suricata
State support

Files

file  detect-engine-state.c
 State based signature handling.
 
file  detect-engine-state.h
 Data structures and function prototypes for keeping state for the detection engine.
 

Macros

#define CASE_CODE(E)   case E: return #E
 
#define MAX_STORED_TXID_OFFSET   127
 

Functions

DetectEngineState * DetectEngineStateAlloc (void)
 Alloc a DetectEngineState object.
 
void DetectEngineStateFree (DetectEngineState *state)
 Frees a DetectEngineState object.
 
int DeStateFlowHasInspectableState (const Flow *f, const uint8_t flags)
 Check if we need to inspect this state.
 
int DeStateDetectStartDetection (ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, Flow *f, uint8_t flags, AppProto alproto)
 Match the app layer signature list against the app state and store the relevant match information.
 
void DeStateDetectContinueDetection (ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p, Flow *f, uint8_t flags, AppProto alproto)
 Continue DeState detection of the signatures stored in the state.
 
void DeStateUpdateInspectTransactionId (Flow *f, const uint8_t flags)
 Update the flow's inspection ids.
 
void DetectEngineStateResetTxs (Flow *f)
 Reset the de_state for active txs. To be used on detect engine reload.
 
void DeStateRegisterTests (void)
 

Detailed Description

It is possible to match on a reconstructed application-layer flow. This is done by this code. It uses the Flow structure to store the list of signatures to match on the reconstructed stream.

The Flow::de_state is a DetectEngineState structure. This is basically a container for storage items of type DeStateStore. Each DeStateStore holds an array of DeStateStoreItem, each of which stores the match state for an individual signature identified by DeStateStoreItem::sid.

The state is constructed by DeStateDetectStartDetection(), which also starts the matching. Work is continued by DeStateDetectContinueDetection().

Once a transaction has been analysed, DeStateRestartDetection() is used to reset the structures.

Macro Definition Documentation

◆ CASE_CODE

#define CASE_CODE(E)   case E: return #E

Convert an enum value to its name as a string.

Definition at line 82 of file detect-engine-state.c.

◆ MAX_STORED_TXID_OFFSET

#define MAX_STORED_TXID_OFFSET   127

The DetectEngineThreadCtx::de_state_sig_array contains 2 separate values:

  1. the first bit tells the prefilter engine whether to bypass the rule
  2. the other bits allow 'ContinueDetect' to specify an offset against the base tx id. This offset is then used by 'StartDetect' to avoid inspecting transactions again for the same signature.

The offset in (2) has a maximum value because of the limited width of the data type. If it is set to the maximum, the code falls back to a slower path that validates that we are not adding duplicate rules to the detection state.
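As an added illustration (not Suricata's own code), the following toy models the two-value packing described above: one bypass bit plus a saturating tx-id offset in a single uint8_t, with the slow duplicate-check path taken once the offset has hit MAX_STORED_TXID_OFFSET. The bit layout (bit 0 as the bypass flag, bits 1..7 as the offset), the "offset means next tx to inspect" convention and the ToyDeState/SigState* names are all assumptions made for this example; Suricata's real layout and helpers may differ.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout of one per-signature state byte (not Suricata's):
 *   bit 0     : prefilter bypass flag
 *   bits 1..7 : offset against the base tx id, saturating at 127 */
#define MAX_STORED_TXID_OFFSET 127   /* value from the page */
#define SIG_STATE_BYPASS       0x01u

/* ContinueDetect side: record that tx `txid` (>= base_txid) was inspected.
 * The stored offset is "next tx to inspect" relative to base, so 0 means
 * nothing stored.  Offsets that do not fit saturate at the maximum, which
 * StartDetect then treats as "cannot trust the fast compare". */
static uint8_t SigStateStore(uint64_t base_txid, uint64_t txid, bool bypass)
{
    uint64_t off = txid - base_txid + 1;
    if (off > MAX_STORED_TXID_OFFSET)
        off = MAX_STORED_TXID_OFFSET;
    uint8_t v = (uint8_t)(off << 1);
    if (bypass)
        v |= SIG_STATE_BYPASS;
    return v;
}

static inline bool SigStateBypass(uint8_t v) { return (v & SIG_STATE_BYPASS) != 0; }
static inline uint8_t SigStateOffset(uint8_t v) { return (uint8_t)(v >> 1); }

/* Toy detection state: (sid, txid) pairs already added.  Constructed for
 * this example; it stands in for the DeStateStore list on the real flow. */
#define STORE_MAX 16
typedef struct { uint32_t sid; uint64_t txid; } StoreItem;
typedef struct { StoreItem items[STORE_MAX]; int n; } ToyDeState;

static bool StoreHas(const ToyDeState *st, uint32_t sid, uint64_t txid)
{
    for (int i = 0; i < st->n; i++)
        if (st->items[i].sid == sid && st->items[i].txid == txid)
            return true;
    return false;
}

/* StartDetect side: return 1 if `sid` must be inspected for `txid` (and
 * record it), 0 if it is skipped.  `*slow_path` reports whether the
 * duplicate scan had to be used because the offset had saturated. */
static int SigStateShouldInspect(ToyDeState *st, uint8_t v, uint32_t sid,
                                 uint64_t base_txid, uint64_t txid, bool *slow_path)
{
    *slow_path = false;
    if (SigStateBypass(v))
        return 0;                       /* prefilter says: skip this rule */

    uint8_t off = SigStateOffset(v);
    if (off < MAX_STORED_TXID_OFFSET) {
        /* fast path: everything below base+off was already inspected */
        if (txid < base_txid + off)
            return 0;
    } else {
        /* saturated: fall back to scanning the stored items for a duplicate */
        *slow_path = true;
        if (StoreHas(st, sid, txid))
            return 0;
    }
    if (st->n < STORE_MAX) {
        st->items[st->n].sid = sid;
        st->items[st->n].txid = txid;
        st->n++;
    }
    return 1;
}

int main(void)
{
    ToyDeState st = {0};
    bool slow;
    uint8_t v = SigStateStore(100, 105, false);          /* offset 6 */
    printf("tx 105 again: inspect=%d\n",
           SigStateShouldInspect(&st, v, 1, 100, 105, &slow));
    uint8_t sat = SigStateStore(100, 300, false);        /* saturates */
    printf("tx 300 (saturated): inspect=%d slow=%d\n",
           SigStateShouldInspect(&st, sat, 1, 100, 300, &slow), slow);
    printf("tx 300 repeated: inspect=%d slow=%d\n",
           SigStateShouldInspect(&st, sat, 1, 100, 300, &slow), slow);
    return 0;
}
```

The point to take from the toy is the trade-off the macro encodes: a 7-bit offset keeps the per-signature check to a compare against a counter, and correctness for flows with very many transactions is preserved only because the saturated value forces the duplicate scan instead of silently wrapping.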

Definition at line 94 of file detect-engine-state.c.

Function Documentation

◆ DeStateDetectContinueDetection()

void DeStateDetectContinueDetection ( ThreadVars *tv,
DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
Packet *p,
Flow *f,
uint8_t flags,
AppProto alproto
)

Continue DeState detection of the signatures stored in the state.

Parameters
tv       Pointer to the threadvars.
de_ctx   DetectEngineCtx instance.
det_ctx  DetectEngineThreadCtx instance.
f        Pointer to the flow.
flags    Flags.
alproto  App protocol.

Definition at line 727 of file detect-engine-state.c.

References FlowGetAppState(), Packet_::pcap_cnt, SCLogDebug, SigIntId, and STREAM_TOSERVER.


◆ DeStateDetectStartDetection()

int DeStateDetectStartDetection ( ThreadVars *tv,
DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
const Signature *s,
Packet *p,
Flow *f,
uint8_t flags,
AppProto alproto
)

Match the app layer signature list against the app state and store the relevant match information.

Parameters
tv       Pointer to the threadvars.
de_ctx   DetectEngineCtx instance.
det_ctx  DetectEngineThreadCtx instance.
s        Pointer to the signature.
f        Pointer to the flow.
flags    Flags.
alproto  App protocol.
Return values
>=0  An integer value indicating the number of matches.

Definition at line 356 of file detect-engine-state.c.

References FlowGetAppState(), Signature_::id, Signature_::num, SCLogDebug, and unlikely.


◆ DeStateFlowHasInspectableState()

int DeStateFlowHasInspectableState ( const Flow *f,
const uint8_t flags
)

Check if we need to inspect this state.

Check if a flow already contains (newly updated as well) de_state.

State needs to be inspected if:

  1. the state has been updated
  2. we already have de_state in progress
Return values
0  no inspectable state
1  inspectable state

Definition at line 285 of file detect-engine-state.c.

◆ DeStateRegisterTests()

void DeStateRegisterTests ( void )

Definition at line 1931 of file detect-engine-state.c.

References UtRegisterTest().


◆ DeStateUpdateInspectTransactionId()

void DeStateUpdateInspectTransactionId ( Flow *f,
const uint8_t flags
)

Update the flow's inspection ids.

Update the inspect id.

Parameters
f      unlocked flow
flags  direction and disruption flags
Note
it is possible that f->alstate and f->alparser are NULL

Definition at line 828 of file detect-engine-state.c.

References Flow_::alparser, Flow_::alstate, and AppLayerParserSetTransactionInspectId().


◆ DetectEngineStateAlloc()

DetectEngineState * DetectEngineStateAlloc ( void )

Alloc a DetectEngineState object.

Return values
Alloc'd  instance of DetectEngineState.

Definition at line 212 of file detect-engine-state.c.

References SCMalloc, and unlikely.

◆ DetectEngineStateFree()

void DetectEngineStateFree ( DetectEngineState *state )

Frees a DetectEngineState object.

Parameters
state  DetectEngineState instance to free.

Definition at line 222 of file detect-engine-state.c.

References DetectEngineState_::dir_state, DetectEngineStateDirection_::head, DeStateStore_::next, and SCFree.

◆ DetectEngineStateResetTxs()

void DetectEngineStateResetTxs ( Flow *f )

Reset the de_state for active txs. To be used on detect engine reload.

Parameters
f  write-LOCKED flow

Definition at line 841 of file detect-engine-state.c.

References FlowGetAppState().

Referenced by SigMatchSignatures().
