Files
file	detect-engine-state.c
	State based signature handling.

file	detect-engine-state.h
	Data structures and function prototypes for keeping state for the detection engine.

Macros
#define	CASE_CODE(E) case E: return #E

#define	MAX_STORED_TXID_OFFSET 127

Functions
DetectEngineState *	DetectEngineStateAlloc (void)
	Alloc a DetectEngineState object. More...

void	DetectEngineStateFree (DetectEngineState *state)
	Frees a DetectEngineState object. More...

int	DeStateFlowHasInspectableState (const Flow *f, const uint8_t flags)
	Check if we need to inspect this state. More...

int	DeStateDetectStartDetection (ThreadVars tv, DetectEngineCtx de_ctx, DetectEngineThreadCtx det_ctx, const Signature s, Packet p, Flow f, uint8_t flags, AppProto alproto)
	Match app layer sig list against app state and store relevant match information. More...

void	DeStateDetectContinueDetection (ThreadVars tv, DetectEngineCtx de_ctx, DetectEngineThreadCtx det_ctx, Packet p, Flow *f, uint8_t flags, AppProto alproto)
	Continue DeState detection of the signatures stored in the state. More...

void	DeStateUpdateInspectTransactionId (Flow *f, const uint8_t flags)
	update flow's inspection id's More...

void	DetectEngineStateResetTxs (Flow *f)
	Reset de state for active tx' To be used on detect engine reload. More...

void	DeStateRegisterTests (void)

Detailed Description

It is possible to do matching on reconstructed applicative flow. This is done by this code. It uses the Flow structure to store the list of signatures to match on the reconstructed stream.

The Flow::de_state is a DetectEngineState structure. This is basically a containter for storage item of type DeStateStore. They contains an array of DeStateStoreItem which store the state of match for an individual signature identified by DeStateStoreItem::sid.

The state is constructed by DeStateDetectStartDetection() which also starts the matching. Work is continued by DeStateDetectContinueDetection().

Once a transaction has been analysed DeStateRestartDetection() is used to reset the structures.

Macro Definition Documentation

◆ CASE_CODE

#define CASE_CODE ( E ) case E: return #E

convert enum to string

Definition at line 82 of file detect-engine-state.c.

◆ MAX_STORED_TXID_OFFSET

#define MAX_STORED_TXID_OFFSET 127

The DetectEngineThreadCtx::de_state_sig_array contains 2 separate values:

the first bit tells the prefilter engine to bypass the rule (or not)
the other bits allow 'ContinueDetect' to specify an offset again the base tx id. This offset will then be used by 'StartDetect' to not inspect transactions again for the same signature.

The offset in (2) has a max value due to the limited data type. If it is set to max the code will fall back to a slower path that validates that we're not adding duplicate rules to the detection state.

Definition at line 94 of file detect-engine-state.c.

Function Documentation

◆ DeStateDetectContinueDetection()

void DeStateDetectContinueDetection	(	ThreadVars *	tv,
		DetectEngineCtx *	de_ctx,
		DetectEngineThreadCtx *	det_ctx,
		Packet *	p,
		Flow *	f,
		uint8_t	flags,
		AppProto	alproto
	)

Continue DeState detection of the signatures stored in the state.

Parameters

tv	Pointer to the threadvars.
de_ctx	DetectEngineCtx instance.
det_ctx	DetectEngineThreadCtx instance.
f	Pointer to the flow.
flags	Flags.
alproto	App protocol.

Definition at line 727 of file detect-engine-state.c.

References FlowGetAppState(), Packet_::pcap_cnt, SCLogDebug, SigIntId, and STREAM_TOSERVER.

Here is the call graph for this function:

◆ DeStateDetectStartDetection()

int DeStateDetectStartDetection	(	ThreadVars *	tv,
		DetectEngineCtx *	de_ctx,
		DetectEngineThreadCtx *	det_ctx,
		const Signature *	s,
		Packet *	p,
		Flow *	f,
		uint8_t	flags,
		AppProto	alproto
	)

Match app layer sig list against app state and store relevant match information.

Parameters

tv	Pointer to the threadvars.
de_ctx	DetectEngineCtx instance.
det_ctx	DetectEngineThreadCtx instance.
s	Pointer to the signature.
f	Pointer to the flow.
flags	Flags.
alproto	App protocol.

Return values

>=	0 An integer value indicating the no of matches.

Definition at line 356 of file detect-engine-state.c.

References FlowGetAppState(), Signature_::id, Signature_::num, SCLogDebug, and unlikely.

Here is the call graph for this function:

◆ DeStateFlowHasInspectableState()

int DeStateFlowHasInspectableState	(	const Flow *	f,
		const uint8_t	flags
	)

Check if we need to inspect this state.

Check if a flow already contains(newly updated as well) de state.

State needs to be inspected if:

state has been updated
we already have de_state in progress

Return values

0	no inspectable state
1	inspectable state

Definition at line 285 of file detect-engine-state.c.

◆ DeStateRegisterTests()

void DeStateRegisterTests ( void )

Definition at line 1931 of file detect-engine-state.c.

References UtRegisterTest().

Here is the call graph for this function:

◆ DeStateUpdateInspectTransactionId()

void DeStateUpdateInspectTransactionId	(	Flow *	f,
		const uint8_t	flags
	)

update flow's inspection id's

Update the inspect id.

Parameters

f	unlocked flow
flags	direction and disruption flags

Note: it is possible that f->alstate, f->alparser are NULL

Definition at line 828 of file detect-engine-state.c.

References Flow_::alparser, Flow_::alstate, and AppLayerParserSetTransactionInspectId().

Here is the call graph for this function:

◆ DetectEngineStateAlloc()

DetectEngineState* DetectEngineStateAlloc ( void )

Alloc a DetectEngineState object.

Return values

Alloc'd instance of DetectEngineState.

Definition at line 212 of file detect-engine-state.c.

References SCMalloc, and unlikely.

◆ DetectEngineStateFree()

void DetectEngineStateFree ( DetectEngineState * state )

Frees a DetectEngineState object.

Parameters

state DetectEngineState instance to free.

Definition at line 222 of file detect-engine-state.c.

References DetectEngineState_::dir_state, DetectEngineStateDirection_::head, DeStateStore_::next, and SCFree.

◆ DetectEngineStateResetTxs()

void DetectEngineStateResetTxs ( Flow * f )

Reset de state for active tx' To be used on detect engine reload.

Parameters

f	write LOCKED flow

Definition at line 841 of file detect-engine-state.c.

References FlowGetAppState().

Referenced by SigMatchSignatures().

Here is the call graph for this function:

Here is the caller graph for this function:

Files

Macros

Functions

Detailed Description

Macro Definition Documentation

◆ CASE_CODE

◆ MAX_STORED_TXID_OFFSET

Function Documentation

◆ DeStateDetectContinueDetection()

◆ DeStateDetectStartDetection()

◆ DeStateFlowHasInspectableState()

◆ DeStateRegisterTests()

◆ DeStateUpdateInspectTransactionId()

◆ DetectEngineStateAlloc()

◆ DetectEngineStateFree()

◆ DetectEngineStateResetTxs()