suricata
#include "suricata-common.h"
#include "detect-engine.h"
#include "util-hash.h"
#include "util-atomic.h"
#include "util-time.h"
#include "util-hashlist.h"
#include "detect-engine-tag.h"
#include "detect-engine-build.h"
#include "detect-tag.h"
#include "host.h"
#include "host-storage.h"
#include "flow-storage.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "flow-util.h"
#include "stream-tcp-private.h"
Functions

SC_ATOMIC_DECLARE(unsigned int, num_tags)

void TagInitCtx(void)

void TagDestroyCtx(void)
    Destroy tag context hash tables.

int TagHostHasTag(Host *host)

int TagFlowAdd(Packet *p, DetectTagDataEntry *tde)
    Add a tag to a session (type session), or update it if it is already installed. The number of times an existing entry may be updated is limited by DETECT_TAG_MATCH_LIMIT, so repeated matches of the same rule cannot keep re-setting tags; this bounds the work an attacker can force through a rule that fires continuously (a DoS vector).

int TagHashAddTag(DetectTagDataEntry *tde, Packet *p)
    Add a tag entry for a host. If one already exists, update it.

void TagHandlePacket(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
    Search tags for src and dst. Update the tag entries, removing them if necessary.

int TagTimeoutCheck(Host *host, SCTime_t ts)
    Remove the entries exceeding the maximum timeout value.

void DetectEngineTagRegisterTests(void)
    Register unit tests for DetectTag.
Implements a global context that stores data related to hosts and sessions flagged by the tag keyword.
Definition in file detect-engine-tag.c.
void DetectEngineTagRegisterTests(void)
Registers the unit tests for DetectTag.
Definition at line 1397 of file detect-engine-tag.c.
References UtRegisterTest().

SC_ATOMIC_DECLARE(unsigned int, num_tags)
Atomic counter of currently tagged hosts/sessions. Per-packet code checks it first so that, when nothing is tagged, the tag lookup and the locking it requires are skipped entirely.
void TagDestroyCtx(void)
Destroy tag context hash tables.
Parameters:
  tag_ctx  Tag context (listed in the source comment, but the function takes no arguments; the context is global)
Definition at line 72 of file detect-engine-tag.c.
References BUG_ON, and SC_ATOMIC_GET.
Referenced by GlobalsDestroy().

int TagFlowAdd(Packet *p, DetectTagDataEntry *tde)
Add a tag to a session (type session), or update it if it is already installed. The number of times an existing entry may be updated is limited by DETECT_TAG_MATCH_LIMIT, so repeated matches of the same rule cannot keep re-setting tags; this bounds the work an attacker can force through a rule that fires continuously (a DoS vector).
Parameters:
  p    pointer to the current packet
  tde  pointer to the new DetectTagDataEntry
Returns:
  0  if the tde was added successfully
  1  if an entry for this sid/gid already existed and was updated
Definition at line 115 of file detect-engine-tag.c.
References DetectTagDataEntry_::bytes, DetectTagDataEntry_::cnt_match, DETECT_TAG_MATCH_LIMIT, DETECT_TAG_MAX_TAGS, DetectTagDataEntry_::first_ts, Packet_::flow, FlowGetStorageById(), FlowSetStorageById(), DetectTagDataEntry_::gid, DetectTagDataEntry_::last_ts, DetectTagDataEntry_::next, DetectTagDataEntry_::packets, SC_ATOMIC_ADD, SCLogDebug, SCTIME_SECS, and DetectTagDataEntry_::sid.

void TagHandlePacket(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Search tags for src and dst. Update the tag entries, removing them if necessary.
Parameters:
  de_ctx   Detect context
  det_ctx  Detect thread context
  p        packet
Definition at line 523 of file detect-engine-tag.c.
References dst, Packet_::flow, HostUnlock(), SC_ATOMIC_GET, SCEnter, SCReturn, src, and TagHostHasTag().
Referenced by PacketAlertFinalize().

int TagHashAddTag(DetectTagDataEntry *tde, Packet *p)
Add a tag entry for a host. If one already exists, update it. The entry is stored in the host's storage slot for either the source or the destination host, as recorded by the TAG_ENTRY_FLAG_DIR_SRC / TAG_ENTRY_FLAG_DIR_DST flags; the same DETECT_TAG_MATCH_LIMIT and DETECT_TAG_MAX_TAGS bounds used for sessions apply.
Parameters:
  tag_ctx  Tag context for hosts (listed in the source comment, but not an argument of this function; the context is global)
  tde      Tag data
  p        packet
Returns:
  0  if it was added
  1  if it was updated
Definition at line 173 of file detect-engine-tag.c.
References DetectTagDataEntry_::bytes, DetectTagDataEntry_::cnt_match, DETECT_TAG_MATCH_LIMIT, DETECT_TAG_MAX_TAGS, Packet_::dst, DetectTagDataEntry_::first_ts, DetectTagDataEntry_::flags, DetectTagDataEntry_::gid, HostGetHostFromHash(), HostGetStorageById(), HostRelease(), HostSetStorageById(), DetectTagDataEntry_::last_ts, DetectTagDataEntry_::next, DetectTagDataEntry_::packets, SC_ATOMIC_ADD, SCEnter, SCLogDebug, SCReturnInt, DetectTagDataEntry_::sid, Packet_::src, tag, TAG_ENTRY_FLAG_DIR_DST, and TAG_ENTRY_FLAG_DIR_SRC.

int TagHostHasTag(Host *host)
Definition at line 79 of file detect-engine-tag.c.
References HostGetStorageById().
Referenced by TagHandlePacket().

void TagInitCtx(void)
Definition at line 52 of file detect-engine-tag.c.
References DetectTagDataListFree(), FatalError, FlowStorageRegister(), HostStorageRegister(), FlowStorageId::id, HostStorageId_::id, and SC_ATOMIC_INIT.
Referenced by PostConfLoadedSetup(), and RunUnittests().

int TagTimeoutCheck(Host *host, SCTime_t ts)
Remove the entries exceeding the maximum timeout value (TAG_MAX_LAST_TIME_SEEN, measured from each entry's last_ts).
Parameters:
  tag_ctx  Tag context (listed in the source comment, but not an argument; the context is global)
  host     the host whose tag storage is checked
  ts       the current time
Returns:
  1  no tags, or all tags removed: the host is free to go (from the tag perspective)
  0  still active tags
Definition at line 565 of file detect-engine-tag.c.
References HostGetStorageById(), HostSetStorageById(), DetectTagDataEntry_::last_ts, DetectTagDataEntry_::next, SC_ATOMIC_SUB, SCFree, SCTIME_ADD_SECS, SCTIME_CMP_GTE, TAG_MAX_LAST_TIME_SEEN, and ts.
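As an added example, the following stand-alone C program models the bookkeeping that TagFlowAdd, TagHashAddTag and TagTimeoutCheck perform: one linked list of sid/gid entries per session or host, a per-entry refresh cap (DETECT_TAG_MATCH_LIMIT), a per-list size cap (DETECT_TAG_MAX_TAGS) and idle expiry (TAG_MAX_LAST_TIME_SEEN). It is written for this page and is not Suricata's code: the TagEntry/TagList types, the function names tag_list_add, tag_list_timeout_check, tag_demo and tag_cap_demo, the constant values 10, 50 and 600 seconds, and the timestamps in the demo are all assumptions; the direction flags and the flow/host storage lookups of the real functions are left out.

```c
/* Stand-alone model of the tag bookkeeping in detect-engine-tag.c, written for
 * this page rather than taken from Suricata: names and constant values assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#define DETECT_TAG_MATCH_LIMIT 10  /* assumed: refreshes allowed per sid/gid entry */
#define DETECT_TAG_MAX_TAGS    50  /* assumed: max entries per flow or host */
#define TAG_MAX_LAST_TIME_SEEN 600 /* assumed: idle seconds before an entry expires */
typedef struct TagEntry_ {
    uint32_t sid, gid;
    uint32_t cnt_match;            /* accepted re-matches of this rule so far */
    uint32_t packets, bytes;       /* reset on every accepted refresh */
    uint64_t first_ts, last_ts;    /* seconds */
    struct TagEntry_ *next;
} TagEntry;
typedef struct { TagEntry *head; unsigned int num_tags; } TagList;

/* Models TagFlowAdd/TagHashAddTag: 0 = added, 1 = entry for this sid/gid already
 * existed (refreshed, or left alone once DETECT_TAG_MATCH_LIMIT is reached), -1 =
 * list full. The cap stops a rule that keeps firing from extending its own tag. */
int tag_list_add(TagList *l, uint32_t sid, uint32_t gid, uint64_t now)
{
    unsigned int count = 0;
    for (TagEntry *e = l->head; e != NULL; e = e->next, count++) {
        if (e->sid != sid || e->gid != gid)
            continue;
        if (e->cnt_match < DETECT_TAG_MATCH_LIMIT) {
            e->cnt_match++;
            e->first_ts = e->last_ts = now;
            e->packets = e->bytes = 0;
        }
        return 1;
    }
    if (count >= DETECT_TAG_MAX_TAGS)
        return -1;
    TagEntry *e = calloc(1, sizeof(*e));
    if (e == NULL)
        return -1;
    e->sid = sid; e->gid = gid;
    e->first_ts = e->last_ts = now;
    e->next = l->head;             /* prepend to the per-flow/host list */
    l->head = e;
    l->num_tags++;                 /* the real code bumps the num_tags atomic */
    return 0;
}

/* Models TagTimeoutCheck: drop entries idle longer than TAG_MAX_LAST_TIME_SEEN;
 * returns 1 when no tags remain (free to go), 0 while active tags exist. */
int tag_list_timeout_check(TagList *l, uint64_t now)
{
    TagEntry **pp = &l->head;
    while (*pp != NULL) {
        TagEntry *e = *pp;
        if (e->last_ts + TAG_MAX_LAST_TIME_SEEN < now) {
            *pp = e->next;
            free(e);
            l->num_tags--;
        } else {
            pp = &e->next;
        }
    }
    return l->head == NULL ? 1 : 0;
}

/* Worked scenario on constructed timestamps: 0 on success, else the failing step. */
int tag_demo(void)
{
    TagList l = {0};
    if (tag_list_add(&l, 1000, 1, 100) != 0) return 1;  /* first match: added */
    if (tag_list_add(&l, 1000, 1, 101) != 1) return 2;  /* same rule: updated */
    for (uint64_t i = 0; i < 20; i++)                   /* flood of re-matches */
        tag_list_add(&l, 1000, 1, 102 + i);
    if (l.head->cnt_match != DETECT_TAG_MATCH_LIMIT) return 3; /* capped at 10 */
    if (l.head->last_ts != 110) return 4;               /* no refresh past the cap */
    if (tag_list_add(&l, 2000, 1, 130) != 0) return 5;  /* another rule: added */
    if (l.num_tags != 2) return 6;
    if (tag_list_timeout_check(&l, 140) != 0) return 7; /* both still active */
    if (tag_list_timeout_check(&l, 131 + TAG_MAX_LAST_TIME_SEEN) != 1) return 8;
    return l.num_tags == 0 ? 0 : 9;
}

/* Returns 1 if DETECT_TAG_MAX_TAGS rejects one more distinct rule, 0 otherwise. */
int tag_cap_demo(void)
{
    TagList l = {0};
    for (uint32_t sid = 1; sid <= DETECT_TAG_MAX_TAGS; sid++)
        if (tag_list_add(&l, sid, 1, 1) != 0) return 0;
    int rejected = (tag_list_add(&l, DETECT_TAG_MAX_TAGS + 1, 1, 1) == -1);
    tag_list_timeout_check(&l, 2 + TAG_MAX_LAST_TIME_SEEN); /* expires and frees all */
    return rejected;
}

int main(void)
{
    printf("tag_demo=%d (0 means pass), cap_enforced=%d\n", tag_demo(), tag_cap_demo());
    return 0;
}
```

A rule tagging a session reaches the TagFlowAdd path and one tagging a host reaches TagHashAddTag; in both, a rule that keeps re-firing on the same session or host refreshes its entry at most DETECT_TAG_MATCH_LIMIT times, after which further matches return 1 without touching the timestamps, so the tag eventually ages out through TagTimeoutCheck instead of living for as long as the attacker keeps triggering the rule. The size cap is the second half of the same defence: an attacker cannot grow a single host's tag list without bound by matching many different rules.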
