#include "suricata-common.h"
#include "flow.h"
#include "detect-engine-proto.h"
#include "detect-reference.h"
#include "detect-metadata.h"
#include "detect-engine-register.h"
#include "util-prefilter.h"
#include "util-mpm.h"
#include "util-spm.h"
#include "util-hash.h"
#include "util-hashlist.h"
#include "util-radix-tree.h"
#include "util-file.h"
#include "reputation.h"
#include "detect-threshold.h"

Include dependency graph for detect.h:

Data Structures
struct	SignatureProperties

struct	DetectAddress_
	address structure for use in the detection engine. More...

struct	DetectAddressHead_

struct	DetectMatchAddressIPv4_

struct	DetectMatchAddressIPv6_

struct	DetectPort_
	Port structure for detection engine. More...

struct	IPOnlyCIDRItem_

struct	SigMatchCtx_
	Used to start a pointer to SigMatch context Should never be dereferenced without casting to something else. More...

struct	SigMatch_
	a single match condition for a signature More...

struct	SigMatchData_
	Data needed for Match() More...

struct	InspectionBuffer

struct	InspectionBufferMultipleForList

struct	TransformData_

struct	DetectEngineTransforms

struct	DetectEngineAppInspectionEngine_

struct	DetectBufferType_

struct	DetectEnginePktInspectionEngine

struct	DetectEngineFrameInspectionEngine

struct	SignatureInitDataBuffer_

struct	SignatureInitData_

struct	Signature_
	Signature container. More...

struct	DetectBufferMpmRegistry_
	one time registration of keywords at start up More...

struct	DetectPatternTracker

struct	DetectReplaceList_

struct	DetectVarList_

struct	SCFPSupportSMList_

struct	DetectEngineIPOnlyCtx_
	IP only rules matching ctx. More...

struct	DetectEngineLookupFlow_

struct	ThresholdCtx_
	threshold ctx More...

struct	SigString_

struct	SigFileLoaderStat_
	Signature loader statistics. More...

struct	DetectEngineThreadKeywordCtxItem_

struct	DetectEngineCtx_
	main detection engine ctx More...

struct	SignatureNonPrefilterStore_

struct	RuleMatchCandidateTx

struct	DetectEngineThreadCtx_

struct	SigTableElmt_
	element in sigmatch type table. More...

struct	MpmStore_

struct	PrefilterEngineList_

struct	PrefilterEngine_

struct	SigGroupHeadInitData_

struct	SigGroupHead_
	Container for matching data for a signature group. More...

struct	DetectEngineTenantMapping_

struct	DetectEngineMasterCtx_

Macros
#define	DETECT_MAX_RULE_SIZE 8192

#define	DETECT_TRANSFORMS_MAX 16

#define	DETECT_DEFAULT_PRIO 3

#define	DETECT_SM_LIST_NOTSET INT_MAX

#define	ADDRESS_FLAG_NOT 0x01

#define	PORT_FLAG_ANY 0x01

#define	PORT_FLAG_NOT 0x02

#define	PORT_SIGGROUPHEAD_COPY 0x04

#define	SIG_FLAG_SRC_ANY BIT_U32(0)

#define	SIG_FLAG_DST_ANY BIT_U32(1)

#define	SIG_FLAG_SP_ANY BIT_U32(2)

#define	SIG_FLAG_DP_ANY BIT_U32(3)

#define	SIG_FLAG_NOALERT BIT_U32(4)

#define	SIG_FLAG_DSIZE BIT_U32(5)

#define	SIG_FLAG_APPLAYER BIT_U32(6)

#define	SIG_FLAG_REQUIRE_PACKET BIT_U32(9)

#define	SIG_FLAG_REQUIRE_STREAM BIT_U32(10)

#define	SIG_FLAG_MPM_NEG BIT_U32(11)

#define	SIG_FLAG_FLUSH BIT_U32(12)

#define	SIG_FLAG_REQUIRE_FLOWVAR BIT_U32(17)

#define	SIG_FLAG_FILESTORE BIT_U32(18)

#define	SIG_FLAG_TOSERVER BIT_U32(19)

#define	SIG_FLAG_TOCLIENT BIT_U32(20)

#define	SIG_FLAG_TLSSTORE BIT_U32(21)

#define	SIG_FLAG_BYPASS BIT_U32(22)

#define	SIG_FLAG_PREFILTER BIT_U32(23)

#define	SIG_FLAG_SRC_IS_TARGET BIT_U32(25)

#define	SIG_FLAG_DEST_IS_TARGET BIT_U32(26)

#define	SIG_FLAG_HAS_TARGET (SIG_FLAG_DEST_IS_TARGET\|SIG_FLAG_SRC_IS_TARGET)

#define	SIG_FLAG_INIT_PACKET BIT_U32(1)

#define	SIG_FLAG_INIT_FLOW BIT_U32(2)

#define	SIG_FLAG_INIT_BIDIREC BIT_U32(3)

#define	SIG_FLAG_INIT_FIRST_IPPROTO_SEEN BIT_U32(4) /** < signature has seen the first ip_proto keyword */

#define	SIG_FLAG_INIT_STATE_MATCH BIT_U32(6)

#define	SIG_FLAG_INIT_NEED_FLUSH BIT_U32(7)

#define	SIG_FLAG_INIT_PRIO_EXPLICIT BIT_U32(8)

#define	SIG_FLAG_INIT_FILEDATA BIT_U32(9)

#define	SIG_FLAG_INIT_JA3 BIT_U32(10)

#define	SIG_FLAG_INIT_OVERFLOW BIT_U32(11)

#define	SIG_MASK_REQUIRE_PAYLOAD BIT_U8(0)

#define	SIG_MASK_REQUIRE_FLOW BIT_U8(1)

#define	SIG_MASK_REQUIRE_FLAGS_INITDEINIT BIT_U8(2) /* SYN, FIN, RST */

#define	SIG_MASK_REQUIRE_FLAGS_UNUSUAL BIT_U8(3) /* URG, ECN, CWR */

#define	SIG_MASK_REQUIRE_NO_PAYLOAD BIT_U8(4)

#define	SIG_MASK_REQUIRE_DCERPC BIT_U8(5) /* require either SMB+DCE or raw DCE */

#define	SIG_MASK_REQUIRE_ENGINE_EVENT BIT_U8(7)

#define	SignatureMask uint8_t

#define	DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET 0x0001

#define	DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH 0x0004

#define	FILE_SIG_NEED_FILE 0x01

#define	FILE_SIG_NEED_FILENAME 0x02

#define	FILE_SIG_NEED_MAGIC 0x04

#define	FILE_SIG_NEED_FILECONTENT 0x08

#define	FILE_SIG_NEED_MD5 0x10

#define	FILE_SIG_NEED_SHA1 0x20

#define	FILE_SIG_NEED_SHA256 0x40

#define	FILE_SIG_NEED_SIZE 0x80

#define	DE_QUIET 0x01

#define	DETECT_VAR_TYPE_FLOW_POSTMATCH 1

#define	DETECT_VAR_TYPE_PKT_POSTMATCH 2

#define	FLOW_STATES 2

#define	ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE (ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO + 1)

#define	DETECT_FILESTORE_MAX 15

#define	SIG_GROUP_HEAD_HAVERAWSTREAM BIT_U32(0)

#define	SIG_GROUP_HEAD_HAVEFILEMD5 BIT_U32(21)

#define	SIG_GROUP_HEAD_HAVEFILESIZE BIT_U32(22)

#define	SIG_GROUP_HEAD_HAVEFILESHA1 BIT_U32(23)

#define	SIG_GROUP_HEAD_HAVEFILESHA256 BIT_U32(24)

#define	SIGMATCH_NOOPT BIT_U16(0)

#define	SIGMATCH_IPONLY_COMPAT BIT_U16(1)

#define	SIGMATCH_DEONLY_COMPAT BIT_U16(2)

#define	SIGMATCH_NOT_BUILT BIT_U16(3)

#define	SIGMATCH_OPTIONAL_OPT BIT_U16(4)

#define	SIGMATCH_QUOTES_OPTIONAL BIT_U16(5)

#define	SIGMATCH_QUOTES_MANDATORY BIT_U16(6)

#define	SIGMATCH_HANDLE_NEGATION BIT_U16(7)

#define	SIGMATCH_INFO_CONTENT_MODIFIER BIT_U16(8)

#define	SIGMATCH_INFO_STICKY_BUFFER BIT_U16(9)

#define	SIGMATCH_INFO_DEPRECATED BIT_U16(10)

#define	SIGMATCH_STRICT_PARSING BIT_U16(11)

Typedefs
typedef struct DetectAddress_	DetectAddress
	address structure for use in the detection engine. More...

typedef struct DetectAddressHead_	DetectAddressHead

typedef struct DetectMatchAddressIPv4_	DetectMatchAddressIPv4

typedef struct DetectMatchAddressIPv6_	DetectMatchAddressIPv6

typedef struct DetectPort_	DetectPort
	Port structure for detection engine. More...

typedef struct IPOnlyCIDRItem_	IPOnlyCIDRItem

typedef struct SigMatchCtx_	SigMatchCtx
	Used to start a pointer to SigMatch context Should never be dereferenced without casting to something else. More...

typedef struct SigMatch_	SigMatch
	a single match condition for a signature More...

typedef struct SigMatchData_	SigMatchData
	Data needed for Match() More...

typedef struct InspectionBuffer	InspectionBuffer

typedef struct InspectionBufferMultipleForList	InspectionBufferMultipleForList

typedef struct TransformData_	TransformData

typedef struct DetectEngineTransforms	DetectEngineTransforms

typedef InspectionBuffer (	InspectionBufferGetDataPtr) (struct DetectEngineThreadCtx_ det_ctx, const DetectEngineTransforms transforms, Flow f, const uint8_t flow_flags, void txv, const int list_id)

typedef uint8_t(*	InspectEngineFuncPtr2) (struct DetectEngineCtx_ de_ctx, struct DetectEngineThreadCtx_ det_ctx, const struct DetectEngineAppInspectionEngine_ engine, const struct Signature_ s, Flow f, uint8_t flags, void alstate, void *txv, uint64_t tx_id)

typedef struct DetectEngineAppInspectionEngine_	DetectEngineAppInspectionEngine

typedef struct DetectBufferType_	DetectBufferType

typedef int(*	InspectionBufferPktInspectFunc) (struct DetectEngineThreadCtx_ , const struct DetectEnginePktInspectionEngine engine, const struct Signature_ s, Packet p, uint8_t *alert_flags)

typedef InspectionBuffer (	InspectionBufferGetPktDataPtr) (struct DetectEngineThreadCtx_ det_ctx, const DetectEngineTransforms transforms, Packet *p, const int list_id)

typedef struct DetectEnginePktInspectionEngine	DetectEnginePktInspectionEngine

typedef int(*	InspectionBufferFrameInspectFunc) (struct DetectEngineThreadCtx_ , const struct DetectEngineFrameInspectionEngine engine, const struct Signature_ s, Packet p, const struct Frames frames, const struct Frame frame)

typedef struct DetectEngineFrameInspectionEngine	DetectEngineFrameInspectionEngine

typedef struct SignatureInitDataBuffer_	SignatureInitDataBuffer

typedef struct SignatureInitData_	SignatureInitData

typedef struct Signature_	Signature
	Signature container. More...

typedef struct DetectBufferMpmRegistry_	DetectBufferMpmRegistry
	one time registration of keywords at start up More...

typedef struct DetectPatternTracker	DetectPatternTracker

typedef struct DetectReplaceList_	DetectReplaceList

typedef struct DetectVarList_	DetectVarList

typedef struct SCFPSupportSMList_	SCFPSupportSMList

typedef struct DetectEngineIPOnlyCtx_	DetectEngineIPOnlyCtx
	IP only rules matching ctx. More...

typedef struct DetectEngineLookupFlow_	DetectEngineLookupFlow

typedef struct ThresholdCtx_	ThresholdCtx
	threshold ctx More...

typedef struct SigString_	SigString

typedef struct SigFileLoaderStat_	SigFileLoaderStat
	Signature loader statistics. More...

typedef struct DetectEngineThreadKeywordCtxItem_	DetectEngineThreadKeywordCtxItem

typedef struct DetectEngineCtx_	DetectEngineCtx
	main detection engine ctx More...

typedef struct SignatureNonPrefilterStore_	SignatureNonPrefilterStore

typedef struct RuleMatchCandidateTx	RuleMatchCandidateTx

typedef struct DetectEngineThreadCtx_	DetectEngineThreadCtx

typedef struct SigTableElmt_	SigTableElmt
	element in sigmatch type table. More...

typedef struct MpmStore_	MpmStore

typedef void(*	PrefilterFrameFn) (DetectEngineThreadCtx det_ctx, const void pectx, Packet p, const struct Frames frames, const struct Frame *frame)

typedef struct AppLayerTxData	AppLayerTxData

typedef void(*	PrefilterTxFn) (DetectEngineThreadCtx det_ctx, const void pectx, Packet p, Flow f, void tx, const uint64_t tx_id, const AppLayerTxData tx_data, const uint8_t flags)

typedef struct PrefilterEngineList_	PrefilterEngineList

typedef struct PrefilterEngine_	PrefilterEngine

typedef struct SigGroupHeadInitData_	SigGroupHeadInitData

typedef struct SigGroupHead_	SigGroupHead
	Container for matching data for a signature group. More...

typedef struct DetectEngineTenantMapping_	DetectEngineTenantMapping

typedef struct DetectEngineMasterCtx_	DetectEngineMasterCtx

Enumerations
enum	SignatureType { SIG_TYPE_NOT_SET = 0, SIG_TYPE_IPONLY, SIG_TYPE_LIKE_IPONLY, SIG_TYPE_PDONLY, SIG_TYPE_DEONLY, SIG_TYPE_PKT, SIG_TYPE_PKT_STREAM, SIG_TYPE_STREAM, SIG_TYPE_APPLAYER, SIG_TYPE_APP_TX, SIG_TYPE_MAX }

enum	SignaturePropertyFlowAction { SIG_PROP_FLOW_ACTION_PACKET, SIG_PROP_FLOW_ACTION_FLOW, SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL }

enum	DetectSigmatchListEnum { DETECT_SM_LIST_MATCH = 0, DETECT_SM_LIST_PMATCH, DETECT_SM_LIST_BASE64_DATA, DETECT_SM_LIST_POSTMATCH, DETECT_SM_LIST_TMATCH, DETECT_SM_LIST_SUPPRESS, DETECT_SM_LIST_THRESHOLD, DETECT_SM_LIST_MAX, DETECT_SM_LIST_DYNAMIC_START = DETECT_SM_LIST_MAX }

enum	{ ADDRESS_ER = -1, ADDRESS_LT, ADDRESS_LE, ADDRESS_EQ, ADDRESS_ES, ADDRESS_EB, ADDRESS_GE, ADDRESS_GT }

enum	{ PORT_ER = -1, PORT_LT, PORT_LE, PORT_EQ, PORT_ES, PORT_EB, PORT_GE, PORT_GT }

enum	DetectBufferMpmType { DETECT_BUFFER_MPM_TYPE_PKT, DETECT_BUFFER_MPM_TYPE_APP, DETECT_BUFFER_MPM_TYPE_FRAME, DETECT_BUFFER_MPM_TYPE_SIZE }

enum	DetectEnginePrefilterSetting { DETECT_PREFILTER_MPM = 0, DETECT_PREFILTER_AUTO = 1 }

enum	DetectEngineType { DETECT_ENGINE_TYPE_NORMAL = 0, DETECT_ENGINE_TYPE_DD_STUB = 1, DETECT_ENGINE_TYPE_MT_STUB = 2, DETECT_ENGINE_TYPE_TENANT = 3 }

enum	{ ENGINE_PROFILE_UNKNOWN, ENGINE_PROFILE_LOW, ENGINE_PROFILE_MEDIUM, ENGINE_PROFILE_HIGH, ENGINE_PROFILE_CUSTOM }

enum	{ ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL = 0, ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE, ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO }

enum	{ FILE_DECODER_EVENT_NO_MEM, FILE_DECODER_EVENT_INVALID_SWF_LENGTH, FILE_DECODER_EVENT_INVALID_SWF_VERSION, FILE_DECODER_EVENT_Z_DATA_ERROR, FILE_DECODER_EVENT_Z_STREAM_ERROR, FILE_DECODER_EVENT_Z_BUF_ERROR, FILE_DECODER_EVENT_Z_UNKNOWN_ERROR, FILE_DECODER_EVENT_LZMA_IO_ERROR, FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR, FILE_DECODER_EVENT_LZMA_DECODER_ERROR, FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR, FILE_DECODER_EVENT_LZMA_XZ_ERROR, FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR, DETECT_EVENT_TOO_MANY_BUFFERS }

enum	MpmBuiltinBuffers { MPMB_TCP_PKT_TS, MPMB_TCP_PKT_TC, MPMB_TCP_STREAM_TS, MPMB_TCP_STREAM_TC, MPMB_UDP_TS, MPMB_UDP_TC, MPMB_OTHERIP, MPMB_MAX }

enum	DetectEngineTenantSelectors { TENANT_SELECTOR_UNKNOWN = 0, TENANT_SELECTOR_DIRECT, TENANT_SELECTOR_VLAN, TENANT_SELECTOR_LIVEDEV }

Functions
TmEcode	Detect (ThreadVars tv, Packet p, void *data)
	Detection engine thread wrapper. More...

SigMatch *	SigMatchAlloc (void)

Signature *	SigFindSignatureBySidGid (DetectEngineCtx *, uint32_t, uint32_t)
	Find a specific signature by sid and gid. More...

void	SigMatchFree (DetectEngineCtx , SigMatch sm)
	free a SigMatch More...

void	SigRegisterTests (void)

void	DisableDetectFlowFileFlags (Flow *f)
	disable file features we don't need Called if we have no detection engine. More...

char *	DetectLoadCompleteSigPath (const DetectEngineCtx , const char sig_file)
	Create the path if default-rule-path was specified. More...

int	SigLoadSignatures (DetectEngineCtx , char , int)
	Load signatures. More...

void	SigMatchSignatures (ThreadVars th_v, DetectEngineCtx de_ctx, DetectEngineThreadCtx det_ctx, Packet p)
	wrapper for old tests More...

int	SignatureIsIPOnly (DetectEngineCtx de_ctx, const Signature s)
	Test is a initialized signature is IP only. More...

const SigGroupHead *	SigMatchSignaturesGetSgh (const DetectEngineCtx de_ctx, const Packet p)
	Get the SigGroupHead for a packet. More...

int	DetectUnregisterThreadCtxFuncs (DetectEngineCtx , void data, const char *name)
	Remove Thread keyword context registration. More...

int	DetectRegisterThreadCtxFuncs (DetectEngineCtx , const char name, void (InitFunc)(void ), void data, void(FreeFunc)(void ), int)
	Register Thread keyword context Funcs. More...

void *	DetectThreadCtxGetKeywordThreadCtx (DetectEngineThreadCtx *, int)
	Retrieve thread local keyword ctx by id. More...

void	RuleMatchCandidateTxArrayInit (DetectEngineThreadCtx *det_ctx, uint32_t size)

void	RuleMatchCandidateTxArrayFree (DetectEngineThreadCtx *det_ctx)

void	AlertQueueInit (DetectEngineThreadCtx *det_ctx)

void	AlertQueueFree (DetectEngineThreadCtx *det_ctx)

void	AlertQueueAppend (DetectEngineThreadCtx det_ctx, const Signature s, Packet *p, uint64_t tx_id, uint8_t alert_flags)
	Append signature to local packet alert queue for later preprocessing. More...

int	DetectFlowbitsAnalyze (DetectEngineCtx *de_ctx)

int	DetectMetadataHashInit (DetectEngineCtx *de_ctx)

void	DetectMetadataHashFree (DetectEngineCtx *de_ctx)

void	DetectEngineSetEvent (DetectEngineThreadCtx *det_ctx, uint8_t e)

AppLayerDecoderEvents *	DetectEngineGetEvents (DetectEngineThreadCtx *det_ctx)

void	DumpPatterns (DetectEngineCtx *de_ctx)

Variables
const struct SignatureProperties	signature_properties [SIG_TYPE_MAX]

SigTableElmt	sigmatch_table [DETECT_TBLSIZE]

Detailed Description

Author: Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Definition in file detect.h.

Macro Definition Documentation

◆ ADDRESS_FLAG_NOT

#define ADDRESS_FLAG_NOT 0x01

address is negated

Definition at line 154 of file detect.h.

◆ DE_QUIET

#define DE_QUIET 0x01

DE is quiet (esp for unittests)

Definition at line 316 of file detect.h.

◆ DETECT_DEFAULT_PRIO

#define DETECT_DEFAULT_PRIO 3

default rule priority if not set through priority keyword or via classtype.

Definition at line 51 of file detect.h.

◆ DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET

#define DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET 0x0001

Definition at line 303 of file detect.h.

◆ DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH

#define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH 0x0004

Definition at line 304 of file detect.h.

◆ DETECT_FILESTORE_MAX

#define DETECT_FILESTORE_MAX 15

Definition at line 1050 of file detect.h.

◆ DETECT_MAX_RULE_SIZE

#define DETECT_MAX_RULE_SIZE 8192

Definition at line 45 of file detect.h.

◆ DETECT_SM_LIST_NOTSET

#define DETECT_SM_LIST_NOTSET INT_MAX

Definition at line 136 of file detect.h.

◆ DETECT_TRANSFORMS_MAX

#define DETECT_TRANSFORMS_MAX 16

Definition at line 47 of file detect.h.

◆ DETECT_VAR_TYPE_FLOW_POSTMATCH

#define DETECT_VAR_TYPE_FLOW_POSTMATCH 1

only execute flowvar storage if rule matched

Definition at line 726 of file detect.h.

◆ DETECT_VAR_TYPE_PKT_POSTMATCH

#define DETECT_VAR_TYPE_PKT_POSTMATCH 2

Definition at line 727 of file detect.h.

◆ ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE

#define ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE (ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO + 1)

Definition at line 1047 of file detect.h.

◆ FILE_SIG_NEED_FILE

#define FILE_SIG_NEED_FILE 0x01

Definition at line 306 of file detect.h.

◆ FILE_SIG_NEED_FILECONTENT

#define FILE_SIG_NEED_FILECONTENT 0x08

Definition at line 309 of file detect.h.

◆ FILE_SIG_NEED_FILENAME

#define FILE_SIG_NEED_FILENAME 0x02

Definition at line 307 of file detect.h.

◆ FILE_SIG_NEED_MAGIC

#define FILE_SIG_NEED_MAGIC 0x04

need the start of the file

Definition at line 308 of file detect.h.

◆ FILE_SIG_NEED_MD5

#define FILE_SIG_NEED_MD5 0x10

Definition at line 310 of file detect.h.

◆ FILE_SIG_NEED_SHA1

#define FILE_SIG_NEED_SHA1 0x20

Definition at line 311 of file detect.h.

◆ FILE_SIG_NEED_SHA256

#define FILE_SIG_NEED_SHA256 0x40

Definition at line 312 of file detect.h.

◆ FILE_SIG_NEED_SIZE

#define FILE_SIG_NEED_SIZE 0x80

Definition at line 313 of file detect.h.

◆ FLOW_STATES

#define FLOW_STATES 2

Definition at line 825 of file detect.h.

◆ PORT_FLAG_ANY

#define PORT_FLAG_ANY 0x01

'any' special port

Definition at line 207 of file detect.h.

◆ PORT_FLAG_NOT

#define PORT_FLAG_NOT 0x02

negated port

Definition at line 208 of file detect.h.

◆ PORT_SIGGROUPHEAD_COPY

#define PORT_SIGGROUPHEAD_COPY 0x04

sgh is a ptr copy

Definition at line 209 of file detect.h.

◆ SIG_FLAG_APPLAYER

#define SIG_FLAG_APPLAYER BIT_U32(6)

signature applies to app layer instead of packets

Definition at line 239 of file detect.h.

◆ SIG_FLAG_BYPASS

#define SIG_FLAG_BYPASS BIT_U32(22)

Definition at line 261 of file detect.h.

◆ SIG_FLAG_DEST_IS_TARGET

#define SIG_FLAG_DEST_IS_TARGET BIT_U32(26)

Info for Source and Target identification

Definition at line 270 of file detect.h.

◆ SIG_FLAG_DP_ANY

#define SIG_FLAG_DP_ANY BIT_U32(3)

destination port is any

Definition at line 235 of file detect.h.

◆ SIG_FLAG_DSIZE

#define SIG_FLAG_DSIZE BIT_U32(5)

signature has a dsize setting

Definition at line 238 of file detect.h.

◆ SIG_FLAG_DST_ANY

#define SIG_FLAG_DST_ANY BIT_U32(1)

destination is any

Definition at line 233 of file detect.h.

◆ SIG_FLAG_FILESTORE

#define SIG_FLAG_FILESTORE BIT_U32(18)

signature has filestore keyword

Definition at line 254 of file detect.h.

◆ SIG_FLAG_FLUSH

#define SIG_FLAG_FLUSH BIT_U32(12)

detection logic needs stream flush notification

Definition at line 248 of file detect.h.

◆ SIG_FLAG_HAS_TARGET

#define SIG_FLAG_HAS_TARGET (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET)

Definition at line 272 of file detect.h.

◆ SIG_FLAG_INIT_BIDIREC

#define SIG_FLAG_INIT_BIDIREC BIT_U32(3)

signature has bidirectional operator

Definition at line 278 of file detect.h.

◆ SIG_FLAG_INIT_FILEDATA

#define SIG_FLAG_INIT_FILEDATA BIT_U32(9)

signature has filedata keyword

Definition at line 285 of file detect.h.

◆ SIG_FLAG_INIT_FIRST_IPPROTO_SEEN

#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN BIT_U32(4) /** < signature has seen the first ip_proto keyword */

Definition at line 279 of file detect.h.

◆ SIG_FLAG_INIT_FLOW

#define SIG_FLAG_INIT_FLOW BIT_U32(2)

signature has a flow setting

Definition at line 277 of file detect.h.

◆ SIG_FLAG_INIT_JA3

#define SIG_FLAG_INIT_JA3 BIT_U32(10)

signature has ja3 keyword

Definition at line 286 of file detect.h.

◆ SIG_FLAG_INIT_NEED_FLUSH

#define SIG_FLAG_INIT_NEED_FLUSH BIT_U32(7)

Definition at line 282 of file detect.h.

◆ SIG_FLAG_INIT_OVERFLOW

#define SIG_FLAG_INIT_OVERFLOW BIT_U32(11)

signature has overflown buffers

Definition at line 287 of file detect.h.

◆ SIG_FLAG_INIT_PACKET

#define SIG_FLAG_INIT_PACKET BIT_U32(1)

signature has matches against a packet (as opposed to app layer)

Definition at line 276 of file detect.h.

◆ SIG_FLAG_INIT_PRIO_EXPLICIT

#define SIG_FLAG_INIT_PRIO_EXPLICIT BIT_U32(8)

priority is explicitly set by the priority keyword

Definition at line 284 of file detect.h.

◆ SIG_FLAG_INIT_STATE_MATCH

#define SIG_FLAG_INIT_STATE_MATCH BIT_U32(6)

signature has matches that require stateful inspection

Definition at line 281 of file detect.h.

◆ SIG_FLAG_MPM_NEG

#define SIG_FLAG_MPM_NEG BIT_U32(11)

Definition at line 246 of file detect.h.

◆ SIG_FLAG_NOALERT

#define SIG_FLAG_NOALERT BIT_U32(4)

no alert flag is set

Definition at line 237 of file detect.h.

◆ SIG_FLAG_PREFILTER

#define SIG_FLAG_PREFILTER BIT_U32(23)

sig is part of a prefilter engine

Definition at line 263 of file detect.h.

◆ SIG_FLAG_REQUIRE_FLOWVAR

#define SIG_FLAG_REQUIRE_FLOWVAR BIT_U32(17)

signature can only match if a flowbit, flowvar or flowint is available.

Definition at line 252 of file detect.h.

◆ SIG_FLAG_REQUIRE_PACKET

#define SIG_FLAG_REQUIRE_PACKET BIT_U32(9)

signature is requiring packet match

Definition at line 243 of file detect.h.

◆ SIG_FLAG_REQUIRE_STREAM

#define SIG_FLAG_REQUIRE_STREAM BIT_U32(10)

signature is requiring stream match

Definition at line 244 of file detect.h.

◆ SIG_FLAG_SP_ANY

#define SIG_FLAG_SP_ANY BIT_U32(2)

source port is any

Definition at line 234 of file detect.h.

◆ SIG_FLAG_SRC_ANY

#define SIG_FLAG_SRC_ANY BIT_U32(0)

Note: : additions should be added to the rule analyzer as well source is any

Definition at line 232 of file detect.h.

◆ SIG_FLAG_SRC_IS_TARGET

#define SIG_FLAG_SRC_IS_TARGET BIT_U32(25)

Info for Source and Target identification

Definition at line 268 of file detect.h.

◆ SIG_FLAG_TLSSTORE

#define SIG_FLAG_TLSSTORE BIT_U32(21)

Definition at line 259 of file detect.h.

◆ SIG_FLAG_TOCLIENT

#define SIG_FLAG_TOCLIENT BIT_U32(20)

Definition at line 257 of file detect.h.

◆ SIG_FLAG_TOSERVER

#define SIG_FLAG_TOSERVER BIT_U32(19)

Definition at line 256 of file detect.h.

◆ SIG_GROUP_HEAD_HAVEFILEMD5

#define SIG_GROUP_HEAD_HAVEFILEMD5 BIT_U32(21)

Definition at line 1316 of file detect.h.

◆ SIG_GROUP_HEAD_HAVEFILESHA1

#define SIG_GROUP_HEAD_HAVEFILESHA1 BIT_U32(23)

Definition at line 1318 of file detect.h.

◆ SIG_GROUP_HEAD_HAVEFILESHA256

#define SIG_GROUP_HEAD_HAVEFILESHA256 BIT_U32(24)

Definition at line 1319 of file detect.h.

◆ SIG_GROUP_HEAD_HAVEFILESIZE

#define SIG_GROUP_HEAD_HAVEFILESIZE BIT_U32(22)

Definition at line 1317 of file detect.h.

◆ SIG_GROUP_HEAD_HAVERAWSTREAM

#define SIG_GROUP_HEAD_HAVERAWSTREAM BIT_U32(0)

Definition at line 1312 of file detect.h.

◆ SIG_MASK_REQUIRE_DCERPC

#define SIG_MASK_REQUIRE_DCERPC BIT_U8(5) /* require either SMB+DCE or raw DCE */

Definition at line 296 of file detect.h.

◆ SIG_MASK_REQUIRE_ENGINE_EVENT

#define SIG_MASK_REQUIRE_ENGINE_EVENT BIT_U8(7)

Definition at line 298 of file detect.h.

◆ SIG_MASK_REQUIRE_FLAGS_INITDEINIT

#define SIG_MASK_REQUIRE_FLAGS_INITDEINIT BIT_U8(2) /* SYN, FIN, RST */

Definition at line 293 of file detect.h.

◆ SIG_MASK_REQUIRE_FLAGS_UNUSUAL

#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL BIT_U8(3) /* URG, ECN, CWR */

Definition at line 294 of file detect.h.

◆ SIG_MASK_REQUIRE_FLOW

#define SIG_MASK_REQUIRE_FLOW BIT_U8(1)

Definition at line 292 of file detect.h.

◆ SIG_MASK_REQUIRE_NO_PAYLOAD

#define SIG_MASK_REQUIRE_NO_PAYLOAD BIT_U8(4)

Definition at line 295 of file detect.h.

◆ SIG_MASK_REQUIRE_PAYLOAD

#define SIG_MASK_REQUIRE_PAYLOAD BIT_U8(0)

Note: : additions should be added to the rule analyzer as well

Definition at line 291 of file detect.h.

◆ SIGMATCH_DEONLY_COMPAT

#define SIGMATCH_DEONLY_COMPAT BIT_U16(2)

sigmatch is compatible with a decode event only rule Flag to indicate that the signature is not built-in

Definition at line 1473 of file detect.h.

◆ SIGMATCH_HANDLE_NEGATION

#define SIGMATCH_HANDLE_NEGATION BIT_U16(7)

negation parsing is handled by the rule parser. Signature::init_data::negated will be set to true or false prior to calling the keyword parser. Exclamation mark is stripped from the input to the keyword parser.

Definition at line 1488 of file detect.h.

◆ SIGMATCH_INFO_CONTENT_MODIFIER

#define SIGMATCH_INFO_CONTENT_MODIFIER BIT_U16(8)

keyword is a content modifier

Definition at line 1490 of file detect.h.

◆ SIGMATCH_INFO_DEPRECATED

#define SIGMATCH_INFO_DEPRECATED BIT_U16(10)

keyword is deprecated: used to suggest an alternative

Definition at line 1494 of file detect.h.

◆ SIGMATCH_INFO_STICKY_BUFFER

#define SIGMATCH_INFO_STICKY_BUFFER BIT_U16(9)

keyword is a sticky buffer

Definition at line 1492 of file detect.h.

◆ SIGMATCH_IPONLY_COMPAT

#define SIGMATCH_IPONLY_COMPAT BIT_U16(1)

sigmatch is compatible with a ip only rule

Definition at line 1470 of file detect.h.

◆ SIGMATCH_NOOPT

#define SIGMATCH_NOOPT BIT_U16(0)

sigmatch has no options, so the parser shouldn't expect any

Definition at line 1468 of file detect.h.

◆ SIGMATCH_NOT_BUILT

#define SIGMATCH_NOT_BUILT BIT_U16(3)

Definition at line 1474 of file detect.h.

◆ SIGMATCH_OPTIONAL_OPT

#define SIGMATCH_OPTIONAL_OPT BIT_U16(4)

sigmatch may have options, so the parser should be ready to deal with both cases

Definition at line 1477 of file detect.h.

◆ SIGMATCH_QUOTES_MANDATORY

#define SIGMATCH_QUOTES_MANDATORY BIT_U16(6)

input MUST be wrapped in double quotes. They will be stripped before input data is passed to keyword parser. Missing double quotes lead to error and signature invalidation.

Definition at line 1484 of file detect.h.

◆ SIGMATCH_QUOTES_OPTIONAL

#define SIGMATCH_QUOTES_OPTIONAL BIT_U16(5)

input may be wrapped in double quotes. They will be stripped before input data is passed to keyword parser

Definition at line 1480 of file detect.h.

◆ SIGMATCH_STRICT_PARSING

#define SIGMATCH_STRICT_PARSING BIT_U16(11)

strict parsing is enabled

Definition at line 1496 of file detect.h.

◆ SignatureMask

#define SignatureMask uint8_t

Definition at line 301 of file detect.h.

Typedef Documentation

◆ AppLayerTxData

typedef struct AppLayerTxData AppLayerTxData

Definition at line 1344 of file detect.h.

◆ DetectAddress

typedef struct DetectAddress_ DetectAddress

address structure for use in the detection engine.

Contains the address information and matching information.

◆ DetectAddressHead

typedef struct DetectAddressHead_ DetectAddressHead

Address grouping head. IPv4 and IPv6 are split out

◆ DetectBufferMpmRegistry

typedef struct DetectBufferMpmRegistry_ DetectBufferMpmRegistry

one time registration of keywords at start up

◆ DetectBufferType

typedef struct DetectBufferType_ DetectBufferType

◆ DetectEngineAppInspectionEngine

typedef struct DetectEngineAppInspectionEngine_ DetectEngineAppInspectionEngine

◆ DetectEngineCtx

typedef struct DetectEngineCtx_ DetectEngineCtx

main detection engine ctx

◆ DetectEngineFrameInspectionEngine

typedef struct DetectEngineFrameInspectionEngine DetectEngineFrameInspectionEngine

◆ DetectEngineIPOnlyCtx

typedef struct DetectEngineIPOnlyCtx_ DetectEngineIPOnlyCtx

IP only rules matching ctx.

◆ DetectEngineLookupFlow

typedef struct DetectEngineLookupFlow_ DetectEngineLookupFlow

◆ DetectEngineMasterCtx

typedef struct DetectEngineMasterCtx_ DetectEngineMasterCtx

◆ DetectEnginePktInspectionEngine

typedef struct DetectEnginePktInspectionEngine DetectEnginePktInspectionEngine

◆ DetectEngineTenantMapping

typedef struct DetectEngineTenantMapping_ DetectEngineTenantMapping

◆ DetectEngineThreadCtx

typedef struct DetectEngineThreadCtx_ DetectEngineThreadCtx

Detection engine thread data.

◆ DetectEngineThreadKeywordCtxItem

typedef struct DetectEngineThreadKeywordCtxItem_ DetectEngineThreadKeywordCtxItem

◆ DetectEngineTransforms

typedef struct DetectEngineTransforms DetectEngineTransforms

◆ DetectMatchAddressIPv4

typedef struct DetectMatchAddressIPv4_ DetectMatchAddressIPv4

◆ DetectMatchAddressIPv6

typedef struct DetectMatchAddressIPv6_ DetectMatchAddressIPv6

◆ DetectPatternTracker

typedef struct DetectPatternTracker DetectPatternTracker

◆ DetectPort

typedef struct DetectPort_ DetectPort

Port structure for detection engine.

◆ DetectReplaceList

typedef struct DetectReplaceList_ DetectReplaceList

◆ DetectVarList

typedef struct DetectVarList_ DetectVarList

list for flowvar store candidates, to be stored from post-match function

◆ InspectEngineFuncPtr2

typedef uint8_t(* InspectEngineFuncPtr2) (struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)

Definition at line 413 of file detect.h.

◆ InspectionBuffer

typedef struct InspectionBuffer InspectionBuffer

◆ InspectionBufferFrameInspectFunc

typedef int(* InspectionBufferFrameInspectFunc) (struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame)

Parameters

alert_flags[out] for setting PACKET_ALERT_FLAG_*

Definition at line 493 of file detect.h.

◆ InspectionBufferGetDataPtr

typedef InspectionBuffer*(* InspectionBufferGetDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)

callback for getting the buffer we need to prefilter/inspect

Definition at line 406 of file detect.h.

◆ InspectionBufferGetPktDataPtr

typedef InspectionBuffer*(* InspectionBufferGetPktDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)

callback for getting the buffer we need to prefilter/inspect

Definition at line 467 of file detect.h.

◆ InspectionBufferMultipleForList

typedef struct InspectionBufferMultipleForList InspectionBufferMultipleForList

◆ InspectionBufferPktInspectFunc

typedef int(* InspectionBufferPktInspectFunc) (struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags)

Parameters

alert_flags[out] for setting PACKET_ALERT_FLAG_*

Definition at line 460 of file detect.h.

◆ IPOnlyCIDRItem

typedef struct IPOnlyCIDRItem_ IPOnlyCIDRItem

◆ MpmStore

typedef struct MpmStore_ MpmStore

◆ PrefilterEngine

typedef struct PrefilterEngine_ PrefilterEngine

◆ PrefilterEngineList

typedef struct PrefilterEngineList_ PrefilterEngineList

◆ PrefilterFrameFn

typedef void(* PrefilterFrameFn) (DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, const struct Frames *frames, const struct Frame *frame)

Definition at line 1344 of file detect.h.

◆ PrefilterTxFn

typedef void(* PrefilterTxFn) (DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t tx_id, const AppLayerTxData *tx_data, const uint8_t flags)

Definition at line 1348 of file detect.h.

◆ RuleMatchCandidateTx

typedef struct RuleMatchCandidateTx RuleMatchCandidateTx

array of TX inspect rule candidates

◆ SCFPSupportSMList

typedef struct SCFPSupportSMList_ SCFPSupportSMList

◆ SigFileLoaderStat

typedef struct SigFileLoaderStat_ SigFileLoaderStat

Signature loader statistics.

◆ SigGroupHead

typedef struct SigGroupHead_ SigGroupHead

Container for matching data for a signature group.

◆ SigGroupHeadInitData

typedef struct SigGroupHeadInitData_ SigGroupHeadInitData

◆ SigMatch

typedef struct SigMatch_ SigMatch

a single match condition for a signature

◆ SigMatchCtx

typedef struct SigMatchCtx_ SigMatchCtx

Used to start a pointer to SigMatch context Should never be dereferenced without casting to something else.

◆ SigMatchData

typedef struct SigMatchData_ SigMatchData

Data needed for Match()

◆ Signature

typedef struct Signature_ Signature

Signature container.

◆ SignatureInitData

typedef struct SignatureInitData_ SignatureInitData

◆ SignatureInitDataBuffer

typedef struct SignatureInitDataBuffer_ SignatureInitDataBuffer

◆ SignatureNonPrefilterStore

typedef struct SignatureNonPrefilterStore_ SignatureNonPrefilterStore

◆ SigString

typedef struct SigString_ SigString

◆ SigTableElmt

typedef struct SigTableElmt_ SigTableElmt

element in sigmatch type table.

◆ ThresholdCtx

typedef struct ThresholdCtx_ ThresholdCtx

threshold ctx

◆ TransformData

typedef struct TransformData_ TransformData

Enumeration Type Documentation

◆ anonymous enum

anonymous enum

Enumerator
ADDRESS_ER	error e.g. compare ipv4 and ipv6
ADDRESS_LT	smaller [aaa] [bbb]
ADDRESS_LE	smaller with overlap [aa[bab]bb]
ADDRESS_EQ	exactly equal [abababab]
ADDRESS_ES	within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]]
ADDRESS_EB	completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]]
ADDRESS_GE	bigger with overlap [bb[aba]aa]
ADDRESS_GT	bigger [bbb] [aaa]

Definition at line 142 of file detect.h.

◆ anonymous enum

anonymous enum

Enumerator
PORT_ER
PORT_LT
PORT_LE
PORT_EQ
PORT_ES
PORT_EB
PORT_GE
PORT_GT

Definition at line 195 of file detect.h.

◆ anonymous enum

anonymous enum

Enumerator
ENGINE_PROFILE_UNKNOWN
ENGINE_PROFILE_LOW
ENGINE_PROFILE_MEDIUM
ENGINE_PROFILE_HIGH
ENGINE_PROFILE_CUSTOM

Definition at line 1033 of file detect.h.

◆ anonymous enum

anonymous enum

Enumerator
ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL
ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE
ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO

Definition at line 1042 of file detect.h.

◆ anonymous enum

anonymous enum

Enumerator
FILE_DECODER_EVENT_NO_MEM
FILE_DECODER_EVENT_INVALID_SWF_LENGTH
FILE_DECODER_EVENT_INVALID_SWF_VERSION
FILE_DECODER_EVENT_Z_DATA_ERROR
FILE_DECODER_EVENT_Z_STREAM_ERROR
FILE_DECODER_EVENT_Z_BUF_ERROR
FILE_DECODER_EVENT_Z_UNKNOWN_ERROR
FILE_DECODER_EVENT_LZMA_IO_ERROR
FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR
FILE_DECODER_EVENT_LZMA_DECODER_ERROR
FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR
FILE_DECODER_EVENT_LZMA_XZ_ERROR
FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR
DETECT_EVENT_TOO_MANY_BUFFERS

Definition at line 1293 of file detect.h.

◆ DetectBufferMpmType

enum DetectBufferMpmType

Enumerator
DETECT_BUFFER_MPM_TYPE_PKT
DETECT_BUFFER_MPM_TYPE_APP
DETECT_BUFFER_MPM_TYPE_FRAME
DETECT_BUFFER_MPM_TYPE_SIZE

Definition at line 660 of file detect.h.

◆ DetectEnginePrefilterSetting

enum DetectEnginePrefilterSetting

Enumerator
DETECT_PREFILTER_MPM	use only mpm / fast_pattern
DETECT_PREFILTER_AUTO	use mpm + keyword prefilters

Definition at line 806 of file detect.h.

◆ DetectEngineTenantSelectors

enum DetectEngineTenantSelectors

Enumerator
TENANT_SELECTOR_UNKNOWN	not set
TENANT_SELECTOR_DIRECT	method provides direct tenant id
TENANT_SELECTOR_VLAN	map vlan to tenant id
TENANT_SELECTOR_LIVEDEV	map livedev to tenant id

Definition at line 1497 of file detect.h.

◆ DetectEngineType

enum DetectEngineType

Enumerator
DETECT_ENGINE_TYPE_NORMAL
DETECT_ENGINE_TYPE_DD_STUB
DETECT_ENGINE_TYPE_MT_STUB
DETECT_ENGINE_TYPE_TENANT

Definition at line 812 of file detect.h.

◆ DetectSigmatchListEnum

enum DetectSigmatchListEnum

Enumerator
DETECT_SM_LIST_MATCH
DETECT_SM_LIST_PMATCH
DETECT_SM_LIST_BASE64_DATA
DETECT_SM_LIST_POSTMATCH
DETECT_SM_LIST_TMATCH	post-detection tagging
DETECT_SM_LIST_SUPPRESS
DETECT_SM_LIST_THRESHOLD
DETECT_SM_LIST_MAX
DETECT_SM_LIST_DYNAMIC_START

Definition at line 106 of file detect.h.

◆ MpmBuiltinBuffers

enum MpmBuiltinBuffers

Enumerator
MPMB_TCP_PKT_TS
MPMB_TCP_PKT_TC
MPMB_TCP_STREAM_TS
MPMB_TCP_STREAM_TC
MPMB_UDP_TS
MPMB_UDP_TC
MPMB_OTHERIP
MPMB_MAX

Definition at line 1320 of file detect.h.

◆ SignaturePropertyFlowAction

enum SignaturePropertyFlowAction

Enumerator
SIG_PROP_FLOW_ACTION_PACKET
SIG_PROP_FLOW_ACTION_FLOW
SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL

Definition at line 74 of file detect.h.

◆ SignatureType

enum SignatureType

Enumerator
SIG_TYPE_NOT_SET
SIG_TYPE_IPONLY
SIG_TYPE_LIKE_IPONLY
SIG_TYPE_PDONLY	Proto detect only signature. Inspected once per direction when protocol detection is done.
SIG_TYPE_DEONLY
SIG_TYPE_PKT
SIG_TYPE_PKT_STREAM
SIG_TYPE_STREAM
SIG_TYPE_APPLAYER
SIG_TYPE_APP_TX
SIG_TYPE_MAX

Definition at line 56 of file detect.h.

Function Documentation

◆ AlertQueueAppend()

void AlertQueueAppend	(	DetectEngineThreadCtx *	det_ctx,
		const Signature *	s,
		Packet *	p,
		uint64_t	tx_id,
		uint8_t	alert_flags
	)

Append signature to local packet alert queue for later preprocessing.

Definition at line 283 of file detect-engine-alert.c.

References PacketAlert_::action, Signature_::action, ACTION_DROP, Packet_::alerts, and PacketAlerts_::drop.

◆ AlertQueueFree()

void AlertQueueFree ( DetectEngineThreadCtx * det_ctx )

Definition at line 235 of file detect-engine-alert.c.

References DetectEngineThreadCtx_::alert_queue, DetectEngineThreadCtx_::alert_queue_capacity, and SCFree.

◆ AlertQueueInit()

void AlertQueueInit ( DetectEngineThreadCtx * det_ctx )

Definition at line 222 of file detect-engine-alert.c.

References DetectEngineThreadCtx_::alert_queue, DetectEngineThreadCtx_::alert_queue_capacity, DetectEngineThreadCtx_::alert_queue_size, FatalError, packet_alert_max, SCCalloc, and SCLogDebug.

◆ Detect()

TmEcode Detect	(	ThreadVars *	tv,
		Packet *	p,
		void *	data
	)

Detection engine thread wrapper.

Remember to add the options in SignatureIsIPOnly() at detect.c otherwise it wont be part of a signature group

Parameters

tv	thread vars
p	packet to inspect
data	thread specific data
pq	packet queue

Return values

TM_ECODE_FAILED	error
TM_ECODE_OK	ok

Definition at line 1747 of file detect.c.

◆ DetectEngineGetEvents()

AppLayerDecoderEvents* DetectEngineGetEvents ( DetectEngineThreadCtx * det_ctx )

Definition at line 4922 of file detect-engine.c.

References DetectEngineThreadCtx_::decoder_events.

◆ DetectEngineSetEvent()

void DetectEngineSetEvent	(	DetectEngineThreadCtx *	det_ctx,
		uint8_t	e
	)

Definition at line 4916 of file detect-engine.c.

References AppLayerDecoderEventsSetEventRaw(), DetectEngineThreadCtx_::decoder_events, and DetectEngineThreadCtx_::events.

Referenced by FileSwfDecompression(), FileSwfLzmaDecompression(), FileSwfZlibDecompression(), and InspectionBufferMultipleForListGet().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ DetectFlowbitsAnalyze()

int DetectFlowbitsAnalyze ( DetectEngineCtx * de_ctx )

Definition at line 425 of file detect-flowbits.c.

References SignatureInitData_::buffer_index, DetectFlowbitsData_::cmd, FBAnalyze::cnts, SigMatch_::ctx, de_ctx, DETECT_FLOWBITS, DETECT_FLOWBITS_CMD_ISNOTSET, DETECT_FLOWBITS_CMD_ISSET, DETECT_FLOWBITS_CMD_SET, DETECT_FLOWBITS_CMD_TOGGLE, DETECT_FLOWBITS_CMD_UNSET, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_POSTMATCH, Signature_::id, DetectFlowbitsData_::idx, Signature_::init_data, SignatureInitData_::init_flags, FBAnalyze::isnotset_sids, FBAnalyze::isnotset_sids_idx, FBAnalyze::isnotset_sids_size, FBAnalyze::isset_sids, FBAnalyze::isset_sids_idx, FBAnalyze::isset_sids_size, MAX, DetectEngineCtx_::max_fb_id, MAX_SIDS, SigMatch_::next, Signature_::num, DetectFlowbitsData_::or_list, DetectFlowbitsData_::or_list_size, rule_engine_analysis_set, SCCalloc, SCLogDebug, SCLogError, SCLogWarning, SCRealloc, FBAnalyze::set_sids, FBAnalyze::set_sids_idx, FBAnalyze::set_sids_size, DetectEngineCtx_::sig_array, DetectEngineCtx_::sig_array_len, SIG_FLAG_INIT_STATE_MATCH, SignatureInitData_::smlists, FBAnalyze::state_cnts, FBAnalyze::toggle_sids, FBAnalyze::toggle_sids_idx, FBAnalyze::toggle_sids_size, SigMatch_::type, FBAnalyze::unset_sids, FBAnalyze::unset_sids_idx, FBAnalyze::unset_sids_size, VAR_TYPE_FLOW_BIT, and VarNameStoreSetupLookup().

Here is the call graph for this function:

◆ DetectLoadCompleteSigPath()

char* DetectLoadCompleteSigPath	(	const DetectEngineCtx *	de_ctx,
		const char *	sig_file
	)

Create the path if default-rule-path was specified.

Parameters

sig_file The name of the file

Return values

str	Pointer to the string path + sig_file

Definition at line 61 of file detect-engine-loader.c.

References ConfGetNode(), DetectEngineCtx_::config_prefix, de_ctx, ConfNode_::final, PathIsRelative(), PathMergeAlloc(), SCLogError, SCStrdup, unlikely, and ConfNode_::val.

Here is the call graph for this function:

◆ DetectMetadataHashFree()

void DetectMetadataHashFree ( DetectEngineCtx * de_ctx )

Definition at line 80 of file detect-metadata.c.

References de_ctx, HashTableFree(), and DetectEngineCtx_::metadata_table.

Here is the call graph for this function:

◆ DetectMetadataHashInit()

int DetectMetadataHashInit ( DetectEngineCtx * de_ctx )

Definition at line 69 of file detect-metadata.c.

References de_ctx, DetectEngineMustParseMetadata(), HashTableInit(), DetectEngineCtx_::metadata_table, StringHashCompareFunc(), StringHashFreeFunc(), and StringHashFunc().

Here is the call graph for this function:

◆ DetectRegisterThreadCtxFuncs()

int DetectRegisterThreadCtxFuncs	(	DetectEngineCtx *	de_ctx,
		const char *	name,
		void ()(void *)	InitFunc,
		void *	data,
		void()(void )	FreeFunc,
		int	mode
	)

Register Thread keyword context Funcs.

Parameters

de_ctx	detection engine to register in
name	keyword name for error printing
InitFunc	function ptr
data	keyword init data to pass to Func. Can be NULL.
FreeFunc	function ptr
mode	0 normal (ctx per keyword instance) 1 shared (one ctx per det_ct)

Return values

id	for retrieval of ctx at runtime
-1	on error

Note: make sure "data" remains valid and it free'd elsewhere. It's recommended to store it in the keywords global ctx so that it's freed when the de_ctx is freed.

Definition at line 3586 of file detect-engine.c.

References BUG_ON, de_ctx, HashListTableInit(), and DetectEngineCtx_::keyword_hash.

Here is the call graph for this function:

◆ DetectThreadCtxGetKeywordThreadCtx()

void* DetectThreadCtxGetKeywordThreadCtx	(	DetectEngineThreadCtx *	det_ctx,
		int	id
	)

Retrieve thread local keyword ctx by id.

Parameters

det_ctx	detection engine thread ctx to retrieve the ctx from
id	id of the ctx returned by DetectRegisterThreadCtxInitFunc at keyword init.

Return values

ctx	or NULL on error

Definition at line 3656 of file detect-engine.c.

References DetectEngineThreadCtx_::keyword_ctxs_array, and DetectEngineThreadCtx_::keyword_ctxs_size.

Referenced by DetectPcrePayloadMatch().

Here is the caller graph for this function:

◆ DetectUnregisterThreadCtxFuncs()

int DetectUnregisterThreadCtxFuncs	(	DetectEngineCtx *	de_ctx,
		void *	data,
		const char *	name
	)

Remove Thread keyword context registration.

Parameters

de_ctx	detection engine to deregister from
det_ctx	detection engine thread context to deregister from
data	keyword init data to pass to Func. Can be NULL.
name	keyword name for error printing

Return values

1	Item unregistered
0	otherwise

Note: make sure "data" remains valid and it free'd elsewhere. It's recommended to store it in the keywords global ctx so that it's freed when the de_ctx is freed.

Definition at line 3638 of file detect-engine.c.

References DetectEngineThreadKeywordCtxItem_::data, de_ctx, HashListTableRemove(), and DetectEngineCtx_::keyword_hash.

Here is the call graph for this function:

◆ DisableDetectFlowFileFlags()

void DisableDetectFlowFileFlags ( Flow * f )

disable file features we don't need Called if we have no detection engine.

Definition at line 1814 of file detect.c.

◆ DumpPatterns()

void DumpPatterns ( DetectEngineCtx * de_ctx )

Definition at line 1226 of file detect-engine-analyzer.c.

References DetectEngineCtx_::buffer_type_id, DetectPatternTracker::cd, DetectPatternTracker::cnt, ConfigGetLogDirectory(), DetectContentData_::content_len, de_ctx, DETECT_CONTENT_DEPTH, DETECT_CONTENT_ENDS_WITH, DETECT_CONTENT_NEGATED, DETECT_CONTENT_NOCASE, DETECT_CONTENT_OFFSET, DETECT_SM_LIST_DYNAMIC_START, DetectContentPatternPrettyPrint(), DetectEngineBufferTypeGetNameById(), DetectListToHumanString(), DetectEngineCtx_::ea, EngineAnalysisCtx_::file_prefix, DetectContentData_::flags, g_rules_analyzer_write_m, HashListTableFree(), HashListTableGetListData, HashListTableGetListHead(), HashListTableGetListNext, DetectPatternTracker::mpm, DetectEngineCtx_::pattern_hash_table, SCMutexLock, SCMutexUnlock, DetectPatternTracker::sm_list, and str.

Here is the call graph for this function:

◆ RuleMatchCandidateTxArrayFree()

void RuleMatchCandidateTxArrayFree ( DetectEngineThreadCtx * det_ctx )

Definition at line 979 of file detect.c.

References SCFree, DetectEngineThreadCtx_::tx_candidates, and DetectEngineThreadCtx_::tx_candidates_size.

◆ RuleMatchCandidateTxArrayInit()

void RuleMatchCandidateTxArrayInit	(	DetectEngineThreadCtx *	det_ctx,
		uint32_t	size
	)

Definition at line 966 of file detect.c.

References DEBUG_VALIDATE_BUG_ON, FatalError, SCCalloc, SCLogDebug, DetectEngineThreadCtx_::tx_candidates, and DetectEngineThreadCtx_::tx_candidates_size.

◆ SigFindSignatureBySidGid()

Signature* SigFindSignatureBySidGid	(	DetectEngineCtx *	de_ctx,
		uint32_t	sid,
		uint32_t	gid
	)

Find a specific signature by sid and gid.

Parameters

de_ctx	detection engine ctx
sid	the signature id
gid	the signature group id

Return values

s	sig found
NULL	sig not found

Definition at line 70 of file detect-engine-build.c.

References de_ctx, Signature_::next, and DetectEngineCtx_::sig_list.

◆ SigLoadSignatures()

int SigLoadSignatures	(	DetectEngineCtx *	de_ctx,
		char *	sig_file,
		int	sig_file_exclusive
	)

Load signatures.

Parameters

de_ctx	Pointer to the detection engine context
sig_file	Filename (or pattern) holding signatures
sig_file_exclusive	File passed in 'sig_file' should be loaded exclusively.

Return values

-1 on error

Definition at line 273 of file detect-engine-loader.c.

References DetectEngineCtx_::config_prefix, de_ctx, RUNMODE_ENGINE_ANALYSIS, RunmodeGetCurrent(), SCEnter, SetupEngineAnalysis(), and DetectEngineCtx_::sig_stat.

Here is the call graph for this function:

◆ SigMatchAlloc()

SigMatch* SigMatchAlloc ( void )

Definition at line 322 of file detect-parse.c.

References SigMatch_::next, SigMatch_::prev, SCMalloc, and unlikely.

Referenced by DetectContentSetup(), and DetectFlowvarPostMatchSetup().

Here is the caller graph for this function:

◆ SigMatchFree()

void SigMatchFree	(	DetectEngineCtx *	de_ctx,
		SigMatch *	sm
	)

free a SigMatch

Parameters

sm	SigMatch to free.

free the ctx, for that we call the Free func

Definition at line 337 of file detect-parse.c.

References SigMatch_::ctx, de_ctx, SigTableElmt_::Free, SCFree, sigmatch_table, and SigMatch_::type.

Referenced by DetectIPProtoRemoveAllSMs(), and SigFree().

Here is the caller graph for this function:

◆ SigMatchSignatures()

void SigMatchSignatures	(	ThreadVars *	th_v,
		DetectEngineCtx *	de_ctx,
		DetectEngineThreadCtx *	det_ctx,
		Packet *	p
	)

wrapper for old tests

Definition at line 1824 of file detect.c.

References Packet_::flow.

Referenced by UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().

Here is the caller graph for this function:

◆ SigMatchSignaturesGetSgh()

const SigGroupHead* SigMatchSignaturesGetSgh	(	const DetectEngineCtx *	de_ctx,
		const Packet *	p
	)

Get the SigGroupHead for a packet.

Parameters

de_ctx	detection engine context
p	packet

Return values

sgh	the SigGroupHead or NULL if non applies to the packet

Definition at line 201 of file detect.c.

References PacketEngineEvents_::cnt, de_ctx, DetectEngineCtx_::decoder_event_sgh, Packet_::events, FLOW_PKT_TOCLIENT, Packet_::flowflags, IP_GET_IPPROTO, PKT_IS_IPV4, PKT_IS_IPV6, proto, Packet_::proto, SCEnter, and SCReturnPtr.

◆ SignatureIsIPOnly()

int SignatureIsIPOnly	(	DetectEngineCtx *	de_ctx,
		const Signature *	s
	)

Test is a initialized signature is IP only.

Parameters

de_ctx	detection engine ctx
s	the signature

Return values

1	sig is ip only
2	sig is like ip only
0	sig is not ip only

Definition at line 200 of file detect-engine-build.c.

References Signature_::alproto, ALPROTO_UNKNOWN, DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, SIG_FLAG_APPLAYER, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, and SignatureInitData_::smlists.

◆ SigRegisterTests()

void SigRegisterTests ( void )

Definition at line 5042 of file detect.c.

References IPOnlyRegisterTests(), SigParseRegisterTests(), and UtRegisterTest().

Here is the call graph for this function:

Variable Documentation

◆ sigmatch_table

SigTableElmt sigmatch_table[DETECT_TBLSIZE]

Definition at line 129 of file detect-parse.c.

◆ signature_properties

const struct SignatureProperties signature_properties[SIG_TYPE_MAX]

Definition at line 108 of file detect-engine.c.

Data Structures

Macros

Typedefs

Enumerations

Functions

Variables

Detailed Description

Macro Definition Documentation

◆ ADDRESS_FLAG_NOT

◆ DE_QUIET

◆ DETECT_DEFAULT_PRIO

◆ DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET

◆ DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH

◆ DETECT_FILESTORE_MAX

◆ DETECT_MAX_RULE_SIZE

◆ DETECT_SM_LIST_NOTSET

◆ DETECT_TRANSFORMS_MAX

◆ DETECT_VAR_TYPE_FLOW_POSTMATCH

◆ DETECT_VAR_TYPE_PKT_POSTMATCH

◆ ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE

◆ FILE_SIG_NEED_FILE

◆ FILE_SIG_NEED_FILECONTENT

◆ FILE_SIG_NEED_FILENAME

◆ FILE_SIG_NEED_MAGIC

◆ FILE_SIG_NEED_MD5

◆ FILE_SIG_NEED_SHA1

◆ FILE_SIG_NEED_SHA256

◆ FILE_SIG_NEED_SIZE

◆ FLOW_STATES

◆ PORT_FLAG_ANY

◆ PORT_FLAG_NOT

◆ PORT_SIGGROUPHEAD_COPY

◆ SIG_FLAG_APPLAYER

◆ SIG_FLAG_BYPASS

◆ SIG_FLAG_DEST_IS_TARGET

◆ SIG_FLAG_DP_ANY

◆ SIG_FLAG_DSIZE

◆ SIG_FLAG_DST_ANY

◆ SIG_FLAG_FILESTORE

◆ SIG_FLAG_FLUSH

◆ SIG_FLAG_HAS_TARGET

◆ SIG_FLAG_INIT_BIDIREC

◆ SIG_FLAG_INIT_FILEDATA

◆ SIG_FLAG_INIT_FIRST_IPPROTO_SEEN

◆ SIG_FLAG_INIT_FLOW

◆ SIG_FLAG_INIT_JA3

◆ SIG_FLAG_INIT_NEED_FLUSH

◆ SIG_FLAG_INIT_OVERFLOW

◆ SIG_FLAG_INIT_PACKET

◆ SIG_FLAG_INIT_PRIO_EXPLICIT

◆ SIG_FLAG_INIT_STATE_MATCH

◆ SIG_FLAG_MPM_NEG

◆ SIG_FLAG_NOALERT

◆ SIG_FLAG_PREFILTER

◆ SIG_FLAG_REQUIRE_FLOWVAR

◆ SIG_FLAG_REQUIRE_PACKET

◆ SIG_FLAG_REQUIRE_STREAM

◆ SIG_FLAG_SP_ANY

◆ SIG_FLAG_SRC_ANY

◆ SIG_FLAG_SRC_IS_TARGET

◆ SIG_FLAG_TLSSTORE

◆ SIG_FLAG_TOCLIENT

◆ SIG_FLAG_TOSERVER

◆ SIG_GROUP_HEAD_HAVEFILEMD5

◆ SIG_GROUP_HEAD_HAVEFILESHA1

◆ SIG_GROUP_HEAD_HAVEFILESHA256

◆ SIG_GROUP_HEAD_HAVEFILESIZE

◆ SIG_GROUP_HEAD_HAVERAWSTREAM

◆ SIG_MASK_REQUIRE_DCERPC

◆ SIG_MASK_REQUIRE_ENGINE_EVENT

◆ SIG_MASK_REQUIRE_FLAGS_INITDEINIT

◆ SIG_MASK_REQUIRE_FLAGS_UNUSUAL

◆ SIG_MASK_REQUIRE_FLOW

◆ SIG_MASK_REQUIRE_NO_PAYLOAD

◆ SIG_MASK_REQUIRE_PAYLOAD

◆ SIGMATCH_DEONLY_COMPAT

◆ SIGMATCH_HANDLE_NEGATION

◆ SIGMATCH_INFO_CONTENT_MODIFIER

◆ SIGMATCH_INFO_DEPRECATED

◆ SIGMATCH_INFO_STICKY_BUFFER