#include "suricata-common.h"#include "suricata.h"#include "rust.h"#include "decode.h"#include "detect.h"#include "detect-engine.h"#include "detect-parse.h"#include "detect-engine-content-inspection.h"#include "detect-engine-prefilter.h"#include "detect-engine-state.h"#include "detect-engine-payload.h"#include "detect-engine-build.h"#include "stream.h"#include "stream-tcp.h"#include "util-debug.h"#include "util-print.h"#include "util-unittest.h"#include "util-unittest-helper.h"#include "util-validate.h"#include "util-profiling.h"#include "util-mpm-ac.h"#include "detect-engine-alert.h"
Go to the source code of this file.
Data Structures | |
| struct | StreamMpmData |
| struct | StreamContentInspectData |
| struct | StreamContentInspectEngineData |
Functions | |
| int | PrefilterPktStreamRegister (DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx) |
| int | PrefilterPktPayloadRegister (DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx) |
| uint8_t | DetectEngineInspectPacketPayload (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p) |
| Do the content inspection & validation for a signature. | |
| int | DetectEngineInspectStreamPayload (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p) |
| Do the content inspection & validation for a signature on the raw stream. | |
| uint8_t | DetectEngineInspectStream (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id) |
| inspect engine for stateful rules | |
| void | PayloadRegisterTests (void) |
Detailed Description
Performs payload matching functions
Definition in file detect-engine-payload.c.
Function Documentation
◆ DetectEngineInspectPacketPayload()
| uint8_t DetectEngineInspectPacketPayload | ( | DetectEngineCtx * | de_ctx, |
| DetectEngineThreadCtx * | det_ctx, | ||
| const Signature * | s, | ||
| Flow * | f, | ||
| Packet * | p | ||
| ) |
Do the content inspection & validation for a signature.
- Parameters
-
de_ctx Detection engine context det_ctx Detection engine thread context s Signature to inspect f flow (for pcre flowvar storage) p Packet
- Return values
-
0 no match 1 match
Definition at line 152 of file detect-engine-payload.c.
References de_ctx, StreamMpmData::det_ctx, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD, DETECT_SM_LIST_PMATCH, DetectEngineContentInspection(), Packet_::payload, Packet_::payload_len, SCEnter, SCReturnInt, and Signature_::sm_arrays.
◆ DetectEngineInspectStream()
| uint8_t DetectEngineInspectStream | ( | DetectEngineCtx * | de_ctx, |
| DetectEngineThreadCtx * | det_ctx, | ||
| const struct DetectEngineAppInspectionEngine_ * | engine, | ||
| const Signature * | s, | ||
| Flow * | f, | ||
| uint8_t | flags, | ||
| void * | alstate, | ||
| void * | txv, | ||
| uint64_t | tx_id | ||
| ) |
inspect engine for stateful rules
Caches results as it may be called multiple times if we inspect multiple transactions in one packet.
Returns "can't match" if depth is reached.
Definition at line 298 of file detect-engine-payload.c.
References TcpSession_::client, de_ctx, StreamContentInspectEngineData::det_ctx, DETECT_ENGINE_INSPECT_SIG_CANT_MATCH, DETECT_ENGINE_INSPECT_SIG_MATCH, DETECT_ENGINE_INSPECT_SIG_NO_MATCH, StreamContentInspectEngineData::f, flags, Signature_::flags, TcpStream_::flags, Signature_::id, DetectEngineThreadCtx_::p, Packet_::pcap_cnt, Packet_::proto, Flow_::protoctx, DetectEngineThreadCtx_::raw_stream_progress, StreamContentInspectEngineData::s, SCLogDebug, TcpSession_::server, SIG_FLAG_FLUSH, DetectEngineAppInspectionEngine_::smd, StreamReassembleRaw(), and STREAMTCP_STREAM_FLAG_DEPTH_REACHED.
◆ DetectEngineInspectStreamPayload()
| int DetectEngineInspectStreamPayload | ( | DetectEngineCtx * | de_ctx, |
| DetectEngineThreadCtx * | det_ctx, | ||
| const Signature * | s, | ||
| Flow * | f, | ||
| Packet * | p | ||
| ) |
Do the content inspection & validation for a signature on the raw stream.
- Parameters
-
de_ctx Detection engine context det_ctx Detection engine thread context s Signature to inspect f flow (for pcre flowvar storage)
- Return values
-
0 no match 1 match
Definition at line 248 of file detect-engine-payload.c.
References de_ctx, StreamContentInspectData::det_ctx, StreamContentInspectData::f, Signature_::flags, Flow_::protoctx, StreamContentInspectData::s, SCEnter, SCLogDebug, SIG_FLAG_FLUSH, and StreamReassembleRaw().
◆ PayloadRegisterTests()
| void PayloadRegisterTests | ( | void | ) |
Definition at line 1142 of file detect-engine-payload.c.
References UtRegisterTest().
◆ PrefilterPktPayloadRegister()
| int PrefilterPktPayloadRegister | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| MpmCtx * | mpm_ctx | ||
| ) |
Definition at line 132 of file detect-engine-payload.c.
References de_ctx, StreamMpmData::mpm_ctx, and PrefilterAppendPayloadEngine().
Referenced by PatternMatchPrepareGroup().
◆ PrefilterPktStreamRegister()
| int PrefilterPktStreamRegister | ( | DetectEngineCtx * | de_ctx, |
| SigGroupHead * | sgh, | ||
| MpmCtx * | mpm_ctx | ||
| ) |
Definition at line 109 of file detect-engine-payload.c.
References de_ctx, StreamMpmData::mpm_ctx, and PrefilterAppendPayloadEngine().
Referenced by PatternMatchPrepareGroup().
