHA256   0x40

Definition at line 292 of file detect.h.

Referenced by SignatureIsFileSha256Inspecting().

#define FILE_SIG_NEED_SIZE   0x80

Definition at line 293 of file detect.h.

Referenced by DetectFilesizeRegister(), and SignatureIsFilesizeInspecting().

#define FLOW_STATES   2

Definition at line 671 of file detect.h.

Referenced by SigAddressCleanupStage1().

#define PORT_FLAG_ANY   0x01

'any' special port

Definition at line 191 of file detect.h.

Referenced by DetectPortCmp(), DetectPortListsAreEqual(), and DetectPortPrint().

#define PORT_FLAG_NOT   0x02

negated port

Definition at line 192 of file detect.h.

Referenced by DetectPortListsAreEqual(), and PortParse().

#define PORT_SIGGROUPHEAD_COPY   0x04

sgh is a ptr copy

Definition at line 193 of file detect.h.

Referenced by DetectPortFree(), and PacketCreateMask().

#define SIG_FLAG_BYPASS   BIT_U32(22)
#define SIG_FLAG_DEST_IS_TARGET   BIT_U32(26)

Info for Source and Target identification

Definition at line 256 of file detect.h.

Referenced by DetectTargetRegister(), and EngineAnalysisRulesFailure().

#define SIG_FLAG_DP_ANY   BIT_U32(3)
#define SIG_FLAG_FILESTORE   BIT_U32(18)

signature has filestore keyword

Definition at line 239 of file detect.h.

Referenced by DetectBypassRegister(), DetectFilestoreRegister(), EngineAnalysisRulesFailure(), SigMatchList2DataArray(), and SignatureIsFilestoring().

#define SIG_FLAG_FLUSH   BIT_U32(12)

detection logic needs stream flush notification

Definition at line 233 of file detect.h.

Referenced by DetectEngineAppInspectionEngine2Signature(), DetectEngineInspectStream(), DetectEngineInspectStreamPayload(), and EngineAnalysisRulesFailure().

#define SIG_FLAG_HAS_TARGET   (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET)

Definition at line 258 of file detect.h.

#define SIG_FLAG_INIT_BIDIREC   (1<<3)

signature has bidirectional operator

Definition at line 264 of file detect.h.

Referenced by DetectEngineAppendSig(), DetectParseDupSigHashFree(), DetectSetupParseRegexes(), EngineAnalysisRules(), SigInit(), and SigMatchListSMBelongsTo().

#define SIG_FLAG_INIT_DEONLY   (1<<0)

decode event only signature

Definition at line 261 of file detect.h.

Referenced by SigAddressPrepareStage1(), SigAddressPrepareStage2(), and SignatureSetType().

#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN   (1<<4) /** < signature has seen the first ip_proto keyword */

Definition at line 265 of file detect.h.

Referenced by DetectIPProtoRegister(), and DetectIPProtoRemoveAllSMs().

#define SIG_FLAG_INIT_FLOW   (1<<2)

signature has a flow setting

Definition at line 263 of file detect.h.

Referenced by DetectFlowSetupImplicit(), PacketCreateMask(), and SigMatchList2DataArray().

#define SIG_FLAG_INIT_HAS_TRANSFORM   (1<<5)

Definition at line 266 of file detect.h.

#define SIG_FLAG_INIT_NEED_FLUSH   (1<<7)
#define SIG_FLAG_INIT_PACKET   (1<<1)

signature has matches against a packet (as opposed to app layer)

Definition at line 262 of file detect.h.

Referenced by SigMatchList2DataArray().

#define SIG_FLAG_INIT_STATE_MATCH   (1<<6)

signature has matches that require stateful inspection

Definition at line 267 of file detect.h.

Referenced by DetectEngineAppInspectionEngine2Signature(), DetectFlowbitsAnalyze(), EngineAnalysisRulesFailure(), and SigAddressPrepareStage4().

#define SIG_FLAG_MPM_NEG   BIT_U32(11)
#define SIG_FLAG_PDONLY   BIT_U32(24)

Proto detect only signature. Inspected once per direction when protocol detection is done.

Definition at line 252 of file detect.h.

Referenced by DetectAppLayerProtocolRegister(), EngineAnalysisRules(), EngineAnalysisRulesFailure(), SigAddressPrepareStage1(), and SignatureSetType().

#define SIG_FLAG_PREFILTER   BIT_U32(23)
#define SIG_FLAG_REQUIRE_FLOWVAR   BIT_U32(17)

signature can only match if a flowbit, flowvar or flowint is available.

Definition at line 237 of file detect.h.

Referenced by EngineAnalysisRulesFailure(), PacketCreateMask(), and SigMatchSignaturesGetSgh().

#define SIG_FLAG_SRC_ANY   BIT_U32(0)
Note: additions should be added to the rule analyzer as well.

source is any

Definition at line 216 of file detect.h.

Referenced by EngineAnalysisRulesFailure(), IPOnlySigParseAddress(), PacketCreateMask(), SigMatchList2DataArray(), SigMatchListSMBelongsTo(), SigMatchSignaturesGetSgh(), and SignatureIsIPOnly().

#define SIG_FLAG_SRC_IS_TARGET   BIT_U32(25)

Info for Source and Target identification

Definition at line 254 of file detect.h.

Referenced by DetectTargetRegister(), and EngineAnalysisRulesFailure().

#define SIG_FLAG_TLSSTORE   BIT_U32(21)

Definition at line 244 of file detect.h.

Referenced by DetectTlsRegister(), and EngineAnalysisRulesFailure().

#define SIG_FLAG_TOSERVER   BIT_U32(19)

Definition at line 241 of file detect.h.

Referenced by DetectAppLayerEventRegister(), DetectAppLayerInspectEngineRegister(), DetectAppLayerInspectEngineRegister2(), DetectCipServiceRegister(), DetectDceIfaceRegister(), DetectDceStubDataRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineAppInspectionEngine2Signature(), DetectEnipCommandRegister(), DetectFiledataRegister(), DetectFilenameRegister(), DetectFlowSetupImplicit(), DetectFtpbounceRegister(), DetectFtpdataRegister(), DetectHttpClientBodyRegister(), DetectHttpCookieRegister(), DetectHttpHeaderNamesRegister(), DetectHttpHeaderRegister(), DetectHttpHHRegister(), DetectHttpMethodRegister(), DetectHttpProtocolRegister(), DetectHttpRawHeaderRegister(), DetectHttpRequestLineRegister(), DetectHttpStartRegister(), DetectHttpUARegister(), DetectHttpUriRegister(), DetectLuaRegister(), DetectModbusRegister(), DetectMpmPrepareAppMpms(), DetectNfsProcedureRegister(), DetectNfsVersionRegister(), DetectSmbNamedPipeRegister(), DetectSshProtocolRegister(), DetectSshSoftwareRegister(), DetectSshSoftwareVersionRegister(), DetectSslStateRegister(), DetectTemplateBufferRegister(), DetectTemplateRustBufferRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3StringRegister(), DetectTlsSniRegister(), EngineAnalysisRules(), EngineAnalysisRulesFailure(), MpmStoreFree(), MpmStorePrepareBuffer(), MpmStoreReportStats(), PacketCreateMask(), PatternMatchPrepareGroup(), SigAddressPrepareStage2(), SigMatchList2DataArray(), and SignatureIsIPOnly().

#define SIG_GROUP_HEAD_HAVEFILEMD5   BIT_U32(21)

Definition at line 1195 of file detect.h.

Referenced by SigGroupHeadSetFileHashFlag(), and SigMatchSignaturesGetSgh().

#define SIG_GROUP_HEAD_HAVEFILESHA1   BIT_U32(23)

Definition at line 1197 of file detect.h.

Referenced by SigGroupHeadSetFileHashFlag(), and SigMatchSignaturesGetSgh().

#define SIG_GROUP_HEAD_HAVEFILESHA256   BIT_U32(24)

Definition at line 1198 of file detect.h.

Referenced by SigGroupHeadSetFileHashFlag(), and SigMatchSignaturesGetSgh().

#define SIG_GROUP_HEAD_HAVEFILESIZE   BIT_U32(22)

Definition at line 1196 of file detect.h.

Referenced by SigGroupHeadSetFilesizeFlag(), and SigMatchSignaturesGetSgh().

#define SIG_GROUP_HEAD_HAVERAWSTREAM   BIT_U32(0)

Definition at line 1191 of file detect.h.

Referenced by MpmStorePrepareBuffer(), and SigMatchSignaturesGetSgh().

#define SIG_MASK_REQUIRE_DCERPC   BIT_U8(5) /* require either SMB+DCE or raw DCE */

Definition at line 277 of file detect.h.

Referenced by EngineAnalysisRulesFailure(), and PacketCreateMask().

#define SIG_MASK_REQUIRE_ENGINE_EVENT   BIT_U8(7)

Definition at line 279 of file detect.h.

Referenced by EngineAnalysisRulesFailure(), and PacketCreateMask().

#define SIG_MASK_REQUIRE_FLAGS_INITDEINIT   BIT_U8(2) /* SYN, FIN, RST */

Definition at line 274 of file detect.h.

Referenced by EngineAnalysisRulesFailure(), and PacketCreateMask().

#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL   BIT_U8(3) /* URG, ECN, CWR */

Definition at line 275 of file detect.h.

Referenced by EngineAnalysisRulesFailure(), and PacketCreateMask().

#define SIG_MASK_REQUIRE_FLOW   BIT_U8(1)

Definition at line 273 of file detect.h.

Referenced by EngineAnalysisRulesFailure(), and PacketCreateMask().

#define SIG_MASK_REQUIRE_NO_PAYLOAD   BIT_U8(4)

Definition at line 276 of file detect.h.

Referenced by EngineAnalysisRulesFailure(), and PacketCreateMask().

#define SIG_MASK_REQUIRE_PAYLOAD   BIT_U8(0)
Note: additions should be added to the rule analyzer as well.

Definition at line 272 of file detect.h.

Referenced by EngineAnalysisRulesFailure(), and PacketCreateMask().

#define SIGMATCH_DEONLY_COMPAT   BIT_U16(2)

sigmatch is compatible with a decode event only rule. Flag to indicate that the signature is not built-in.

Definition at line 1335 of file detect.h.

Referenced by DetectEngineEventRegister(), and SignatureIsIPOnly().

#define SIGMATCH_HANDLE_NEGATION   BIT_U16(7)

negation parsing is handled by the rule parser. Signature::init_data::negated will be set to true or false prior to calling the keyword parser. Exclamation mark is stripped from the input to the keyword parser.

Definition at line 1351 of file detect.h.

Referenced by DetectAppLayerProtocolRegister(), DetectContentRegister(), DetectFileextRegister(), DetectFilemagicRegister(), DetectFilenameRegister(), DetectPcreRegister(), DetectReplaceRegister(), DetectTlsRegister(), DetectTosRegister(), DetectUricontentRegister(), and SigMatchListSMBelongsTo().

#define SIGMATCH_INFO_CONTENT_MODIFIER   BIT_U16(8)
#define SIGMATCH_NOOPT   BIT_U16(0)

sigmatch has no options, so the parser shouldn't expect any

Definition at line 1331 of file detect.h.

Referenced by DetectBase64DataRegister(), DetectBypassRegister(), DetectDceStubDataRegister(), DetectDepthRegister(), DetectDnsQueryRegister(), DetectFastPatternRegister(), DetectFiledataRegister(), DetectFilenameRegister(), DetectFtpbounceRegister(), DetectHttpClientBodyRegister(), DetectHttpCookieRegister(), DetectHttpHeaderNamesRegister(), DetectHttpHeaderRegister(), DetectHttpHHRegister(), DetectHttpMethodRegister(), DetectHttpProtocolRegister(), DetectHttpRawHeaderRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectHttpServerBodyRegister(), DetectHttpStartRegister(), DetectHttpStatCodeRegister(), DetectHttpStatMsgRegister(), DetectHttpUARegister(), DetectHttpUriRegister(), DetectIsdataatRegister(), DetectNoalertRegister(), DetectNocaseRegister(), DetectPktDataRegister(), DetectPrefilterRegister(), DetectRawbytesRegister(), DetectSameipRegister(), DetectSmbNamedPipeRegister(), DetectSshProtocolRegister(), DetectSshSoftwareRegister(), DetectTemplateBufferRegister(), DetectTemplateRustBufferRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3StringRegister(), DetectTlsRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), DetectTlsSubjectRegister(), DetectTlsValidityRegister(), DetectTransformCompressWhitespaceRegister(), DetectTransformMd5Register(), DetectTransformSha1Register(), DetectTransformSha256Register(), DetectTransformStripWhitespaceRegister(), and SigMatchListSMBelongsTo().

#define SIGMATCH_NOT_BUILT   BIT_U16(3)
#define SIGMATCH_OPTIONAL_OPT   BIT_U16(4)

sigmatch may have options, so the parser should be ready to deal with both cases

Definition at line 1340 of file detect.h.

Referenced by DetectBase64DecodeRegister(), DetectFilestoreRegister(), and SigMatchListSMBelongsTo().

#define SIGMATCH_QUOTES_MANDATORY   BIT_U16(6)

input MUST be wrapped in double quotes. They will be stripped before input data is passed to keyword parser. Missing double quotes lead to error and signature invalidation.

Definition at line 1347 of file detect.h.

Referenced by DetectContentRegister(), DetectFilemagicRegister(), DetectMsgRegister(), DetectReplaceRegister(), DetectTlsRegister(), DetectUricontentRegister(), and SigMatchListSMBelongsTo().

#define SIGMATCH_QUOTES_OPTIONAL   BIT_U16(5)

input may be wrapped in double quotes. They will be stripped before input data is passed to keyword parser

Definition at line 1343 of file detect.h.

Referenced by DetectAppLayerProtocolRegister(), DetectFileextRegister(), DetectFilenameRegister(), DetectIPProtoRegister(), DetectPcreRegister(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectTosRegister(), and SigMatchListSMBelongsTo().

#define SignatureMask   uint8_t

Definition at line 282 of file detect.h.

Referenced by SigMatchSignaturesGetSgh().

#define sm_lists   init_data->smlists

Definition at line 441 of file detect.h.

#define sm_lists_tail   init_data->smlists_tail

Definition at line 442 of file detect.h.

Typedef Documentation

typedef struct DetectAddress_ DetectAddress

address structure for use in the detection engine.

Contains the address information and matching information.

Signature grouping head. Here 'any', ipv4 and ipv6 are split out

main detection engine ctx

IP only rules matching ctx.

Detection engine thread data.

structure for storing per detect engine mpm keyword settings

one time registration of keywords at start up

typedef struct DetectPort_ DetectPort

Port structure for detection engine.

typedef struct DetectVarList_ DetectVarList

list for flowvar store candidates, to be stored from post-match function

typedef int(* InspectEngineFuncPtr) (ThreadVars *tv, struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct Signature_ *sig, const SigMatchData *smd, Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)

Definition at line 384 of file detect.h.

typedef int(* InspectEngineFuncPtr2) (struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)

Definition at line 392 of file detect.h.

typedef InspectionBuffer*(* InspectionBufferGetDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)

callback for getting the buffer we need to prefilter/inspect

Definition at line 378 of file detect.h.

typedef struct MpmStore_ MpmStore

array of TX inspect rule candidates

Signature loader statistics.

typedef struct SigGroupHead_ SigGroupHead

Container for matching data for a signature group.

typedef struct SigMatch_ SigMatch

a single match condition for a signature

typedef struct SigMatchCtx_ SigMatchCtx

Used to start a pointer to a SigMatch context. Should never be dereferenced without first casting it to the concrete context type.

typedef struct SigMatchData_ SigMatchData

Data needed for Match()

typedef struct Signature_ Signature

Signature container.

typedef struct SigString_ SigString
typedef struct SigTableElmt_ SigTableElmt

element in sigmatch type table.

typedef struct ThresholdCtx_ ThresholdCtx

threshold ctx

Enumeration Type Documentation

anonymous enum
Enumerator
ADDRESS_ER 

error, e.g. when comparing an ipv4 address with an ipv6 one

ADDRESS_LT 

smaller [aaa] [bbb]

ADDRESS_LE 

smaller with overlap [aa[bab]bb]

ADDRESS_EQ 

exactly equal [abababab]

ADDRESS_ES 

within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]]

ADDRESS_EB 

completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]]

ADDRESS_GE 

bigger with overlap [bb[aba]aa]

ADDRESS_GT 

bigger [bbb] [aaa]

Definition at line 125 of file detect.h.

anonymous enum
Enumerator
PORT_ER 
PORT_LT 
PORT_LE 
PORT_EQ 
PORT_ES 
PORT_EB 
PORT_GE 
PORT_GT 

Definition at line 180 of file detect.h.

anonymous enum
Enumerator
ENGINE_PROFILE_UNKNOWN 
ENGINE_PROFILE_LOW 
ENGINE_PROFILE_MEDIUM 
ENGINE_PROFILE_HIGH 
ENGINE_PROFILE_CUSTOM 
ENGINE_PROFILE_MAX 

Definition at line 914 of file detect.h.

anonymous enum
Enumerator
ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL 
ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE 
ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO 

Definition at line 924 of file detect.h.

anonymous enum
Enumerator
DET_CTX_EVENT_TEST 
FILE_DECODER_EVENT_NO_MEM 
FILE_DECODER_EVENT_INVALID_SWF_LENGTH 
FILE_DECODER_EVENT_INVALID_SWF_VERSION 
FILE_DECODER_EVENT_Z_DATA_ERROR 
FILE_DECODER_EVENT_Z_STREAM_ERROR 
FILE_DECODER_EVENT_Z_BUF_ERROR 
FILE_DECODER_EVENT_Z_UNKNOWN_ERROR 
FILE_DECODER_EVENT_LZMA_DECODER_ERROR 
FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR 
FILE_DECODER_EVENT_LZMA_OPTIONS_ERROR 
FILE_DECODER_EVENT_LZMA_FORMAT_ERROR 
FILE_DECODER_EVENT_LZMA_DATA_ERROR 
FILE_DECODER_EVENT_LZMA_BUF_ERROR 
FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR 

Definition at line 1171 of file detect.h.

Enumerator
DETECT_PREFILTER_MPM 

use only mpm / fast_pattern

DETECT_PREFILTER_AUTO 

use mpm + keyword prefilters

Definition at line 708 of file detect.h.

Enumerator
TENANT_SELECTOR_UNKNOWN 

not set

TENANT_SELECTOR_DIRECT 

method provides direct tenant id

TENANT_SELECTOR_VLAN 

map vlan to tenant id

TENANT_SELECTOR_LIVEDEV 

map livedev to tenant id

Definition at line 1357 of file detect.h.

Enumerator
DETECT_ENGINE_TYPE_NORMAL 
DETECT_ENGINE_TYPE_DD_STUB 
DETECT_ENGINE_TYPE_MT_STUB 
DETECT_ENGINE_TYPE_TENANT 

Definition at line 714 of file detect.h.

Enumerator
DETECT_SM_LIST_MATCH 
DETECT_SM_LIST_PMATCH 
DETECT_SM_LIST_BASE64_DATA 
DETECT_SM_LIST_POSTMATCH 
DETECT_SM_LIST_TMATCH 

post-detection tagging

DETECT_SM_LIST_SUPPRESS 
DETECT_SM_LIST_THRESHOLD 
DETECT_SM_LIST_MAX 
DETECT_SM_LIST_DYNAMIC_START 

Definition at line 91 of file detect.h.

Enumerator
MPMB_TCP_PKT_TS 
MPMB_TCP_PKT_TC 
MPMB_TCP_STREAM_TS 
MPMB_TCP_STREAM_TC 
MPMB_UDP_TS 
MPMB_UDP_TC 
MPMB_OTHERIP 
MPMB_MAX 

Definition at line 1200 of file detect.h.

Function Documentation

TmEcode Detect ( ThreadVars tv,
Packet p,
void *  data,
PacketQueue pq,
PacketQueue postpq 
)

Detection engine thread wrapper.

Remember to add the options in SignatureIsIPOnly() in detect.c, otherwise it won't be part of a signature group.

Parameters
tv: thread vars
p: packet to inspect
data: thread specific data
pq: packet queue
Return values
TM_ECODE_FAILED: error
TM_ECODE_OK: ok

Definition at line 1675 of file detect.c.

AppLayerDecoderEvents* DetectEngineGetEvents ( DetectEngineThreadCtx det_ctx)

Definition at line 3818 of file detect-engine.c.

References DetectEngineThreadCtx_::decoder_events.

void DetectEngineSetEvent ( DetectEngineThreadCtx det_ctx,
uint8_t  e 
)

Definition at line 3812 of file detect-engine.c.

References AppLayerDecoderEventsSetEventRaw(), DetectEngineThreadCtx_::decoder_events, and DetectEngineThreadCtx_::events.

Referenced by FileSwfDecompression(), and FileSwfZlibDecompression().


void DetectFlowbitsAnalyze ( DetectEngineCtx de_ctx)

Definition at line 338 of file detect-flowbits.c.

References BUG_ON, DetectFlowbitsData_::cmd, FBAnalyze::cnts, ConfigGetLogDirectory(), DE_QUIET, DETECT_FLOWBITS, DETECT_FLOWBITS_CMD_ISNOTSET, DETECT_FLOWBITS_CMD_ISSET, DETECT_FLOWBITS_CMD_SET, DETECT_FLOWBITS_CMD_TOGGLE, DETECT_FLOWBITS_CMD_UNSET, DETECT_SM_LIST_DYNAMIC_START, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_POSTMATCH, DetectEngineCtxFree(), DetectEngineCtxInit(), DetectEngineThreadCtxDeinit(), DetectEngineThreadCtxInit(), Packet_::dst, FAIL_IF, FAIL_IF_NOT, FAIL_IF_NOT_NULL, FAIL_IF_NULL, Address_::family, Packet_::flags, Signature_::flags, DetectEngineCtx_::flags, Packet_::flow, FLOW_DESTROY, FLOW_INITIALIZE, FLOW_PKT_TOSERVER, Packet_::flowflags, Flow_::flowvar, Signature_::id, DetectFlowbitsData_::idx, GenericVar_::idx, Signature_::init_data, SignatureInitData_::init_flags, FBAnalyze::isnotset_sids, FBAnalyze::isnotset_sids_idx, FBAnalyze::isnotset_sids_size, FBAnalyze::isset_sids, FBAnalyze::isset_sids_idx, FBAnalyze::isset_sids_size, MAX, DetectEngineCtx_::max_fb_id, MAX_SIDS, MemBufferCreateNew(), MemBufferFree(), MemBufferPrintToFPAsString, MemBufferWriteString, GenericVar_::next, SigMatch_::next, Signature_::next, Signature_::num, PASS, Packet_::payload, Packet_::payload_len, PKT_HAS_FLOW, Packet_::proto, SC_ERR_SOCKET, SC_WARN_FLOWBIT, SCFree, SCLogDebug, SCLogWarning, SCMalloc, SCMutex, SCMUTEX_INITIALIZER, SCMutexLock, SCMutexUnlock, SCRealloc, FBAnalyze::set_sids, FBAnalyze::set_sids_idx, FBAnalyze::set_sids_size, DetectEngineCtx_::sig_array, DetectEngineCtx_::sig_array_len, SIG_FLAG_INIT_STATE_MATCH, SIG_FLAG_NOALERT, DetectEngineCtx_::sig_list, SigGroupBuild(), SigInit(), SigMatchSignatures(), SIZE_OF_PACKET, SignatureInitData_::smlists, SignatureInitData_::smlists_array_size, Packet_::src, FBAnalyze::state_cnts, FBAnalyze::toggle_sids, FBAnalyze::toggle_sids_idx, FBAnalyze::toggle_sids_size, GenericVar_::type, unlikely, FBAnalyze::unset_sids, FBAnalyze::unset_sids_idx, FBAnalyze::unset_sids_size, VAR_TYPE_FLOW_BIT, VarNameStoreSetupAdd(), 
and VarNameStoreSetupLookup().

Referenced by SigAddressPrepareStage1().


Signature* DetectGetTagSignature ( void  )
int DetectMetadataHashInit ( DetectEngineCtx de_ctx)

Definition at line 63 of file detect-metadata.c.

References DetectEngineMustParseMetadata(), HashTableInit(), DetectEngineCtx_::metadata_table, StringHashCompareFunc(), StringHashFreeFunc(), and StringHashFunc().

Referenced by DetectEngineInspectBufferGeneric().


int DetectRegisterThreadCtxFuncs ( DetectEngineCtx de_ctx,
const char *  name,
void *(*)(void *)  InitFunc,
void *  data,
void(*)(void *)  FreeFunc,
int  mode 
)

Register Thread keyword context Funcs.

Parameters
de_ctx: detection engine to register in
name: keyword name for error printing
InitFunc: function ptr
data: keyword init data to pass to Func
FreeFunc: function ptr
mode: 0 normal (ctx per keyword instance), 1 shared (one ctx per det_ctx)
Return values
id: for retrieval of the ctx at runtime
-1: on error
Note
Make sure "data" remains valid for the lifetime of the registration and is freed elsewhere. It is recommended to store it in the keyword's global ctx so that it is freed when the de_ctx is freed.

Definition at line 2632 of file detect-engine.c.

References BUG_ON, DetectEngineThreadKeywordCtxItem_::data, DetectEngineThreadKeywordCtxItem_::FreeFunc, DetectEngineThreadKeywordCtxItem_::id, DetectEngineThreadKeywordCtxItem_::InitFunc, DetectEngineCtx_::keyword_id, DetectEngineCtx_::keyword_list, DetectEngineThreadKeywordCtxItem_::name, DetectEngineThreadKeywordCtxItem_::next, SCMalloc, and unlikely.

Referenced by DetectFilemagicRegister(), and DetectLuaRegister().


void* DetectThreadCtxGetKeywordThreadCtx ( DetectEngineThreadCtx det_ctx,
int  id 
)

Retrieve thread local keyword ctx by id.

Parameters
det_ctx: detection engine thread ctx to retrieve the ctx from
id: id of the ctx, as returned by DetectRegisterThreadCtxFuncs() at keyword init.
Return values
ctx: the keyword thread ctx, or NULL on error

Definition at line 2672 of file detect-engine.c.

References DetectEngineThreadCtx_::keyword_ctxs_array, and DetectEngineThreadCtx_::keyword_ctxs_size.

Referenced by DetectFilemagicRegister(), and DetectLuaRegister().


void DisableDetectFlowFileFlags ( Flow f)

Disable file features we don't need. Called when there is no detection engine.

Definition at line 1733 of file detect.c.

References STREAM_TOCLIENT, and STREAM_TOSERVER.

void RuleMatchCandidateTxArrayFree ( DetectEngineThreadCtx det_ctx)
void RuleMatchCandidateTxArrayInit ( DetectEngineThreadCtx det_ctx,
uint32_t  size 
)
void SigAddressPrepareBidirectionals ( DetectEngineCtx )
Signature* SigFindSignatureBySidGid ( DetectEngineCtx de_ctx,
uint32_t  sid,
uint32_t  gid 
)

Find a specific signature by sid and gid.

Parameters
de_ctx: detection engine ctx
sid: the signature id
gid: the signature group id
Return values
s: the signature found
NULL: signature not found

Definition at line 63 of file detect-engine-build.c.

References Signature_::next, and DetectEngineCtx_::sig_list.

Referenced by SCThresholdConfInitContext().


SigMatch* SigMatchAlloc ( void  )

Definition at line 232 of file detect-parse.c.

References SigMatch_::next, SigMatch_::prev, SCMalloc, and unlikely.

Referenced by DetectAckRegister(), DetectAppLayerEventRegister(), DetectAsn1Register(), DetectBase64DecodeDoMatch(), DetectBypassRegister(), DetectByteExtractDoMatch(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectCipServiceRegister(), DetectContentSetup(), DetectCsumRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDetectionFilterRegister(), DetectDsizeRegister(), DetectEngineEventRegister(), DetectEnipCommandRegister(), DetectFileextRegister(), DetectFilemagicRegister(), DetectFilenameRegister(), DetectFilesizeRegister(), DetectFilestoreRegister(), DetectFlagsRegister(), DetectFlagsSignatureNeedsSynOnlyPackets(), DetectFlowbitMatch(), DetectFlowintMatch(), DetectFlowSetupImplicit(), DetectFlowvarMatch(), DetectFlowvarPostMatchSetup(), DetectFragBitsRegister(), DetectFragOffsetRegister(), DetectFtpbounceRegister(), DetectFtpdataRegister(), DetectGeoipRegister(), DetectIcmpIdRegister(), DetectIcmpSeqRegister(), DetectIdRegister(), DetectIpOptsFree(), DetectIPProtoRegister(), DetectIPRepRegister(), DetectIsdataatSetup(), DetectLuaRegister(), DetectMarkRegister(), DetectNfsProcedureRegister(), DetectNfsVersionRegister(), DetectPcrePayloadMatch(), DetectPktvarRegister(), DetectReplaceRegister(), DetectRpcRegister(), DetectSameipRegister(), DetectSeqRegister(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslStateRegister(), DetectSslVersionRegister(), DetectStreamSizeRegister(), DetectTagRegister(), DetectTemplate2Register(), DetectTemplateRegister(), DetectThresholdRegister(), DetectTlsRegister(), DetectTlsValidityRegister(), DetectTlsVersionRegister(), DetectTosRegister(), DetectTtlRegister(), DetectUrilenRegister(), DetectWindowRegister(), DetectXbitMatchHost(), DetectXbitsRegister(), and SCThresholdConfInitContext().

void SigMatchFree ( SigMatch sm)

Free a SigMatch.

Parameters
sm: the SigMatch to free.

The ctx is freed by calling the keyword's Free func.

Definition at line 247 of file detect-parse.c.

References SigTableElmt_::alias, SigMatch_::ctx, DETECT_TBLSIZE, SigTableElmt_::Free, SigTableElmt_::name, SCFree, sigmatch_table, and SigMatch_::type.

Referenced by DetectAckRegister(), DetectAppLayerEventRegister(), DetectFlowSetupImplicit(), DetectIPProtoRemoveAllSMs(), DetectSeqRegister(), SCThresholdConfInitContext(), SigAddressPrepareStage4(), and SigFree().


void SigMatchSignatures ( ThreadVars th_v,
DetectEngineCtx de_ctx,
DetectEngineThreadCtx det_ctx,
Packet p 
)

wrapper for old tests

Definition at line 1743 of file detect.c.

Referenced by AlertFastLogInitCtx(), DetectAckRegister(), DetectBase64DecodeDoMatch(), DetectBypassRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectFastPatternRegister(), DetectFlowbitsAnalyze(), DetectFlowFree(), DetectFlowintFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectGeoipRegister(), DetectHostbitFree(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectPcrePayloadMatch(), DetectProtoContainsProto(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSetupParseRegexes(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslStateRegister(), DetectSslVersionRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3StringRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), DetectTlsSubjectRegister(), DetectTlsValidityRegister(), DetectTlsVersionRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), DetectXbitFree(), MpmACRegister(), MpmACTileRegister(), RegisterModbusParsers(), SCACBSPrintInfo(), SCThresholdConfParseFile(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), TagTimeoutCheck(), UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().

void SigMatchSignaturesBuildMatchArray ( DetectEngineThreadCtx ,
Packet ,
SignatureMask  ,
uint16_t   
)
const SigGroupHead* SigMatchSignaturesGetSgh ( const DetectEngineCtx de_ctx,
const Packet p 
)

Get the SigGroupHead for a packet.

Parameters
de_ctx: detection engine context
p: packet
Return values
sgh: the SigGroupHead, or NULL if none applies to the packet

Definition at line 177 of file detect.c.

References Signature_::action, ACTION_DROP, Signature_::addr_dst_match4, Signature_::addr_dst_match4_cnt, Signature_::addr_dst_match6, Signature_::addr_dst_match6_cnt, Signature_::addr_src_match4, Signature_::addr_src_match4_cnt, Signature_::addr_src_match6, Signature_::addr_src_match6_cnt, Packet_::alerts, Flow_::alparser, DetectRunScratchpad::alproto, Signature_::alproto, SignatureNonPrefilterStore_::alproto, ALPROTO_DCERPC, ALPROTO_SMB, ALPROTO_UNKNOWN, Flow_::alstate, DetectRunScratchpad::app_decoder_events, Signature_::app_inspect, AppLayerParserHasDecoderEvents(), AppLayerParserProtocolSupportsTxs(), DetectEngineThreadCtx_::base64_decoded_len, TcpSession_::client, PacketAlerts_::cnt, PacketEngineEvents_::cnt, DetectEngineThreadCtx_::counter_alerts, DetectEngineThreadCtx_::counter_fnonmpm_list, DetectEngineThreadCtx_::counter_match_list, DetectEngineThreadCtx_::counter_mpm_list, DetectEngineThreadCtx_::counter_nonmpm_list, SigMatchData_::ctx, Flow_::de_ctx_version, DEBUG_VALIDATE_BUG_ON, DetectEngineCtx_::decoder_event_sgh, DeStateUpdateInspectTransactionId(), DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH, DETECT_PROTO_IPV4, DETECT_PROTO_IPV6, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_PMATCH, DetectAddressMatchIPv4(), DetectAddressMatchIPv6(), DetectEngineInspectPacketPayload(), DetectEngineInspectStreamPayload(), DetectEngineStateResetTxs(), DetectPortLookupGroup(), DetectProtoContainsProto(), DetectSignatureApplyActions(), Packet_::dp, Signature_::dp, Signature_::dsize_high, Signature_::dsize_low, Packet_::dst, Packet_::events, FileDisableFilesize(), FileDisableMagic(), FileDisableMd5(), FileDisableSha1(), FileDisableSha256(), FileDisableStoring(), FileForceFilestore(), FileForceMagic(), FileForceMd5(), FileForceSha1(), FileForceSha256(), DetectEngineThreadCtx_::filestore_cnt, SigGroupHead_::filestore_cnt, DetectProto_::flags, TcpStream_::flags, Flow_::flags, Packet_::flags, Signature_::flags, DetectEngineThreadCtx_::flags, SigGroupHead_::flags, FLOW_ACTION_DROP, 
DetectRunScratchpad::flow_flags, DetectEngineCtx_::flow_gh, FLOW_PKT_ESTABLISHED, FLOW_PKT_TOCLIENT, FLOW_PKT_TOCLIENT_IPONLY_SET, FLOW_PKT_TOSERVER, FLOW_PKT_TOSERVER_IPONLY_SET, FLOW_SGH_TOCLIENT, FLOW_SGH_TOSERVER, FLOW_TOCLIENT_IPONLY_SET, FLOW_TOSERVER_IPONLY_SET, Packet_::flowflags, FlowGetAppProtocol(), FlowGetDisruptionFlags(), FlowSetIPOnlyFlag(), Flow_::flowvar, GenericVarFree(), ICMPV4_DEST_UNREACH_IS_VALID, Signature_::id, SignatureNonPrefilterStore_::id, DetectEngineCtx_::io_ctx, DetectEngineThreadCtx_::io_ctx, IP_GET_IPPROTO, IPOnlyMatchPacket(), SigMatchData_::is_last, KEYWORD_PROFILING_END, KEYWORD_PROFILING_SET_LIST, KEYWORD_PROFILING_START, likely, m, Signature_::mask, SignatureNonPrefilterStore_::mask, SigTableElmt_::Match, DetectEngineThreadCtx_::match_array, DetectEngineThreadCtx_::match_array_cnt, next, DetectEngineThreadCtx_::non_pf_id_array, DetectEngineThreadCtx_::non_pf_id_cnt, SigGroupHead_::non_pf_other_store_array, SigGroupHead_::non_pf_other_store_cnt, DetectEngineThreadCtx_::non_pf_store_cnt, DetectEngineThreadCtx_::non_pf_store_ptr, SigGroupHead_::non_pf_syn_store_array, SigGroupHead_::non_pf_syn_store_cnt, PACKET_ALERT_FLAG_DROP_FLOW, PACKET_ALERT_FLAG_STREAM_MATCH, PACKET_DROP, PACKET_PROFILING_DETECT_END, PACKET_PROFILING_DETECT_START, PacketAlertAppend(), PacketAlertFinalize(), PacketCreateMask(), PacketPatternCleanup(), pad, Packet_::payload_len, PKT_DETECT_HAS_STREAMDATA, PKT_HAS_FLOW, PKT_IS_FRAGMENT, PKT_IS_ICMPV4, PKT_IS_IPV4, PKT_IS_IPV6, DetectRunScratchpad::pkt_mask, PKT_STREAM_ADD, PKT_STREAM_EOF, PKT_STREAM_EST, DetectEngineThreadCtx_::pmq, Prefilter(), PROF_DETECT_ALERT, PROF_DETECT_CLEANUP, PROF_DETECT_GETSGH, PROF_DETECT_IPONLY, PROF_DETECT_NONMPMLIST, PROF_DETECT_PF_SORT2, PROF_DETECT_SETUP, PROF_DETECT_TX_UPDATE, DetectEngineCtx_::profile_match_logging_threshold, proto, Flow_::proto, Packet_::proto, Signature_::proto, Flow_::protoctx, DetectEngineThreadCtx_::raw_stream_progress, PrefilterRuleStore_::rule_id_array, 
PrefilterRuleStore_::rule_id_array_cnt, RULE_PROFILING_END, RULE_PROFILING_START, RulesDumpMatchArray(), SCEnter, SCLogDebug, SCReturn, SCReturnPtr, TcpSession_::server, DetectRunScratchpad::sgh, DetectEngineLookupFlow_::sgh, SGH_PROFILING_RECORD, Flow_::sgh_toclient, Flow_::sgh_toserver, DetectPort_::sh, DetectEngineCtx_::sig_array, SIG_FLAG_APPLAYER, SIG_FLAG_DP_ANY, SIG_FLAG_DSIZE, SIG_FLAG_DST_ANY, SIG_FLAG_NOALERT, SIG_FLAG_REQUIRE_FLOWVAR, SIG_FLAG_REQUIRE_PACKET, SIG_FLAG_REQUIRE_STREAM, SIG_FLAG_SP_ANY, SIG_FLAG_SRC_ANY, SIG_GROUP_HEAD_HAVEFILEMD5, SIG_GROUP_HEAD_HAVEFILESHA1, SIG_GROUP_HEAD_HAVEFILESHA256, SIG_GROUP_HEAD_HAVEFILESIZE, SIG_GROUP_HEAD_HAVERAWSTREAM, SigIntId, sigmatch_table, SigMatchSignaturesGetSgh(), SignatureMask, Signature_::sm_arrays, Packet_::sp, Signature_::sp, Packet_::src, StatsAddUI64(), STREAM_EOF, STREAM_FLUSH, STREAM_TOCLIENT, STREAM_TOSERVER, StreamReassembleRawHasDataReady(), StreamReassembleRawUpdateProgress(), STREAMTCP_STREAM_FLAG_DISABLE_RAW, DetectEngineLookupFlow_::tcp, Packet_::tcph, Flow_::tenant_id, Packet_::tenant_id, TH_SYN, DetectEngineThreadCtx_::ticker, SigMatchData_::type, DetectEngineLookupFlow_::udp, unlikely, and DetectEngineCtx_::version.

Referenced by SigGroupHeadContainsSigId(), and SigMatchSignaturesGetSgh().


void SigRegisterTests ( void  )

Definition at line 5323 of file detect.c.

References DetectEngineContentInspectionRegisterTests(), IPOnlyRegisterTests(), SigParseRegisterTests(), and UtRegisterTest().


void TmModuleDetectRegister ( void  )

Variable Documentation

SigTableElmt sigmatch_table[DETECT_TBLSIZE]

Definition at line 1406 of file detect.h.

Referenced by DetectAckRegister(), DetectAppLayerEventRegister(), DetectAppLayerProtocolRegister(), DetectAsn1Register(), DetectBase64DataRegister(), DetectBase64DecodeRegister(), DetectBsizeRegister(), DetectBypassRegister(), DetectByteExtractRegister(), DetectBytejumpRegister(), DetectBytetestRegister(), DetectCipServiceRegister(), DetectClasstypeRegister(), DetectContentRegister(), DetectCsumRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDepthRegister(), DetectDetectionFilterRegister(), DetectDistanceRegister(), DetectDnsQueryRegister(), DetectDsizeRegister(), DetectEngineAppInspectionEngineSignatureFree(), DetectEngineContentModifierBufferSetup(), DetectEngineEventRegister(), DetectEngineInspectGenericList(), DetectEngineIPOnlyThreadDeinit(), DetectEnipCommandRegister(), DetectFastPatternRegister(), DetectFiledataRegister(), DetectFileextRegister(), DetectFilemagicRegister(), DetectFileMd5Register(), DetectFilenameRegister(), DetectFileSha1Register(), DetectFileSha256Register(), DetectFilesizeRegister(), DetectFilestoreRegister(), DetectFlagsRegister(), DetectFlowbitsRegister(), DetectFlowintRegister(), DetectFlowRegister(), DetectFlowvarRegister(), DetectFragBitsRegister(), DetectFragOffsetRegister(), DetectFtpbounceRegister(), DetectFtpdataRegister(), DetectGeoipRegister(), DetectGidRegister(), DetectHostbitsRegister(), DetectHttpClientBodyRegister(), DetectHttpCookieRegister(), DetectHttpHeaderNamesRegister(), DetectHttpHeaderRegister(), DetectHttpHHRegister(), DetectHttpMethodRegister(), DetectHttpProtocolRegister(), DetectHttpRawHeaderRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectHttpServerBodyRegister(), DetectHttpStartRegister(), DetectHttpStatCodeRegister(), DetectHttpStatMsgRegister(), DetectHttpUARegister(), DetectHttpUriRegister(), DetectIcmpIdRegister(), DetectIcmpSeqRegister(), DetectICodeRegister(), DetectIdRegister(), DetectIpOptsRegister(), 
DetectIPProtoRegister(), DetectIPRepRegister(), DetectIsdataatRegister(), DetectITypeRegister(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectMarkRegister(), DetectMetadataRegister(), DetectModbusRegister(), DetectMsgRegister(), DetectNfsProcedureRegister(), DetectNfsVersionRegister(), DetectNoalertRegister(), DetectNocaseRegister(), DetectOffsetRegister(), DetectPcreRegister(), DetectPktDataRegister(), DetectPktvarRegister(), DetectPrefilterRegister(), DetectPriorityRegister(), DetectRawbytesRegister(), DetectReferenceRegister(), DetectReplaceRegister(), DetectRevRegister(), DetectRpcRegister(), DetectSameipRegister(), DetectSeqRegister(), DetectSidRegister(), DetectSmbNamedPipeRegister(), DetectSshProtocolRegister(), DetectSshSoftwareRegister(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslStateRegister(), DetectSslVersionRegister(), DetectStreamSizeRegister(), DetectTagRegister(), DetectTargetRegister(), DetectTemplate2Register(), DetectTemplateBufferRegister(), DetectTemplateRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3StringRegister(), DetectTlsRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), DetectTlsSubjectRegister(), DetectTlsValidityRegister(), DetectTlsVersionRegister(), DetectTosRegister(), DetectTransformCompressWhitespaceRegister(), DetectTransformMd5Register(), DetectTransformSha1Register(), DetectTransformSha256Register(), DetectTransformStripWhitespaceRegister(), DetectTtlRegister(), DetectUricontentRegister(), DetectUrilenRegister(), DetectWindowRegister(), DetectWithinRegister(), DetectXbitsRegister(), EngineAnalysisFP(), EngineAnalysisRules(), EngineAnalysisRulesFailure(), InspectionBufferApplyTransforms(), IPOnlyMatchPacket(), PacketAlertFinalize(), PrefilterSetupRuleGroup(), SCProfilingKeywordsGlobalInit(), SigAddressPrepareStage1(), SigAlloc(), SigMatchFree(), 
SigMatchList2DataArray(), SigMatchSignaturesGetSgh(), SignatureIsIPOnly(), SigTableList(), SigTableRegisterTests(), and SigTableSetup().