#include "suricata-common.h"#include "detect.h"#include "detect-engine.h"#include "detect-parse.h"#include "detect-content.h"#include "detect-engine-build.h"#include "detect-engine-address.h"#include "detect-engine-analyzer.h"#include "detect-engine-iponly.h"#include "detect-engine-mpm.h"#include "detect-engine-siggroup.h"#include "detect-engine-port.h"#include "detect-engine-prefilter.h"#include "detect-engine-proto.h"#include "detect-engine-threshold.h"#include "detect-dsize.h"#include "detect-tcp-flags.h"#include "detect-flow.h"#include "detect-config.h"#include "detect-flowbits.h"#include "app-layer-events.h"#include "util-port-interval-tree.h"#include "util-profiling.h"#include "util-validate.h"#include "util-var-name.h"#include "util-conf.h"
Go to the source code of this file.
Data Structures | |
| struct | UniquePortPoint_ |
Macros | |
| #define | DETECT_PGSCORE_RULE_PORT_PRIORITIZED 111 /* Rule port group contains a priority port */ |
| #define | DETECT_PGSCORE_RULE_MPM_FAST_PATTERN 99 /* Rule contains an MPM fast pattern */ |
| #define | DETECT_PGSCORE_RULE_MPM_NEGATED 77 /* Rule contains a negated MPM */ |
| #define | DETECT_PGSCORE_RULE_NO_MPM 55 /* Rule does not contain MPM */ |
| #define | DETECT_PGSCORE_RULE_SYN_ONLY 33 /* Rule needs SYN check */ |
| #define | MASK_TCP_INITDEINIT_FLAGS (TH_SYN|TH_RST|TH_FIN) |
| #define | MASK_TCP_UNUSUAL_FLAGS (TH_URG|TH_ECN|TH_CWR) |
| #define | UNDEFINED_PORT 0 |
| #define | RANGE_PORT 1 |
| #define | SINGLE_PORT 2 |
Typedefs | |
| typedef struct UniquePortPoint_ | UniquePortPoint |
Functions | |
| void | SigCleanSignatures (DetectEngineCtx *de_ctx) |
| Signature * | SigFindSignatureBySidGid (DetectEngineCtx *de_ctx, uint32_t sid, uint32_t gid) |
| Find a specific signature by sid and gid. | |
| int | SignatureIsFilestoring (const Signature *s) |
| Check if a signature contains the filestore keyword. | |
| int | SignatureIsFilemagicInspecting (const Signature *s) |
| Check if a signature contains the filemagic keyword. | |
| int | SignatureIsFileMd5Inspecting (const Signature *s) |
| Check if a signature contains the filemd5 keyword. | |
| int | SignatureIsFileSha1Inspecting (const Signature *s) |
| Check if a signature contains the filesha1 keyword. | |
| int | SignatureIsFileSha256Inspecting (const Signature *s) |
| Check if a signature contains the filesha256 keyword. | |
| int | SignatureIsFilesizeInspecting (const Signature *s) |
| Check if a signature contains the filesize keyword. | |
| int | SignatureIsIPOnly (DetectEngineCtx *de_ctx, const Signature *s) |
| Test is a initialized signature is IP only. | |
| void | PacketCreateMask (Packet *p, SignatureMask *mask, AppProto alproto, bool app_decoder_events) |
| void | SignatureSetType (DetectEngineCtx *de_ctx, Signature *s) |
| int | SigPrepareStage1 (DetectEngineCtx *de_ctx) |
| Preprocess signature, classify ip-only, etc, build sig array. | |
| int | SigPrepareStage2 (DetectEngineCtx *de_ctx) |
| Fill the global src group head, with the sigs included. | |
| int | SigPrepareStage3 (DetectEngineCtx *de_ctx) |
| int | SigAddressCleanupStage1 (DetectEngineCtx *de_ctx) |
| int | SigPrepareStage4 (DetectEngineCtx *de_ctx) |
| finalize preparing sgh's | |
| int | SigGroupBuild (DetectEngineCtx *de_ctx) |
| Convert the signature list into the runtime match structure. | |
| int | SigGroupCleanup (DetectEngineCtx *de_ctx) |
Variables | |
| bool | rule_engine_analysis_set |
Macro Definition Documentation
◆ DETECT_PGSCORE_RULE_MPM_FAST_PATTERN
| #define DETECT_PGSCORE_RULE_MPM_FAST_PATTERN 99 /* Rule contains an MPM fast pattern */ |
Definition at line 51 of file detect-engine-build.c.
◆ DETECT_PGSCORE_RULE_MPM_NEGATED
| #define DETECT_PGSCORE_RULE_MPM_NEGATED 77 /* Rule contains a negated MPM */ |
Definition at line 52 of file detect-engine-build.c.
◆ DETECT_PGSCORE_RULE_NO_MPM
| #define DETECT_PGSCORE_RULE_NO_MPM 55 /* Rule does not contain MPM */ |
Definition at line 53 of file detect-engine-build.c.
◆ DETECT_PGSCORE_RULE_PORT_PRIORITIZED
| #define DETECT_PGSCORE_RULE_PORT_PRIORITIZED 111 /* Rule port group contains a priority port */ |
Definition at line 50 of file detect-engine-build.c.
◆ DETECT_PGSCORE_RULE_SYN_ONLY
| #define DETECT_PGSCORE_RULE_SYN_ONLY 33 /* Rule needs SYN check */ |
Definition at line 54 of file detect-engine-build.c.
◆ MASK_TCP_INITDEINIT_FLAGS
Definition at line 414 of file detect-engine-build.c.
◆ MASK_TCP_UNUSUAL_FLAGS
Definition at line 415 of file detect-engine-build.c.
◆ RANGE_PORT
| #define RANGE_PORT 1 |
Definition at line 1325 of file detect-engine-build.c.
◆ SINGLE_PORT
| #define SINGLE_PORT 2 |
Definition at line 1326 of file detect-engine-build.c.
◆ UNDEFINED_PORT
| #define UNDEFINED_PORT 0 |
Definition at line 1324 of file detect-engine-build.c.
Typedef Documentation
◆ UniquePortPoint
| typedef struct UniquePortPoint_ UniquePortPoint |
Function Documentation
◆ PacketCreateMask()
| void PacketCreateMask | ( | Packet * | p, |
| SignatureMask * | mask, | ||
| AppProto | alproto, | ||
| bool | app_decoder_events | ||
| ) |
Definition at line 420 of file detect-engine-build.c.
References Packet_::app_layer_events, AppLayerDecoderEvents_::cnt, PacketEngineEvents_::cnt, Packet_::events, Packet_::flags, MASK_TCP_INITDEINIT_FLAGS, MASK_TCP_UNUSUAL_FLAGS, Packet_::payload_len, PKT_DETECT_HAS_STREAMDATA, PKT_HAS_FLOW, PKT_IS_PSEUDOPKT, PKT_NOPAYLOAD_INSPECTION, SCLogDebug, SIG_MASK_REQUIRE_ENGINE_EVENT, SIG_MASK_REQUIRE_FLAGS_INITDEINIT, SIG_MASK_REQUIRE_FLAGS_UNUSUAL, SIG_MASK_REQUIRE_FLOW, SIG_MASK_REQUIRE_NO_PAYLOAD, SIG_MASK_REQUIRE_PAYLOAD, SIG_MASK_REQUIRE_REAL_PKT, and TCPHdr_::th_flags.
◆ SigAddressCleanupStage1()
| int SigAddressCleanupStage1 | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 1977 of file detect-engine-build.c.
References BUG_ON, de_ctx, DetectEngineCtx_::decoder_event_sgh, DetectPortCleanupList(), DetectEngineCtx_::flow_gh, FLOW_STATES, DetectEngineCtx_::io_ctx, IPOnlyDeinit(), DetectEngineCtx_::pre_flow_sgh, DetectEngineCtx_::pre_stream_sgh, SCFree, SCLogDebug, DetectEngineLookupFlow_::sgh, DetectEngineCtx_::sgh_array, DetectEngineCtx_::sgh_array_cnt, DetectEngineCtx_::sgh_array_size, SigGroupHeadFree(), DetectEngineLookupFlow_::tcp, and DetectEngineLookupFlow_::udp.
Referenced by SigGroupCleanup().
◆ SigCleanSignatures()
| void SigCleanSignatures | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 56 of file detect-engine-build.c.
References de_ctx, DetectEngineResetMaxSigId(), Signature_::next, DetectEngineCtx_::sig_list, and SigFree().
Referenced by DetectEngineCtxFree(), and UTHPacketMatchSig().
◆ SigFindSignatureBySidGid()
| Signature * SigFindSignatureBySidGid | ( | DetectEngineCtx * | de_ctx, |
| uint32_t | sid, | ||
| uint32_t | gid | ||
| ) |
Find a specific signature by sid and gid.
- Parameters
-
de_ctx detection engine ctx sid the signature id gid the signature group id
- Return values
-
s sig found NULL sig not found
Definition at line 80 of file detect-engine-build.c.
References de_ctx, and DetectEngineCtx_::sig_list.
◆ SigGroupBuild()
| int SigGroupBuild | ( | DetectEngineCtx * | de_ctx | ) |
Convert the signature list into the runtime match structure.
- Parameters
-
de_ctx Pointer to the Detection Engine Context whose Signatures have to be processed
- Return values
-
0 On Success. -1 On failure.
Definition at line 2204 of file detect-engine-build.c.
References de_ctx, DetectEngineMultiTenantEnabled(), DetectMpmPrepareAppMpms(), DetectMpmPrepareBuiltinMpms(), DetectMpmPrepareFrameMpms(), DetectMpmPreparePktMpms(), DetectSetFastPatternAndItsId(), EngineModeIsFirewall(), FatalError, FirewallAnalyzer(), Signature_::iid, Signature_::next, DetectEngineCtx_::profile_match_logging_threshold, SCConfGetInt(), SCProfilingKeywordInitCounters(), SCProfilingPrefilterInitCounters(), DetectEngineCtx_::sig_list, DetectEngineCtx_::signum, SigPrepareStage1(), SigPrepareStage2(), SigPrepareStage3(), SigPrepareStage4(), and VarNameStoreActivate().
Referenced by SigLoadSignatures(), UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().
◆ SigGroupCleanup()
| int SigGroupCleanup | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 2275 of file detect-engine-build.c.
References de_ctx, and SigAddressCleanupStage1().
Referenced by DetectEngineCtxFree(), UTHMatchPackets(), and UTHPacketMatchSig().
◆ SignatureIsFilemagicInspecting()
| int SignatureIsFilemagicInspecting | ( | const Signature * | s | ) |
Check if a signature contains the filemagic keyword.
- Parameters
-
s signature
- Return values
-
0 no 1 yes
Definition at line 120 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_MAGIC.
Referenced by SigGroupHeadSetupFiles().
◆ SignatureIsFileMd5Inspecting()
| int SignatureIsFileMd5Inspecting | ( | const Signature * | s | ) |
Check if a signature contains the filemd5 keyword.
- Parameters
-
s signature
- Return values
-
0 no 1 yes
Definition at line 139 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_MD5.
Referenced by SigGroupHeadSetupFiles().
◆ SignatureIsFileSha1Inspecting()
| int SignatureIsFileSha1Inspecting | ( | const Signature * | s | ) |
Check if a signature contains the filesha1 keyword.
- Parameters
-
s signature
- Return values
-
0 no 1 yes
Definition at line 155 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_SHA1.
Referenced by SigGroupHeadSetupFiles().
◆ SignatureIsFileSha256Inspecting()
| int SignatureIsFileSha256Inspecting | ( | const Signature * | s | ) |
Check if a signature contains the filesha256 keyword.
- Parameters
-
s signature
- Return values
-
0 no 1 yes
Definition at line 171 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_SHA256.
Referenced by SigGroupHeadSetupFiles().
◆ SignatureIsFilesizeInspecting()
| int SignatureIsFilesizeInspecting | ( | const Signature * | s | ) |
Check if a signature contains the filesize keyword.
- Parameters
-
s signature
- Return values
-
0 no 1 yes
Definition at line 187 of file detect-engine-build.c.
References Signature_::file_flags, and FILE_SIG_NEED_SIZE.
Referenced by SigGroupHeadSetupFiles().
◆ SignatureIsFilestoring()
| int SignatureIsFilestoring | ( | const Signature * | s | ) |
Check if a signature contains the filestore keyword.
- Parameters
-
s signature
- Return values
-
0 no 1 yes
Definition at line 101 of file detect-engine-build.c.
References Signature_::flags, and SIG_FLAG_FILESTORE.
Referenced by SigGroupHeadSetupFiles().
◆ SignatureIsIPOnly()
| int SignatureIsIPOnly | ( | DetectEngineCtx * | de_ctx, |
| const Signature * | s | ||
| ) |
Test is a initialized signature is IP only.
- Parameters
-
de_ctx detection engine ctx s the signature
- Return values
-
1 sig is ip only 2 sig is like ip only 0 sig is not ip only
Definition at line 210 of file detect-engine-build.c.
References Signature_::alproto, ALPROTO_UNKNOWN, SigMatch_::ctx, de_ctx, DE_QUIET, DETECT_FLOWBITS, DETECT_FLOWBITS_CMD_SET, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_PMATCH, DETECT_SM_LIST_POSTMATCH, SignatureInitData_::dst_contains_negation, Signature_::flags, DetectEngineCtx_::flags, SigTableElmt_::flags, SignatureInitData_::hook, Signature_::id, Signature_::init_data, SigMatch_::next, SCLogDebug, SCReturnInt, SIG_FLAG_APPLAYER, SIG_FLAG_DST_ANY, SIG_FLAG_SRC_ANY, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SIGMATCH_IPONLY_COMPAT, sigmatch_table, SIGNATURE_HOOK_TYPE_NOT_SET, SignatureInitData_::smlists, SignatureInitData_::src_contains_negation, SigMatch_::type, and SignatureHook_::type.
Referenced by SignatureSetType().
◆ SignatureSetType()
| void SignatureSetType | ( | DetectEngineCtx * | de_ctx, |
| Signature * | s | ||
| ) |
Definition at line 1655 of file detect-engine-build.c.
References SignatureInitData_::buffer_index, SignatureInitData_::buffers, BUG_ON, de_ctx, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_PMATCH, DetectEngineBufferTypeSupportsFramesGetById(), DetectEngineBufferTypeSupportsPacketGetById(), Signature_::flags, SignatureInitData_::hook, SignatureInitDataBuffer_::id, Signature_::id, Signature_::init_data, SCLogDebug, SCReturn, SIG_FLAG_APPLAYER, SIG_FLAG_REQUIRE_PACKET, SIG_FLAG_REQUIRE_STREAM, SIG_TYPE_APP_TX, SIG_TYPE_APPLAYER, SIG_TYPE_DEONLY, SIG_TYPE_IPONLY, SIG_TYPE_LIKE_IPONLY, SIG_TYPE_NOT_SET, SIG_TYPE_PDONLY, SIG_TYPE_PKT, SIG_TYPE_PKT_STREAM, SIG_TYPE_STREAM, SIGNATURE_HOOK_TYPE_APP, SignatureIsIPOnly(), SignatureInitData_::smlists, SignatureHook_::type, and Signature_::type.
◆ SigPrepareStage1()
| int SigPrepareStage1 | ( | DetectEngineCtx * | de_ctx | ) |
Preprocess signature, classify ip-only, etc, build sig array.
- Parameters
-
de_ctx Pointer to the Detection Engine Context
- Return values
-
0 on success -1 on failure
Definition at line 1733 of file detect-engine-build.c.
References SignatureInitData_::buffer_index, SignatureInitData_::buffers, DetectEngineCtx_::config_prefix, DetectContentData_::content_len, SigMatch_::ctx, de_ctx, DE_QUIET, DETECT_CONTENT, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_MAX, DetectContentPropagateLimits(), DetectEngineBufferRunSetupCallback(), DetectEngineGetMaxSigId, DetectFlowbitsAnalyze(), Signature_::flags, DetectEngineCtx_::flags, SignatureInitDataBuffer_::id, Signature_::id, Signature_::iid, Signature_::init_data, SigMatch_::next, Signature_::next, proto, DetectProto_::proto, Signature_::proto, SCCalloc, SCLogConfig, SCLogDebug, SCLogDebugEnabled(), SCLogInfo, DetectEngineCtx_::sig_array, DetectEngineCtx_::sig_array_len, DetectEngineCtx_::sig_cnt, SIG_FLAG_APPLAYER, SIG_FLAG_MPM_NEG, DetectEngineCtx_::sig_list, SIG_TYPE_DEONLY, SIG_TYPE_IPONLY, SIG_TYPE_PDONLY, SigParseApplyDsizeToContent(), SignatureInitData_::smlists, DetectEngineCtx_::tenant_id, SigMatch_::type, and Signature_::type.
Referenced by SigGroupBuild().
◆ SigPrepareStage2()
| int SigPrepareStage2 | ( | DetectEngineCtx * | de_ctx | ) |
Fill the global src group head, with the sigs included.
- Parameters
-
de_ctx Pointer to the Detection Engine Context whose Signatures have to be processed
- Return values
-
0 On success -1 On failure
Definition at line 1887 of file detect-engine-build.c.
References de_ctx, DetectEngineCtx_::flow_gh, SignatureInitData_::hook, Signature_::id, Signature_::init_data, DetectEngineCtx_::io_ctx, IPOnlyAddSignature(), IPOnlyInit(), IPOnlyPrepare(), IPOnlyPrint(), Signature_::next, SignatureHook_::ph, SignatureHook_::pkt, SCLogDebug, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, DetectEngineCtx_::sig_list, SIG_TYPE_DEONLY, SIG_TYPE_IPONLY, SIG_TYPE_PKT, SIGNATURE_HOOK_PKT_PRE_FLOW, SIGNATURE_HOOK_PKT_PRE_STREAM, SIGNATURE_HOOK_TYPE_PKT, SignatureHook_::t, DetectEngineLookupFlow_::tcp, SignatureHook_::type, Signature_::type, and DetectEngineLookupFlow_::udp.
Referenced by SigGroupBuild().
◆ SigPrepareStage3()
| int SigPrepareStage3 | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 1963 of file detect-engine-build.c.
References de_ctx.
Referenced by SigGroupBuild().
◆ SigPrepareStage4()
| int SigPrepareStage4 | ( | DetectEngineCtx * | de_ctx | ) |
finalize preparing sgh's
Definition at line 2060 of file detect-engine-build.c.
References cnt, de_ctx, DetectEngineCtx_::decoder_event_sgh, SigGroupHead_::filestore_cnt, SigGroupHead_::id, SigGroupHead_::init, MpmStoreReportStats(), PrefilterSetupRuleGroup(), SCConfGetBool(), SCEnter, SCLogDebug, SCLogPerf, SCProfilingSghInitCounters(), SCReturnInt, DetectEngineCtx_::sgh_array, DetectEngineCtx_::sgh_array_cnt, SigGroupHeadHashFree(), SigGroupHeadInitDataFree(), and SigGroupHeadSetupFiles().
Referenced by SigGroupBuild().
Variable Documentation
◆ rule_engine_analysis_set
|
extern |
Definition at line 56 of file detect-engine-loader.c.
