#include "suricata-common.h"#include "flow.h"#include "detect-engine-proto.h"#include "detect-reference.h"#include "detect-metadata.h"#include "detect-engine-register.h"#include "util-prefilter.h"#include "util-mpm.h"#include "util-spm.h"#include "util-hash.h"#include "util-hashlist.h"#include "util-radix-tree.h"#include "util-file.h"#include "reputation.h"
Go to the source code of this file.
Functions | |
| TmEcode | Detect (ThreadVars *tv, Packet *p, void *data) |
| Detection engine thread wrapper. More... | |
| SigMatch * | SigMatchAlloc (void) |
| Signature * | SigFindSignatureBySidGid (DetectEngineCtx *, uint32_t, uint32_t) |
| Find a specific signature by sid and gid. More... | |
| void | SigMatchFree (DetectEngineCtx *, SigMatch *sm) |
| free a SigMatch More... | |
| void | SigRegisterTests (void) |
| void | DisableDetectFlowFileFlags (Flow *f) |
| disable file features we don't need Called if we have no detection engine. More... | |
| char * | DetectLoadCompleteSigPath (const DetectEngineCtx *, const char *sig_file) |
| Create the path if default-rule-path was specified. More... | |
| int | SigLoadSignatures (DetectEngineCtx *, char *, bool) |
| Load signatures. More... | |
| void | SigMatchSignatures (ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p) |
| wrapper for old tests More... | |
| int | SignatureIsIPOnly (DetectEngineCtx *de_ctx, const Signature *s) |
| Test is a initialized signature is IP only. More... | |
| const SigGroupHead * | SigMatchSignaturesGetSgh (const DetectEngineCtx *de_ctx, const Packet *p) |
| Get the SigGroupHead for a packet. More... | |
| int | DetectUnregisterThreadCtxFuncs (DetectEngineCtx *, void *data, const char *name) |
| Remove Thread keyword context registration. More... | |
| int | DetectRegisterThreadCtxFuncs (DetectEngineCtx *, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int) |
| Register Thread keyword context Funcs. More... | |
| void * | DetectThreadCtxGetKeywordThreadCtx (DetectEngineThreadCtx *, int) |
| Retrieve thread local keyword ctx by id. More... | |
| void * | DetectGetInnerTx (void *tx_ptr, AppProto alproto, AppProto engine_alproto, uint8_t flow_flags) |
| void | RuleMatchCandidateTxArrayInit (DetectEngineThreadCtx *det_ctx, uint32_t size) |
| void | RuleMatchCandidateTxArrayFree (DetectEngineThreadCtx *det_ctx) |
| int | DetectFlowbitsAnalyze (DetectEngineCtx *de_ctx) |
| int | DetectMetadataHashInit (DetectEngineCtx *de_ctx) |
| void | DetectMetadataHashFree (DetectEngineCtx *de_ctx) |
| void | DetectEngineSetEvent (DetectEngineThreadCtx *det_ctx, uint8_t e) |
| void | DumpPatterns (DetectEngineCtx *de_ctx) |
Variables | |
| const struct SignatureProperties | signature_properties [SIG_TYPE_MAX] |
| SigTableElmt * | sigmatch_table |
Detailed Description
Definition in file detect.h.
Macro Definition Documentation
◆ ADDRESS_FLAG_NOT
◆ DE_QUIET
◆ DETECT_DEFAULT_PRIO
| #define DETECT_DEFAULT_PRIO 3 |
◆ DETECT_FILESTORE_MAX
◆ DETECT_MAX_RULE_SIZE
◆ DETECT_SM_LIST_NOTSET
◆ DETECT_TRANSFORMS_MAX
◆ DETECT_VAR_TYPE_FLOW_POSTMATCH
| #define DETECT_VAR_TYPE_FLOW_POSTMATCH 1 |
◆ DETECT_VAR_TYPE_PKT_POSTMATCH
◆ ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE
| #define ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE (ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO + 1) |
◆ FILE_SIG_NEED_FILE
◆ FILE_SIG_NEED_FILECONTENT
◆ FILE_SIG_NEED_FILENAME
◆ FILE_SIG_NEED_MAGIC
| #define FILE_SIG_NEED_MAGIC 0x04 |
◆ FILE_SIG_NEED_MD5
◆ FILE_SIG_NEED_SHA1
◆ FILE_SIG_NEED_SHA256
◆ FILE_SIG_NEED_SIZE
◆ FLOW_STATES
◆ PACKET_ALERT_NOTX
◆ PORT_FLAG_ANY
◆ PORT_FLAG_NOT
◆ PORT_SIGGROUPHEAD_COPY
◆ SIG_FLAG_APPLAYER
| #define SIG_FLAG_APPLAYER BIT_U32(6) |
◆ SIG_FLAG_BYPASS
◆ SIG_FLAG_DEST_IS_TARGET
| #define SIG_FLAG_DEST_IS_TARGET BIT_U32(26) |
◆ SIG_FLAG_DP_ANY
◆ SIG_FLAG_DSIZE
| #define SIG_FLAG_DSIZE BIT_U32(5) |
◆ SIG_FLAG_DST_ANY
◆ SIG_FLAG_FILESTORE
| #define SIG_FLAG_FILESTORE BIT_U32(18) |
◆ SIG_FLAG_FLUSH
| #define SIG_FLAG_FLUSH BIT_U32(12) |
◆ SIG_FLAG_HAS_TARGET
| #define SIG_FLAG_HAS_TARGET (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET) |
◆ SIG_FLAG_INIT_BIDIREC
| #define SIG_FLAG_INIT_BIDIREC BIT_U32(3) |
◆ SIG_FLAG_INIT_FILEDATA
| #define SIG_FLAG_INIT_FILEDATA BIT_U32(9) |
◆ SIG_FLAG_INIT_FIRST_IPPROTO_SEEN
| #define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN BIT_U32(4) /** < signature has seen the first ip_proto keyword */ |
◆ SIG_FLAG_INIT_FLOW
| #define SIG_FLAG_INIT_FLOW BIT_U32(2) |
◆ SIG_FLAG_INIT_JA
| #define SIG_FLAG_INIT_JA BIT_U32(10) |
◆ SIG_FLAG_INIT_NEED_FLUSH
◆ SIG_FLAG_INIT_PACKET
| #define SIG_FLAG_INIT_PACKET BIT_U32(1) |
◆ SIG_FLAG_INIT_PRIO_EXPLICIT
| #define SIG_FLAG_INIT_PRIO_EXPLICIT BIT_U32(8) |
◆ SIG_FLAG_INIT_STATE_MATCH
| #define SIG_FLAG_INIT_STATE_MATCH BIT_U32(6) |
◆ SIG_FLAG_MPM_NEG
◆ SIG_FLAG_PREFILTER
| #define SIG_FLAG_PREFILTER BIT_U32(23) |
◆ SIG_FLAG_REQUIRE_FLOWVAR
| #define SIG_FLAG_REQUIRE_FLOWVAR BIT_U32(17) |
◆ SIG_FLAG_REQUIRE_PACKET
| #define SIG_FLAG_REQUIRE_PACKET BIT_U32(9) |
◆ SIG_FLAG_REQUIRE_STREAM
| #define SIG_FLAG_REQUIRE_STREAM BIT_U32(10) |
◆ SIG_FLAG_REQUIRE_STREAM_ONLY
| #define SIG_FLAG_REQUIRE_STREAM_ONLY BIT_U32(13) |
◆ SIG_FLAG_SP_ANY
◆ SIG_FLAG_SRC_ANY
| #define SIG_FLAG_SRC_ANY BIT_U32(0) |
◆ SIG_FLAG_SRC_IS_TARGET
| #define SIG_FLAG_SRC_IS_TARGET BIT_U32(25) |
◆ SIG_FLAG_TLSSTORE
◆ SIG_FLAG_TOCLIENT
◆ SIG_FLAG_TOSERVER
◆ SIG_GROUP_HEAD_HAVEFILEMD5
◆ SIG_GROUP_HEAD_HAVEFILESHA1
◆ SIG_GROUP_HEAD_HAVEFILESHA256
◆ SIG_GROUP_HEAD_HAVEFILESIZE
◆ SIG_GROUP_HEAD_HAVERAWSTREAM
◆ SIG_MASK_REQUIRE_ENGINE_EVENT
◆ SIG_MASK_REQUIRE_FLAGS_INITDEINIT
| #define SIG_MASK_REQUIRE_FLAGS_INITDEINIT BIT_U8(2) /* SYN, FIN, RST */ |
◆ SIG_MASK_REQUIRE_FLAGS_UNUSUAL
| #define SIG_MASK_REQUIRE_FLAGS_UNUSUAL BIT_U8(3) /* URG, ECN, CWR */ |
◆ SIG_MASK_REQUIRE_FLOW
◆ SIG_MASK_REQUIRE_NO_PAYLOAD
◆ SIG_MASK_REQUIRE_PAYLOAD
| #define SIG_MASK_REQUIRE_PAYLOAD BIT_U8(0) |
◆ SIG_MASK_REQUIRE_REAL_PKT
◆ SIGMATCH_DEONLY_COMPAT
| #define SIGMATCH_DEONLY_COMPAT BIT_U16(2) |
◆ SIGMATCH_HANDLE_NEGATION
| #define SIGMATCH_HANDLE_NEGATION BIT_U16(7) |
◆ SIGMATCH_INFO_CONTENT_MODIFIER
| #define SIGMATCH_INFO_CONTENT_MODIFIER BIT_U16(8) |
◆ SIGMATCH_INFO_DEPRECATED
| #define SIGMATCH_INFO_DEPRECATED BIT_U16(10) |
◆ SIGMATCH_INFO_STICKY_BUFFER
| #define SIGMATCH_INFO_STICKY_BUFFER BIT_U16(9) |
◆ SIGMATCH_IPONLY_COMPAT
| #define SIGMATCH_IPONLY_COMPAT BIT_U16(1) |
◆ SIGMATCH_NOOPT
| #define SIGMATCH_NOOPT BIT_U16(0) |
◆ SIGMATCH_NOT_BUILT
◆ SIGMATCH_OPTIONAL_OPT
| #define SIGMATCH_OPTIONAL_OPT BIT_U16(4) |
◆ SIGMATCH_QUOTES_MANDATORY
| #define SIGMATCH_QUOTES_MANDATORY BIT_U16(6) |
◆ SIGMATCH_QUOTES_OPTIONAL
| #define SIGMATCH_QUOTES_OPTIONAL BIT_U16(5) |
◆ SIGMATCH_STRICT_PARSING
| #define SIGMATCH_STRICT_PARSING BIT_U16(11) |
◆ SignatureMask
Typedef Documentation
◆ AppLayerTxData
| typedef struct AppLayerTxData AppLayerTxData |
◆ DetectAddress
| typedef struct DetectAddress_ DetectAddress |
address structure for use in the detection engine.
Contains the address information and matching information.
◆ DetectAddressHead
| typedef struct DetectAddressHead_ DetectAddressHead |
Address grouping head. IPv4 and IPv6 are split out
◆ DetectBufferMpmRegistry
| typedef struct DetectBufferMpmRegistry_ DetectBufferMpmRegistry |
one time registration of keywords at start up
◆ DetectBufferType
| typedef struct DetectBufferType_ DetectBufferType |
◆ DetectEngineAppInspectionEngine
| typedef struct DetectEngineAppInspectionEngine_ DetectEngineAppInspectionEngine |
◆ DetectEngineCtx
| typedef struct DetectEngineCtx_ DetectEngineCtx |
main detection engine ctx
◆ DetectEngineFrameInspectionEngine
◆ DetectEngineIPOnlyCtx
| typedef struct DetectEngineIPOnlyCtx_ DetectEngineIPOnlyCtx |
IP only rules matching ctx.
◆ DetectEngineLookupFlow
| typedef struct DetectEngineLookupFlow_ DetectEngineLookupFlow |
◆ DetectEngineMasterCtx
| typedef struct DetectEngineMasterCtx_ DetectEngineMasterCtx |
◆ DetectEnginePktInspectionEngine
| typedef struct DetectEnginePktInspectionEngine DetectEnginePktInspectionEngine |
◆ DetectEngineTenantMapping
| typedef struct DetectEngineTenantMapping_ DetectEngineTenantMapping |
◆ DetectEngineThreadCtx
| typedef struct DetectEngineThreadCtx_ DetectEngineThreadCtx |
Detection engine thread data.
◆ DetectEngineThreadKeywordCtxItem
◆ DetectEngineTransforms
| typedef struct DetectEngineTransforms DetectEngineTransforms |
◆ DetectMatchAddressIPv4
| typedef struct DetectMatchAddressIPv4_ DetectMatchAddressIPv4 |
◆ DetectMatchAddressIPv6
| typedef struct DetectMatchAddressIPv6_ DetectMatchAddressIPv6 |
◆ DetectPatternTracker
| typedef struct DetectPatternTracker DetectPatternTracker |
◆ DetectPort
| typedef struct DetectPort_ DetectPort |
Port structure for detection engine.
◆ DetectReplaceList
| typedef struct DetectReplaceList_ DetectReplaceList |
◆ DetectVarList
| typedef struct DetectVarList_ DetectVarList |
list for flowvar store candidates, to be stored from post-match function
◆ InspectEngineFuncPtr
| typedef uint8_t(* InspectEngineFuncPtr) (struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id) |
◆ InspectionBuffer
| typedef struct InspectionBuffer InspectionBuffer |
◆ InspectionBufferFrameInspectFunc
| typedef int(* InspectionBufferFrameInspectFunc) (struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame) |
◆ InspectionBufferGetDataPtr
| typedef InspectionBuffer*(* InspectionBufferGetDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id) |
◆ InspectionBufferGetPktDataPtr
| typedef InspectionBuffer*(* InspectionBufferGetPktDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id) |
◆ InspectionBufferMultipleForList
| typedef struct InspectionBufferMultipleForList InspectionBufferMultipleForList |
◆ InspectionBufferPktInspectFunc
| typedef int(* InspectionBufferPktInspectFunc) (struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags) |
◆ InspectionMultiBufferGetDataPtr
| typedef InspectionBuffer*(* InspectionMultiBufferGetDataPtr) (struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id, const uint32_t local_id) |
◆ IPOnlyCIDRItem
| typedef struct IPOnlyCIDRItem_ IPOnlyCIDRItem |
◆ MpmStore
◆ PrefilterEngine
| typedef struct PrefilterEngine_ PrefilterEngine |
◆ PrefilterEngineList
| typedef struct PrefilterEngineList_ PrefilterEngineList |
◆ PrefilterFrameFn
| typedef void(* PrefilterFrameFn) (DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, const struct Frames *frames, const struct Frame *frame) |
◆ PrefilterPktFn
| typedef void(* PrefilterPktFn) (DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx) |
◆ PrefilterTxFn
| typedef void(* PrefilterTxFn) (DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t tx_id, const AppLayerTxData *tx_data, const uint8_t flags) |
◆ RuleMatchCandidateTx
| typedef struct RuleMatchCandidateTx RuleMatchCandidateTx |
array of TX inspect rule candidates
◆ SCDetectRequiresStatus
| typedef struct SCDetectRequiresStatus SCDetectRequiresStatus |
◆ SCFPSupportSMList
| typedef struct SCFPSupportSMList_ SCFPSupportSMList |
◆ SigFileLoaderStat
| typedef struct SigFileLoaderStat_ SigFileLoaderStat |
Signature loader statistics.
◆ SigGroupHead
| typedef struct SigGroupHead_ SigGroupHead |
Container for matching data for a signature group.
◆ SigGroupHeadInitData
| typedef struct SigGroupHeadInitData_ SigGroupHeadInitData |
◆ SigMatch
◆ SigMatchCtx
| typedef struct SigMatchCtx_ SigMatchCtx |
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something else.
◆ SigMatchData
| typedef struct SigMatchData_ SigMatchData |
Data needed for Match()
◆ Signature
| typedef struct Signature_ Signature |
Signature container.
◆ SignatureInitData
| typedef struct SignatureInitData_ SignatureInitData |
◆ SignatureInitDataBuffer
| typedef struct SignatureInitDataBuffer_ SignatureInitDataBuffer |
◆ SignatureNonPrefilterStore
| typedef struct SignatureNonPrefilterStore_ SignatureNonPrefilterStore |
◆ SigString
| typedef struct SigString_ SigString |
◆ SigTableElmt
| typedef struct SigTableElmt_ SigTableElmt |
element in sigmatch type table.
◆ TransformData
| typedef struct TransformData_ TransformData |
Enumeration Type Documentation
◆ anonymous enum
| anonymous enum |
◆ anonymous enum
| anonymous enum |
◆ anonymous enum
| anonymous enum |
◆ anonymous enum
| anonymous enum |
◆ anonymous enum
| anonymous enum |
◆ DetectBufferMpmType
| enum DetectBufferMpmType |
◆ DetectEnginePrefilterSetting
◆ DetectEngineTenantSelectors
◆ DetectEngineType
| enum DetectEngineType |
◆ DetectSigmatchListEnum
◆ MpmBuiltinBuffers
| enum MpmBuiltinBuffers |
◆ SignaturePropertyFlowAction
◆ SignatureType
| enum SignatureType |
Function Documentation
◆ Detect()
| TmEcode Detect | ( | ThreadVars * | tv, |
| Packet * | p, | ||
| void * | data | ||
| ) |
Detection engine thread wrapper.
Remember to add the options in SignatureIsIPOnly() at detect.c otherwise it wont be part of a signature group
- Parameters
-
tv thread vars p packet to inspect data thread specific data pq packet queue
- Return values
-
TM_ECODE_FAILED error TM_ECODE_OK ok
◆ DetectEngineSetEvent()
| void DetectEngineSetEvent | ( | DetectEngineThreadCtx * | det_ctx, |
| uint8_t | e | ||
| ) |
Definition at line 4973 of file detect-engine.c.
References AppLayerDecoderEventsSetEventRaw(), DetectEngineThreadCtx_::decoder_events, and DetectEngineThreadCtx_::events.
Referenced by FileSwfDecompression(), FileSwfLzmaDecompression(), FileSwfZlibDecompression(), and InspectionBufferMultipleForListGet().
◆ DetectFlowbitsAnalyze()
| int DetectFlowbitsAnalyze | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 420 of file detect-flowbits.c.
References SignatureInitData_::buffer_index, DetectFlowbitsData_::cmd, FBAnalyze::cnts, de_ctx, DETECT_FLOWBITS, DETECT_FLOWBITS_CMD_ISNOTSET, DETECT_FLOWBITS_CMD_ISSET, DETECT_FLOWBITS_CMD_SET, DETECT_FLOWBITS_CMD_TOGGLE, DETECT_FLOWBITS_CMD_UNSET, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_POSTMATCH, Signature_::id, DetectFlowbitsData_::idx, Signature_::init_data, SignatureInitData_::init_flags, FBAnalyze::isnotset_sids, FBAnalyze::isnotset_sids_idx, FBAnalyze::isnotset_sids_size, FBAnalyze::isset_sids, FBAnalyze::isset_sids_idx, FBAnalyze::isset_sids_size, MAX, DetectEngineCtx_::max_fb_id, MAX_SIDS, SigMatch_::next, Signature_::num, DetectFlowbitsData_::or_list, DetectFlowbitsData_::or_list_size, rule_engine_analysis_set, SCCalloc, SCLogDebug, SCLogError, SCLogWarning, SCRealloc, FBAnalyze::set_sids, FBAnalyze::set_sids_idx, FBAnalyze::set_sids_size, DetectEngineCtx_::sig_array, DetectEngineCtx_::sig_array_len, SIG_FLAG_INIT_STATE_MATCH, SignatureInitData_::smlists, FBAnalyze::state_cnts, FBAnalyze::toggle_sids, FBAnalyze::toggle_sids_idx, FBAnalyze::toggle_sids_size, FBAnalyze::unset_sids, FBAnalyze::unset_sids_idx, FBAnalyze::unset_sids_size, VAR_TYPE_FLOW_BIT, and VarNameStoreSetupLookup().
◆ DetectGetInnerTx()
| void* DetectGetInnerTx | ( | void * | tx_ptr, |
| AppProto | alproto, | ||
| AppProto | engine_alproto, | ||
| uint8_t | flow_flags | ||
| ) |
Definition at line 1067 of file detect.c.
References ALPROTO_DNS, ALPROTO_DOH2, ALPROTO_HTTP2, and unlikely.
Referenced by AlertJsonDoh2(), and DetectRunPrefilterTx().
◆ DetectLoadCompleteSigPath()
| char* DetectLoadCompleteSigPath | ( | const DetectEngineCtx * | de_ctx, |
| const char * | sig_file | ||
| ) |
Create the path if default-rule-path was specified.
- Parameters
-
sig_file The name of the file
- Return values
-
str Pointer to the string path + sig_file
Definition at line 62 of file detect-engine-loader.c.
References ConfGetNode(), DetectEngineCtx_::config_prefix, de_ctx, ConfNode_::final, PathIsRelative(), PathMergeAlloc(), SCLogError, SCStrdup, unlikely, and ConfNode_::val.
◆ DetectMetadataHashFree()
| void DetectMetadataHashFree | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 80 of file detect-metadata.c.
References de_ctx, HashTableFree(), and DetectEngineCtx_::metadata_table.
◆ DetectMetadataHashInit()
| int DetectMetadataHashInit | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 69 of file detect-metadata.c.
References de_ctx, DetectEngineMustParseMetadata(), HashTableInit(), DetectEngineCtx_::metadata_table, StringHashCompareFunc(), StringHashFreeFunc(), and StringHashFunc().
◆ DetectRegisterThreadCtxFuncs()
| int DetectRegisterThreadCtxFuncs | ( | DetectEngineCtx * | de_ctx, |
| const char * | name, | ||
| void *(*)(void *) | InitFunc, | ||
| void * | data, | ||
| void(*)(void *) | FreeFunc, | ||
| int | mode | ||
| ) |
Register Thread keyword context Funcs.
- Parameters
-
de_ctx detection engine to register in name keyword name for error printing InitFunc function ptr data keyword init data to pass to Func. Can be NULL. FreeFunc function ptr mode 0 normal (ctx per keyword instance) 1 shared (one ctx per det_ct)
- Return values
-
id for retrieval of ctx at runtime -1 on error
- Note
- make sure "data" remains valid and it free'd elsewhere. It's recommended to store it in the keywords global ctx so that it's freed when the de_ctx is freed.
Definition at line 3631 of file detect-engine.c.
References BUG_ON, de_ctx, HashListTableInit(), and DetectEngineCtx_::keyword_hash.
◆ DetectThreadCtxGetKeywordThreadCtx()
| void* DetectThreadCtxGetKeywordThreadCtx | ( | DetectEngineThreadCtx * | det_ctx, |
| int | id | ||
| ) |
Retrieve thread local keyword ctx by id.
- Parameters
-
det_ctx detection engine thread ctx to retrieve the ctx from id id of the ctx returned by DetectRegisterThreadCtxInitFunc at keyword init.
- Return values
-
ctx or NULL on error
Definition at line 3701 of file detect-engine.c.
References DetectEngineThreadCtx_::keyword_ctxs_array, and DetectEngineThreadCtx_::keyword_ctxs_size.
Referenced by DetectLuaMatchBuffer(), and DetectPcrePayloadMatch().
◆ DetectUnregisterThreadCtxFuncs()
| int DetectUnregisterThreadCtxFuncs | ( | DetectEngineCtx * | de_ctx, |
| void * | data, | ||
| const char * | name | ||
| ) |
Remove Thread keyword context registration.
- Parameters
-
de_ctx detection engine to deregister from det_ctx detection engine thread context to deregister from data keyword init data to pass to Func. Can be NULL. name keyword name for error printing
- Return values
-
1 Item unregistered 0 otherwise
- Note
- make sure "data" remains valid and it free'd elsewhere. It's recommended to store it in the keywords global ctx so that it's freed when the de_ctx is freed.
Definition at line 3683 of file detect-engine.c.
References DetectEngineThreadKeywordCtxItem_::data, de_ctx, HashListTableRemove(), and DetectEngineCtx_::keyword_hash.
◆ DisableDetectFlowFileFlags()
| void DisableDetectFlowFileFlags | ( | Flow * | f | ) |
◆ DumpPatterns()
| void DumpPatterns | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 1313 of file detect-engine-analyzer.c.
References DetectEngineCtx_::buffer_type_id, DetectPatternTracker::cd, DetectPatternTracker::cnt, ConfigGetLogDirectory(), DetectContentData_::content_len, de_ctx, DETECT_CONTENT_DEPTH, DETECT_CONTENT_ENDS_WITH, DETECT_CONTENT_NEGATED, DETECT_CONTENT_NOCASE, DETECT_CONTENT_OFFSET, DETECT_SM_LIST_DYNAMIC_START, DetectContentPatternPrettyPrint(), DetectEngineBufferTypeGetNameById(), DetectListToHumanString(), DetectEngineCtx_::ea, EngineAnalysisCtx_::file_prefix, DetectContentData_::flags, g_rules_analyzer_write_m, HashListTableFree(), HashListTableGetListData, HashListTableGetListHead(), HashListTableGetListNext, DetectPatternTracker::mpm, DetectEngineCtx_::pattern_hash_table, SCMutexLock, SCMutexUnlock, DetectPatternTracker::sm_list, and str.
◆ RuleMatchCandidateTxArrayFree()
| void RuleMatchCandidateTxArrayFree | ( | DetectEngineThreadCtx * | det_ctx | ) |
Definition at line 1000 of file detect.c.
References SCFree, DetectEngineThreadCtx_::tx_candidates, and DetectEngineThreadCtx_::tx_candidates_size.
◆ RuleMatchCandidateTxArrayInit()
| void RuleMatchCandidateTxArrayInit | ( | DetectEngineThreadCtx * | det_ctx, |
| uint32_t | size | ||
| ) |
Definition at line 987 of file detect.c.
References DEBUG_VALIDATE_BUG_ON, FatalError, SCCalloc, SCLogDebug, DetectEngineThreadCtx_::tx_candidates, and DetectEngineThreadCtx_::tx_candidates_size.
◆ SigFindSignatureBySidGid()
| Signature* SigFindSignatureBySidGid | ( | DetectEngineCtx * | de_ctx, |
| uint32_t | sid, | ||
| uint32_t | gid | ||
| ) |
Find a specific signature by sid and gid.
- Parameters
-
de_ctx detection engine ctx sid the signature id gid the signature group id
- Return values
-
s sig found NULL sig not found
Definition at line 79 of file detect-engine-build.c.
References de_ctx, Signature_::next, and DetectEngineCtx_::sig_list.
◆ SigLoadSignatures()
| int SigLoadSignatures | ( | DetectEngineCtx * | de_ctx, |
| char * | sig_file, | ||
| bool | sig_file_exclusive | ||
| ) |
Load signatures.
- Parameters
-
de_ctx Pointer to the detection engine context sig_file Filename (or pattern) holding signatures sig_file_exclusive File passed in 'sig_file' should be loaded exclusively.
- Return values
-
-1 on error
Definition at line 287 of file detect-engine-loader.c.
References DetectEngineCtx_::config_prefix, de_ctx, RUNMODE_ENGINE_ANALYSIS, SCEnter, SCRunmodeGet(), SetupEngineAnalysis(), and DetectEngineCtx_::sig_stat.
◆ SigMatchAlloc()
| SigMatch* SigMatchAlloc | ( | void | ) |
Definition at line 322 of file detect-parse.c.
References SigMatch_::next, SigMatch_::prev, SCCalloc, and unlikely.
◆ SigMatchFree()
| void SigMatchFree | ( | DetectEngineCtx * | de_ctx, |
| SigMatch * | sm | ||
| ) |
free a SigMatch
- Parameters
-
sm SigMatch to free.
free the ctx, for that we call the Free func
Definition at line 336 of file detect-parse.c.
References SigMatch_::ctx, de_ctx, SigTableElmt_::Free, SCFree, sigmatch_table, and SigMatch_::type.
Referenced by DetectIPProtoRemoveAllSMs(), and SigFree().
◆ SigMatchSignatures()
| void SigMatchSignatures | ( | ThreadVars * | th_v, |
| DetectEngineCtx * | de_ctx, | ||
| DetectEngineThreadCtx * | det_ctx, | ||
| Packet * | p | ||
| ) |
wrapper for old tests
Definition at line 1938 of file detect.c.
References Packet_::flow.
Referenced by UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().
◆ SigMatchSignaturesGetSgh()
| const SigGroupHead* SigMatchSignaturesGetSgh | ( | const DetectEngineCtx * | de_ctx, |
| const Packet * | p | ||
| ) |
Get the SigGroupHead for a packet.
- Parameters
-
de_ctx detection engine context p packet
- Return values
-
sgh the SigGroupHead or NULL if non applies to the packet
Definition at line 220 of file detect.c.
References PacketEngineEvents_::cnt, de_ctx, DetectEngineCtx_::decoder_event_sgh, Packet_::events, Packet_::proto, SCEnter, and SCReturnPtr.
◆ SignatureIsIPOnly()
| int SignatureIsIPOnly | ( | DetectEngineCtx * | de_ctx, |
| const Signature * | s | ||
| ) |
Test is a initialized signature is IP only.
- Parameters
-
de_ctx detection engine ctx s the signature
- Return values
-
1 sig is ip only 2 sig is like ip only 0 sig is not ip only
Definition at line 209 of file detect-engine-build.c.
References Signature_::alproto, ALPROTO_UNKNOWN, DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, SIG_FLAG_APPLAYER, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, and SignatureInitData_::smlists.
◆ SigRegisterTests()
| void SigRegisterTests | ( | void | ) |
Definition at line 4961 of file detect.c.
References IPOnlyRegisterTests(), SigParseRegisterTests(), and UtRegisterTest().
Variable Documentation
◆ sigmatch_table
| SigTableElmt* sigmatch_table |
Definition at line 127 of file detect-parse.c.
Referenced by DetectAckRegister(), DetectAppLayerEventRegister(), DetectAppLayerMpmRegisterByParentId(), DetectAppLayerProtocolRegister(), DetectAsn1Register(), DetectBase64DataRegister(), DetectBase64DecodeRegister(), DetectBsizeRegister(), DetectBypassRegister(), DetectByteExtractRegister(), DetectBytejumpRegister(), DetectBytemathRegister(), DetectBytetestRegister(), DetectClasstypeRegister(), DetectConfigRegister(), DetectContentRegister(), DetectCsumRegister(), DetectDatarepRegister(), DetectDatasetRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDepthRegister(), DetectDetectionFilterRegister(), DetectDistanceRegister(), DetectDnsAnswerNameRegister(), DetectDnsOpcodeRegister(), DetectDnsQueryNameRegister(), DetectDnsQueryRegister(), DetectDnsRcodeRegister(), DetectDnsRrtypeRegister(), DetectDsizeRegister(), DetectEngineAppInspectionEngineSignatureFree(), DetectEngineBufferTypeValidateTransform(), DetectEngineContentModifierBufferSetup(), DetectEngineEventRegister(), DetectEngineInspectGenericList(), DetectFastPatternRegister(), DetectFiledataRegister(), DetectFilemagicRegister(), DetectFileMd5Register(), DetectFilenameRegister(), DetectFileSha1Register(), DetectFileSha256Register(), DetectFilesizeRegister(), DetectFilestoreRegister(), DetectFlagsRegister(), DetectFlowAgeRegister(), DetectFlowbitsRegister(), DetectFlowBytesToClientRegister(), DetectFlowBytesToServerRegister(), DetectFlowintRegister(), DetectFlowPktsToClientRegister(), DetectFlowPktsToServerRegister(), DetectFlowRegister(), DetectFlowvarRegister(), DetectFragBitsRegister(), DetectFragOffsetRegister(), DetectFrameRegister(), DetectFtpbounceRegister(), DetectFtpdataRegister(), DetectGeoipRegister(), DetectGidRegister(), DetectHelperKeywordRegister(), DetectHelperTransformRegister(), DetectHostbitsRegister(), DetectHttp2Register(), DetectHttpClientBodyRegister(), DetectHttpCookieRegister(), DetectHttpHeaderNamesRegister(), DetectHttpHeaderRegister(), DetectHttpHHRegister(), DetectHttpMethodRegister(), DetectHttpProtocolRegister(), DetectHttpRawHeaderRegister(), DetectHttpRequestHeaderRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseHeaderRegister(), DetectHttpResponseLineRegister(), DetectHttpServerBodyRegister(), DetectHttpStartRegister(), DetectHttpStatCodeRegister(), DetectHttpStatMsgRegister(), DetectHttpUARegister(), DetectHttpUriRegister(), DetectIcmpIdRegister(), DetectIcmpSeqRegister(), DetectIcmpv4HdrRegister(), DetectICMPv6hdrRegister(), DetectICMPv6mtuRegister(), DetectICodeRegister(), DetectIdRegister(), DetectIkeChosenSaRegister(), DetectIkeExchTypeRegister(), DetectIkeKeyExchangePayloadLengthRegister(), DetectIkeKeyExchangeRegister(), DetectIkeNoncePayloadLengthRegister(), DetectIkeNonceRegister(), DetectIkeSpiRegister(), DetectIkeVendorRegister(), DetectIPAddrBufferRegister(), DetectIpOptsRegister(), DetectIPProtoRegister(), DetectIPRepRegister(), DetectIpv4hdrRegister(), DetectIpv6hdrRegister(), DetectIsdataatRegister(), DetectITypeRegister(), DetectJa4HashRegister(), DetectKrb5CNameRegister(), DetectKrb5ErrCodeRegister(), DetectKrb5MsgTypeRegister(), DetectKrb5SNameRegister(), DetectKrb5TicketEncryptionRegister(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectMarkRegister(), DetectMetadataRegister(), DetectModbusRegister(), DetectMsgRegister(), DetectNfsProcedureRegister(), DetectNfsVersionRegister(), DetectNoalertRegister(), DetectNocaseRegister(), DetectOffsetRegister(), DetectPcreRegister(), DetectPktDataRegister(), DetectPktvarRegister(), DetectPrefilterRegister(), DetectPriorityRegister(), DetectQuicCyuHashRegister(), DetectQuicCyuStringRegister(), DetectQuicSniRegister(), DetectQuicUaRegister(), DetectQuicVersionRegister(), DetectRawbytesRegister(), DetectReferenceRegister(), DetectReplaceRegister(), DetectRequiresRegister(), DetectRevRegister(), DetectRpcRegister(), DetectSameipRegister(), DetectSeqRegister(), DetectSidRegister(), DetectSipMethodRegister(), DetectSipUriRegister(), DetectSmbNamedPipeRegister(), DetectSmbNtlmsspDomainRegister(), DetectSmbNtlmsspUserRegister(), DetectSmbShareRegister(), DetectSmbVersionRegister(), DetectSshHasshRegister(), DetectSshHasshServerRegister(), DetectSshHasshServerStringRegister(), DetectSshHasshStringRegister(), DetectSshProtocolRegister(), DetectSshSoftwareRegister(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslStateRegister(), DetectSslVersionRegister(), DetectStreamSizeRegister(), DetectTagRegister(), DetectTargetRegister(), DetectTcphdrRegister(), DetectTcpmssRegister(), DetectTemplate2Register(), DetectTemplateRegister(), DetectThresholdRegister(), DetectTlsAlpnRegister(), DetectTlsCertChainLenRegister(), DetectTlsCertsRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3SHashRegister(), DetectTlsJa3SStringRegister(), DetectTlsJa3StringRegister(), DetectTlsRandomBytesRegister(), DetectTlsRandomRegister(), DetectTlsRandomTimeRegister(), DetectTlsRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), DetectTlsSubjectAltNameRegister(), DetectTlsSubjectRegister(), DetectTlsValidityRegister(), DetectTlsVersionRegister(), DetectTosRegister(), DetectTransformFromBase64DecodeRegister(), DetectTransformPcrexformRegister(), DetectTtlRegister(), DetectUdphdrRegister(), DetectUricontentRegister(), DetectUrilenRegister(), DetectWindowRegister(), DetectWithinRegister(), DetectXbitsRegister(), EngineAnalysisFP(), EngineAnalysisRules2(), InspectionBufferApplyTransforms(), PrefilterSetupRuleGroup(), SigFree(), SigMatchFree(), SigMatchStrictEnabled(), SigTableApplyStrictCommandLineOption(), SigTableCleanup(), SigTableInit(), SigTableList(), and SigTableRegisterTests().
◆ signature_properties
| const struct SignatureProperties signature_properties[SIG_TYPE_MAX] |
Definition at line 110 of file detect-engine.c.
