|
suricata
|
|
suricata
|
Flow data structure. More...
#include <flow.h>
Public Member Functions | |
| SC_ATOMIC_DECLARE (FlowStateType, flow_state) | |
| SC_ATOMIC_DECLARE (FlowRefCount, use_cnt) | |
Flow data structure.
The flow is a global data structure that is created for new packets of a flow and then looked up for the following packets of a flow.
Locking
The flow is updated/used by multiple packets at the same time. This is why there is a flow-mutex. It's a mutex and not a spinlock because some operations on the flow can be quite expensive, thus spinning would be too expensive.
The flow "header" (addresses, ports, proto, recursion level) are static after the initialization and remain read-only throughout the entire live of a flow. This is why we can access those without protection of the lock.
| Flow_::SC_ATOMIC_DECLARE | ( | FlowStateType | , |
| flow_state | |||
| ) |
| Flow_::SC_ATOMIC_DECLARE | ( | FlowRefCount | , |
| use_cnt | |||
| ) |
how many pkts and stream msgs are using the flow right now. This variable is atomic so not protected by the Flow mutex "m".
On receiving a packet the counter is incremented while the flow bucked is locked, which is also the case on timeout pruning.
| union { ... } |
| union { ... } |
| AppLayerParserState* Flow_::alparser |
application level storage ptrs.parser internal state
Definition at line 437 of file flow.h.
Referenced by AppLayerDecoderEventsSetEvent(), AppLayerParserParse(), AppLayerParserTransactionsCleanup(), AppLayerProtoDetectReset(), DeStateUpdateInspectTransactionId(), DetectEngineStateResetTxs(), DetectLuaRegister(), FlowCleanupAppLayer(), FlowForceReassemblyNeedReassembly(), HtpConfigRestoreBackup(), HttpHeaderGetBufferSpaceForTXID(), OutputRegisterTxLogger(), RegisterSMBParsers(), RegisterSSHParsers(), and SigMatchSignaturesGetSgh().
| AppProto Flow_::alproto |
application level protocol
Definition at line 409 of file flow.h.
Referenced by AppLayerHandleTCPData(), AppLayerHandleUdp(), AppLayerIncTxCounter(), AppLayerParserGetStreamDepth(), AppLayerParserGetTransactionActive(), AppLayerParserGetTxCnt(), AppLayerParserGetTxLogged(), AppLayerParserParse(), AppLayerParserRestoreParserTable(), AppLayerParserSetTransactionInspectId(), AppLayerParserSetTxDetectState(), AppLayerParserStateCleanup(), AppLayerParserStreamTruncated(), AppLayerParserTransactionsCleanup(), AppLayerProtoDetectReset(), DetectAppLayerEventRegister(), DetectBypassRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectBufferGeneric(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineStateResetTxs(), DetectFileInspectGeneric(), DetectFilemagicRegister(), DetectFilenameRegister(), DetectFilestoreRegister(), DetectFtpbounceRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectLuaRegister(), DetectPcrePayloadMatch(), DetectRunStoreStateTx(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectTemplateRustBufferRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), FileDisableFilesize(), FileDisableMagic(), FileDisableMd5(), FileDisableSha1(), FileDisableSha256(), FileDisableStoring(), FileDisableStoringForTransaction(), FlowForceReassemblyNeedReassembly(), FlowGetAppProtocol(), FTPAtExitPrintStats(), HtpConfigRestoreBackup(), HTPFileClose(), JsonBuildFileInfoRecord(), OutputRegisterFiledataLogger(), OutputRegisterFileLogger(), OutputRegisterTxLogger(), RegisterDCERPCParsers(), RegisterDCERPCUDPParsers(), RegisterDNP3Parsers(), RegisterENIPTCPParsers(), RegisterModbusParsers(), RegisterSMBParsers(), RegisterSSHParsers(), RegisterSSLParsers(), SCSigSignatureOrderingModuleCleanup(), SMTPParserCleanup(), and StreamTcpPacket().
| AppProto Flow_::alproto_expect |
expected app protocol: used in protocol change/upgrade like in STARTTLS.
Definition at line 418 of file flow.h.
Referenced by AppLayerHandleTCPData(), and AppLayerRequestProtocolChange().
| AppProto Flow_::alproto_orig |
original application level protocol. Used to indicate the previous protocol when changing to another protocol , e.g. with STARTTLS.
Definition at line 415 of file flow.h.
Referenced by AppLayerHandleTCPData().
| AppProto Flow_::alproto_tc |
Definition at line 411 of file flow.h.
Referenced by AppLayerExpectationHandle(), AppLayerHandleTCPData(), AppLayerIncTxCounter(), AppLayerProtoDetectReset(), and FlowSwap().
| AppProto Flow_::alproto_ts |
Definition at line 410 of file flow.h.
Referenced by AppLayerExpectationHandle(), AppLayerHandleTCPData(), AppLayerIncTxCounter(), AppLayerProtoDetectReset(), and FlowSwap().
| void* Flow_::alstate |
application layer state
Definition at line 438 of file flow.h.
Referenced by AppLayerParserParse(), AppLayerParserTransactionsCleanup(), AppLayerProtoDetectReset(), DeStateUpdateInspectTransactionId(), DetectBypassRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineStateResetTxs(), DetectFilemagicRegister(), DetectFilenameRegister(), DetectFilestoreRegister(), DetectFtpbounceRegister(), DetectHttpClientBodyRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectLuaRegister(), DetectPcrePayloadMatch(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectTemplateRustBufferRegister(), DetectTlsCertsRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3SHashRegister(), DetectTlsJa3SStringRegister(), DetectTlsJa3StringRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), DetectTlsSubjectRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), FileDisableFilesize(), FileDisableMagic(), FileDisableMd5(), FileDisableSha1(), FileDisableSha256(), FileDisableStoring(), FileDisableStoringForTransaction(), FlowCleanupAppLayer(), FlowForceReassemblyNeedReassembly(), FlowGetAppState(), FTPAtExitPrintStats(), HtpConfigRestoreBackup(), HTPFileClose(), OutputRegisterFiledataLogger(), OutputRegisterFileLogger(), OutputRegisterTxLogger(), RegisterDCERPCParsers(), RegisterDCERPCUDPParsers(), RegisterDNP3Parsers(), RegisterENIPTCPParsers(), RegisterModbusParsers(), RegisterSSHParsers(), RegisterSSLParsers(), SigMatchSignaturesGetSgh(), SMTPParserCleanup(), and SMTPProcessDataChunk().
| uint32_t Flow_::de_ctx_version |
detection engine ctx version used to inspect this flow. Set at initial inspection. If it doesn't match the currently in use de_ctx, the stored sgh ptrs are reset.
Definition at line 423 of file flow.h.
Referenced by SigMatchSignaturesGetSgh().
| Port Flow_::dp |
tcp/udp destination port
Definition at line 338 of file flow.h.
Referenced by AppLayerExpectationHandle(), AppLayerParserStreamTruncated(), FlowGetFromFlowKey(), FlowInit(), OutputJsonRegister(), and StreamTcpPseudoPacketCreateStreamEndPacket().
| FlowAddress Flow_::dst |
Definition at line 329 of file flow.h.
Referenced by AppLayerExpectationSetup(), AppLayerParserStreamTruncated(), FlowGetFromFlowKey(), FlowInit(), HtpConfigRestoreBackup(), OutputJsonRegister(), StreamTcpPseudoPacketCreateStreamEndPacket(), and TagTimeoutCheck().
| struct FlowBucket_* Flow_::fb |
Definition at line 453 of file flow.h.
Referenced by FlowDisableFlowManagerThread(), FlowGetExistingFlowFromHash(), FlowGetFlowFromHash(), FlowGetFromFlowKey(), FlowSetupPacket(), FlowUpdateState(), and TmModuleFlowRecyclerRegister().
| uint16_t Flow_::file_flags |
file tracking/extraction flags
Definition at line 381 of file flow.h.
Referenced by FileDisableFilesize(), FileDisableMagic(), FileDisableMd5(), FileDisableSha1(), FileDisableSha256(), FileDisableStoring(), FileFlowToFlags(), FlowChangeProto(), HTPFileOpen(), and SMTPParserCleanup().
| uint32_t Flow_::flags |
generic flags
Definition at line 379 of file flow.h.
Referenced by AppLayerIncTxCounter(), AppLayerParserParse(), AppLayerParserStreamTruncated(), DetectBypassRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineStateResetTxs(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectLuaRegister(), DetectPcrePayloadMatch(), DetectSignatureApplyActions(), DetectTemplateRustBufferRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), FlowChangeProto(), FlowDisableFlowManagerThread(), FlowForceReassemblyForFlow(), FlowGetFromFlowKey(), FlowGetPacketDirection(), FlowHandlePacketUpdate(), FlowHasAlerts(), FlowInit(), FlowSetChangeProtoFlag(), FlowSetHasAlertsFlag(), FlowSetIPOnlyFlag(), FlowSetupPacket(), FlowSwap(), FlowUnsetChangeProtoFlag(), OutputJsonRegister(), PacketAlertFinalize(), RegisterModbusParsers(), RegisterSSLParsers(), SCSigSignatureOrderingModuleCleanup(), SigMatchSignaturesGetSgh(), SMTPParserCleanup(), StreamTcpPacket(), StreamTcpPseudoPacketCreateStreamEndPacket(), TagTimeoutCheck(), and TmModuleFlowRecyclerRegister().
| uint8_t Flow_::flow_end_flags |
Definition at line 406 of file flow.h.
Referenced by FlowDisableFlowManagerThread(), and FlowGetExistingFlowFromHash().
| uint32_t Flow_::flow_hash |
flow hash - the flow hash before hash table size mod.
Definition at line 353 of file flow.h.
Referenced by FlowGetFlowFromHash(), FlowGetFromFlowKey(), and FlowSetupPacket().
| GenericVar* Flow_::flowvar |
Definition at line 448 of file flow.h.
Referenced by DetectFlowbitsAnalyze(), DetectHostbitFree(), FlowBitFree(), FlowVarAddIdValue(), FlowVarAddIntNoLock(), FlowVarAddKeyValue(), FlowVarGet(), FlowVarGetByKey(), IPOnlyAddSignature(), OutputJsonRegister(), and SigMatchSignaturesGetSgh().
| struct Flow_* Flow_::hnext |
hash list pointers, protected by fb->s
Definition at line 451 of file flow.h.
Referenced by FlowDisableFlowManagerThread(), FlowForceReassemblyForFlow(), FlowGetExistingFlowFromHash(), FlowGetFlowFromHash(), FlowGetFromFlowKey(), FlowSetupPacket(), and FlowShutdown().
| struct Flow_* Flow_::hprev |
Definition at line 452 of file flow.h.
Referenced by FlowDisableFlowManagerThread(), FlowGetExistingFlowFromHash(), FlowGetFlowFromHash(), FlowGetFromFlowKey(), and FlowSetupPacket().
| struct { ... } Flow_::icmp_d |
Referenced by FlowGetReverseProtoMapping(), and OutputJsonRegister().
| struct { ... } Flow_::icmp_s |
Referenced by FlowGetReverseProtoMapping(), FlowInit(), and OutputJsonRegister().
| struct timeval Flow_::lastts |
Definition at line 358 of file flow.h.
Referenced by AppLayerExpectationCreate(), AppLayerExpectationHandle(), DetectTlsValidityRegister(), FlowDisableFlowManagerThread(), FlowGetFromFlowKey(), FlowHandlePacketUpdate(), and TmModuleFlowRecyclerRegister().
| struct LiveDevice_* Flow_::livedev |
Incoming interface
Definition at line 350 of file flow.h.
Referenced by FlowDisableFlowManagerThread(), FlowInit(), and StreamTcpPseudoPacketCreateStreamEndPacket().
| struct Flow_* Flow_::lnext |
queue list pointers, protected by queue mutex
Definition at line 456 of file flow.h.
Referenced by FlowDequeue(), FlowEnqueue(), and FlowMoveToSpare().
| struct Flow_* Flow_::lprev |
Definition at line 457 of file flow.h.
Referenced by FlowDequeue(), FlowEnqueue(), and FlowMoveToSpare().
| SCMutex Flow_::m |
Definition at line 394 of file flow.h.
Referenced by DetectDNP3Register(), and RegisterDNP3Parsers().
| uint8_t Flow_::max_ttl_toclient |
Definition at line 432 of file flow.h.
Referenced by FlowGetPacketDirection(), and FlowSwap().
| uint8_t Flow_::max_ttl_toserver |
Definition at line 430 of file flow.h.
Referenced by FlowGetPacketDirection(), FlowInit(), and FlowSwap().
| uint8_t Flow_::min_ttl_toclient |
Definition at line 431 of file flow.h.
Referenced by FlowGetPacketDirection(), and FlowSwap().
| uint8_t Flow_::min_ttl_toserver |
ttl tracking
Definition at line 429 of file flow.h.
Referenced by FlowGetPacketDirection(), FlowInit(), and FlowSwap().
| int64_t Flow_::parent_id |
Definition at line 389 of file flow.h.
Referenced by OutputJsonRegister().
| uint32_t Flow_::probing_parser_toclient_alproto_masks |
Definition at line 377 of file flow.h.
Referenced by AppLayerProtoDetectReset(), and FlowSwap().
| uint32_t Flow_::probing_parser_toserver_alproto_masks |
Definition at line 376 of file flow.h.
Referenced by AppLayerProtoDetectReset(), and FlowSwap().
| uint8_t Flow_::proto |
Definition at line 344 of file flow.h.
Referenced by AppLayerIncTxCounter(), AppLayerParserParse(), AppLayerParserRestoreParserTable(), AppLayerParserSetTransactionInspectId(), AppLayerParserStreamTruncated(), AppLayerParserTransactionsCleanup(), DetectAppLayerEventRegister(), DetectBypassRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectBufferGeneric(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineStateResetTxs(), DetectFileInspectGeneric(), DetectFilemagicRegister(), DetectFilenameRegister(), DetectFilestoreRegister(), DetectFlowintFree(), DetectFtpbounceRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectLuaRegister(), DetectPcrePayloadMatch(), DetectRunStoreStateTx(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectTemplateRustBufferRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), FileDisableFilesize(), FileDisableMagic(), FileDisableMd5(), FileDisableSha1(), FileDisableSha256(), FileDisableStoring(), FileDisableStoringForTransaction(), FlowCleanupAppLayer(), FlowGetDisruptionFlags(), FlowGetFlowFromHash(), FlowGetFromFlowKey(), FlowHandlePacketUpdate(), FlowInit(), FlowShutdown(), FlowSwap(), FTPAtExitPrintStats(), HtpConfigRestoreBackup(), HTPFileClose(), HttpXFFGetIPFromTx(), OutputJsonRegister(), OutputRegisterTxLogger(), RegisterDCERPCParsers(), RegisterDCERPCUDPParsers(), RegisterDNP3Parsers(), RegisterENIPTCPParsers(), RegisterModbusParsers(), RegisterSMBParsers(), RegisterSSLParsers(), SCSigSignatureOrderingModuleCleanup(), SigMatchSignaturesGetSgh(), SMTPParserCleanup(), StreamTcpAppLayerIsDisabled(), TagTimeoutCheck(), TmModuleFlowRecyclerRegister(), UTHAddStreamToFlow(), and UTHRemoveSessionFromFlow().
| void* Flow_::protoctx |
protocol specific data pointer, e.g. for TcpSession
Definition at line 400 of file flow.h.
Referenced by AppLayerIncTxCounter(), AppLayerParserParse(), AppLayerParserRestoreParserTable(), AppLayerParserStreamTruncated(), AppLayerParserTriggerRawStreamReassembly(), DetectBypassRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectFilestoreRegister(), DetectFtpbounceRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectLuaRegister(), DetectPcrePayloadMatch(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectStreamSizeFree(), DetectStreamSizeRegister(), DetectTemplateRustBufferRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), FlowChangeProto(), FlowClearMemory(), FlowForceReassemblyForFlow(), FlowForceReassemblyNeedReassembly(), FlowGetDisruptionFlags(), FlowGetFlowFromHash(), FTPAtExitPrintStats(), HtpConfigRestoreBackup(), HTPFileClose(), HTPFreeConfig(), RegisterDCERPCParsers(), RegisterDCERPCUDPParsers(), RegisterDNP3Parsers(), RegisterENIPTCPParsers(), RegisterModbusParsers(), RegisterSMBParsers(), RegisterSSHParsers(), RegisterSSLParsers(), SigMatchSignaturesGetSgh(), SMTPParserCleanup(), StreamTcpAppLayerIsDisabled(), StreamTcpDetectLogFlush(), StreamTcpDisableAppLayer(), StreamTcpFreeConfig(), StreamTcpPacket(), StreamTcpPruneSession(), StreamTcpReassembleDepthReached(), StreamTcpSegmentForEach(), StreamTcpSessionPktFree(), TagTimeoutCheck(), TmModuleFlowRecyclerRegister(), UTHAddSessionToFlow(), UTHAddStreamToFlow(), and UTHRemoveSessionFromFlow().
| uint16_t Flow_::protodetect_dp |
destination port to be used in protocol detection. This is meant for use with STARTTLS and HTTP CONNECT detection 0 if not used
Definition at line 386 of file flow.h.
Referenced by AppLayerRequestProtocolChange().
| uint8_t Flow_::protomap |
mapping to Flow's protocol specific protocols for timeouts and state and free functions.
Definition at line 404 of file flow.h.
Referenced by AppLayerIncTxCounter(), AppLayerParserGetStreamDepth(), AppLayerParserGetTransactionActive(), AppLayerParserGetTxCnt(), AppLayerParserGetTxLogged(), AppLayerParserParse(), AppLayerParserRestoreParserTable(), AppLayerParserSetTxDetectState(), AppLayerParserStateCleanup(), AppLayerParserStreamTruncated(), AppLayerParserTransactionsCleanup(), AppLayerProtoDetectUnittestCtxRestore(), DetectDnsQueryRegister(), FlowDisableFlowManagerThread(), FlowGetExistingFlowFromHash(), FlowGetFromFlowKey(), FlowInit(), and RegisterDCERPCUDPParsers().
| uint8_t Flow_::recursion_level |
Definition at line 345 of file flow.h.
Referenced by FlowGetFromFlowKey(), and FlowInit().
| const struct SigGroupHead_* Flow_::sgh_toclient |
toclient sgh for this flow. Only use when FLOW_SGH_TOCLIENT flow flag has been set.
Definition at line 442 of file flow.h.
Referenced by AppLayerParserTransactionsCleanup(), FlowSwap(), and SigMatchSignaturesGetSgh().
| const struct SigGroupHead_* Flow_::sgh_toserver |
toserver sgh for this flow. Only use when FLOW_SGH_TOSERVER flow flag has been set.
Definition at line 445 of file flow.h.
Referenced by AppLayerParserTransactionsCleanup(), FlowSwap(), and SigMatchSignaturesGetSgh().
| Port Flow_::sp |
tcp/udp source port
Definition at line 331 of file flow.h.
Referenced by AppLayerExpectationHandle(), AppLayerParserStreamTruncated(), FlowGetFromFlowKey(), FlowGetPacketDirection(), FlowInit(), OutputJsonRegister(), and StreamTcpPseudoPacketCreateStreamEndPacket().
| FlowAddress Flow_::src |
Definition at line 329 of file flow.h.
Referenced by AppLayerExpectationSetup(), AppLayerParserStreamTruncated(), DetectFtpbounceRegister(), FlowGetFromFlowKey(), FlowGetPacketDirection(), FlowInit(), OutputJsonRegister(), StreamTcpPseudoPacketCreateStreamEndPacket(), and TagTimeoutCheck().
| struct timeval Flow_::startts |
Definition at line 458 of file flow.h.
Referenced by FlowGetFromFlowKey(), and FlowInit().
| uint32_t Flow_::tenant_id |
flow tenant id, used to setup flow timeout and stream pseudo packets with the correct tenant id set
Definition at line 374 of file flow.h.
Referenced by SigMatchSignaturesGetSgh(), and StreamTcpPseudoPacketCreateStreamEndPacket().
| FlowThreadId Flow_::thread_id |
Thread ID for the stream/detect portion of this flow
Definition at line 426 of file flow.h.
Referenced by FlowForceReassemblyForFlow(), FlowSetupPacket(), and StreamTcpPacket().
| uint64_t Flow_::todstbytecnt |
Definition at line 462 of file flow.h.
Referenced by FlowHandlePacketUpdate(), and FlowSwap().
| uint32_t Flow_::todstpktcnt |
Definition at line 460 of file flow.h.
Referenced by FlowHandlePacketUpdate(), and FlowSwap().
| uint64_t Flow_::tosrcbytecnt |
Definition at line 463 of file flow.h.
Referenced by FlowHandlePacketUpdate(), and FlowSwap().
| uint32_t Flow_::tosrcpktcnt |
Definition at line 461 of file flow.h.
Referenced by FlowHandlePacketUpdate(), and FlowSwap().
| uint16_t Flow_::vlan_id[2] |
Definition at line 346 of file flow.h.
Referenced by FlowGetFromFlowKey(), FlowInit(), and StreamTcpPseudoPacketCreateStreamEndPacket().
| uint8_t Flow_::vlan_idx |
Definition at line 347 of file flow.h.
Referenced by FlowInit(), and StreamTcpPseudoPacketCreateStreamEndPacket().
1.8.11 
