suricata
Data Structures | Macros | Typedefs | Functions | Variables
detect-engine-analyzer.c File Reference
#include "suricata-common.h"
#include "suricata.h"
#include "rust.h"
#include "action-globals.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-analyzer.h"
#include "detect-engine-mpm.h"
#include "detect-engine-uint.h"
#include "conf.h"
#include "detect-content.h"
#include "detect-pcre.h"
#include "detect-bytejump.h"
#include "detect-bytetest.h"
#include "detect-isdataat.h"
#include "detect-flow.h"
#include "detect-tcp-flags.h"
#include "detect-tcp-ack.h"
#include "detect-ipopts.h"
#include "detect-tcp-seq.h"
#include "feature.h"
#include "util-print.h"
#include "util-time.h"
#include "util-validate.h"
#include "util-conf.h"
#include "detect-flowbits.h"
#include "util-var-name.h"
#include "detect-icmp-id.h"
#include "detect-tcp-window.h"
#include "app-layer-parser.h"
Include dependency graph for detect-engine-analyzer.c:

Go to the source code of this file.

Data Structures

struct  DetectEngineAnalyzerItems
 
struct  FpPatternStats_
 
struct  ExposedItemSeen
 
struct  EngineAnalysisCtx_
 
struct  RuleAnalyzer
 

Macros

#define DETECT_PERCENT_ENCODING_REGEX   "%[0-9|a-f|A-F]{2}"
 
#define CHECK(pat)   if (strlen((pat)) <= len && memcmp((pat), buf, MIN(len, strlen((pat)))) == 0) return true;
 

Typedefs

typedef struct DetectEngineAnalyzerItems DetectEngineAnalyzerItems
 
typedef struct FpPatternStats_ FpPatternStats
 
typedef struct EngineAnalysisCtx_ EngineAnalysisCtx
 
typedef struct RuleAnalyzer RuleAnalyzer
 

Functions

void EngineAnalysisFP (const DetectEngineCtx *de_ctx, const Signature *s, const char *line)
 
void SetupEngineAnalysis (DetectEngineCtx *de_ctx, bool *fp_analysis, bool *rule_analysis)
 
void CleanupEngineAnalysis (DetectEngineCtx *de_ctx)
 
void EngineAnalysisRulesFailure (const DetectEngineCtx *de_ctx, const char *line, const char *file, int lineno)
 
void EngineAnalysisRules2 (const DetectEngineCtx *de_ctx, const Signature *s)
 
void DumpPatterns (DetectEngineCtx *de_ctx)
 
void EngineAnalysisRules (const DetectEngineCtx *de_ctx, const Signature *s, const char *line)
 Prints analysis of loaded rules.
 
int FirewallAnalyzer (const DetectEngineCtx *de_ctx)
 

Variables

const DetectEngineAnalyzerItems analyzer_items []
 
SCMutex g_rules_analyzer_write_m = SCMUTEX_INITIALIZER
 

Detailed Description

Author
Eileen Donlon emdon.nosp@m.lo@g.nosp@m.mail..nosp@m.com
Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Rule analyzers for the detection engine

Definition in file detect-engine-analyzer.c.

Macro Definition Documentation

◆ CHECK

#define CHECK (   pat)    if (strlen((pat)) <= len && memcmp((pat), buf, MIN(len, strlen((pat)))) == 0) return true;

Definition at line 670 of file detect-engine-analyzer.c.

◆ DETECT_PERCENT_ENCODING_REGEX

#define DETECT_PERCENT_ENCODING_REGEX   "%[0-9|a-f|A-F]{2}"

Typedef Documentation

◆ DetectEngineAnalyzerItems

typedef struct DetectEngineAnalyzerItems DetectEngineAnalyzerItems

◆ EngineAnalysisCtx

typedef struct EngineAnalysisCtx_ EngineAnalysisCtx

◆ FpPatternStats

typedef struct FpPatternStats_ FpPatternStats

◆ RuleAnalyzer

typedef struct RuleAnalyzer RuleAnalyzer

Function Documentation

◆ CleanupEngineAnalysis()

void CleanupEngineAnalysis ( DetectEngineCtx de_ctx)

Definition at line 510 of file detect-engine-analyzer.c.

References EngineAnalysisCtx_::analyzer_items, de_ctx, DetectEngineCtx_::ea, EngineAnalysisCtx_::file_prefix, and SCFree.

Referenced by SigLoadSignatures().

Here is the caller graph for this function:

◆ DumpPatterns()

void DumpPatterns ( DetectEngineCtx de_ctx)

Definition at line 1432 of file detect-engine-analyzer.c.

References DetectEngineCtx_::buffer_type_id, DetectPatternTracker::cd, DetectPatternTracker::cnt, DetectContentData_::content_len, de_ctx, DETECT_CONTENT_DEPTH, DETECT_CONTENT_ENDS_WITH, DETECT_CONTENT_NEGATED, DETECT_CONTENT_NOCASE, DETECT_CONTENT_OFFSET, DETECT_SM_LIST_DYNAMIC_START, DetectContentPatternPrettyPrint(), DetectEngineBufferTypeGetNameById(), DetectListToHumanString(), DetectEngineCtx_::ea, EngineAnalysisCtx_::file_prefix, DetectContentData_::flags, g_rules_analyzer_write_m, HashListTableFree(), HashListTableGetListData, HashListTableGetListHead(), HashListTableGetListNext, DetectPatternTracker::mpm, name, DetectEngineCtx_::pattern_hash_table, SCConfigGetLogDirectory(), SCMutexLock, SCMutexUnlock, DetectPatternTracker::sm_list, and str.

Here is the call graph for this function:

◆ EngineAnalysisFP()

void EngineAnalysisFP ( const DetectEngineCtx de_ctx,
const Signature s,
const char *  line 
)

Definition at line 169 of file detect-engine-analyzer.c.

References DetectContentData_::content, DetectContentData_::content_len, SigMatch_::ctx, de_ctx, DETECT_CONTENT_DEPTH, DETECT_CONTENT_DISTANCE, DETECT_CONTENT_FAST_PATTERN, DETECT_CONTENT_FAST_PATTERN_CHOP, DETECT_CONTENT_FAST_PATTERN_ONLY, DETECT_CONTENT_NEGATED, DETECT_CONTENT_NOCASE, DETECT_CONTENT_OFFSET, DETECT_CONTENT_WITHIN, DETECT_SM_LIST_PMATCH, DetectEngineBufferTypeGetDescriptionById(), DetectEngineBufferTypeGetNameById(), DetectEngineCtx_::ea, FatalError, DetectContentData_::flags, DetectContentData_::fp_chop_len, DetectContentData_::fp_chop_offset, EngineAnalysisCtx_::fp_pattern_stats, Signature_::id, Signature_::init_data, SignatureInitData_::mpm_sm, SignatureInitData_::mpm_sm_list, SigTableElmt_::name, name, SignatureInitData_::prefilter_sm, PrintRawUriFp(), EngineAnalysisCtx_::rule_engine_analysis_fp, SCFree, SCMalloc, sigmatch_table, SigMatch_::type, and unlikely.

Here is the call graph for this function:

◆ EngineAnalysisRules()

void EngineAnalysisRules ( const DetectEngineCtx de_ctx,
const Signature s,
const char *  line 
)

Prints analysis of loaded rules. 

   Warns if potential rule issues are detected. For example,
   warns if a rule uses a construct that may perform poorly,
   e.g. pcre without content or with http_method content only;
   warns if a rule uses a construct that may not be consistent with intent,
   e.g. client side ports only, http and content without any http_* modifiers, etc.
Parameters
sPointer to the signature.

Definition at line 1573 of file detect-engine-analyzer.c.

References Signature_::alproto, ALPROTO_HTTP1, ALPROTO_UNKNOWN, EngineAnalysisCtx_::analyzer_item_map, EngineAnalysisCtx_::analyzer_items, analyzer_items, AppProtoToString(), ARRAY_SIZE, DetectEngineAnalyzerItems::check_encoding_match, DetectContentData_::content, DetectContentData_::content_len, SigMatch_::ctx, de_ctx, DETECT_CONTENT, DETECT_CONTENT_DEPTH, DETECT_CONTENT_OFFSET, DETECT_FLAGS, DETECT_FLOW, DETECT_FLOW_FLAG_NOSTREAM, DETECT_FLOWBITS, DETECT_FLOWINT, DETECT_PCRE, DETECT_PROTO_ANY, DETECT_PROTO_IPV4, DETECT_PROTO_IPV6, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_MAX, DETECT_SM_LIST_PMATCH, DetectProtoContainsProto(), DetectEngineAnalyzerItems::display_name, DetectEngineCtx_::ea, EngineAnalysisCtx_::exposed_item_seen_list, DetectContentData_::flags, DetectProto_::flags, DetectFlowData_::flags, Signature_::flags, Signature_::id, Signature_::init_data, SignatureInitData_::init_flags, DetectEngineAnalyzerItems::item_seen, ExposedItemSeen::item_seen_ptr, SignatureInitData_::mpm_sm, SignatureInitData_::mpm_sm_list, SigTableElmt_::name, SigMatch_::next, SignatureInitData_::prefilter_sm, Signature_::proto, RequiresFeature(), EngineAnalysisCtx_::rule_engine_analysis_fp, SIG_FLAG_DP_ANY, SIG_FLAG_FILESTORE, SIG_FLAG_INIT_BIDIREC, SIG_FLAG_REQUIRE_PACKET, SIG_FLAG_REQUIRE_STREAM, SIG_FLAG_SP_ANY, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SIG_TYPE_APP_TX, SIG_TYPE_APPLAYER, SIG_TYPE_DEONLY, SIG_TYPE_IPONLY, SIG_TYPE_LIKE_IPONLY, SIG_TYPE_MAX, SIG_TYPE_NOT_SET, SIG_TYPE_PDONLY, SIG_TYPE_PKT, SIG_TYPE_PKT_STREAM, SIG_TYPE_STREAM, sigmatch_table, SignatureInitData_::smlists, SigMatch_::type, and Signature_::type.

Here is the call graph for this function:

◆ EngineAnalysisRules2()

void EngineAnalysisRules2 ( const DetectEngineCtx de_ctx,
const Signature s 
)

Definition at line 985 of file detect-engine-analyzer.c.

References Signature_::action, ACTION_ACCEPT, ACTION_ALERT, ACTION_CONFIG, ACTION_DROP, ACTION_PASS, ACTION_REJECT, ACTION_REJECT_BOTH, ACTION_REJECT_DST, Signature_::action_scope, ACTION_SCOPE_AUTO, ACTION_SCOPE_FLOW, ACTION_SCOPE_HOOK, ACTION_SCOPE_PACKET, ACTION_SCOPE_TX, DetectEngineAppInspectionEngine_::alproto, Signature_::alproto, Signature_::app_inspect, AppProtoToString(), DetectEngineTransforms::cnt, ctx, SigMatchData_::ctx, de_ctx, DETECT_CONTENT, DETECT_CONTENT_MPM, DETECT_SM_LIST_DYNAMIC_START, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_MAX, DETECT_SM_LIST_PMATCH, DetectEngineBufferTypeGetNameById(), DetectListToHumanString(), DetectEngineAppInspectionEngine_::dir, DetectEngineCtx_::ea, EngineAnalysisCtx_::file_prefix, SignatureInitData_::firewall_rule, DetectContentData_::flags, Signature_::flags, SignatureProperties::flow_action, Signature_::frame_inspect, g_rules_analyzer_write_m, Signature_::gid, Signature_::id, Signature_::init_data, SignatureInitData_::init_flags, SigMatchData_::is_last, SignatureInitData_::is_rule_state_dependant, JB_SET_STRING, Signature_::mask, DetectEngineAppInspectionEngine_::mpm, DetectEnginePktInspectionEngine::mpm, DetectEngineFrameInspectionEngine::mpm, Signature_::msg, SigTableElmt_::name, name, DetectEngineAppInspectionEngine_::next, DetectEnginePktInspectionEngine::next, DetectEngineFrameInspectionEngine::next, Signature_::pkt_inspect, SignatureInitData_::prefilter_sm, DetectEngineAppInspectionEngine_::progress, Signature_::rev, SignatureInitData_::rule_state_dependant_sids_array, SignatureInitData_::rule_state_dependant_sids_idx, SignatureInitData_::rule_state_dependant_sids_size, SignatureInitData_::rule_state_flowbits_ids_array, SignatureInitData_::rule_state_flowbits_ids_size, SCConfigGetLogDirectory(), SCEnter, SCMutexLock, SCMutexUnlock, SCReturn, SIG_FLAG_APPLAYER, SIG_FLAG_BYPASS, SIG_FLAG_DEST_IS_TARGET, SIG_FLAG_DP_ANY, SIG_FLAG_DSIZE, SIG_FLAG_DST_ANY, SIG_FLAG_FILESTORE, SIG_FLAG_FLUSH, SIG_FLAG_INIT_STATE_MATCH, SIG_FLAG_MPM_NEG, SIG_FLAG_PREFILTER, SIG_FLAG_REQUIRE_FLOWVAR, SIG_FLAG_REQUIRE_PACKET, SIG_FLAG_REQUIRE_STREAM, SIG_FLAG_SP_ANY, SIG_FLAG_SRC_ANY, SIG_FLAG_SRC_IS_TARGET, SIG_FLAG_TLSSTORE, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SIG_MASK_REQUIRE_ENGINE_EVENT, SIG_MASK_REQUIRE_FLAGS_INITDEINIT, SIG_MASK_REQUIRE_FLAGS_UNUSUAL, SIG_MASK_REQUIRE_FLOW, SIG_MASK_REQUIRE_NO_PAYLOAD, SIG_MASK_REQUIRE_PAYLOAD, SIG_MASK_REQUIRE_REAL_PKT, SIG_PROP_FLOW_ACTION_FLOW, SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL, SIG_PROP_FLOW_ACTION_PACKET, Signature_::sig_str, SIG_TYPE_APP_TX, SIG_TYPE_APPLAYER, SIG_TYPE_DEONLY, SIG_TYPE_IPONLY, SIG_TYPE_LIKE_IPONLY, SIG_TYPE_MAX, SIG_TYPE_NOT_SET, SIG_TYPE_PDONLY, SIG_TYPE_PKT, SIG_TYPE_PKT_STREAM, SIG_TYPE_STREAM, sigmatch_table, SigMatchListSMBelongsTo(), signature_properties, Signature_::sm_arrays, DetectEngineAppInspectionEngine_::sm_list, DetectEnginePktInspectionEngine::sm_list, DetectEngineFrameInspectionEngine::sm_list, DetectEngineAppInspectionEngine_::smd, DetectEnginePktInspectionEngine::smd, DetectEngineFrameInspectionEngine::smd, TransformData_::transform, DetectEngineTransforms::transforms, DetectEngineAppInspectionEngine_::transforms, DetectEnginePktInspectionEngine::transforms, DetectEngineFrameInspectionEngine::transforms, SigMatch_::type, SigMatchData_::type, Signature_::type, DetectEnginePktInspectionEngine::v1, DetectEngineFrameInspectionEngine::v1, DetectEngineAppInspectionEngine_::v2, VAR_TYPE_FLOW_BIT, and VarNameStoreSetupLookup().

Here is the call graph for this function:

◆ EngineAnalysisRulesFailure()

void EngineAnalysisRulesFailure ( const DetectEngineCtx de_ctx,
const char *  line,
const char *  file,
int  lineno 
)

Definition at line 622 of file detect-engine-analyzer.c.

References de_ctx, DetectEngineCtx_::ea, and EngineAnalysisCtx_::fp_engine_analysis_fp.

◆ FirewallAnalyzer()

int FirewallAnalyzer ( const DetectEngineCtx de_ctx)

Definition at line 2015 of file detect-engine-analyzer.c.

References Signature_::action, ACTION_ACCEPT, AppLayerParserGetStateNameById(), AppLayerParserGetStateProgressCompletionStatus(), AppProtoToString(), ctx, de_ctx, Signature_::flags, g_alproto_max, g_rules_analyzer_write_m, Signature_::id, name, Signature_::next, SCConfigGetLogDirectory(), SCMutexLock, SCMutexUnlock, SIG_FLAG_FIREWALL, DetectEngineCtx_::sig_list, Signature_::sig_str, SIG_TYPE_APP_TX, SIG_TYPE_PKT, and Signature_::type.

Referenced by SigGroupBuild().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SetupEngineAnalysis()

void SetupEngineAnalysis ( DetectEngineCtx de_ctx,
bool *  fp_analysis,
bool *  rule_analysis 
)

Definition at line 474 of file detect-engine-analyzer.c.

References EngineAnalysisCtx_::analyzer_items, DetectEngineCtx_::config_prefix, de_ctx, DetectEngineCtx_::ea, FatalError, EngineAnalysisCtx_::file_prefix, SCCalloc, and SCFree.

Referenced by SigLoadSignatures().

Here is the caller graph for this function:

Variable Documentation

◆ analyzer_items

const DetectEngineAnalyzerItems analyzer_items[]

Definition at line 112 of file detect-engine-analyzer.c.

Referenced by EngineAnalysisRules().

◆ g_rules_analyzer_write_m

SCMutex g_rules_analyzer_write_m = SCMUTEX_INITIALIZER

Definition at line 984 of file detect-engine-analyzer.c.

Referenced by DumpPatterns(), EngineAnalysisRules2(), and FirewallAnalyzer().