Files
file	detect-engine-state.c
	State based signature handling.

file	detect-engine-state.h
	Data structures and function prototypes for keeping state for the detection engine.

Macros
#define	CASE_CODE(E) case E: return #E

Functions
DetectEngineState *	DetectEngineStateAlloc (void)
	Alloc a DetectEngineState object. More...

void	DetectEngineStateFree (DetectEngineState *state)
	Frees a DetectEngineState object. More...

void	DetectRunStoreStateTx (const SigGroupHead sgh, Flow f, void tx, uint64_t tx_id, const Signature s, uint32_t inspect_flags, uint8_t flow_flags, const uint16_t file_no_match)

void	DeStateUpdateInspectTransactionId (Flow *f, const uint8_t flags, const bool tag_txs_as_inspected)
	update flow's inspection id's More...

void	DetectEngineStateResetTxs (Flow *f)
	Reset de state for active tx' To be used on detect engine reload. More...

void	DeStateRegisterTests (void)

Detailed Description

State is stored in the DetectEngineState structure. This is basically a containter for storage item of type DeStateStore. They contains an array of DeStateStoreItem which store the state of match for an individual signature identified by DeStateStoreItem::sid.

Macro Definition Documentation

#define CASE_CODE ( E ) case E: return #E

convert enum to string

Definition at line 71 of file detect-engine-state.c.

Function Documentation

void DeStateRegisterTests ( void )

Definition at line 1369 of file detect-engine-state.c.

References UtRegisterTest().

Here is the call graph for this function:

void DeStateUpdateInspectTransactionId	(	Flow *	f,
		const uint8_t	flags,
		const bool	tag_txs_as_inspected
	)

update flow's inspection id's

Update the inspect id.

Parameters

f	unlocked flow
flags	direction and disruption flags
tag_txs_as_inspected	if true all 'complete' txs will be marked 'inspected'

Note: it is possible that f->alstate, f->alparser are NULL

Definition at line 254 of file detect-engine-state.c.

References Flow_::alparser, Flow_::alstate, and AppLayerParserSetTransactionInspectId().

Referenced by DetectSignatureApplyActions(), and SigMatchSignaturesGetSgh().

Here is the call graph for this function:

Here is the caller graph for this function:

DetectEngineState* DetectEngineStateAlloc ( void )

Alloc a DetectEngineState object.

Return values

Alloc'd instance of DetectEngineState.

Definition at line 167 of file detect-engine-state.c.

References SCMalloc, and unlikely.

Referenced by DetectEngineStateResetTxs(), and DetectRunStoreStateTx().

Here is the caller graph for this function:

void DetectEngineStateFree ( DetectEngineState * state )

Frees a DetectEngineState object.

Parameters

state DetectEngineState instance to free.

Definition at line 177 of file detect-engine-state.c.

References DetectEngineState_::dir_state, FileDisableStoringForTransaction(), DetectEngineStateDirection_::filestore_cnt, SigGroupHead_::filestore_cnt, DetectEngineStateDirection_::head, DeStateStore_::next, SCFree, SCLogDebug, STREAM_TOCLIENT, STREAM_TOSERVER, and tx_id.

Referenced by DCERPCCleanup(), DetectEngineStateResetTxs(), DetectRunStoreStateTx(), DNSSetEvent(), isAndX(), main(), SMTPStateAlloc(), and SSLVersionToString().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectEngineStateResetTxs ( Flow * f )

Reset de state for active tx' To be used on detect engine reload.

Parameters

f	write LOCKED flow

Definition at line 269 of file detect-engine-state.c.

References Flow_::alparser, Flow_::alproto, ALPROTO_HTTP, Flow_::alstate, AppLayerParserGetFiles(), AppLayerParserGetTransactionInspectId(), AppLayerParserGetTx(), AppLayerParserGetTxCnt(), AppLayerParserGetTxDetectState(), AppLayerParserParse(), AppLayerParserThreadCtxAlloc(), AppLayerParserThreadCtxFree(), BIT_U32, DetectEngineStateDirection_::cnt, DE_QUIET, DE_STATE_FLAG_BASE, DetectEngineAppendSig(), DetectEngineCtxFree(), DetectEngineCtxInit(), DetectEngineStateAlloc(), DetectEngineStateFree(), DetectEngineThreadCtxDeinit(), DetectEngineThreadCtxInit(), DetectEngineState_::dir_state, FAIL_IF, FAIL_IF_NOT, FAIL_IF_NULL, FILE_NOSTORE, FILE_STORE, HtpState_::files_ts, DetectEngineStateDirection_::filestore_cnt, File_::flags, DeStateStoreItem_::flags, DetectEngineStateDirection_::flags, Flow_::flags, Packet_::flags, DetectEngineCtx_::flags, Packet_::flow, FLOW_DESTROY, FLOW_INITIALIZE, FLOW_IPV4, FLOW_PKT_ESTABLISHED, FLOW_PKT_TOSERVER, Packet_::flowflags, FlowGetAppState(), DetectEngineStateDirection_::head, FileContainer_::head, MIN, DeStateStore_::next, Signature_::num, PacketAlertCheck(), PASS, PKT_HAS_FLOW, PKT_STREAM_EST, Flow_::proto, Flow_::protoctx, SCLogDebug, DeStateStoreItem_::sid, DetectEngineCtx_::sig_list, SigGroupBuild(), SigInit(), SigMatchSignatures(), DeStateStore_::store, STREAM_EOF, STREAM_START, STREAM_TOCLIENT, STREAM_TOSERVER, StreamTcpFreeConfig(), StreamTcpInitConfig(), TRUE, UTHBuildFlow(), UTHBuildPacket(), UTHFreeFlow(), and UTHFreePacket().

Referenced by SigMatchSignaturesGetSgh().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectRunStoreStateTx	(	const SigGroupHead *	sgh,
		Flow *	f,
		void *	tx,
		uint64_t	tx_id,
		const Signature *	s,
		uint32_t	inspect_flags,
		uint8_t	flow_flags,
		const uint16_t	file_no_match
	)

Definition at line 222 of file detect-engine-state.c.

References Flow_::alproto, AppLayerParserGetTxDetectState(), AppLayerParserSetTxDetectState(), DetectEngineStateAlloc(), DetectEngineStateFree(), Flow_::proto, and SCLogDebug.

Here is the call graph for this function:

Files

Macros

Functions

Detailed Description

Macro Definition Documentation

Function Documentation