suricata
State support

Files

file  detect-engine-state.c
 State based signature handling.
 
file  detect-engine-state.h
 Data structures and function prototypes for keeping state for the detection engine.
 

Macros

#define CASE_CODE(E)   case E: return #E
 

Functions

DetectEngineState * DetectEngineStateAlloc (void)
 Alloc a DetectEngineState object.
 
void DetectEngineStateFree (DetectEngineState *state)
 Frees a DetectEngineState object.
 
void DetectRunStoreStateTx (const SigGroupHead *sgh, Flow *f, void *tx, uint64_t tx_id, const Signature *s, uint32_t inspect_flags, uint8_t flow_flags, const uint16_t file_no_match)
 
void DeStateUpdateInspectTransactionId (Flow *f, const uint8_t flags, const bool tag_txs_as_inspected)
 Update the flow's inspection ids.
 
void DetectEngineStateResetTxs (Flow *f)
 Reset the detect engine state for active transactions. To be used on detect engine reload.
 
void DeStateRegisterTests (void)
 

Detailed Description

State is stored in the DetectEngineState structure. This is basically a container for storage items of type DeStateStore. These contain an array of DeStateStoreItem entries, each of which stores the match state for an individual signature identified by DeStateStoreItem::sid.

Macro Definition Documentation

#define CASE_CODE(E)   case E: return #E

convert enum to string

Definition at line 71 of file detect-engine-state.c.

Function Documentation

void DeStateRegisterTests (void)

Definition at line 1369 of file detect-engine-state.c.

References UtRegisterTest().

void DeStateUpdateInspectTransactionId (Flow * f, const uint8_t flags, const bool tag_txs_as_inspected)

Update the flow's inspection ids.

Update the inspect id.

Parameters
 f: unlocked flow
 flags: direction and disruption flags
 tag_txs_as_inspected: if true all 'complete' txs will be marked 'inspected'
Note
 it is possible that f->alstate, f->alparser are NULL

Definition at line 254 of file detect-engine-state.c.

References Flow_::alparser, Flow_::alstate, and AppLayerParserSetTransactionInspectId().

Referenced by DetectSignatureApplyActions(), and SigMatchSignaturesGetSgh().

DetectEngineState * DetectEngineStateAlloc (void)

Alloc a DetectEngineState object.

Return values
 Alloc'd: instance of DetectEngineState.

Definition at line 167 of file detect-engine-state.c.

References SCMalloc, and unlikely.

Referenced by DetectEngineStateResetTxs(), and DetectRunStoreStateTx().

void DetectEngineStateFree (DetectEngineState * state)

Frees a DetectEngineState object.

Parameters
 state: DetectEngineState instance to free.

Definition at line 177 of file detect-engine-state.c.

References DetectEngineState_::dir_state, FileDisableStoringForTransaction(), DetectEngineStateDirection_::filestore_cnt, SigGroupHead_::filestore_cnt, DetectEngineStateDirection_::head, DeStateStore_::next, SCFree, SCLogDebug, STREAM_TOCLIENT, STREAM_TOSERVER, and tx_id.

Referenced by DCERPCCleanup(), DetectEngineStateResetTxs(), DetectRunStoreStateTx(), DNSSetEvent(), isAndX(), main(), SMTPStateAlloc(), and SSLVersionToString().

void DetectEngineStateResetTxs (Flow * f)

Reset the detect engine state for active transactions. To be used on detect engine reload.

Parameters
 f: write LOCKED flow

Definition at line 269 of file detect-engine-state.c.

References Flow_::alparser, Flow_::alproto, ALPROTO_HTTP, Flow_::alstate, AppLayerParserGetFiles(), AppLayerParserGetTransactionInspectId(), AppLayerParserGetTx(), AppLayerParserGetTxCnt(), AppLayerParserGetTxDetectState(), AppLayerParserParse(), AppLayerParserThreadCtxAlloc(), AppLayerParserThreadCtxFree(), BIT_U32, DetectEngineStateDirection_::cnt, DE_QUIET, DE_STATE_FLAG_BASE, DetectEngineAppendSig(), DetectEngineCtxFree(), DetectEngineCtxInit(), DetectEngineStateAlloc(), DetectEngineStateFree(), DetectEngineThreadCtxDeinit(), DetectEngineThreadCtxInit(), DetectEngineState_::dir_state, FAIL_IF, FAIL_IF_NOT, FAIL_IF_NULL, FILE_NOSTORE, FILE_STORE, HtpState_::files_ts, DetectEngineStateDirection_::filestore_cnt, File_::flags, DeStateStoreItem_::flags, DetectEngineStateDirection_::flags, Flow_::flags, Packet_::flags, DetectEngineCtx_::flags, Packet_::flow, FLOW_DESTROY, FLOW_INITIALIZE, FLOW_IPV4, FLOW_PKT_ESTABLISHED, FLOW_PKT_TOSERVER, Packet_::flowflags, FlowGetAppState(), DetectEngineStateDirection_::head, FileContainer_::head, MIN, DeStateStore_::next, Signature_::num, PacketAlertCheck(), PASS, PKT_HAS_FLOW, PKT_STREAM_EST, Flow_::proto, Flow_::protoctx, SCLogDebug, DeStateStoreItem_::sid, DetectEngineCtx_::sig_list, SigGroupBuild(), SigInit(), SigMatchSignatures(), DeStateStore_::store, STREAM_EOF, STREAM_START, STREAM_TOCLIENT, STREAM_TOSERVER, StreamTcpFreeConfig(), StreamTcpInitConfig(), TRUE, UTHBuildFlow(), UTHBuildPacket(), UTHFreeFlow(), and UTHFreePacket().

Referenced by SigMatchSignaturesGetSgh().

void DetectRunStoreStateTx (const SigGroupHead * sgh, Flow * f, void * tx, uint64_t tx_id, const Signature * s, uint32_t inspect_flags, uint8_t flow_flags, const uint16_t file_no_match)