suricata
detect.h File Reference
#include "suricata-common.h"
#include "flow.h"
#include "detect-engine-proto.h"
#include "detect-reference.h"
#include "detect-metadata.h"
#include "detect-engine-register.h"
#include "util-prefilter.h"
#include "util-mpm.h"
#include "util-spm.h"
#include "util-hash.h"
#include "util-hashlist.h"
#include "util-radix-tree.h"
#include "util-file.h"
#include "reputation.h"
#include "detect-threshold.h"
Include dependency graph for detect.h:

Go to the source code of this file.

Data Structures

struct  SignatureProperties
 
struct  DetectAddress_
 address structure for use in the detection engine. More...
 
struct  DetectAddressHead_
 
struct  DetectMatchAddressIPv4_
 
struct  DetectMatchAddressIPv6_
 
struct  DetectPort_
 Port structure for detection engine. More...
 
struct  IPOnlyCIDRItem_
 
struct  SigMatchCtx_
 Used to start a pointer to SigMatch context Should never be dereferenced without casting to something else. More...
 
struct  SigMatch_
 a single match condition for a signature More...
 
struct  SigMatchData_
 Data needed for Match() More...
 
struct  InspectionBuffer
 
struct  InspectionBufferMultipleForList
 
struct  TransformData_
 
struct  DetectEngineTransforms
 
struct  DetectEngineAppInspectionEngine_
 
struct  DetectBufferType_
 
struct  DetectEnginePktInspectionEngine
 
struct  DetectEngineFrameInspectionEngine
 
struct  SignatureInitDataBuffer_
 
struct  SignatureInitData_
 
struct  Signature_
 Signature container. More...
 
struct  DetectBufferMpmRegistry_
 one time registration of keywords at start up More...
 
struct  DetectPatternTracker
 
struct  DetectReplaceList_
 
struct  DetectVarList_
 
struct  SCFPSupportSMList_
 
struct  DetectEngineIPOnlyCtx_
 IP only rules matching ctx. More...
 
struct  DetectEngineLookupFlow_
 
struct  ThresholdCtx_
 threshold ctx More...
 
struct  SigString_
 
struct  SigFileLoaderStat_
 Signature loader statistics. More...
 
struct  DetectEngineThreadKeywordCtxItem_
 
struct  DetectEngineCtx_
 main detection engine ctx More...
 
struct  SignatureNonPrefilterStore_
 
struct  RuleMatchCandidateTx
 
struct  DetectEngineThreadCtx_
 
struct  SigTableElmt_
 element in sigmatch type table. More...
 
struct  MpmStore_
 
struct  PrefilterEngineList_
 
struct  PrefilterEngine_
 
struct  SigGroupHeadInitData_
 
struct  SigGroupHead_
 Container for matching data for a signature group. More...
 
struct  DetectEngineTenantMapping_
 
struct  DetectEngineMasterCtx_
 

Macros

#define DETECT_MAX_RULE_SIZE   8192
 
#define DETECT_TRANSFORMS_MAX   16
 
#define DETECT_DEFAULT_PRIO   3
 
#define DETECT_SM_LIST_NOTSET   INT_MAX
 
#define ADDRESS_FLAG_NOT   0x01
 
#define PORT_FLAG_ANY   0x01
 
#define PORT_FLAG_NOT   0x02
 
#define PORT_SIGGROUPHEAD_COPY   0x04
 
#define SIG_FLAG_SRC_ANY   BIT_U32(0)
 
#define SIG_FLAG_DST_ANY   BIT_U32(1)
 
#define SIG_FLAG_SP_ANY   BIT_U32(2)
 
#define SIG_FLAG_DP_ANY   BIT_U32(3)
 
#define SIG_FLAG_NOALERT   BIT_U32(4)
 
#define SIG_FLAG_DSIZE   BIT_U32(5)
 
#define SIG_FLAG_APPLAYER   BIT_U32(6)
 
#define SIG_FLAG_REQUIRE_PACKET   BIT_U32(9)
 
#define SIG_FLAG_REQUIRE_STREAM   BIT_U32(10)
 
#define SIG_FLAG_MPM_NEG   BIT_U32(11)
 
#define SIG_FLAG_FLUSH   BIT_U32(12)
 
#define SIG_FLAG_REQUIRE_STREAM_ONLY   BIT_U32(13)
 
#define SIG_FLAG_REQUIRE_FLOWVAR   BIT_U32(17)
 
#define SIG_FLAG_FILESTORE   BIT_U32(18)
 
#define SIG_FLAG_TOSERVER   BIT_U32(19)
 
#define SIG_FLAG_TOCLIENT   BIT_U32(20)
 
#define SIG_FLAG_TLSSTORE   BIT_U32(21)
 
#define SIG_FLAG_BYPASS   BIT_U32(22)
 
#define SIG_FLAG_PREFILTER   BIT_U32(23)
 
#define SIG_FLAG_SRC_IS_TARGET   BIT_U32(25)
 
#define SIG_FLAG_DEST_IS_TARGET   BIT_U32(26)
 
#define SIG_FLAG_HAS_TARGET   (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET)
 
#define SIG_FLAG_INIT_PACKET   BIT_U32(1)
 
#define SIG_FLAG_INIT_FLOW   BIT_U32(2)
 
#define SIG_FLAG_INIT_BIDIREC   BIT_U32(3)
 
#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN   BIT_U32(4) /** < signature has seen the first ip_proto keyword */
 
#define SIG_FLAG_INIT_STATE_MATCH   BIT_U32(6)
 
#define SIG_FLAG_INIT_NEED_FLUSH   BIT_U32(7)
 
#define SIG_FLAG_INIT_PRIO_EXPLICIT   BIT_U32(8)
 
#define SIG_FLAG_INIT_FILEDATA   BIT_U32(9)
 
#define SIG_FLAG_INIT_JA3   BIT_U32(10)
 
#define SIG_MASK_REQUIRE_PAYLOAD   BIT_U8(0)
 
#define SIG_MASK_REQUIRE_FLOW   BIT_U8(1)
 
#define SIG_MASK_REQUIRE_FLAGS_INITDEINIT   BIT_U8(2) /* SYN, FIN, RST */
 
#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL   BIT_U8(3) /* URG, ECN, CWR */
 
#define SIG_MASK_REQUIRE_NO_PAYLOAD   BIT_U8(4)
 
#define SIG_MASK_REQUIRE_ENGINE_EVENT   BIT_U8(7)
 
#define SignatureMask   uint8_t
 
#define DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET   0x0001
 
#define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH   0x0004
 
#define FILE_SIG_NEED_FILE   0x01
 
#define FILE_SIG_NEED_FILENAME   0x02
 
#define FILE_SIG_NEED_MAGIC   0x04
 
#define FILE_SIG_NEED_FILECONTENT   0x08
 
#define FILE_SIG_NEED_MD5   0x10
 
#define FILE_SIG_NEED_SHA1   0x20
 
#define FILE_SIG_NEED_SHA256   0x40
 
#define FILE_SIG_NEED_SIZE   0x80
 
#define DE_QUIET   0x01
 
#define DETECT_VAR_TYPE_FLOW_POSTMATCH   1
 
#define DETECT_VAR_TYPE_PKT_POSTMATCH   2
 
#define FLOW_STATES   2
 
#define ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE   (ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO + 1)
 
#define DETECT_FILESTORE_MAX   15
 
#define SIG_GROUP_HEAD_HAVERAWSTREAM   BIT_U16(0)
 
#define SIG_GROUP_HEAD_HAVEFILEMD5   BIT_U16(2)
 
#define SIG_GROUP_HEAD_HAVEFILESIZE   BIT_U16(3)
 
#define SIG_GROUP_HEAD_HAVEFILESHA1   BIT_U16(4)
 
#define SIG_GROUP_HEAD_HAVEFILESHA256   BIT_U16(5)
 
#define SIGMATCH_NOOPT   BIT_U16(0)
 
#define SIGMATCH_IPONLY_COMPAT   BIT_U16(1)
 
#define SIGMATCH_DEONLY_COMPAT   BIT_U16(2)
 
#define SIGMATCH_NOT_BUILT   BIT_U16(3)
 
#define SIGMATCH_OPTIONAL_OPT   BIT_U16(4)
 
#define SIGMATCH_QUOTES_OPTIONAL   BIT_U16(5)
 
#define SIGMATCH_QUOTES_MANDATORY   BIT_U16(6)
 
#define SIGMATCH_HANDLE_NEGATION   BIT_U16(7)
 
#define SIGMATCH_INFO_CONTENT_MODIFIER   BIT_U16(8)
 
#define SIGMATCH_INFO_STICKY_BUFFER   BIT_U16(9)
 
#define SIGMATCH_INFO_DEPRECATED   BIT_U16(10)
 
#define SIGMATCH_STRICT_PARSING   BIT_U16(11)
 

Typedefs

typedef struct SCDetectRequiresStatus SCDetectRequiresStatus
 
typedef struct DetectAddress_ DetectAddress
 address structure for use in the detection engine. More...
 
typedef struct DetectAddressHead_ DetectAddressHead
 
typedef struct DetectMatchAddressIPv4_ DetectMatchAddressIPv4
 
typedef struct DetectMatchAddressIPv6_ DetectMatchAddressIPv6
 
typedef struct DetectPort_ DetectPort
 Port structure for detection engine. More...
 
typedef struct IPOnlyCIDRItem_ IPOnlyCIDRItem
 
typedef struct SigMatchCtx_ SigMatchCtx
 Used to start a pointer to SigMatch context Should never be dereferenced without casting to something else. More...
 
typedef struct SigMatch_ SigMatch
 a single match condition for a signature More...
 
typedef struct SigMatchData_ SigMatchData
 Data needed for Match() More...
 
typedef struct InspectionBuffer InspectionBuffer
 
typedef struct InspectionBufferMultipleForList InspectionBufferMultipleForList
 
typedef struct TransformData_ TransformData
 
typedef struct DetectEngineTransforms DetectEngineTransforms
 
typedef InspectionBuffer *(* InspectionBufferGetDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)
 
typedef uint8_t(* InspectEngineFuncPtr) (struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
 
typedef struct DetectEngineAppInspectionEngine_ DetectEngineAppInspectionEngine
 
typedef struct DetectBufferType_ DetectBufferType
 
typedef int(* InspectionBufferPktInspectFunc) (struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags)
 
typedef InspectionBuffer *(* InspectionBufferGetPktDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)
 
typedef struct DetectEnginePktInspectionEngine DetectEnginePktInspectionEngine
 
typedef int(* InspectionBufferFrameInspectFunc) (struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame)
 
typedef struct DetectEngineFrameInspectionEngine DetectEngineFrameInspectionEngine
 
typedef struct SignatureInitDataBuffer_ SignatureInitDataBuffer
 
typedef struct SignatureInitData_ SignatureInitData
 
typedef struct Signature_ Signature
 Signature container. More...
 
typedef struct DetectBufferMpmRegistry_ DetectBufferMpmRegistry
 one time registration of keywords at start up More...
 
typedef struct DetectPatternTracker DetectPatternTracker
 
typedef struct DetectReplaceList_ DetectReplaceList
 
typedef struct DetectVarList_ DetectVarList
 
typedef struct SCFPSupportSMList_ SCFPSupportSMList
 
typedef struct DetectEngineIPOnlyCtx_ DetectEngineIPOnlyCtx
 IP only rules matching ctx. More...
 
typedef struct DetectEngineLookupFlow_ DetectEngineLookupFlow
 
typedef struct ThresholdCtx_ ThresholdCtx
 threshold ctx More...
 
typedef struct SigString_ SigString
 
typedef struct SigFileLoaderStat_ SigFileLoaderStat
 Signature loader statistics. More...
 
typedef struct DetectEngineThreadKeywordCtxItem_ DetectEngineThreadKeywordCtxItem
 
typedef struct DetectEngineCtx_ DetectEngineCtx
 main detection engine ctx More...
 
typedef struct SignatureNonPrefilterStore_ SignatureNonPrefilterStore
 
typedef struct RuleMatchCandidateTx RuleMatchCandidateTx
 
typedef struct DetectEngineThreadCtx_ DetectEngineThreadCtx
 
typedef struct SigTableElmt_ SigTableElmt
 element in sigmatch type table. More...
 
typedef struct MpmStore_ MpmStore
 
typedef void(* PrefilterFrameFn) (DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, const struct Frames *frames, const struct Frame *frame)
 
typedef struct AppLayerTxData AppLayerTxData
 
typedef void(* PrefilterTxFn) (DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t tx_id, const AppLayerTxData *tx_data, const uint8_t flags)
 
typedef struct PrefilterEngineList_ PrefilterEngineList
 
typedef struct PrefilterEngine_ PrefilterEngine
 
typedef struct SigGroupHeadInitData_ SigGroupHeadInitData
 
typedef struct SigGroupHead_ SigGroupHead
 Container for matching data for a signature group. More...
 
typedef struct DetectEngineTenantMapping_ DetectEngineTenantMapping
 
typedef struct DetectEngineMasterCtx_ DetectEngineMasterCtx
 

Enumerations

enum  SignatureType {
  SIG_TYPE_NOT_SET = 0, SIG_TYPE_IPONLY, SIG_TYPE_LIKE_IPONLY, SIG_TYPE_PDONLY,
  SIG_TYPE_DEONLY, SIG_TYPE_PKT, SIG_TYPE_PKT_STREAM, SIG_TYPE_STREAM,
  SIG_TYPE_APPLAYER, SIG_TYPE_APP_TX, SIG_TYPE_MAX
}
 
enum  SignaturePropertyFlowAction { SIG_PROP_FLOW_ACTION_PACKET, SIG_PROP_FLOW_ACTION_FLOW, SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL }
 
enum  DetectSigmatchListEnum {
  DETECT_SM_LIST_MATCH = 0, DETECT_SM_LIST_PMATCH, DETECT_SM_LIST_BASE64_DATA, DETECT_SM_LIST_POSTMATCH,
  DETECT_SM_LIST_TMATCH, DETECT_SM_LIST_SUPPRESS, DETECT_SM_LIST_THRESHOLD, DETECT_SM_LIST_MAX,
  DETECT_SM_LIST_DYNAMIC_START = DETECT_SM_LIST_MAX
}
 
enum  {
  ADDRESS_ER = -1, ADDRESS_LT, ADDRESS_LE, ADDRESS_EQ,
  ADDRESS_ES, ADDRESS_EB, ADDRESS_GE, ADDRESS_GT
}
 
enum  {
  PORT_ER = -1, PORT_LT, PORT_LE, PORT_EQ,
  PORT_ES, PORT_EB, PORT_GE, PORT_GT
}
 
enum  DetectBufferMpmType { DETECT_BUFFER_MPM_TYPE_PKT, DETECT_BUFFER_MPM_TYPE_APP, DETECT_BUFFER_MPM_TYPE_FRAME, DETECT_BUFFER_MPM_TYPE_SIZE }
 
enum  DetectEnginePrefilterSetting { DETECT_PREFILTER_MPM = 0, DETECT_PREFILTER_AUTO = 1 }
 
enum  DetectEngineType { DETECT_ENGINE_TYPE_NORMAL = 0, DETECT_ENGINE_TYPE_DD_STUB = 1, DETECT_ENGINE_TYPE_MT_STUB = 2, DETECT_ENGINE_TYPE_TENANT = 3 }
 
enum  {
  ENGINE_PROFILE_UNKNOWN, ENGINE_PROFILE_LOW, ENGINE_PROFILE_MEDIUM, ENGINE_PROFILE_HIGH,
  ENGINE_PROFILE_CUSTOM
}
 
enum  { ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL = 0, ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE, ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO }
 
enum  {
  FILE_DECODER_EVENT_NO_MEM, FILE_DECODER_EVENT_INVALID_SWF_LENGTH, FILE_DECODER_EVENT_INVALID_SWF_VERSION, FILE_DECODER_EVENT_Z_DATA_ERROR,
  FILE_DECODER_EVENT_Z_STREAM_ERROR, FILE_DECODER_EVENT_Z_BUF_ERROR, FILE_DECODER_EVENT_Z_UNKNOWN_ERROR, FILE_DECODER_EVENT_LZMA_IO_ERROR,
  FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR, FILE_DECODER_EVENT_LZMA_DECODER_ERROR, FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR, FILE_DECODER_EVENT_LZMA_XZ_ERROR,
  FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR, DETECT_EVENT_TOO_MANY_BUFFERS
}
 
enum  MpmBuiltinBuffers {
  MPMB_TCP_PKT_TS, MPMB_TCP_PKT_TC, MPMB_TCP_STREAM_TS, MPMB_TCP_STREAM_TC,
  MPMB_UDP_TS, MPMB_UDP_TC, MPMB_OTHERIP, MPMB_MAX
}
 
enum  DetectEngineTenantSelectors { TENANT_SELECTOR_UNKNOWN = 0, TENANT_SELECTOR_DIRECT, TENANT_SELECTOR_VLAN, TENANT_SELECTOR_LIVEDEV }
 

Functions

TmEcode Detect (ThreadVars *tv, Packet *p, void *data)
 Detection engine thread wrapper. More...
 
SigMatchSigMatchAlloc (void)
 
SignatureSigFindSignatureBySidGid (DetectEngineCtx *, uint32_t, uint32_t)
 Find a specific signature by sid and gid. More...
 
void SigMatchFree (DetectEngineCtx *, SigMatch *sm)
 free a SigMatch More...
 
void SigRegisterTests (void)
 
void DisableDetectFlowFileFlags (Flow *f)
 disable file features we don't need Called if we have no detection engine. More...
 
char * DetectLoadCompleteSigPath (const DetectEngineCtx *, const char *sig_file)
 Create the path if default-rule-path was specified. More...
 
int SigLoadSignatures (DetectEngineCtx *, char *, bool)
 Load signatures. More...
 
void SigMatchSignatures (ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
 wrapper for old tests More...
 
int SignatureIsIPOnly (DetectEngineCtx *de_ctx, const Signature *s)
 Test is a initialized signature is IP only. More...
 
const SigGroupHeadSigMatchSignaturesGetSgh (const DetectEngineCtx *de_ctx, const Packet *p)
 Get the SigGroupHead for a packet. More...
 
int DetectUnregisterThreadCtxFuncs (DetectEngineCtx *, void *data, const char *name)
 Remove Thread keyword context registration. More...
 
int DetectRegisterThreadCtxFuncs (DetectEngineCtx *, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int)
 Register Thread keyword context Funcs. More...
 
void * DetectThreadCtxGetKeywordThreadCtx (DetectEngineThreadCtx *, int)
 Retrieve thread local keyword ctx by id. More...
 
void RuleMatchCandidateTxArrayInit (DetectEngineThreadCtx *det_ctx, uint32_t size)
 
void RuleMatchCandidateTxArrayFree (DetectEngineThreadCtx *det_ctx)
 
void AlertQueueInit (DetectEngineThreadCtx *det_ctx)
 
void AlertQueueFree (DetectEngineThreadCtx *det_ctx)
 
void AlertQueueAppend (DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t alert_flags)
 Append signature to local packet alert queue for later preprocessing. More...
 
int DetectFlowbitsAnalyze (DetectEngineCtx *de_ctx)
 
int DetectMetadataHashInit (DetectEngineCtx *de_ctx)
 
void DetectMetadataHashFree (DetectEngineCtx *de_ctx)
 
void DetectEngineSetEvent (DetectEngineThreadCtx *det_ctx, uint8_t e)
 
AppLayerDecoderEventsDetectEngineGetEvents (DetectEngineThreadCtx *det_ctx)
 
void DumpPatterns (DetectEngineCtx *de_ctx)
 

Variables

const struct SignatureProperties signature_properties [SIG_TYPE_MAX]
 
SigTableElmt sigmatch_table [DETECT_TBLSIZE]
 

Detailed Description

Author
Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Definition in file detect.h.

Macro Definition Documentation

◆ ADDRESS_FLAG_NOT

#define ADDRESS_FLAG_NOT   0x01

address is negated

Definition at line 157 of file detect.h.

◆ DE_QUIET

#define DE_QUIET   0x01

DE is quiet (esp for unittests)

Definition at line 321 of file detect.h.

◆ DETECT_DEFAULT_PRIO

#define DETECT_DEFAULT_PRIO   3

default rule priority if not set through priority keyword or via classtype.

Definition at line 51 of file detect.h.

◆ DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET

#define DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET   0x0001

Definition at line 308 of file detect.h.

◆ DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH

#define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH   0x0004

Definition at line 309 of file detect.h.

◆ DETECT_FILESTORE_MAX

#define DETECT_FILESTORE_MAX   15

Definition at line 1066 of file detect.h.

◆ DETECT_MAX_RULE_SIZE

#define DETECT_MAX_RULE_SIZE   8192

Definition at line 45 of file detect.h.

◆ DETECT_SM_LIST_NOTSET

#define DETECT_SM_LIST_NOTSET   INT_MAX

Definition at line 139 of file detect.h.

◆ DETECT_TRANSFORMS_MAX

#define DETECT_TRANSFORMS_MAX   16

Definition at line 47 of file detect.h.

◆ DETECT_VAR_TYPE_FLOW_POSTMATCH

#define DETECT_VAR_TYPE_FLOW_POSTMATCH   1

only execute flowvar storage if rule matched

Definition at line 733 of file detect.h.

◆ DETECT_VAR_TYPE_PKT_POSTMATCH

#define DETECT_VAR_TYPE_PKT_POSTMATCH   2

Definition at line 734 of file detect.h.

◆ ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE

#define ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE   (ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO + 1)

Definition at line 1063 of file detect.h.

◆ FILE_SIG_NEED_FILE

#define FILE_SIG_NEED_FILE   0x01

Definition at line 311 of file detect.h.

◆ FILE_SIG_NEED_FILECONTENT

#define FILE_SIG_NEED_FILECONTENT   0x08

Definition at line 314 of file detect.h.

◆ FILE_SIG_NEED_FILENAME

#define FILE_SIG_NEED_FILENAME   0x02

Definition at line 312 of file detect.h.

◆ FILE_SIG_NEED_MAGIC

#define FILE_SIG_NEED_MAGIC   0x04

need the start of the file

Definition at line 313 of file detect.h.

◆ FILE_SIG_NEED_MD5

#define FILE_SIG_NEED_MD5   0x10

Definition at line 315 of file detect.h.

◆ FILE_SIG_NEED_SHA1

#define FILE_SIG_NEED_SHA1   0x20

Definition at line 316 of file detect.h.

◆ FILE_SIG_NEED_SHA256

#define FILE_SIG_NEED_SHA256   0x40

Definition at line 317 of file detect.h.

◆ FILE_SIG_NEED_SIZE

#define FILE_SIG_NEED_SIZE   0x80

Definition at line 318 of file detect.h.

◆ FLOW_STATES

#define FLOW_STATES   2

Definition at line 833 of file detect.h.

◆ PORT_FLAG_ANY

#define PORT_FLAG_ANY   0x01

'any' special port

Definition at line 210 of file detect.h.

◆ PORT_FLAG_NOT

#define PORT_FLAG_NOT   0x02

negated port

Definition at line 211 of file detect.h.

◆ PORT_SIGGROUPHEAD_COPY

#define PORT_SIGGROUPHEAD_COPY   0x04

sgh is a ptr copy

Definition at line 212 of file detect.h.

◆ SIG_FLAG_APPLAYER

#define SIG_FLAG_APPLAYER   BIT_U32(6)

signature applies to app layer instead of packets

Definition at line 242 of file detect.h.

◆ SIG_FLAG_BYPASS

#define SIG_FLAG_BYPASS   BIT_U32(22)

Definition at line 268 of file detect.h.

◆ SIG_FLAG_DEST_IS_TARGET

#define SIG_FLAG_DEST_IS_TARGET   BIT_U32(26)

Info for Source and Target identification

Definition at line 277 of file detect.h.

◆ SIG_FLAG_DP_ANY

#define SIG_FLAG_DP_ANY   BIT_U32(3)

destination port is any

Definition at line 238 of file detect.h.

◆ SIG_FLAG_DSIZE

#define SIG_FLAG_DSIZE   BIT_U32(5)

signature has a dsize setting

Definition at line 241 of file detect.h.

◆ SIG_FLAG_DST_ANY

#define SIG_FLAG_DST_ANY   BIT_U32(1)

destination is any

Definition at line 236 of file detect.h.

◆ SIG_FLAG_FILESTORE

#define SIG_FLAG_FILESTORE   BIT_U32(18)

signature has filestore keyword

Definition at line 261 of file detect.h.

◆ SIG_FLAG_FLUSH

#define SIG_FLAG_FLUSH   BIT_U32(12)

detection logic needs stream flush notification

Definition at line 251 of file detect.h.

◆ SIG_FLAG_HAS_TARGET

#define SIG_FLAG_HAS_TARGET   (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET)

Definition at line 279 of file detect.h.

◆ SIG_FLAG_INIT_BIDIREC

#define SIG_FLAG_INIT_BIDIREC   BIT_U32(3)

signature has bidirectional operator

Definition at line 285 of file detect.h.

◆ SIG_FLAG_INIT_FILEDATA

#define SIG_FLAG_INIT_FILEDATA   BIT_U32(9)

signature has filedata keyword

Definition at line 292 of file detect.h.

◆ SIG_FLAG_INIT_FIRST_IPPROTO_SEEN

#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN   BIT_U32(4) /** < signature has seen the first ip_proto keyword */

Definition at line 286 of file detect.h.

◆ SIG_FLAG_INIT_FLOW

#define SIG_FLAG_INIT_FLOW   BIT_U32(2)

signature has a flow setting

Definition at line 284 of file detect.h.

◆ SIG_FLAG_INIT_JA3

#define SIG_FLAG_INIT_JA3   BIT_U32(10)

signature has ja3 keyword

Definition at line 293 of file detect.h.

◆ SIG_FLAG_INIT_NEED_FLUSH

#define SIG_FLAG_INIT_NEED_FLUSH   BIT_U32(7)

Definition at line 289 of file detect.h.

◆ SIG_FLAG_INIT_PACKET

#define SIG_FLAG_INIT_PACKET   BIT_U32(1)

signature has matches against a packet (as opposed to app layer)

Definition at line 283 of file detect.h.

◆ SIG_FLAG_INIT_PRIO_EXPLICIT

#define SIG_FLAG_INIT_PRIO_EXPLICIT   BIT_U32(8)

priority is explicitly set by the priority keyword

Definition at line 291 of file detect.h.

◆ SIG_FLAG_INIT_STATE_MATCH

#define SIG_FLAG_INIT_STATE_MATCH   BIT_U32(6)

signature has matches that require stateful inspection

Definition at line 288 of file detect.h.

◆ SIG_FLAG_MPM_NEG

#define SIG_FLAG_MPM_NEG   BIT_U32(11)

Definition at line 249 of file detect.h.

◆ SIG_FLAG_NOALERT

#define SIG_FLAG_NOALERT   BIT_U32(4)

no alert flag is set

Definition at line 240 of file detect.h.

◆ SIG_FLAG_PREFILTER

#define SIG_FLAG_PREFILTER   BIT_U32(23)

sig is part of a prefilter engine

Definition at line 270 of file detect.h.

◆ SIG_FLAG_REQUIRE_FLOWVAR

#define SIG_FLAG_REQUIRE_FLOWVAR   BIT_U32(17)

signature can only match if a flowbit, flowvar or flowint is available.

Definition at line 259 of file detect.h.

◆ SIG_FLAG_REQUIRE_PACKET

#define SIG_FLAG_REQUIRE_PACKET   BIT_U32(9)

signature is requiring packet match

Definition at line 246 of file detect.h.

◆ SIG_FLAG_REQUIRE_STREAM

#define SIG_FLAG_REQUIRE_STREAM   BIT_U32(10)

signature is requiring stream match

Definition at line 247 of file detect.h.

◆ SIG_FLAG_REQUIRE_STREAM_ONLY

#define SIG_FLAG_REQUIRE_STREAM_ONLY   BIT_U32(13)

signature is requiring stream match. Stream match is not optional, so no \ fallback to packet payload.

Definition at line 255 of file detect.h.

◆ SIG_FLAG_SP_ANY

#define SIG_FLAG_SP_ANY   BIT_U32(2)

source port is any

Definition at line 237 of file detect.h.

◆ SIG_FLAG_SRC_ANY

#define SIG_FLAG_SRC_ANY   BIT_U32(0)
Note
: additions should be added to the rule analyzer as well source is any

Definition at line 235 of file detect.h.

◆ SIG_FLAG_SRC_IS_TARGET

#define SIG_FLAG_SRC_IS_TARGET   BIT_U32(25)

Info for Source and Target identification

Definition at line 275 of file detect.h.

◆ SIG_FLAG_TLSSTORE

#define SIG_FLAG_TLSSTORE   BIT_U32(21)

Definition at line 266 of file detect.h.

◆ SIG_FLAG_TOCLIENT

#define SIG_FLAG_TOCLIENT   BIT_U32(20)

Definition at line 264 of file detect.h.

◆ SIG_FLAG_TOSERVER

#define SIG_FLAG_TOSERVER   BIT_U32(19)

Definition at line 263 of file detect.h.

◆ SIG_GROUP_HEAD_HAVEFILEMD5

#define SIG_GROUP_HEAD_HAVEFILEMD5   BIT_U16(2)

Definition at line 1323 of file detect.h.

◆ SIG_GROUP_HEAD_HAVEFILESHA1

#define SIG_GROUP_HEAD_HAVEFILESHA1   BIT_U16(4)

Definition at line 1325 of file detect.h.

◆ SIG_GROUP_HEAD_HAVEFILESHA256

#define SIG_GROUP_HEAD_HAVEFILESHA256   BIT_U16(5)

Definition at line 1326 of file detect.h.

◆ SIG_GROUP_HEAD_HAVEFILESIZE

#define SIG_GROUP_HEAD_HAVEFILESIZE   BIT_U16(3)

Definition at line 1324 of file detect.h.

◆ SIG_GROUP_HEAD_HAVERAWSTREAM

#define SIG_GROUP_HEAD_HAVERAWSTREAM   BIT_U16(0)

Definition at line 1319 of file detect.h.

◆ SIG_MASK_REQUIRE_ENGINE_EVENT

#define SIG_MASK_REQUIRE_ENGINE_EVENT   BIT_U8(7)

Definition at line 303 of file detect.h.

◆ SIG_MASK_REQUIRE_FLAGS_INITDEINIT

#define SIG_MASK_REQUIRE_FLAGS_INITDEINIT   BIT_U8(2) /* SYN, FIN, RST */

Definition at line 299 of file detect.h.

◆ SIG_MASK_REQUIRE_FLAGS_UNUSUAL

#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL   BIT_U8(3) /* URG, ECN, CWR */

Definition at line 300 of file detect.h.

◆ SIG_MASK_REQUIRE_FLOW

#define SIG_MASK_REQUIRE_FLOW   BIT_U8(1)

Definition at line 298 of file detect.h.

◆ SIG_MASK_REQUIRE_NO_PAYLOAD

#define SIG_MASK_REQUIRE_NO_PAYLOAD   BIT_U8(4)

Definition at line 301 of file detect.h.

◆ SIG_MASK_REQUIRE_PAYLOAD

#define SIG_MASK_REQUIRE_PAYLOAD   BIT_U8(0)
Note
: additions should be added to the rule analyzer as well

Definition at line 297 of file detect.h.

◆ SIGMATCH_DEONLY_COMPAT

#define SIGMATCH_DEONLY_COMPAT   BIT_U16(2)

sigmatch is compatible with a decode event only rule Flag to indicate that the signature is not built-in

Definition at line 1478 of file detect.h.

◆ SIGMATCH_HANDLE_NEGATION

#define SIGMATCH_HANDLE_NEGATION   BIT_U16(7)

negation parsing is handled by the rule parser. Signature::init_data::negated will be set to true or false prior to calling the keyword parser. Exclamation mark is stripped from the input to the keyword parser.

Definition at line 1493 of file detect.h.

◆ SIGMATCH_INFO_CONTENT_MODIFIER

#define SIGMATCH_INFO_CONTENT_MODIFIER   BIT_U16(8)

keyword is a content modifier

Definition at line 1495 of file detect.h.

◆ SIGMATCH_INFO_DEPRECATED

#define SIGMATCH_INFO_DEPRECATED   BIT_U16(10)

keyword is deprecated: used to suggest an alternative

Definition at line 1499 of file detect.h.

◆ SIGMATCH_INFO_STICKY_BUFFER

#define SIGMATCH_INFO_STICKY_BUFFER   BIT_U16(9)

keyword is a sticky buffer

Definition at line 1497 of file detect.h.

◆ SIGMATCH_IPONLY_COMPAT

#define SIGMATCH_IPONLY_COMPAT   BIT_U16(1)

sigmatch is compatible with a ip only rule

Definition at line 1475 of file detect.h.

◆ SIGMATCH_NOOPT

#define SIGMATCH_NOOPT   BIT_U16(0)

sigmatch has no options, so the parser shouldn't expect any

Definition at line 1473 of file detect.h.

◆ SIGMATCH_NOT_BUILT

#define SIGMATCH_NOT_BUILT   BIT_U16(3)

Definition at line 1479 of file detect.h.

◆ SIGMATCH_OPTIONAL_OPT

#define SIGMATCH_OPTIONAL_OPT   BIT_U16(4)

sigmatch may have options, so the parser should be ready to deal with both cases

Definition at line 1482 of file detect.h.

◆ SIGMATCH_QUOTES_MANDATORY

#define SIGMATCH_QUOTES_MANDATORY   BIT_U16(6)

input MUST be wrapped in double quotes. They will be stripped before input data is passed to keyword parser. Missing double quotes lead to error and signature invalidation.

Definition at line 1489 of file detect.h.

◆ SIGMATCH_QUOTES_OPTIONAL

#define SIGMATCH_QUOTES_OPTIONAL   BIT_U16(5)

input may be wrapped in double quotes. They will be stripped before input data is passed to keyword parser

Definition at line 1485 of file detect.h.

◆ SIGMATCH_STRICT_PARSING

#define SIGMATCH_STRICT_PARSING   BIT_U16(11)

strict parsing is enabled

Definition at line 1501 of file detect.h.

◆ SignatureMask

#define SignatureMask   uint8_t

Definition at line 306 of file detect.h.

Typedef Documentation

◆ AppLayerTxData

Definition at line 1351 of file detect.h.

◆ DetectAddress

typedef struct DetectAddress_ DetectAddress

address structure for use in the detection engine.

Contains the address information and matching information.

◆ DetectAddressHead

Address grouping head. IPv4 and IPv6 are split out

◆ DetectBufferMpmRegistry

one time registration of keywords at start up

◆ DetectBufferType

◆ DetectEngineAppInspectionEngine

◆ DetectEngineCtx

main detection engine ctx

◆ DetectEngineFrameInspectionEngine

◆ DetectEngineIPOnlyCtx

IP only rules matching ctx.

◆ DetectEngineLookupFlow

◆ DetectEngineMasterCtx

◆ DetectEnginePktInspectionEngine

◆ DetectEngineTenantMapping

◆ DetectEngineThreadCtx

Detection engine thread data.

◆ DetectEngineThreadKeywordCtxItem

◆ DetectEngineTransforms

◆ DetectMatchAddressIPv4

◆ DetectMatchAddressIPv6

◆ DetectPatternTracker

◆ DetectPort

typedef struct DetectPort_ DetectPort

Port structure for detection engine.

◆ DetectReplaceList

◆ DetectVarList

typedef struct DetectVarList_ DetectVarList

list for flowvar store candidates, to be stored from post-match function

◆ InspectEngineFuncPtr

typedef uint8_t(* InspectEngineFuncPtr) (struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)

Definition at line 418 of file detect.h.

◆ InspectionBuffer

◆ InspectionBufferFrameInspectFunc

typedef int(* InspectionBufferFrameInspectFunc) (struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame)
Parameters
alert_flags[out]for setting PACKET_ALERT_FLAG_*

Definition at line 498 of file detect.h.

◆ InspectionBufferGetDataPtr

typedef InspectionBuffer*(* InspectionBufferGetDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)

callback for getting the buffer we need to prefilter/inspect

Definition at line 411 of file detect.h.

◆ InspectionBufferGetPktDataPtr

typedef InspectionBuffer*(* InspectionBufferGetPktDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)

callback for getting the buffer we need to prefilter/inspect

Definition at line 472 of file detect.h.

◆ InspectionBufferMultipleForList

◆ InspectionBufferPktInspectFunc

typedef int(* InspectionBufferPktInspectFunc) (struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags)
Parameters
alert_flags[out]for setting PACKET_ALERT_FLAG_*

Definition at line 465 of file detect.h.

◆ IPOnlyCIDRItem

◆ MpmStore

typedef struct MpmStore_ MpmStore

◆ PrefilterEngine

◆ PrefilterEngineList

◆ PrefilterFrameFn

typedef void(* PrefilterFrameFn) (DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, const struct Frames *frames, const struct Frame *frame)

Definition at line 1351 of file detect.h.

◆ PrefilterTxFn

typedef void(* PrefilterTxFn) (DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t tx_id, const AppLayerTxData *tx_data, const uint8_t flags)

Definition at line 1355 of file detect.h.

◆ RuleMatchCandidateTx

array of TX inspect rule candidates

◆ SCDetectRequiresStatus

Definition at line 1 of file detect.h.

◆ SCFPSupportSMList

◆ SigFileLoaderStat

Signature loader statistics.

◆ SigGroupHead

typedef struct SigGroupHead_ SigGroupHead

Container for matching data for a signature group.

◆ SigGroupHeadInitData

◆ SigMatch

typedef struct SigMatch_ SigMatch

a single match condition for a signature

◆ SigMatchCtx

typedef struct SigMatchCtx_ SigMatchCtx

Used to start a pointer to SigMatch context Should never be dereferenced without casting to something else.

◆ SigMatchData

typedef struct SigMatchData_ SigMatchData

Data needed for Match()

◆ Signature

typedef struct Signature_ Signature

Signature container.

◆ SignatureInitData

◆ SignatureInitDataBuffer

◆ SignatureNonPrefilterStore

◆ SigString

typedef struct SigString_ SigString

◆ SigTableElmt

typedef struct SigTableElmt_ SigTableElmt

element in sigmatch type table.

◆ ThresholdCtx

typedef struct ThresholdCtx_ ThresholdCtx

threshold ctx

◆ TransformData

typedef struct TransformData_ TransformData

Enumeration Type Documentation

◆ anonymous enum

anonymous enum
Enumerator
ADDRESS_ER 

error e.g. compare ipv4 and ipv6

ADDRESS_LT 

smaller [aaa] [bbb]

ADDRESS_LE 

smaller with overlap [aa[bab]bb]

ADDRESS_EQ 

exactly equal [abababab]

ADDRESS_ES 

within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]]

ADDRESS_EB 

completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]]

ADDRESS_GE 

bigger with overlap [bb[aba]aa]

ADDRESS_GT 

bigger [bbb] [aaa]

Definition at line 145 of file detect.h.

◆ anonymous enum

anonymous enum
Enumerator
PORT_ER 
PORT_LT 
PORT_LE 
PORT_EQ 
PORT_ES 
PORT_EB 
PORT_GE 
PORT_GT 

Definition at line 198 of file detect.h.

◆ anonymous enum

anonymous enum
Enumerator
ENGINE_PROFILE_UNKNOWN 
ENGINE_PROFILE_LOW 
ENGINE_PROFILE_MEDIUM 
ENGINE_PROFILE_HIGH 
ENGINE_PROFILE_CUSTOM 

Definition at line 1049 of file detect.h.

◆ anonymous enum

anonymous enum
Enumerator
ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL 
ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE 
ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO 

Definition at line 1058 of file detect.h.

◆ anonymous enum

anonymous enum
Enumerator
FILE_DECODER_EVENT_NO_MEM 
FILE_DECODER_EVENT_INVALID_SWF_LENGTH 
FILE_DECODER_EVENT_INVALID_SWF_VERSION 
FILE_DECODER_EVENT_Z_DATA_ERROR 
FILE_DECODER_EVENT_Z_STREAM_ERROR 
FILE_DECODER_EVENT_Z_BUF_ERROR 
FILE_DECODER_EVENT_Z_UNKNOWN_ERROR 
FILE_DECODER_EVENT_LZMA_IO_ERROR 
FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR 
FILE_DECODER_EVENT_LZMA_DECODER_ERROR 
FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR 
FILE_DECODER_EVENT_LZMA_XZ_ERROR 
FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR 
DETECT_EVENT_TOO_MANY_BUFFERS 

Definition at line 1300 of file detect.h.

◆ DetectBufferMpmType

Enumerator
DETECT_BUFFER_MPM_TYPE_PKT 
DETECT_BUFFER_MPM_TYPE_APP 
DETECT_BUFFER_MPM_TYPE_FRAME 
DETECT_BUFFER_MPM_TYPE_SIZE 

Definition at line 667 of file detect.h.

◆ DetectEnginePrefilterSetting

Enumerator
DETECT_PREFILTER_MPM 

use only mpm / fast_pattern

DETECT_PREFILTER_AUTO 

use mpm + keyword prefilters

Definition at line 814 of file detect.h.

◆ DetectEngineTenantSelectors

Enumerator
TENANT_SELECTOR_UNKNOWN 

not set

TENANT_SELECTOR_DIRECT 

method provides direct tenant id

TENANT_SELECTOR_VLAN 

map vlan to tenant id

TENANT_SELECTOR_LIVEDEV 

map livedev to tenant id

Definition at line 1502 of file detect.h.

◆ DetectEngineType

Enumerator
DETECT_ENGINE_TYPE_NORMAL 
DETECT_ENGINE_TYPE_DD_STUB 
DETECT_ENGINE_TYPE_MT_STUB 
DETECT_ENGINE_TYPE_TENANT 

Definition at line 820 of file detect.h.

◆ DetectSigmatchListEnum

Enumerator
DETECT_SM_LIST_MATCH 
DETECT_SM_LIST_PMATCH 
DETECT_SM_LIST_BASE64_DATA 
DETECT_SM_LIST_POSTMATCH 
DETECT_SM_LIST_TMATCH 

post-detection tagging

DETECT_SM_LIST_SUPPRESS 
DETECT_SM_LIST_THRESHOLD 
DETECT_SM_LIST_MAX 
DETECT_SM_LIST_DYNAMIC_START 

Definition at line 109 of file detect.h.

◆ MpmBuiltinBuffers

Enumerator
MPMB_TCP_PKT_TS 
MPMB_TCP_PKT_TC 
MPMB_TCP_STREAM_TS 
MPMB_TCP_STREAM_TC 
MPMB_UDP_TS 
MPMB_UDP_TC 
MPMB_OTHERIP 
MPMB_MAX 

Definition at line 1327 of file detect.h.

◆ SignaturePropertyFlowAction

Enumerator
SIG_PROP_FLOW_ACTION_PACKET 
SIG_PROP_FLOW_ACTION_FLOW 
SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL 

Definition at line 77 of file detect.h.

◆ SignatureType

Enumerator
SIG_TYPE_NOT_SET 
SIG_TYPE_IPONLY 
SIG_TYPE_LIKE_IPONLY 
SIG_TYPE_PDONLY 

Proto detect only signature. Inspected once per direction when protocol detection is done.

SIG_TYPE_DEONLY 
SIG_TYPE_PKT 
SIG_TYPE_PKT_STREAM 
SIG_TYPE_STREAM 
SIG_TYPE_APPLAYER 
SIG_TYPE_APP_TX 
SIG_TYPE_MAX 

Definition at line 59 of file detect.h.

Function Documentation

◆ AlertQueueAppend()

void AlertQueueAppend ( DetectEngineThreadCtx det_ctx,
const Signature s,
Packet p,
uint64_t  tx_id,
uint8_t  alert_flags 
)

Append signature to local packet alert queue for later preprocessing.

Definition at line 283 of file detect-engine-alert.c.

References PacketAlert_::action, Signature_::action, ACTION_DROP, Packet_::alerts, and PacketAlerts_::drop.

◆ AlertQueueFree()

void AlertQueueFree ( DetectEngineThreadCtx det_ctx)

◆ AlertQueueInit()

◆ Detect()

TmEcode Detect ( ThreadVars tv,
Packet p,
void *  data 
)

Detection engine thread wrapper.

Remember to add the options in SignatureIsIPOnly() at detect.c otherwise it wont be part of a signature group

Parameters
tvthread vars
ppacket to inspect
datathread specific data
pqpacket queue
Return values
TM_ECODE_FAILEDerror
TM_ECODE_OKok

Definition at line 1803 of file detect.c.

◆ DetectEngineGetEvents()

AppLayerDecoderEvents* DetectEngineGetEvents ( DetectEngineThreadCtx det_ctx)

Definition at line 4909 of file detect-engine.c.

References DetectEngineThreadCtx_::decoder_events.

◆ DetectEngineSetEvent()

void DetectEngineSetEvent ( DetectEngineThreadCtx det_ctx,
uint8_t  e 
)

Definition at line 4903 of file detect-engine.c.

References AppLayerDecoderEventsSetEventRaw(), DetectEngineThreadCtx_::decoder_events, and DetectEngineThreadCtx_::events.

Referenced by FileSwfDecompression(), FileSwfLzmaDecompression(), FileSwfZlibDecompression(), and InspectionBufferMultipleForListGet().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ DetectFlowbitsAnalyze()

◆ DetectLoadCompleteSigPath()

char* DetectLoadCompleteSigPath ( const DetectEngineCtx de_ctx,
const char *  sig_file 
)

Create the path if default-rule-path was specified.

Parameters
sig_fileThe name of the file
Return values
strPointer to the string path + sig_file

Definition at line 63 of file detect-engine-loader.c.

References ConfGetNode(), DetectEngineCtx_::config_prefix, de_ctx, ConfNode_::final, PathIsRelative(), PathMergeAlloc(), SCLogError, SCStrdup, unlikely, and ConfNode_::val.

Here is the call graph for this function:

◆ DetectMetadataHashFree()

void DetectMetadataHashFree ( DetectEngineCtx de_ctx)

Definition at line 80 of file detect-metadata.c.

References de_ctx, HashTableFree(), and DetectEngineCtx_::metadata_table.

Here is the call graph for this function:

◆ DetectMetadataHashInit()

int DetectMetadataHashInit ( DetectEngineCtx de_ctx)

◆ DetectRegisterThreadCtxFuncs()

int DetectRegisterThreadCtxFuncs ( DetectEngineCtx de_ctx,
const char *  name,
void *(*)(void *)  InitFunc,
void *  data,
void(*)(void *)  FreeFunc,
int  mode 
)

Register Thread keyword context Funcs.

Parameters
de_ctxdetection engine to register in
namekeyword name for error printing
InitFuncfunction ptr
datakeyword init data to pass to Func. Can be NULL.
FreeFuncfunction ptr
mode0 normal (ctx per keyword instance) 1 shared (one ctx per det_ct)
Return values
idfor retrieval of ctx at runtime
-1on error
Note
make sure "data" remains valid and it free'd elsewhere. It's recommended to store it in the keywords global ctx so that it's freed when the de_ctx is freed.

Definition at line 3564 of file detect-engine.c.

References BUG_ON, de_ctx, HashListTableInit(), and DetectEngineCtx_::keyword_hash.

Here is the call graph for this function:

◆ DetectThreadCtxGetKeywordThreadCtx()

void* DetectThreadCtxGetKeywordThreadCtx ( DetectEngineThreadCtx det_ctx,
int  id 
)

Retrieve thread local keyword ctx by id.

Parameters
det_ctxdetection engine thread ctx to retrieve the ctx from
idid of the ctx returned by DetectRegisterThreadCtxInitFunc at keyword init.
Return values
ctxor NULL on error

Definition at line 3634 of file detect-engine.c.

References DetectEngineThreadCtx_::keyword_ctxs_array, and DetectEngineThreadCtx_::keyword_ctxs_size.

Referenced by DetectPcrePayloadMatch().

Here is the caller graph for this function:

◆ DetectUnregisterThreadCtxFuncs()

int DetectUnregisterThreadCtxFuncs ( DetectEngineCtx de_ctx,
void *  data,
const char *  name 
)

Remove Thread keyword context registration.

Parameters
de_ctxdetection engine to deregister from
det_ctxdetection engine thread context to deregister from
datakeyword init data to pass to Func. Can be NULL.
namekeyword name for error printing
Return values
1Item unregistered
0otherwise
Note
make sure "data" remains valid and it free'd elsewhere. It's recommended to store it in the keywords global ctx so that it's freed when the de_ctx is freed.

Definition at line 3616 of file detect-engine.c.

References DetectEngineThreadKeywordCtxItem_::data, de_ctx, HashListTableRemove(), and DetectEngineCtx_::keyword_hash.

Here is the call graph for this function:

◆ DisableDetectFlowFileFlags()

void DisableDetectFlowFileFlags ( Flow f)

disable file features we don't need Called if we have no detection engine.

Definition at line 1872 of file detect.c.

◆ DumpPatterns()

◆ RuleMatchCandidateTxArrayFree()

void RuleMatchCandidateTxArrayFree ( DetectEngineThreadCtx det_ctx)

◆ RuleMatchCandidateTxArrayInit()

void RuleMatchCandidateTxArrayInit ( DetectEngineThreadCtx det_ctx,
uint32_t  size 
)

◆ SigFindSignatureBySidGid()

Signature* SigFindSignatureBySidGid ( DetectEngineCtx de_ctx,
uint32_t  sid,
uint32_t  gid 
)

Find a specific signature by sid and gid.

Parameters
de_ctxdetection engine ctx
sidthe signature id
gidthe signature group id
Return values
ssig found
NULLsig not found

Definition at line 77 of file detect-engine-build.c.

References de_ctx, Signature_::next, and DetectEngineCtx_::sig_list.

◆ SigLoadSignatures()

int SigLoadSignatures ( DetectEngineCtx de_ctx,
char *  sig_file,
bool  sig_file_exclusive 
)

Load signatures.

Parameters
de_ctxPointer to the detection engine context
sig_fileFilename (or pattern) holding signatures
sig_file_exclusiveFile passed in 'sig_file' should be loaded exclusively.
Return values
-1on error

Definition at line 288 of file detect-engine-loader.c.

References DetectEngineCtx_::config_prefix, de_ctx, RUNMODE_ENGINE_ANALYSIS, RunmodeGetCurrent(), SCEnter, SetupEngineAnalysis(), and DetectEngineCtx_::sig_stat.

Here is the call graph for this function:

◆ SigMatchAlloc()

SigMatch* SigMatchAlloc ( void  )

Definition at line 333 of file detect-parse.c.

References SigMatch_::next, SigMatch_::prev, SCCalloc, and unlikely.

◆ SigMatchFree()

void SigMatchFree ( DetectEngineCtx de_ctx,
SigMatch sm 
)

free a SigMatch

Parameters
smSigMatch to free.

free the ctx, for that we call the Free func

Definition at line 347 of file detect-parse.c.

References SigMatch_::ctx, de_ctx, SigTableElmt_::Free, SCFree, sigmatch_table, and SigMatch_::type.

Referenced by DetectIPProtoRemoveAllSMs(), and SigFree().

Here is the caller graph for this function:

◆ SigMatchSignatures()

void SigMatchSignatures ( ThreadVars th_v,
DetectEngineCtx de_ctx,
DetectEngineThreadCtx det_ctx,
Packet p 
)

wrapper for old tests

Definition at line 1882 of file detect.c.

References Packet_::flow.

Referenced by UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().

Here is the caller graph for this function:

◆ SigMatchSignaturesGetSgh()

const SigGroupHead* SigMatchSignaturesGetSgh ( const DetectEngineCtx de_ctx,
const Packet p 
)

Get the SigGroupHead for a packet.

Parameters
de_ctxdetection engine context
ppacket
Return values
sghthe SigGroupHead or NULL if non applies to the packet

Definition at line 212 of file detect.c.

References PacketEngineEvents_::cnt, de_ctx, DetectEngineCtx_::decoder_event_sgh, Packet_::events, FLOW_PKT_TOCLIENT, Packet_::flowflags, IP_GET_IPPROTO, PKT_IS_IPV4, PKT_IS_IPV6, proto, Packet_::proto, SCEnter, and SCReturnPtr.

◆ SignatureIsIPOnly()

int SignatureIsIPOnly ( DetectEngineCtx de_ctx,
const Signature s 
)

Test is a initialized signature is IP only.

Parameters
de_ctxdetection engine ctx
sthe signature
Return values
1sig is ip only
2sig is like ip only
0sig is not ip only

Definition at line 207 of file detect-engine-build.c.

References Signature_::alproto, ALPROTO_UNKNOWN, DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, SIG_FLAG_APPLAYER, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, and SignatureInitData_::smlists.

◆ SigRegisterTests()

void SigRegisterTests ( void  )

Definition at line 4997 of file detect.c.

References IPOnlyRegisterTests(), SigParseRegisterTests(), and UtRegisterTest().

Here is the call graph for this function:

Variable Documentation

◆ sigmatch_table

SigTableElmt sigmatch_table[DETECT_TBLSIZE]

Definition at line 127 of file detect-parse.c.

Referenced by DetectAckRegister(), DetectAppLayerEventRegister(), DetectAppLayerMpmRegisterByParentId(), DetectAppLayerProtocolRegister(), DetectAsn1Register(), DetectBase64DataRegister(), DetectBase64DecodeRegister(), DetectBsizeRegister(), DetectBypassRegister(), DetectByteExtractRegister(), DetectBytejumpRegister(), DetectBytemathRegister(), DetectBytetestRegister(), DetectCipServiceRegister(), DetectClasstypeRegister(), DetectConfigRegister(), DetectContentRegister(), DetectCsumRegister(), DetectDatarepRegister(), DetectDatasetRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDepthRegister(), DetectDetectionFilterRegister(), DetectDHCPLeaseTimeRegister(), DetectDHCPRebindingTimeRegister(), DetectDHCPRenewalTimeRegister(), DetectDistanceRegister(), DetectDnsAnswerNameRegister(), DetectDnsOpcodeRegister(), DetectDnsQueryNameRegister(), DetectDnsQueryRegister(), DetectDsizeRegister(), DetectEngineAppInspectionEngineSignatureFree(), DetectEngineBufferTypeValidateTransform(), DetectEngineContentModifierBufferSetup(), DetectEngineEventRegister(), DetectEngineInspectGenericList(), DetectEnipCommandRegister(), DetectFastPatternRegister(), DetectFiledataRegister(), DetectFilemagicRegister(), DetectFileMd5Register(), DetectFilenameRegister(), DetectFileSha1Register(), DetectFileSha256Register(), DetectFilesizeRegister(), DetectFilestoreRegister(), DetectFlagsRegister(), DetectFlowAgeRegister(), DetectFlowbitsRegister(), DetectFlowBytesToClientRegister(), DetectFlowBytesToServerRegister(), DetectFlowintRegister(), DetectFlowPktsToClientRegister(), DetectFlowPktsToServerRegister(), DetectFlowRegister(), DetectFlowvarRegister(), DetectFragBitsRegister(), DetectFragOffsetRegister(), DetectFrameRegister(), DetectFtpbounceRegister(), DetectFtpdataRegister(), DetectGeoipRegister(), DetectGidRegister(), DetectHostbitsRegister(), DetectHttp2Register(), DetectHttpClientBodyRegister(), DetectHttpCookieRegister(), DetectHttpHeaderNamesRegister(), DetectHttpHeaderRegister(), DetectHttpHHRegister(), DetectHttpMethodRegister(), DetectHttpProtocolRegister(), DetectHttpRawHeaderRegister(), DetectHttpRequestHeaderRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseHeaderRegister(), DetectHttpResponseLineRegister(), DetectHttpServerBodyRegister(), DetectHttpStartRegister(), DetectHttpStatCodeRegister(), DetectHttpStatMsgRegister(), DetectHttpUARegister(), DetectHttpUriRegister(), DetectIcmpIdRegister(), DetectIcmpSeqRegister(), DetectIcmpv4HdrRegister(), DetectICMPv6hdrRegister(), DetectICMPv6mtuRegister(), DetectICodeRegister(), DetectIdRegister(), DetectIkeChosenSaRegister(), DetectIkeExchTypeRegister(), DetectIkeKeyExchangePayloadLengthRegister(), DetectIkeKeyExchangeRegister(), DetectIkeNoncePayloadLengthRegister(), DetectIkeNonceRegister(), DetectIkeSpiRegister(), DetectIkeVendorRegister(), DetectIPAddrBufferRegister(), DetectIpOptsRegister(), DetectIPProtoRegister(), DetectIPRepRegister(), DetectIpv4hdrRegister(), DetectIpv6hdrRegister(), DetectIsdataatRegister(), DetectITypeRegister(), DetectKrb5CNameRegister(), DetectKrb5ErrCodeRegister(), DetectKrb5MsgTypeRegister(), DetectKrb5SNameRegister(), DetectKrb5TicketEncryptionRegister(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectMarkRegister(), DetectMetadataRegister(), DetectModbusRegister(), DetectMQTTConnackSessionPresentRegister(), DetectMQTTConnectClientIDRegister(), DetectMQTTConnectFlagsRegister(), DetectMQTTConnectPasswordRegister(), DetectMQTTConnectProtocolStringRegister(), DetectMQTTConnectUsernameRegister(), DetectMQTTConnectWillMessageRegister(), DetectMQTTConnectWillTopicRegister(), DetectMQTTFlagsRegister(), DetectMQTTProtocolVersionRegister(), DetectMQTTPublishMessageRegister(), DetectMQTTPublishTopicRegister(), DetectMQTTQosRegister(), DetectMQTTReasonCodeRegister(), DetectMQTTSubscribeTopicRegister(), DetectMQTTTypeRegister(), DetectMQTTUnsubscribeTopicRegister(), DetectMsgRegister(), DetectNfsProcedureRegister(), DetectNfsVersionRegister(), DetectNoalertRegister(), DetectNocaseRegister(), DetectOffsetRegister(), DetectPcreRegister(), DetectPktDataRegister(), DetectPktvarRegister(), DetectPrefilterRegister(), DetectPriorityRegister(), DetectQuicCyuHashRegister(), DetectQuicCyuStringRegister(), DetectQuicSniRegister(), DetectQuicUaRegister(), DetectQuicVersionRegister(), DetectRawbytesRegister(), DetectReferenceRegister(), DetectReplaceRegister(), DetectRequiresRegister(), DetectRevRegister(), DetectRfbNameRegister(), DetectRfbSecresultRegister(), DetectRfbSectypeRegister(), DetectRpcRegister(), DetectSameipRegister(), DetectSeqRegister(), DetectSidRegister(), DetectSipMethodRegister(), DetectSipProtocolRegister(), DetectSipRequestLineRegister(), DetectSipResponseLineRegister(), DetectSipStatCodeRegister(), DetectSipStatMsgRegister(), DetectSipUriRegister(), DetectSmbNamedPipeRegister(), DetectSmbNtlmsspDomainRegister(), DetectSmbNtlmsspUserRegister(), DetectSmbShareRegister(), DetectSmbVersionRegister(), DetectSNMPCommunityRegister(), DetectSNMPPduTypeRegister(), DetectSNMPUsmRegister(), DetectSNMPVersionRegister(), DetectSshHasshRegister(), DetectSshHasshServerRegister(), DetectSshHasshServerStringRegister(), DetectSshHasshStringRegister(), DetectSshProtocolRegister(), DetectSshSoftwareRegister(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslStateRegister(), DetectSslVersionRegister(), DetectStreamSizeRegister(), DetectTagRegister(), DetectTargetRegister(), DetectTcphdrRegister(), DetectTcpmssRegister(), DetectTemplate2Register(), DetectTemplateRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTlsCertChainLenRegister(), DetectTlsCertsRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3SHashRegister(), DetectTlsJa3SStringRegister(), DetectTlsJa3StringRegister(), DetectTlsRandomBytesRegister(), DetectTlsRandomRegister(), DetectTlsRandomTimeRegister(), DetectTlsRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), DetectTlsSubjectRegister(), DetectTlsValidityRegister(), DetectTlsVersionRegister(), DetectTosRegister(), DetectTransformCompressWhitespaceRegister(), DetectTransformDotPrefixRegister(), DetectTransformHeaderLowercaseRegister(), DetectTransformMd5Register(), DetectTransformPcrexformRegister(), DetectTransformSha1Register(), DetectTransformSha256Register(), DetectTransformStripPseudoHeadersRegister(), DetectTransformStripWhitespaceRegister(), DetectTransformToLowerRegister(), DetectTransformToUpperRegister(), DetectTransformUrlDecodeRegister(), DetectTransformXorRegister(), DetectTtlRegister(), DetectUdphdrRegister(), DetectUricontentRegister(), DetectUrilenRegister(), DetectWindowRegister(), DetectWithinRegister(), DetectXbitsRegister(), EngineAnalysisFP(), EngineAnalysisRules2(), InspectionBufferApplyTransforms(), PrefilterSetupRuleGroup(), SigFree(), SigMatchFree(), SigMatchStrictEnabled(), SigTableApplyStrictCommandLineOption(), SigTableList(), SigTableRegisterTests(), and SigTableSetup().

◆ signature_properties

const struct SignatureProperties signature_properties[SIG_TYPE_MAX]

Definition at line 108 of file detect-engine.c.