#include "suricata-common.h"#include "decode.h"#include "action-globals.h"#include "detect.h"#include "threads.h"#include "flow.h"#include "flow-bit.h"#include "flow-util.h"#include "detect-flowbits.h"#include "util-spm.h"#include "rust.h"#include "app-layer-parser.h"#include "detect-parse.h"#include "detect-engine.h"#include "detect-engine-mpm.h"#include "detect-engine-state.h"#include "detect-engine-build.h"#include "detect-engine-prefilter.h"#include "tree.h"#include "util-var-name.h"#include "util-unittest.h"#include "util-debug.h"#include "util-conf.h"
Go to the source code of this file.
Data Structures | |
| struct | FBAnalyzer |
| struct | FBAnalyze |
| struct | PrefilterFlowbit |
| struct | PrefilterEngineFlowbits |
Macros | |
| #define | PARSE_REGEX "^([a-z]+)(?:,\\s*(.*))?" |
| #define | MAX_TOKENS 100 |
| #define | MAX_SIDS 8 |
| #define | BLOCK_SIZE 8 |
Functions | |
| int | DetectFlowbitMatch (DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *) |
| void | DetectFlowbitFree (DetectEngineCtx *, void *) |
| void | FlowBitsRegisterTests (void) |
| this function registers unit tests for FlowBits | |
| void | DetectFlowbitsRegister (void) |
| int | DetectFlowbitsAnalyze (DetectEngineCtx *de_ctx) |
| struct PrefilterFlowbit | __attribute__ ((__packed__)) |
| DNP3 link header. | |
| RB_HEAD (PFB, PrefilterFlowbit) | |
| RB_PROTOTYPE (PFB, PrefilterFlowbit, rb, PrefilterFlowbitCompare) | |
| RB_GENERATE (PFB, PrefilterFlowbit, rb, PrefilterFlowbitCompare) | |
Variables | |
| bool | rule_engine_analysis_set |
| SCMutex | g_flowbits_dump_write_m = SCMUTEX_INITIALIZER |
| uint32_t | id |
| uint32_t | rule_id_size |
| uint32_t | rule_id_cnt |
| uint32_t * | rule_id |
| struct PrefilterEngineFlowbits | __attribute__ |
| DNP3 application header. | |
Detailed Description
Implements the flowbits keyword
Definition in file detect-flowbits.c.
Macro Definition Documentation
◆ BLOCK_SIZE
| #define BLOCK_SIZE 8 |
Definition at line 1044 of file detect-flowbits.c.
◆ MAX_SIDS
| #define MAX_SIDS 8 |
Definition at line 470 of file detect-flowbits.c.
◆ MAX_TOKENS
| #define MAX_TOKENS 100 |
Definition at line 58 of file detect-flowbits.c.
◆ PARSE_REGEX
| #define PARSE_REGEX "^([a-z]+)(?:,\\s*(.*))?" |
Definition at line 55 of file detect-flowbits.c.
Function Documentation
◆ DetectFlowbitFree()
| void DetectFlowbitFree | ( | DetectEngineCtx * | de_ctx, |
| void * | ptr | ||
| ) |
Definition at line 398 of file detect-flowbits.c.
References DetectFlowbitsData_::idx, DetectFlowbitsData_::or_list, DetectFlowbitsData_::or_list_size, SCFree, VAR_TYPE_FLOW_BIT, and VarNameStoreUnregister().
Referenced by DetectFlowbitsRegister().
◆ DetectFlowbitMatch()
| int DetectFlowbitMatch | ( | DetectEngineThreadCtx * | det_ctx, |
| Packet * | p, | ||
| const Signature * | s, | ||
| const SigMatchCtx * | ctx | ||
| ) |
Definition at line 206 of file detect-flowbits.c.
References DetectFlowbitsData_::cmd, ctx, DETECT_FLOWBITS, DETECT_FLOWBITS_CMD_ISNOTSET, DETECT_FLOWBITS_CMD_ISSET, DETECT_FLOWBITS_CMD_SET, DETECT_FLOWBITS_CMD_TOGGLE, DETECT_FLOWBITS_CMD_UNSET, DetectFlowbitsData_::idx, DetectFlowbitsData_::post_rule_match_prefilter, PostRuleMatchWorkQueueAppend(), SCLogDebug, and SCLogError.
Referenced by DetectFlowbitsRegister().
◆ DetectFlowbitsAnalyze()
| int DetectFlowbitsAnalyze | ( | DetectEngineCtx * | de_ctx | ) |
Definition at line 569 of file detect-flowbits.c.
References FBAnalyzer::array, FBAnalyzer::array_size, FBAnalyze::cnts, de_ctx, DETECT_FLOWBITS_CMD_ISNOTSET, DETECT_FLOWBITS_CMD_ISSET, DETECT_FLOWBITS_CMD_SET, DETECT_FLOWBITS_CMD_TOGGLE, DETECT_FLOWBITS_CMD_UNSET, Signature_::id, Signature_::init_data, SignatureInitData_::init_flags, SignatureInitData_::is_rule_state_dependant, FBAnalyze::isset_sids, FBAnalyze::isset_sids_idx, DetectEngineCtx_::max_fb_id, rule_engine_analysis_set, SignatureInitData_::rule_state_dependant_sids_array, SignatureInitData_::rule_state_dependant_sids_idx, SignatureInitData_::rule_state_dependant_sids_size, SignatureInitData_::rule_state_flowbits_ids_array, SignatureInitData_::rule_state_flowbits_ids_size, SCCalloc, SCLogDebug, SCLogError, SCLogWarning, SCRealloc, FBAnalyze::set_sids, FBAnalyze::set_sids_idx, DetectEngineCtx_::sig_array, DetectEngineCtx_::sig_array_len, SIG_FLAG_INIT_STATE_MATCH, FBAnalyze::state_cnts, VAR_TYPE_FLOW_BIT, and VarNameStoreSetupLookup().
Referenced by SigPrepareStage1().
◆ DetectFlowbitsRegister()
| void DetectFlowbitsRegister | ( | void | ) |
Definition at line 71 of file detect-flowbits.c.
References SigTableElmt_::desc, DETECT_FLOWBITS, DETECT_TABLE_APP_FILTER_FLAG, DETECT_TABLE_APP_TD_FLAG, DETECT_TABLE_PACKET_FILTER_FLAG, DETECT_TABLE_PACKET_PRE_STREAM_FLAG, DETECT_TABLE_PACKET_TD_FLAG, DetectFlowbitFree(), DetectFlowbitMatch(), DetectSetupParseRegexes(), SigTableElmt_::flags, FlowBitsRegisterTests(), SigTableElmt_::Free, SigTableElmt_::Match, SigTableElmt_::name, PARSE_REGEX, SigTableElmt_::RegisterTests, SigTableElmt_::Setup, SigTableElmt_::SetupPrefilter, SIGMATCH_IPONLY_COMPAT, SIGMATCH_SUPPORT_FIREWALL, sigmatch_table, SigTableElmt_::SupportsPrefilter, SigTableElmt_::tables, and SigTableElmt_::url.
Referenced by SigTableSetup().
◆ FlowBitsRegisterTests()
| void FlowBitsRegisterTests | ( | void | ) |
this function registers unit tests for FlowBits
Definition at line 1790 of file detect-flowbits.c.
References UtRegisterTest().
Referenced by DetectFlowbitsRegister().
◆ RB_GENERATE()
| RB_GENERATE | ( | PFB | , |
| PrefilterFlowbit | , | ||
| rb | , | ||
| PrefilterFlowbitCompare | |||
| ) |
◆ RB_HEAD()
| RB_HEAD | ( | PFB | , |
| PrefilterFlowbit | |||
| ) |
red-black tree prototype for PFB (Prefilter Flow Bits)
◆ RB_PROTOTYPE()
| RB_PROTOTYPE | ( | PFB | , |
| PrefilterFlowbit | , | ||
| rb | , | ||
| PrefilterFlowbitCompare | |||
| ) |
Variable Documentation
◆ __attribute__
| struct StreamingBufferSegment_ __attribute__ |
DNP3 application header.
DNP3 internal indicators.
Part of the application header for responses only.
◆ g_flowbits_dump_write_m
| SCMutex g_flowbits_dump_write_m = SCMUTEX_INITIALIZER |
Definition at line 816 of file detect-flowbits.c.
◆ id
| uint32_t id |
flowbit id
Definition at line 938 of file detect-flowbits.c.
Referenced by AppLayerProtoDetectDeSetup(), DetectAppLayerMpmRegisterByParentId(), DetectEngineBufferTypeGetById(), DetectRegisterThreadCtxGlobalFuncs(), DetectThreadCtxGetGlobalKeywordThreadCtx(), DetectThreadCtxGetKeywordThreadCtx(), PktVarAdd(), PoolThreadGetById(), PoolThreadLock(), PoolThreadReturn(), PoolThreadReturnRaw(), PoolThreadUnlock(), SCDetectHelperKeywordSetCleanCString(), SCOutputRegisterFiledataLogger(), SCOutputRegisterFileLogger(), SCOutputRegisterStreamingLogger(), SCOutputRegisterTxLogger(), SCProfilingKeywordUpdateCounter(), SCProfilingPrefilterUpdateCounter(), SigMatchSilentErrorEnabled(), StatsAddUI64(), StatsDecr(), StatsGetLocalCounterValue(), StatsIncr(), StatsRegisterAvgCounter(), StatsRegisterCounter(), StatsRegisterGlobalCounter(), StatsRegisterMaxCounter(), StatsSetUI64(), StorageAllocByIdPrealloc(), StorageFreeById(), StorageGetById(), StorageSetById(), TmModuleGetById(), TmqhGetQueueHandlerByID(), and VarNameStoreRegister().
◆ rule_engine_analysis_set
|
extern |
Definition at line 56 of file detect-engine-loader.c.
Referenced by DetectFlowbitsAnalyze(), and SigLoadSignatures().
◆ rule_id
| uint32_t* rule_id |
array of signature iid that are part of this prefilter
Definition at line 941 of file detect-flowbits.c.
◆ rule_id_cnt
| uint32_t rule_id_cnt |
usage in elements of rule_id
Definition at line 940 of file detect-flowbits.c.
◆ rule_id_size
| uint32_t rule_id_size |
size in elements of rule_id
Definition at line 939 of file detect-flowbits.c.
