aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
main-7.0.x
main-8.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.5
suricata-7.0.16
suricata-8.0.4
suricata-7.0.15
suricata-8.0.3
suricata-7.0.14
suricata-8.0.2
suricata-7.0.13
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'bbcf6fe76b'
${ noResults }
suricata/src/detect-engine.h

214 lines
10 KiB
C
Raw Normal View History Unescape Escape

detect: fix multi inspect buffer issue; clean up Fix multi inspect buffer API causing cleanup logic in the single inspect buffer paths. This could lead to a buffer overrun in the "to clear" logic. Multi buffers now use InspectionBufferSetupMulti instead of InspectionBuffer. This is enforced by a check in debug validation. Simplify the multi inspect buffer setup code and update the callers.
5 years ago
/* Copyright (C) 2007-2021 Open Information Security Foundation
Import of GPLv2 Header 050410
16 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
*/
Switch to using a detection engine ctx.
18 years ago
#ifndef __DETECT_ENGINE_H__
#define __DETECT_ENGINE_H__
Put the precooked runmodes in a separate file.
17 years ago
#include "detect.h"
src: rework includes as per cppclean
4 years ago
#include "suricata.h"
detect/engine: support frames Implement the low level detect engine support for inspecting frames, including MPM, transforms and inspect API's.
5 years ago
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size);
detect: fix heap overflow issue with buffer setup In some cases, the InspectionBufferGet function would be followed by a failure to set the buffer up, for example due to a HTTP body limit not yet being reached. Yet each call to InspectionBufferGet would lead to the matching list_id to be added to the DetectEngineThreadCtx::inspect.to_clear_queue. This array is sized to add each list only once, but in this case the same id could be added multiple times, potentially overflowing the array.
5 years ago
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id,
InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len);
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
void InspectionBufferFree(InspectionBuffer *buffer);
void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size);
void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len);
void InspectionBufferApplyTransforms(InspectionBuffer *buffer,
const DetectEngineTransforms *transforms);
detect: improve inspect buffer handling Fix and Optimize cleanup. For the simple single inspect buffer optimize the cleanup by keeping track of the actually used buffers. This avoid looping over unused buffers. Fix the case of cleaning not being done after a tx if the next tx is also inspected in the context of the same packet. Fix cleanup of the multi-inspect buffers. Optimize in 2 ways. First like with single keep track of which multi-inspect buffers have been used. Second, keep a max of the buffers within a multi-inspect buffer. Use this max to limit (nested) looping.
8 years ago
void InspectionBufferClean(DetectEngineThreadCtx *det_ctx);
InspectionBuffer *InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id);
detect: initialize empty buffers
3 years ago
void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer);
detect: fix multi inspect buffer issue; clean up Fix multi inspect buffer API causing cleanup logic in the single inspect buffer paths. This could lead to a buffer overrun in the "to clear" logic. Multi buffers now use InspectionBufferSetupMulti instead of InspectionBuffer. This is enforced by a check in debug validation. Simplify the multi inspect buffer setup code and update the callers.
5 years ago
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms,
const uint8_t *data, const uint32_t data_len);
InspectionBuffer *InspectionBufferMultipleForListGet(
DetectEngineThreadCtx *det_ctx, const int list_id, uint32_t local_id);
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
detect: split register time and detect load time buffer funcs
5 years ago
/* start up registery funcs */
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
10 years ago
int DetectBufferTypeRegister(const char *name);
int DetectBufferTypeGetByName(const char *name);
void DetectBufferTypeSupportsMpm(const char *name);
void DetectBufferTypeSupportsPacket(const char *name);
detect/engine: support frames Implement the low level detect engine support for inspecting frames, including MPM, transforms and inspect API's.
5 years ago
void DetectBufferTypeSupportsFrames(const char *name);
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
void DetectBufferTypeSupportsTransformations(const char *name);
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
3 years ago
void DetectBufferTypeSupportsMultiInstance(const char *name);
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
10 years ago
int DetectBufferTypeMaxId(void);
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
9 years ago
void DetectBufferTypeCloseRegistration(void);
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
10 years ago
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc);
const char *DetectBufferTypeGetDescriptionByName(const char *name);
void DetectBufferTypeRegisterSetupCallback(const char *name,
detect-engine: add DetectEngineCtx to setup callback function Add detect engine context as variable to setup callback function in 'DetectBufferTypeRegisterSetupCallback'.
8 years ago
void (*Callback)(const DetectEngineCtx *, Signature *));
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
10 years ago
void DetectBufferTypeRegisterValidateCallback(const char *name,
general: Convert _Bool to bool This commit addresses task 3167 and changes usages of '_Bool` to `bool`. The latter is included from `suricata-common.h`
7 years ago
bool (*ValidateCallback)(const Signature *, const char **sigerror));
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
9 years ago
detect: split register time and detect load time buffer funcs
5 years ago
/* detect engine related buffer funcs */
detect/engine: support frames Implement the low level detect engine support for inspecting frames, including MPM, transforms and inspect API's.
5 years ago
int DetectEngineBufferTypeRegisterWithFrameEngines(DetectEngineCtx *de_ctx, const char *name,
const int direction, const AppProto alproto, const uint8_t frame_type);
detect: split register time and detect load time buffer funcs
5 years ago
int DetectEngineBufferTypeRegister(DetectEngineCtx *de_ctx, const char *name);
const char *DetectEngineBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id);
const DetectBufferType *DetectEngineBufferTypeGetById(const DetectEngineCtx *de_ctx, const int id);
bool DetectEngineBufferTypeSupportsMpmGetById(const DetectEngineCtx *de_ctx, const int id);
bool DetectEngineBufferTypeSupportsPacketGetById(const DetectEngineCtx *de_ctx, const int id);
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
3 years ago
bool DetectEngineBufferTypeSupportsMultiInstanceGetById(
const DetectEngineCtx *de_ctx, const int id);
detect: split register time and detect load time buffer funcs
5 years ago
const char *DetectEngineBufferTypeGetDescriptionById(const DetectEngineCtx *de_ctx, const int id);
const DetectBufferType *DetectEngineBufferTypeGetById(const DetectEngineCtx *de_ctx, const int id);
int DetectEngineBufferTypeGetByIdTransforms(
DetectEngineCtx *de_ctx, const int id, TransformData *transforms, int transform_cnt);
void DetectEngineBufferRunSetupCallback(const DetectEngineCtx *de_ctx, const int id, Signature *s);
bool DetectEngineBufferRunValidateCallback(
const DetectEngineCtx *de_ctx, const int id, const Signature *s, const char **sigerror);
bool DetectEngineBufferTypeValidateTransform(DetectEngineCtx *de_ctx, int sm_list,
const uint8_t *content, uint16_t content_len, const char **namestr);
detect/engine: support frames Implement the low level detect engine support for inspecting frames, including MPM, transforms and inspect API's.
5 years ago
void DetectEngineBufferTypeSupportsFrames(DetectEngineCtx *de_ctx, const char *name);
detect: add buffer helper functions
5 years ago
void DetectEngineBufferTypeSupportsPacket(DetectEngineCtx *de_ctx, const char *name);
void DetectEngineBufferTypeSupportsMpm(DetectEngineCtx *de_ctx, const char *name);
void DetectEngineBufferTypeSupportsTransformations(DetectEngineCtx *de_ctx, const char *name);
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
10 years ago
Switch to using a detection engine ctx.
18 years ago
/* prototypes */
detect: initialize detection engine by prefix Initalize detection engine by configuration prefix. DetectEngineCtxInitWithPrefix(const char *prefix) Takes the detection engine configuration from: <prefix>.<config> If prefix is NULL the regular config will be used. Update sure that DetectLoadCompleteSigPath considers the prefix when retrieving the configuration.
12 years ago
DetectEngineCtx *DetectEngineCtxInitWithPrefix(const char *prefix);
Large detection engine update.
18 years ago
DetectEngineCtx *DetectEngineCtxInit(void);
detect: fix delayed detect Last multi-detect changes broken delayed-detect by refusing to reload a 'stub' detect engine. This patch distinguishes between a stub for multi-tenancy and for delayed detect.
8 years ago
DetectEngineCtx *DetectEngineCtxInitStubForDD(void);
DetectEngineCtx *DetectEngineCtxInitStubForMT(void);
Large detection engine update.
18 years ago
void DetectEngineCtxFree(DetectEngineCtx *);
Switch to using a detection engine ctx.
18 years ago
detect: global registery for keyword thread data Some keywords need a scratch space where they can do store the results of expensive operations that remain valid for the time of a packets journey through the detection engine. An example is the reconstructed 'http_header' field, that is needed in MPM, and then for each rule that manually inspects it. Storing this data in the flow is a waste, and reconstructing multiple times on demand as well. This API allows for registering a keyword with an init and free function. It it mean to be used an initialization time, when the keyword is registered.
10 years ago
int DetectRegisterThreadCtxGlobalFuncs(const char *name,
void *(*InitFunc)(void *), void *data, void (*FreeFunc)(void *));
void *DetectThreadCtxGetGlobalKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id);
Adding unittest helper functions for building generic packets, checking arrays of expected match results, perform generic tests, etc. Look at util-unittest-helper.c and detect-ipproto.c for references
17 years ago
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **);
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *);
Speed up per sgh content maxlen calc. Remove mpm ptrs from mpm ctx. Add unittests testing the detection engine internals.
17 years ago
//inline uint32_t DetectEngineGetMaxSigId(DetectEngineCtx *);
/* faster as a macro than a inline function on my box -- VJ */
#define DetectEngineGetMaxSigId(de_ctx) ((de_ctx)->signum)
Put all globals in the detection engine ctx. Add HashList type, a hash that also stores the items ina list to it can be traversed. Many cleanups.
18 years ago
void DetectEngineResetMaxSigId(DetectEngineCtx *);
define a new conf paramter detect-engine:inspection-recursion-limit; Defines a recursion limit for content inspection code
16 years ago
void DetectEngineRegisterTests(void);
detect: add tostring function for DETECT_SM_LIST_ enum.
13 years ago
const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type);
Put all globals in the detection engine ctx. Add HashList type, a hash that also stores the items ina list to it can be traversed. Many cleanups.
18 years ago
detect: use engine version instead of id Use engine version based on global detect engine master. This is incremented between reloads.
10 years ago
uint32_t DetectEngineGetVersion(void);
void DetectEngineBumpVersion(void);
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
12 years ago
int DetectEngineAddToMaster(DetectEngineCtx *de_ctx);
DetectEngineCtx *DetectEngineGetCurrent(void);
multi-detect: (un)register-tenant unix socket commands Make available to live mode and unix socket mode. register-tenant: Loads a new YAML, does basic validation. Loads a new detection engine Loads rules Add new de_ctx to master store and stores tenant id in the de_ctx so we can look it up by tenant id later. unregister-tenant: Gets the de_ctx, moves it to the freelist Removes config Introduce DetectEngineGetByTenantId, which gets a reference to the detect engine by tenant id.
12 years ago
DetectEngineCtx *DetectEngineGetByTenantId(int tenant_id);
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
12 years ago
void DetectEnginePruneFreeList(void);
int DetectEngineMoveToFreeList(DetectEngineCtx *de_ctx);
detect reload: allow master update during reload Add DetectEngineReference, which takes a reference to a detect engine, and make DetectEngineThreadCtxInitForLiveRuleSwap use it. This way reload will not depend on master staying the same. This allows master to be updated in between w/o affecting the reload that is in progress.
11 years ago
DetectEngineCtx *DetectEngineReference(DetectEngineCtx *);
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
12 years ago
void DetectEngineDeReference(DetectEngineCtx **de_ctx);
detect: minor cleanup
8 years ago
int DetectEngineReload(const SCInstance *suri);
runmodes: remove DetectEngineCtx passing from API No longer pass a pointer to the current detection engine to the runmode API calls. Note: breaks delayed detect. Will be fixed in a future commit.
12 years ago
int DetectEngineEnabled(void);
detect: initial MT lookup logic In the DetectEngineThreadCtx, store another DetectEngineThreadCtx per tenant. Currently it's just a simple array indexed by the tenant id.
11 years ago
int DetectEngineMTApply(void);
detect: make multi tenancy a global switch At start up we will set this flag based on "multi-detect.enabled".
11 years ago
int DetectEngineMultiTenantEnabled(void);
unix-socket: don't print unix socket message twice
4 years ago
int DetectEngineMultiTenantSetup(const bool unix_socket);
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
12 years ago
unix-socket: implement reload-rules Implement the reload-rules unix socket command. The unix command thread signals the main thread to do the reload and it waits for it to complete.
11 years ago
int DetectEngineReloadStart(void);
int DetectEngineReloadIsStart(void);
detect-engine: remove DONE state Remove the DONE state to fix a problem with state not being changed correctly when multiple reload were done. As DONE was not really useful, we can remove it.
10 years ago
void DetectEngineReloadSetIdle(void);
int DetectEngineReloadIsIdle(void);
unix-socket: implement reload-rules Implement the reload-rules unix socket command. The unix command thread signals the main thread to do the reload and it waits for it to complete.
11 years ago
multi-detect: detect loader for unix socket Move the tenant load and reload commands to be executed by the detect loader thread(s). Limitation: no yaml parsing in parallel. The Conf API is currently not thread safe, so don't load the tenant config (yaml) in parallel.
11 years ago
int DetectEngineLoadTenantBlocking(uint32_t tenant_id, const char *yaml);
int DetectEngineReloadTenantBlocking(uint32_t tenant_id, const char *yaml, int reload_cnt);
multi-detect: cleanup, reuse tenant loading code Reuse tenant loading from YAML code for Unix Socket.
11 years ago
detect: spelling: multi-tenancy fixes
3 years ago
int DetectEngineTenantRegisterLivedev(uint32_t tenant_id, int device_id);
int DetectEngineTenantRegisterVlanId(uint32_t tenant_id, uint16_t vlan_id);
int DetectEngineTenantUnregisterVlanId(uint32_t tenant_id, uint16_t vlan_id);
int DetectEngineTenantRegisterPcapFile(uint32_t tenant_id);
int DetectEngineTenantUnregisterPcapFile(uint32_t tenant_id);
unix-socket: implement register-tenant-handler Register tenant handlers/selectors based on what the unix command "register-tenant-handler" tells. Check traffic id before adding it. No duplicated registrations for a traffic id are allowed.
11 years ago
detect: remove wrappers around DetectEngineInspectGenericList
4 years ago
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *, DetectEngineThreadCtx *,
const struct DetectEngineAppInspectionEngine_ *, const Signature *, Flow *, uint8_t, void *,
void *, uint64_t);
detect-dns: move DetectEngineInspectGenericList to detect-engine.c Move DetectEngineInspectGenericList from detect-engine-dns.c to detect-engine.c to enable it to be used other places as well.
10 years ago
detect: change InspectEngineFuncPtr2 to return uint8_t
4 years ago
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
void *alstate, void *txv, uint64_t tx_id);
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
7 years ago
int DetectEngineInspectPktBufferGeneric(
DetectEngineThreadCtx *det_ctx,
const DetectEnginePktInspectionEngine *engine,
const Signature *s, Packet *p, uint8_t *alert_flags);
New app inspection engine introduced. Moved existing inspecting engines to use it.
14 years ago
/**
* \brief Registers an app inspection engine.
*
detect: detect engine registration cleanup
10 years ago
* \param name Name of the detection list
New app inspection engine introduced. Moved existing inspecting engines to use it.
14 years ago
* \param alproto App layer protocol for which we will register the engine.
detect: clean up inspect engine registration
10 years ago
* \param direction The direction for the engine: SIG_FLAG_TOSERVER or
* SIG_FLAG_TOCLIENT
detect: register progress in inspect engines Register required progress so we can stop inspecting as soon as the progress isn't far enough yet.
9 years ago
* \param progress Minimal progress value for inspect engine to run
New app inspection engine introduced. Moved existing inspecting engines to use it.
14 years ago
* \param Callback The engine callback.
*/
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
void DetectAppLayerInspectEngineRegister2(const char *name,
AppProto alproto, uint32_t dir, int progress,
InspectEngineFuncPtr2 Callback2,
InspectionBufferGetDataPtr GetData);
detect: remove hardcoded sm_list logic from setup Introduce utility functions to aid this.
10 years ago
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
7 years ago
void DetectPktInspectEngineRegister(const char *name,
InspectionBufferGetPktDataPtr GetPktData,
InspectionBufferPktInspectFunc Callback);
detect/engine: support frames Implement the low level detect engine support for inspecting frames, including MPM, transforms and inspect API's.
5 years ago
void DetectFrameInspectEngineRegister(const char *name, int dir,
InspectionBufferFrameInspectFunc Callback, AppProto alproto, uint8_t type);
void DetectEngineFrameInspectEngineRegister(DetectEngineCtx *de_ctx, const char *name, int dir,
InspectionBufferFrameInspectFunc Callback, AppProto alproto, uint8_t type);
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
9 years ago
int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature *s);
detect: Provide `de_ctx` to free functions This commit makes sure that the `DetectEngineCtx *` is available to each detector's "free" function.
6 years ago
void DetectEngineAppInspectionEngineSignatureFree(DetectEngineCtx *, Signature *s);
detect-engine: improved inspect engines Inspect engines are called per signature per sigmatch list. Most wrap around DetectEngineContentInspection, but it's more generic. Until now, the inspect engines were setup in a large per ipproto, per alproto, per direction table. For stateful inspection each engine needed a global flag. This approach had a number of issues: 1. inefficient: each inspection round walked the table and then checked if the inspect engine was even needed for the current rule. 2. clumsy registration with global flag registration. 3. global flag space was approaching the need for 64 bits 4. duplicate registration for alprotos supporting both TCP and TCP (DNS). This patch introduces a new approach. First, it does away with the per ipproto engines. This wasn't used. Second, it adds a per signature list of inspect engine containing only those engines that actually apply to the rule. Third, it gets rid of the global flags and replaces it with flags assigned per rule per engine.
10 years ago
detect/engine: support frames Implement the low level detect engine support for inspecting frames, including MPM, transforms and inspect API's.
5 years ago
bool DetectEngineFrameInspectionRun(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
const Signature *s, Flow *f, Packet *p, uint8_t *alert_flags);
detect: pkt inspect engines Instead of hard coded calls to the inspection logic for payload inspection and 'MATCH'-list inspection use a callback approach. This will register a callback per 'sm_list' much like how app-layer inspect engines are registered. This will allow for adding more types later without adding runtime overhead. Implement the callback for the PMATCH and MATCH logic.
7 years ago
bool DetectEnginePktInspectionRun(ThreadVars *tv,
DetectEngineThreadCtx *det_ctx, const Signature *s,
Flow *f, Packet *p,
uint8_t *alert_flags);
int DetectEnginePktInspectionSetup(Signature *s);
output-json-alert: conditionaly output metadata Metadata of the signature can now conditionaly put in the alert events. This will allow user to get more context about the events generated by the alert. detect-metadata: conditional parsing Only parses metadata if an output module will use the information. Patch also adds a unittest to check metadata is not parsed if not asked to. output-json-alert: optional output keys as array Update rule metadata configuration to have an option to output value as array. Also adds an option to log only a series of keys as array. This is useful in the case of some ruleset where from instance the `tag` key is used multiple time. (Jason Ish) rule metadata: always log as lists After review of rule metadata, we can't make assumptions on what should be a list or not. So log everything as a list.
9 years ago
void DetectEngineSetParseMetadata(void);
void DetectEngineUnsetParseMetadata(void);
int DetectEngineMustParseMetadata(void);
detect: pass de_ctx to DetectBufferSetActiveList
3 years ago
SigMatch *DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id);
SigMatch *DetectBufferGetLastSigMatch(const Signature *s, const uint32_t buf_id);
bool DetectBufferIsPresent(const Signature *s, const uint32_t buf_id);
int WARN_UNUSED DetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list);
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
9 years ago
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s);
detect: add util funcs to get first and last sigmatch for buffer
3 years ago
SigMatch *DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id);
SigMatch *DetectBufferGetLastSigMatch(const Signature *s, const uint32_t buf_id);
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
fuzz: target must use the rules it parsed DetectEngineReloadThreads does not work for the fuzz targets as there is no_of_detect_tvs = 0 as we did not register real threads and slots. So, we force the flow worker module to use the newly detect engine conetxt with all it needs
5 years ago
DetectEngineThreadCtx *DetectEngineThreadCtxInitForReload(
ThreadVars *tv, DetectEngineCtx *new_de_ctx, int mt);
detect: clean up detect-engine-state.h Remove prototypes that are not about purely the data structures.
4 years ago
void DetectRunStoreStateTx(const SigGroupHead *sgh, Flow *f, void *tx, uint64_t tx_id,
const Signature *s, uint32_t inspect_flags, uint8_t flow_flags,
const uint16_t file_no_match);
void DetectRunStoreStateTxFileOnly(const SigGroupHead *sgh, Flow *f, void *tx, uint64_t tx_id,
const uint8_t flow_flags, const uint16_t file_no_match);
void DetectEngineStateResetTxs(Flow *f);
void DeStateRegisterTests(void);
Switch to using a detection engine ctx.
18 years ago
#endif /* __DETECT_ENGINE_H__ */