aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e5010d7704'
${ noResults }
suricata/src/detect-engine.c

4477 lines
140 KiB
C
Raw Normal View History Unescape Escape

GPL and Copyright header updates.
15 years ago
/* Copyright (C) 2007-2010 Open Information Security Foundation
Import of GPLv2 Header 050410
16 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
*/
Switch to using a detection engine ctx.
17 years ago
Rename to Suricata.
16 years ago
#include "suricata-common.h"
live rule support added To reload ruleset during engine runtime, send the USR2 signal to the engine, and the ruleset would be reloaded from the same yaml file supplied at engine startup
13 years ago
#include "suricata.h"
Switch to using a detection engine ctx.
17 years ago
#include "debug.h"
#include "detect.h"
#include "flow.h"
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
#include "flow-private.h"
#include "flow-util.h"
flowworker: initial support Initial version of the 'FlowWorker' thread module. This module combines Flow handling, TCP handling, App layer handling and Detection in a single module. It does all flow related processing under a single flow lock.
9 years ago
#include "flow-worker.h"
Add fatal failures on unittest and siginit failure (using Conf API)
16 years ago
#include "conf.h"
define a new conf paramter detect-engine:inspection-recursion-limit; Defines a recursion limit for content inspection code
15 years ago
#include "conf-yaml-loader.h"
Switch to using a detection engine ctx.
17 years ago
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
#include "app-layer-parser.h"
If new ruleset requires any htp callbacks that aren't already set, don't load new ruleset; request user to restart suricata + disable setting fileinsepection flags unconditionally in main
13 years ago
#include "app-layer-htp.h"
Switch to using a detection engine ctx.
17 years ago
#include "detect-parse.h"
Order the signatures based on certain rule parameters like actions, flowbits, flowvar, pktvar, priority etc
16 years ago
#include "detect-engine-sigorder.h"
Switch to using a detection engine ctx.
17 years ago
Large detection engine update.
17 years ago
#include "detect-engine-siggroup.h"
#include "detect-engine-address.h"
Put all globals in the detection engine ctx. Add HashList type, a hash that also stores the items ina list to it can be traversed. Many cleanups.
17 years ago
#include "detect-engine-port.h"
detect/prefilter: move hash into detect engine ctx
8 years ago
#include "detect-engine-prefilter.h"
Cleanups
16 years ago
#include "detect-engine-mpm.h"
#include "detect-engine-iponly.h"
Adding tag keyword support
15 years ago
#include "detect-engine-tag.h"
Put all globals in the detection engine ctx. Add HashList type, a hash that also stores the items ina list to it can be traversed. Many cleanups.
17 years ago
New app inspection engine introduced. Moved existing inspecting engines to use it.
13 years ago
#include "detect-engine-file.h"
Speed up per sgh content maxlen calc. Remove mpm ptrs from mpm ctx. Add unittests testing the detection engine internals.
16 years ago
#include "detect-engine.h"
New app inspection engine introduced. Moved existing inspecting engines to use it.
13 years ago
#include "detect-engine-state.h"
detect: improve stateful detection Now that MPM runs when the TX progress is right, stateful detection operates differently. Changes: 1. raw stream inspection is now also an inspect engine Since this engine doesn't take the transactions into account, it could potentially run multiple times on the same data. To avoid this, basic result caching is in place. 2. the engines are sorted by progress, but the 'MPM' engine is first even if the progress is higher If MPM flags a rule to be inspected, the inspect engine for that buffer runs first. If this step fails, the rule is no longer evaluated. No state is stored.
8 years ago
#include "detect-engine-payload.h"
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
#include "detect-byte-extract.h"
Cleanups
16 years ago
#include "detect-content.h"
#include "detect-uricontent.h"
detect: tcp.hdr sticky buffer Sticky buffer to inspect the TCP header.
6 years ago
#include "detect-tcphdr.h"
Threshold Rule
16 years ago
#include "detect-engine-threshold.h"
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
#include "detect-engine-content-inspection.h"
Cleanups
16 years ago
detect loader: move to own file
10 years ago
#include "detect-engine-loader.h"
clean classification config API
13 years ago
#include "util-classification-config.h"
clean reference config API
13 years ago
#include "util-reference-config.h"
live rule support added To reload ruleset during engine runtime, send the USR2 signal to the engine, and the ruleset would be reloaded from the same yaml file supplied at engine startup
13 years ago
#include "util-threshold-config.h"
Changed the way cuda dispatcher passes back results. Now each detection thread has it's own queue to which the dispatcher can pump packets back to the detect thread. Also, with cuda enabled and a non-cuda mpm being used, we won't create a dispatcher and instead call the b2g scan/search funtions directly instead of using the dispatcher.
16 years ago
#include "util-error.h"
Put all globals in the detection engine ctx. Add HashList type, a hash that also stores the items ina list to it can be traversed. Many cleanups.
17 years ago
#include "util-hash.h"
Adding settings for detect engine group config
16 years ago
#include "util-byte.h"
Add fatal failures on unittest and siginit failure (using Conf API)
16 years ago
#include "util-debug.h"
define a new conf paramter detect-engine:inspection-recursion-limit; Defines a recursion limit for content inspection code
15 years ago
#include "util-unittest.h"
live rule support added To reload ruleset during engine runtime, send the USR2 signal to the engine, and the ruleset would be reloaded from the same yaml file supplied at engine startup
13 years ago
#include "util-action.h"
#include "util-magic.h"
Introduce util-signal.[ch]. Move our signal setup functions here
13 years ago
#include "util-signal.h"
spm: add SinglePatternMatchDefaultMatcher Allows selecting SPM algorithm with the 'spm-algo' value in the YAML config file.
9 years ago
#include "util-spm.h"
multi-tenant: introduce device selector Add device to tenant mapping support: mappings: - device: ens5f0 tenant-id: 1 - device: ens5f1 tenant-id: 23 Implemented by assigning the tenant id to the 'livedev', which means it's only supported for capture methods that use the livedev API. It's also currently not supported for IPS. In a case like 'eth0 -> eth1' it's unclear which tenant should be used for the return traffic in a flow, where the incoming device is 'eth1'.
8 years ago
#include "util-device.h"
Add support for flowbits.
17 years ago
#include "util-var-name.h"
profiling: fix undefined profiling code use
6 years ago
#include "util-profiling.h"
Add per packet profiling. Per packet profiling uses tick based accounting. It has 2 outputs, a summary and a csv file that contains per packet stats. Stats per packet include: 1) total ticks spent 2) ticks spent per individual thread module 3) "threading overhead" which is simply calculated by subtracting (2) of (1). A number of changes were made to integrate the new code in a clean way: a number of generic enums are now placed in tm-threads-common.h so we can include them from any part of the engine. Code depends on --enable-profiling just like the rule profiling code. New yaml parameters: profiling: # packet profiling packets: # Profiling can be disabled here, but it will still have a # performance impact if compiled in. enabled: yes filename: packet_stats.log append: yes # per packet csv output csv: # Output can be disabled here, but it will still have a # performance impact if compiled in. enabled: no filename: packet_stats.csv Example output of summary stats: IP ver Proto cnt min max avg ------ ----- ------ ------ ---------- ------- IPv4 6 19436 11448 5404365 32993 IPv4 256 4 11511 49968 30575 Per Thread module stats: Thread Module IP ver Proto cnt min max avg ------------------------ ------ ----- ------ ------ ---------- ------- TMM_DECODEPCAPFILE IPv4 6 19434 1242 47889 1770 TMM_DETECT IPv4 6 19436 1107 137241 1504 TMM_ALERTFASTLOG IPv4 6 19436 90 1323 155 TMM_ALERTUNIFIED2ALERT IPv4 6 19436 108 1359 138 TMM_ALERTDEBUGLOG IPv4 6 19436 90 1134 154 TMM_LOGHTTPLOG IPv4 6 19436 414 5392089 7944 TMM_STREAMTCP IPv4 6 19434 828 1299159 19438 The proto 256 is a counter for handling of pseudo/tunnel packets. Example output of csv: pcap_cnt,ipver,ipproto,total,TMM_DECODENFQ,TMM_VERDICTNFQ,TMM_RECEIVENFQ,TMM_RECEIVEPCAP,TMM_RECEIVEPCAPFILE,TMM_DECODEPCAP,TMM_DECODEPCAPFILE,TMM_RECEIVEPFRING,TMM_DECODEPFRING,TMM_DETECT,TMM_ALERTFASTLOG,TMM_ALERTFASTLOG4,TMM_ALERTFASTLOG6,TMM_ALERTUNIFIEDLOG,TMM_ALERTUNIFIEDALERT,TMM_ALERTUNIFIED2ALERT,TMM_ALERTPRELUDE,TMM_ALERTDEBUGLOG,TMM_ALERTSYSLOG,TMM_LOGDROPLOG,TMM_ALERTSYSLOG4,TMM_ALERTSYSLOG6,TMM_RESPONDREJECT,TMM_LOGHTTPLOG,TMM_LOGHTTPLOG4,TMM_LOGHTTPLOG6,TMM_PCAPLOG,TMM_STREAMTCP,TMM_DECODEIPFW,TMM_VERDICTIPFW,TMM_RECEIVEIPFW,TMM_RECEIVEERFFILE,TMM_DECODEERFFILE,TMM_RECEIVEERFDAG,TMM_DECODEERFDAG,threading 1,4,6,172008,0,0,0,0,0,0,47889,0,0,48582,1323,0,0,0,0,1359,0,1134,0,0,0,0,0,8028,0,0,0,49356,0,0,0,0,0,0,0,14337 First line of the file contains labels. 2 example gnuplot scripts added to plot the data.
14 years ago
#include "tm-threads.h"
New app inspection engine introduced. Moved existing inspecting engines to use it.
13 years ago
#include "runmodes.h"
Add support for flowbits.
17 years ago
Simple IP reputation implementation
13 years ago
#include "reputation.h"
change the default recursion limit in the code to 3000, the value which we currently have in the conf file. Also change print modifier for printing timeval
15 years ago
#define DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT 3000
define a new conf paramter detect-engine:inspection-recursion-limit; Defines a recursion limit for content inspection code
15 years ago
detect: reload thread init cleanup Rename the thread init function DetectEngineThreadCtxInitForLiveRuleSwap to DetectEngineThreadCtxInitForReload and change it's logic to take the new detection engine as argument and let it return the DetectEngineThreadCtx or NULL on error. The old approach used the thread init API format, but it wasn't used in that way.
11 years ago
static DetectEngineThreadCtx *DetectEngineThreadCtxInitForReload(
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
ThreadVars *tv, DetectEngineCtx *new_de_ctx, int mt);
live rule support added To reload ruleset during engine runtime, send the USR2 signal to the engine, and the ruleset would be reloaded from the same yaml file supplied at engine startup
13 years ago
yaml: convert detect-engine to just detect Instead of detect-engine which used a list for no good reason, use a simple map now. detect: profile: medium custom-values: toclient-groups: 3 toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. #delayed-detect: yes
10 years ago
static int DetectEngineCtxLoadConf(DetectEngineCtx *);
define a new conf paramter detect-engine:inspection-recursion-limit; Defines a recursion limit for content inspection code
15 years ago
detect: global registery for keyword thread data Some keywords need a scratch space where they can do store the results of expensive operations that remain valid for the time of a packets journey through the detection engine. An example is the reconstructed 'http_header' field, that is needed in MPM, and then for each rule that manually inspects it. Storing this data in the flow is a waste, and reconstructing multiple times on demand as well. This API allows for registering a keyword with an init and free function. It it mean to be used an initialization time, when the keyword is registered.
9 years ago
static DetectEngineMasterCtx g_master_de_ctx = { SCMUTEX_INITIALIZER,
detect: use engine version instead of id Use engine version based on global detect engine master. This is incremented between reloads.
9 years ago
0, 99, NULL, NULL, TENANT_SELECTOR_UNKNOWN, NULL, NULL, 0};
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
static uint32_t TenantIdHash(HashTable *h, void *data, uint16_t data_len);
static char TenantIdCompare(void *d1, uint16_t d1_len, void *d2, uint16_t d2_len);
static void TenantIdFree(void *d);
multi-tenant: introduce device selector Add device to tenant mapping support: mappings: - device: ens5f0 tenant-id: 1 - device: ens5f1 tenant-id: 23 Implemented by assigning the tenant id to the 'livedev', which means it's only supported for capture methods that use the livedev API. It's also currently not supported for IPS. In a case like 'eth0 -> eth1' it's unclear which tenant should be used for the return traffic in a flow, where the incoming device is 'eth1'.
8 years ago
static uint32_t DetectEngineTentantGetIdFromLivedev(const void *ctx, const Packet *p);
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
static uint32_t DetectEngineTentantGetIdFromVlanId(const void *ctx, const Packet *p);
static uint32_t DetectEngineTentantGetIdFromPcap(const void *ctx, const Packet *p);
detect: initial MT lookup logic In the DetectEngineThreadCtx, store another DetectEngineThreadCtx per tenant. Currently it's just a simple array indexed by the tenant id.
11 years ago
detect-engine: improved inspect engines Inspect engines are called per signature per sigmatch list. Most wrap around DetectEngineContentInspection, but it's more generic. Until now, the inspect engines were setup in a large per ipproto, per alproto, per direction table. For stateful inspection each engine needed a global flag. This approach had a number of issues: 1. inefficient: each inspection round walked the table and then checked if the inspect engine was even needed for the current rule. 2. clumsy registration with global flag registration. 3. global flag space was approaching the need for 64 bits 4. duplicate registration for alprotos supporting both TCP and TCP (DNS). This patch introduces a new approach. First, it does away with the per ipproto engines. This wasn't used. Second, it adds a per signature list of inspect engine containing only those engines that actually apply to the rule. Third, it gets rid of the global flags and replaces it with flags assigned per rule per engine.
9 years ago
static DetectEngineAppInspectionEngine *g_app_inspect_engines = NULL;
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
static DetectEnginePktInspectionEngine *g_pkt_inspect_engines = NULL;
New app inspection engine introduced. Moved existing inspecting engines to use it.
13 years ago
detect: set events in inspection phase During the inspection phase actually is not possible to catch an error if it occurs. This patch permits to store events in the detection engine such that we can match on events and catch them.
8 years ago
SCEnumCharMap det_ctx_event_table[ ] = {
#ifdef UNITTESTS
{ "TEST", DET_CTX_EVENT_TEST },
#endif
{ "NO_MEMORY", FILE_DECODER_EVENT_NO_MEM },
{ "INVALID_SWF_LENGTH", FILE_DECODER_EVENT_INVALID_SWF_LENGTH },
{ "INVALID_SWF_VERSION", FILE_DECODER_EVENT_INVALID_SWF_VERSION },
{ "Z_DATA_ERROR", FILE_DECODER_EVENT_Z_DATA_ERROR },
{ "Z_STREAM_ERROR", FILE_DECODER_EVENT_Z_STREAM_ERROR },
{ "Z_BUF_ERROR", FILE_DECODER_EVENT_Z_BUF_ERROR },
{ "Z_UNKNOWN_ERROR", FILE_DECODER_EVENT_Z_UNKNOWN_ERROR },
{ "LZMA_DECODER_ERROR", FILE_DECODER_EVENT_LZMA_DECODER_ERROR },
{ "LZMA_MEMLIMIT_ERROR", FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR },
{ "LZMA_OPTIONS_ERROR", FILE_DECODER_EVENT_LZMA_OPTIONS_ERROR },
{ "LZMA_FORMAT_ERROR", FILE_DECODER_EVENT_LZMA_FORMAT_ERROR },
{ "LZMA_DATA_ERROR", FILE_DECODER_EVENT_LZMA_DATA_ERROR },
{ "LZMA_BUF_ERROR", FILE_DECODER_EVENT_LZMA_BUF_ERROR },
{ "LZMA_UNKNOWN_ERROR", FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR },
{ NULL, -1 },
};
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
/** \brief register inspect engine at start up time
*
* \note errors are fatal */
void DetectPktInspectEngineRegister(const char *name,
InspectionBufferGetPktDataPtr GetPktData,
InspectionBufferPktInspectFunc Callback)
{
DetectBufferTypeRegister(name);
const int sm_list = DetectBufferTypeGetByName(name);
if (sm_list == -1) {
FatalError(SC_ERR_INITIALIZATION,
"failed to register inspect engine %s", name);
}
if ((sm_list < DETECT_SM_LIST_MATCH) || (sm_list >= SHRT_MAX) ||
(Callback == NULL))
{
SCLogError(SC_ERR_INVALID_ARGUMENTS, "Invalid arguments");
BUG_ON(1);
}
DetectEnginePktInspectionEngine *new_engine = SCCalloc(1, sizeof(*new_engine));
if (unlikely(new_engine == NULL)) {
FatalError(SC_ERR_INITIALIZATION,
"failed to register inspect engine %s: %s", name, strerror(errno));
}
new_engine->sm_list = sm_list;
new_engine->v1.Callback = Callback;
new_engine->v1.GetData = GetPktData;
if (g_pkt_inspect_engines == NULL) {
g_pkt_inspect_engines = new_engine;
} else {
DetectEnginePktInspectionEngine *t = g_pkt_inspect_engines;
while (t->next != NULL) {
t = t->next;
}
t->next = new_engine;
}
}
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
/** \brief register inspect engine at start up time
*
* \note errors are fatal */
detect: detect engine registration cleanup
9 years ago
void DetectAppLayerInspectEngineRegister(const char *name,
detect: register progress in inspect engines Register required progress so we can stop inspecting as soon as the progress isn't far enough yet.
8 years ago
AppProto alproto, uint32_t dir,
int progress, InspectEngineFuncPtr Callback)
New app inspection engine introduced. Moved existing inspecting engines to use it.
13 years ago
{
detect-engine: check for tx detect flag support When registing a detection engine, check that the app-layer protocol supports tx detect flags. Exit with a fatal error if it does not as this is a code implementation error that should be resolved during development.
6 years ago
if (AppLayerParserIsTxAware(alproto)) {
if (!AppLayerParserSupportsTxDetectFlags(alproto)) {
FatalError(SC_ERR_INITIALIZATION,
"Inspect engine registered for app-layer protocol without "
"TX detect flag support: %s", AppProtoToString(alproto));
}
}
detect: detect engine registration cleanup
9 years ago
DetectBufferTypeRegister(name);
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
const int sm_list = DetectBufferTypeGetByName(name);
if (sm_list == -1) {
FatalError(SC_ERR_INITIALIZATION,
"failed to register inspect engine %s", name);
}
detect: remove hardcoded sm_list logic from setup Introduce utility functions to aid this.
9 years ago
detect app-layer-event: clean up registration Move engine and registration into the keyword file. Register as 'ALPROTO_UNKNOWN' instead of per alproto. The registration will only apply it to those rules that have events set.
9 years ago
if ((alproto >= ALPROTO_FAILED) ||
detect: clean up inspect engine registration
9 years ago
(!(dir == SIG_FLAG_TOSERVER || dir == SIG_FLAG_TOCLIENT)) ||
detect: improve stateful detection Now that MPM runs when the TX progress is right, stateful detection operates differently. Changes: 1. raw stream inspection is now also an inspect engine Since this engine doesn't take the transactions into account, it could potentially run multiple times on the same data. To avoid this, basic result caching is in place. 2. the engines are sorted by progress, but the 'MPM' engine is first even if the progress is higher If MPM flags a rule to be inspected, the inspect engine for that buffer runs first. If this step fails, the rule is no longer evaluated. No state is stored.
8 years ago
(sm_list < DETECT_SM_LIST_MATCH) || (sm_list >= SHRT_MAX) ||
(progress < 0 || progress >= SHRT_MAX) ||
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
(Callback == NULL))
{
New app inspection engine introduced. Moved existing inspecting engines to use it.
13 years ago
SCLogError(SC_ERR_INVALID_ARGUMENTS, "Invalid arguments");
detect: register progress in inspect engines Register required progress so we can stop inspecting as soon as the progress isn't far enough yet.
8 years ago
BUG_ON(1);
New app inspection engine introduced. Moved existing inspecting engines to use it.
13 years ago
}
detect: clean up inspect engine registration
9 years ago
int direction;
if (dir == SIG_FLAG_TOSERVER) {
direction = 0;
} else {
direction = 1;
}
New app inspection engine introduced. Moved existing inspecting engines to use it.
13 years ago
DetectEngineAppInspectionEngine *new_engine = SCMalloc(sizeof(DetectEngineAppInspectionEngine));
if (unlikely(new_engine == NULL)) {
exit(EXIT_FAILURE);
}
memset(new_engine, 0, sizeof(*new_engine));
new_engine->alproto = alproto;
detect: clean up inspect engine registration
9 years ago
new_engine->dir = direction;
New app inspection engine introduced. Moved existing inspecting engines to use it.
13 years ago
new_engine->sm_list = sm_list;
detect: register progress in inspect engines Register required progress so we can stop inspecting as soon as the progress isn't far enough yet.
8 years ago
new_engine->progress = progress;
New app inspection engine introduced. Moved existing inspecting engines to use it.
13 years ago
new_engine->Callback = Callback;
detect-engine: improved inspect engines Inspect engines are called per signature per sigmatch list. Most wrap around DetectEngineContentInspection, but it's more generic. Until now, the inspect engines were setup in a large per ipproto, per alproto, per direction table. For stateful inspection each engine needed a global flag. This approach had a number of issues: 1. inefficient: each inspection round walked the table and then checked if the inspect engine was even needed for the current rule. 2. clumsy registration with global flag registration. 3. global flag space was approaching the need for 64 bits 4. duplicate registration for alprotos supporting both TCP and TCP (DNS). This patch introduces a new approach. First, it does away with the per ipproto engines. This wasn't used. Second, it adds a per signature list of inspect engine containing only those engines that actually apply to the rule. Third, it gets rid of the global flags and replaces it with flags assigned per rule per engine.
9 years ago
if (g_app_inspect_engines == NULL) {
g_app_inspect_engines = new_engine;
} else {
DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
while (t->next != NULL) {
t = t->next;
}
New app inspection engine introduced. Moved existing inspecting engines to use it.
13 years ago
detect-engine: improved inspect engines Inspect engines are called per signature per sigmatch list. Most wrap around DetectEngineContentInspection, but it's more generic. Until now, the inspect engines were setup in a large per ipproto, per alproto, per direction table. For stateful inspection each engine needed a global flag. This approach had a number of issues: 1. inefficient: each inspection round walked the table and then checked if the inspect engine was even needed for the current rule. 2. clumsy registration with global flag registration. 3. global flag space was approaching the need for 64 bits 4. duplicate registration for alprotos supporting both TCP and TCP (DNS). This patch introduces a new approach. First, it does away with the per ipproto engines. This wasn't used. Second, it adds a per signature list of inspect engine containing only those engines that actually apply to the rule. Third, it gets rid of the global flags and replaces it with flags assigned per rule per engine.
9 years ago
t->next = new_engine;
}
detect-engine: new registration call Make it more in line with MPM registration.
9 years ago
}
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
/** \brief register inspect engine at start up time
*
* \note errors are fatal */
void DetectAppLayerInspectEngineRegister2(const char *name,
AppProto alproto, uint32_t dir, int progress,
InspectEngineFuncPtr2 Callback2,
InspectionBufferGetDataPtr GetData)
{
DetectBufferTypeRegister(name);
const int sm_list = DetectBufferTypeGetByName(name);
if (sm_list == -1) {
FatalError(SC_ERR_INITIALIZATION,
"failed to register inspect engine %s", name);
}
if ((alproto >= ALPROTO_FAILED) ||
(!(dir == SIG_FLAG_TOSERVER || dir == SIG_FLAG_TOCLIENT)) ||
(sm_list < DETECT_SM_LIST_MATCH) || (sm_list >= SHRT_MAX) ||
(progress < 0 || progress >= SHRT_MAX) ||
(Callback2 == NULL))
{
SCLogError(SC_ERR_INVALID_ARGUMENTS, "Invalid arguments");
BUG_ON(1);
} else if (Callback2 == DetectEngineInspectBufferGeneric && GetData == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENTS, "Invalid arguments: must register "
"GetData with DetectEngineInspectBufferGeneric");
BUG_ON(1);
}
int direction;
if (dir == SIG_FLAG_TOSERVER) {
direction = 0;
} else {
direction = 1;
}
DetectEngineAppInspectionEngine *new_engine = SCMalloc(sizeof(DetectEngineAppInspectionEngine));
if (unlikely(new_engine == NULL)) {
exit(EXIT_FAILURE);
}
memset(new_engine, 0, sizeof(*new_engine));
new_engine->alproto = alproto;
new_engine->dir = direction;
new_engine->sm_list = sm_list;
new_engine->progress = progress;
new_engine->v2.Callback = Callback2;
new_engine->v2.GetData = GetData;
if (g_app_inspect_engines == NULL) {
g_app_inspect_engines = new_engine;
} else {
DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
while (t->next != NULL) {
t = t->next;
}
t->next = new_engine;
}
}
detect/inspect engines: copy to detect engine ctx Register rule-time engines in the detect engine. This is necessary now that rule parsing can create new buffers.
8 years ago
/* copy an inspect engine with transforms to a new list id. */
static void DetectAppLayerInspectEngineCopy(
DetectEngineCtx *de_ctx,
int sm_list, int new_list,
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
const DetectEngineTransforms *transforms)
{
detect/inspect engines: copy to detect engine ctx Register rule-time engines in the detect engine. This is necessary now that rule parsing can create new buffers.
8 years ago
const DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
while (t) {
if (t->sm_list == sm_list) {
DetectEngineAppInspectionEngine *new_engine = SCCalloc(1, sizeof(DetectEngineAppInspectionEngine));
if (unlikely(new_engine == NULL)) {
exit(EXIT_FAILURE);
}
new_engine->alproto = t->alproto;
new_engine->dir = t->dir;
detect/inspect engines: copy to detect engine ctx Register rule-time engines in the detect engine. This is necessary now that rule parsing can create new buffers.
8 years ago
new_engine->sm_list = new_list; /* use new list id */
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
new_engine->progress = t->progress;
new_engine->Callback = t->Callback;
new_engine->v2 = t->v2;
detect/inspect engines: copy to detect engine ctx Register rule-time engines in the detect engine. This is necessary now that rule parsing can create new buffers.
8 years ago
new_engine->v2.transforms = transforms; /* assign transforms */
if (de_ctx->app_inspect_engines == NULL) {
de_ctx->app_inspect_engines = new_engine;
} else {
DetectEngineAppInspectionEngine *list = de_ctx->app_inspect_engines;
while (list->next != NULL) {
list = list->next;
}
list->next = new_engine;
}
}
t = t->next;
}
}
/* copy inspect engines from global registrations to de_ctx list */
static void DetectAppLayerInspectEngineCopyListToDetectCtx(DetectEngineCtx *de_ctx)
{
const DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
while (t) {
DetectEngineAppInspectionEngine *new_engine = SCCalloc(1, sizeof(DetectEngineAppInspectionEngine));
if (unlikely(new_engine == NULL)) {
exit(EXIT_FAILURE);
}
new_engine->alproto = t->alproto;
new_engine->dir = t->dir;
new_engine->sm_list = t->sm_list;
new_engine->progress = t->progress;
new_engine->Callback = t->Callback;
new_engine->v2 = t->v2;
if (de_ctx->app_inspect_engines == NULL) {
de_ctx->app_inspect_engines = new_engine;
} else {
DetectEngineAppInspectionEngine *list = de_ctx->app_inspect_engines;
while (list->next != NULL) {
list = list->next;
}
list->next = new_engine;
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
}
detect/inspect engines: copy to detect engine ctx Register rule-time engines in the detect engine. This is necessary now that rule parsing can create new buffers.
8 years ago
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
t = t->next;
}
}
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
/* copy an inspect engine with transforms to a new list id. */
static void DetectPktInspectEngineCopy(
DetectEngineCtx *de_ctx,
int sm_list, int new_list,
const DetectEngineTransforms *transforms)
{
const DetectEnginePktInspectionEngine *t = g_pkt_inspect_engines;
while (t) {
if (t->sm_list == sm_list) {
DetectEnginePktInspectionEngine *new_engine = SCCalloc(1, sizeof(DetectEnginePktInspectionEngine));
if (unlikely(new_engine == NULL)) {
exit(EXIT_FAILURE);
}
new_engine->sm_list = new_list; /* use new list id */
new_engine->v1 = t->v1;
new_engine->v1.transforms = transforms; /* assign transforms */
if (de_ctx->pkt_inspect_engines == NULL) {
de_ctx->pkt_inspect_engines = new_engine;
} else {
DetectEnginePktInspectionEngine *list = de_ctx->pkt_inspect_engines;
while (list->next != NULL) {
list = list->next;
}
list->next = new_engine;
}
}
t = t->next;
}
}
/* copy inspect engines from global registrations to de_ctx list */
static void DetectPktInspectEngineCopyListToDetectCtx(DetectEngineCtx *de_ctx)
{
const DetectEnginePktInspectionEngine *t = g_pkt_inspect_engines;
while (t) {
SCLogDebug("engine %p", t);
DetectEnginePktInspectionEngine *new_engine = SCCalloc(1, sizeof(DetectEnginePktInspectionEngine));
if (unlikely(new_engine == NULL)) {
exit(EXIT_FAILURE);
}
new_engine->sm_list = t->sm_list;
new_engine->v1 = t->v1;
if (de_ctx->pkt_inspect_engines == NULL) {
de_ctx->pkt_inspect_engines = new_engine;
} else {
DetectEnginePktInspectionEngine *list = de_ctx->pkt_inspect_engines;
while (list->next != NULL) {
list = list->next;
}
list->next = new_engine;
}
t = t->next;
}
}
detect: improve stateful detection Now that MPM runs when the TX progress is right, stateful detection operates differently. Changes: 1. raw stream inspection is now also an inspect engine Since this engine doesn't take the transactions into account, it could potentially run multiple times on the same data. To avoid this, basic result caching is in place. 2. the engines are sorted by progress, but the 'MPM' engine is first even if the progress is higher If MPM flags a rule to be inspected, the inspect engine for that buffer runs first. If this step fails, the rule is no longer evaluated. No state is stored.
8 years ago
/** \internal
* \brief append the stream inspection
*
* If stream inspection is MPM, then prepend it.
*/
static void AppendStreamInspectEngine(Signature *s, SigMatchData *stream, int direction, uint32_t id)
{
bool prepend = false;
DetectEngineAppInspectionEngine *new_engine = SCCalloc(1, sizeof(DetectEngineAppInspectionEngine));
if (unlikely(new_engine == NULL)) {
exit(EXIT_FAILURE);
}
if (SigMatchListSMBelongsTo(s, s->init_data->mpm_sm) == DETECT_SM_LIST_PMATCH) {
SCLogDebug("stream is mpm");
prepend = true;
new_engine->mpm = true;
}
new_engine->alproto = ALPROTO_UNKNOWN; /* all */
new_engine->dir = direction;
detect: rewrite of the detect engine Use per tx detect_flags to track prefilter. Detect flags are used for 2 things: 1. marking tx as fully inspected 2. tracking already run prefilter (incl mpm) engines This supercedes the MpmIDs API for directionless tracking of the prefilter engines. When we have no SGH we have to flag the txs that are 'complete' as inspected as well. Special handling for the stream engine: If a rule mixes TX inspection and STREAM inspection, we can encounter the case where the rule is evaluated against multiple transactions during a single inspection run. As the stream data is exactly the same for each of those runs, it's wasteful to rerun inspection of the stream portion of the rule. This patch enables caching of the stream 'inspect engine' result in the local 'RuleMatchCandidateTx' array. This is valid only during the live of a single inspection run. Remove stateful inspection from 'mask' (SignatureMask). The mask wasn't used in most cases for those rules anyway, as there we rely on the prefilter. Add a alproto check to catch the remaining cases. When building the active non-mpm/non-prefilter list check not just the mask, but also the alproto. This especially helps stateful rules with negated mpm. Simplify AppLayerParserHasDecoderEvents usage in detection to only return true if protocol detection events are set. Other detection is done in inspect engines. Move rule group lookup and handling into it's own function. Handle 'post lookup' tasks immediately, instead of after the first detect run. The tasks were independent of the initial detection. Many cleanups and much refactoring.
8 years ago
new_engine->stream = true;
detect: improve stateful detection Now that MPM runs when the TX progress is right, stateful detection operates differently. Changes: 1. raw stream inspection is now also an inspect engine Since this engine doesn't take the transactions into account, it could potentially run multiple times on the same data. To avoid this, basic result caching is in place. 2. the engines are sorted by progress, but the 'MPM' engine is first even if the progress is higher If MPM flags a rule to be inspected, the inspect engine for that buffer runs first. If this step fails, the rule is no longer evaluated. No state is stored.
8 years ago
new_engine->sm_list = DETECT_SM_LIST_PMATCH;
new_engine->smd = stream;
new_engine->Callback = DetectEngineInspectStream;
new_engine->progress = 0;
/* append */
if (s->app_inspect == NULL) {
s->app_inspect = new_engine;
new_engine->id = DE_STATE_FLAG_BASE; /* id is used as flag in stateful detect */
} else if (prepend) {
new_engine->next = s->app_inspect;
s->app_inspect = new_engine;
new_engine->id = id;
} else {
DetectEngineAppInspectionEngine *a = s->app_inspect;
while (a->next != NULL) {
a = a->next;
}
a->next = new_engine;
new_engine->id = id;
}
SCLogDebug("sid %u: engine %p/%u added", s->id, new_engine, new_engine->id);
}
detect: fix multiple files per tx inspect Fix the inspection of multiple files in a single TX, where new files may be added to the TX after inspection started. Assign the hard coded id DE_STATE_FLAG_FILE_INSPECT to the file inspect engine. Make sure that sigs that do file inspection and don't match on the current file always store a detailed state. This state will include the DE_STATE_FLAG_FILE_INSPECT flag. When the app-layer indicates a new file is available, for each sig that has the DE_STATE_FLAG_FILE_INSPECT flag set, reset part of the state so that the sig is evaluated again.
8 years ago
/**
* \note for the file inspect engine, the id DE_STATE_ID_FILE_INSPECT
* is assigned.
*/
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature *s)
detect-engine: improved inspect engines Inspect engines are called per signature per sigmatch list. Most wrap around DetectEngineContentInspection, but it's more generic. Until now, the inspect engines were setup in a large per ipproto, per alproto, per direction table. For stateful inspection each engine needed a global flag. This approach had a number of issues: 1. inefficient: each inspection round walked the table and then checked if the inspect engine was even needed for the current rule. 2. clumsy registration with global flag registration. 3. global flag space was approaching the need for 64 bits 4. duplicate registration for alprotos supporting both TCP and TCP (DNS). This patch introduces a new approach. First, it does away with the per ipproto engines. This wasn't used. Second, it adds a per signature list of inspect engine containing only those engines that actually apply to the rule. Third, it gets rid of the global flags and replaces it with flags assigned per rule per engine.
9 years ago
{
detect: register dynamic buffers into de_ctx Register buffers that are created during rule parsing. Currently this means an existing buffer with one or more transformations.
8 years ago
const int nlists = s->init_data->smlists_array_size;
detect: remove hardcoded sm_list logic from setup Introduce utility functions to aid this.
9 years ago
SigMatchData *ptrs[nlists];
memset(&ptrs, 0, (nlists * sizeof(SigMatchData *)));
detect: shrink Signature::sm_arrays Signature::sm_arrays now only contains 'built-in' lists, and so is sized appropriately.
9 years ago
detect: improve stateful detection Now that MPM runs when the TX progress is right, stateful detection operates differently. Changes: 1. raw stream inspection is now also an inspect engine Since this engine doesn't take the transactions into account, it could potentially run multiple times on the same data. To avoid this, basic result caching is in place. 2. the engines are sorted by progress, but the 'MPM' engine is first even if the progress is higher If MPM flags a rule to be inspected, the inspect engine for that buffer runs first. If this step fails, the rule is no longer evaluated. No state is stored.
8 years ago
const int mpm_list = s->init_data->mpm_sm ?
SigMatchListSMBelongsTo(s, s->init_data->mpm_sm) :
-1;
detect: fix multiple files per tx inspect Fix the inspection of multiple files in a single TX, where new files may be added to the TX after inspection started. Assign the hard coded id DE_STATE_FLAG_FILE_INSPECT to the file inspect engine. Make sure that sigs that do file inspection and don't match on the current file always store a detailed state. This state will include the DE_STATE_FLAG_FILE_INSPECT flag. When the app-layer indicates a new file is available, for each sig that has the DE_STATE_FLAG_FILE_INSPECT flag set, reset part of the state so that the sig is evaluated again.
8 years ago
const int files_id = DetectBufferTypeGetByName("files");
detect: shrink Signature::sm_arrays Signature::sm_arrays now only contains 'built-in' lists, and so is sized appropriately.
9 years ago
/* convert lists to SigMatchData arrays */
int i = 0;
detect: cleanup built-in list id's
9 years ago
for (i = DETECT_SM_LIST_DYNAMIC_START; i < nlists; i++) {
detect: shrink Signature::sm_arrays Signature::sm_arrays now only contains 'built-in' lists, and so is sized appropriately.
9 years ago
if (s->init_data->smlists[i] == NULL)
continue;
ptrs[i] = SigMatchList2DataArray(s->init_data->smlists[i]);
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
SCLogDebug("ptrs[%d] is set", i);
detect: shrink Signature::sm_arrays Signature::sm_arrays now only contains 'built-in' lists, and so is sized appropriately.
9 years ago
}
detect-engine: memory handling of sm_lists For lists that are registered multiple times, like http_header and http_cookie, making the engines owner of the lists is complicated. Multiple engines in a sig may be pointing to the same list. To address this the 'free' code needs to be extra careful about not double freeing, so it takes an approach to first fill an array of the to-free pointers before freeing them.
9 years ago
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
/* set up pkt inspect engines */
const DetectEnginePktInspectionEngine *e = de_ctx->pkt_inspect_engines;
while (e != NULL) {
SCLogDebug("e %p sm_list %u nlists %u ptrs[] %p", e, e->sm_list, nlists, e->sm_list < nlists ? ptrs[e->sm_list] : NULL);
if (e->sm_list < nlists && ptrs[e->sm_list] != NULL) {
bool prepend = false;
DetectEnginePktInspectionEngine *new_engine = SCCalloc(1, sizeof(DetectEnginePktInspectionEngine));
if (unlikely(new_engine == NULL)) {
exit(EXIT_FAILURE);
}
if (mpm_list == e->sm_list) {
SCLogDebug("%s is mpm", DetectBufferTypeGetNameById(de_ctx, e->sm_list));
prepend = true;
new_engine->mpm = true;
}
new_engine->sm_list = e->sm_list;
new_engine->smd = ptrs[new_engine->sm_list];
new_engine->v1 = e->v1;
SCLogDebug("sm_list %d new_engine->v1 %p/%p/%p",
new_engine->sm_list, new_engine->v1.Callback,
new_engine->v1.GetData, new_engine->v1.transforms);
if (s->pkt_inspect == NULL) {
s->pkt_inspect = new_engine;
} else if (prepend) {
new_engine->next = s->pkt_inspect;
s->pkt_inspect = new_engine;
} else {
DetectEnginePktInspectionEngine *a = s->pkt_inspect;
while (a->next != NULL) {
a = a->next;
}
new_engine->next = a->next;
a->next = new_engine;
}
}
e = e->next;
}
detect: improve stateful detection Now that MPM runs when the TX progress is right, stateful detection operates differently. Changes: 1. raw stream inspection is now also an inspect engine Since this engine doesn't take the transactions into account, it could potentially run multiple times on the same data. To avoid this, basic result caching is in place. 2. the engines are sorted by progress, but the 'MPM' engine is first even if the progress is higher If MPM flags a rule to be inspected, the inspect engine for that buffer runs first. If this step fails, the rule is no longer evaluated. No state is stored.
8 years ago
bool head_is_mpm = false;
uint32_t last_id = DE_STATE_FLAG_BASE;
detect/inspect engines: copy to detect engine ctx Register rule-time engines in the detect engine. This is necessary now that rule parsing can create new buffers.
8 years ago
const DetectEngineAppInspectionEngine *t = de_ctx->app_inspect_engines;
detect-engine: improved inspect engines Inspect engines are called per signature per sigmatch list. Most wrap around DetectEngineContentInspection, but it's more generic. Until now, the inspect engines were setup in a large per ipproto, per alproto, per direction table. For stateful inspection each engine needed a global flag. This approach had a number of issues: 1. inefficient: each inspection round walked the table and then checked if the inspect engine was even needed for the current rule. 2. clumsy registration with global flag registration. 3. global flag space was approaching the need for 64 bits 4. duplicate registration for alprotos supporting both TCP and TCP (DNS). This patch introduces a new approach. First, it does away with the per ipproto engines. This wasn't used. Second, it adds a per signature list of inspect engine containing only those engines that actually apply to the rule. Third, it gets rid of the global flags and replaces it with flags assigned per rule per engine.
9 years ago
while (t != NULL) {
detect: improve stateful detection Now that MPM runs when the TX progress is right, stateful detection operates differently. Changes: 1. raw stream inspection is now also an inspect engine Since this engine doesn't take the transactions into account, it could potentially run multiple times on the same data. To avoid this, basic result caching is in place. 2. the engines are sorted by progress, but the 'MPM' engine is first even if the progress is higher If MPM flags a rule to be inspected, the inspect engine for that buffer runs first. If this step fails, the rule is no longer evaluated. No state is stored.
8 years ago
bool prepend = false;
detect: register dynamic buffers into de_ctx Register buffers that are created during rule parsing. Currently this means an existing buffer with one or more transformations.
8 years ago
if (t->sm_list >= nlists)
goto next;
detect: shrink Signature::sm_arrays Signature::sm_arrays now only contains 'built-in' lists, and so is sized appropriately.
9 years ago
if (ptrs[t->sm_list] == NULL)
detect-engine: improved inspect engines Inspect engines are called per signature per sigmatch list. Most wrap around DetectEngineContentInspection, but it's more generic. Until now, the inspect engines were setup in a large per ipproto, per alproto, per direction table. For stateful inspection each engine needed a global flag. This approach had a number of issues: 1. inefficient: each inspection round walked the table and then checked if the inspect engine was even needed for the current rule. 2. clumsy registration with global flag registration. 3. global flag space was approaching the need for 64 bits 4. duplicate registration for alprotos supporting both TCP and TCP (DNS). This patch introduces a new approach. First, it does away with the per ipproto engines. This wasn't used. Second, it adds a per signature list of inspect engine containing only those engines that actually apply to the rule. Third, it gets rid of the global flags and replaces it with flags assigned per rule per engine.
9 years ago
goto next;
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
SCLogDebug("ptrs[%d] is set", t->sm_list);
detect app-layer-event: clean up registration Move engine and registration into the keyword file. Register as 'ALPROTO_UNKNOWN' instead of per alproto. The registration will only apply it to those rules that have events set.
9 years ago
if (t->alproto == ALPROTO_UNKNOWN) {
/* special case, inspect engine applies to all protocols */
} else if (s->alproto != ALPROTO_UNKNOWN && s->alproto != t->alproto)
detect-engine: improved inspect engines Inspect engines are called per signature per sigmatch list. Most wrap around DetectEngineContentInspection, but it's more generic. Until now, the inspect engines were setup in a large per ipproto, per alproto, per direction table. For stateful inspection each engine needed a global flag. This approach had a number of issues: 1. inefficient: each inspection round walked the table and then checked if the inspect engine was even needed for the current rule. 2. clumsy registration with global flag registration. 3. global flag space was approaching the need for 64 bits 4. duplicate registration for alprotos supporting both TCP and TCP (DNS). This patch introduces a new approach. First, it does away with the per ipproto engines. This wasn't used. Second, it adds a per signature list of inspect engine containing only those engines that actually apply to the rule. Third, it gets rid of the global flags and replaces it with flags assigned per rule per engine.
9 years ago
goto next;
if (s->flags & SIG_FLAG_TOSERVER && !(s->flags & SIG_FLAG_TOCLIENT)) {
if (t->dir == 1)
goto next;
} else if (s->flags & SIG_FLAG_TOCLIENT && !(s->flags & SIG_FLAG_TOSERVER)) {
if (t->dir == 0)
goto next;
}
DetectEngineAppInspectionEngine *new_engine = SCCalloc(1, sizeof(DetectEngineAppInspectionEngine));
if (unlikely(new_engine == NULL)) {
exit(EXIT_FAILURE);
}
detect: improve stateful detection Now that MPM runs when the TX progress is right, stateful detection operates differently. Changes: 1. raw stream inspection is now also an inspect engine Since this engine doesn't take the transactions into account, it could potentially run multiple times on the same data. To avoid this, basic result caching is in place. 2. the engines are sorted by progress, but the 'MPM' engine is first even if the progress is higher If MPM flags a rule to be inspected, the inspect engine for that buffer runs first. If this step fails, the rule is no longer evaluated. No state is stored.
8 years ago
if (mpm_list == t->sm_list) {
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
SCLogDebug("%s is mpm", DetectBufferTypeGetNameById(de_ctx, t->sm_list));
detect: improve stateful detection Now that MPM runs when the TX progress is right, stateful detection operates differently. Changes: 1. raw stream inspection is now also an inspect engine Since this engine doesn't take the transactions into account, it could potentially run multiple times on the same data. To avoid this, basic result caching is in place. 2. the engines are sorted by progress, but the 'MPM' engine is first even if the progress is higher If MPM flags a rule to be inspected, the inspect engine for that buffer runs first. If this step fails, the rule is no longer evaluated. No state is stored.
8 years ago
prepend = true;
head_is_mpm = true;
new_engine->mpm = true;
}
detect-engine: improved inspect engines Inspect engines are called per signature per sigmatch list. Most wrap around DetectEngineContentInspection, but it's more generic. Until now, the inspect engines were setup in a large per ipproto, per alproto, per direction table. For stateful inspection each engine needed a global flag. This approach had a number of issues: 1. inefficient: each inspection round walked the table and then checked if the inspect engine was even needed for the current rule. 2. clumsy registration with global flag registration. 3. global flag space was approaching the need for 64 bits 4. duplicate registration for alprotos supporting both TCP and TCP (DNS). This patch introduces a new approach. First, it does away with the per ipproto engines. This wasn't used. Second, it adds a per signature list of inspect engine containing only those engines that actually apply to the rule. Third, it gets rid of the global flags and replaces it with flags assigned per rule per engine.
9 years ago
new_engine->alproto = t->alproto;
new_engine->dir = t->dir;
new_engine->sm_list = t->sm_list;
detect: inspect engine setup cleanup
9 years ago
new_engine->smd = ptrs[new_engine->sm_list];
detect-engine: improved inspect engines Inspect engines are called per signature per sigmatch list. Most wrap around DetectEngineContentInspection, but it's more generic. Until now, the inspect engines were setup in a large per ipproto, per alproto, per direction table. For stateful inspection each engine needed a global flag. This approach had a number of issues: 1. inefficient: each inspection round walked the table and then checked if the inspect engine was even needed for the current rule. 2. clumsy registration with global flag registration. 3. global flag space was approaching the need for 64 bits 4. duplicate registration for alprotos supporting both TCP and TCP (DNS). This patch introduces a new approach. First, it does away with the per ipproto engines. This wasn't used. Second, it adds a per signature list of inspect engine containing only those engines that actually apply to the rule. Third, it gets rid of the global flags and replaces it with flags assigned per rule per engine.
9 years ago
new_engine->Callback = t->Callback;
detect: improve stateful detection Now that MPM runs when the TX progress is right, stateful detection operates differently. Changes: 1. raw stream inspection is now also an inspect engine Since this engine doesn't take the transactions into account, it could potentially run multiple times on the same data. To avoid this, basic result caching is in place. 2. the engines are sorted by progress, but the 'MPM' engine is first even if the progress is higher If MPM flags a rule to be inspected, the inspect engine for that buffer runs first. If this step fails, the rule is no longer evaluated. No state is stored.
8 years ago
new_engine->progress = t->progress;
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
new_engine->v2 = t->v2;
SCLogDebug("sm_list %d new_engine->v2 %p/%p/%p",
new_engine->sm_list, new_engine->v2.Callback,
new_engine->v2.GetData, new_engine->v2.transforms);
detect-engine: improved inspect engines Inspect engines are called per signature per sigmatch list. Most wrap around DetectEngineContentInspection, but it's more generic. Until now, the inspect engines were setup in a large per ipproto, per alproto, per direction table. For stateful inspection each engine needed a global flag. This approach had a number of issues: 1. inefficient: each inspection round walked the table and then checked if the inspect engine was even needed for the current rule. 2. clumsy registration with global flag registration. 3. global flag space was approaching the need for 64 bits 4. duplicate registration for alprotos supporting both TCP and TCP (DNS). This patch introduces a new approach. First, it does away with the per ipproto engines. This wasn't used. Second, it adds a per signature list of inspect engine containing only those engines that actually apply to the rule. Third, it gets rid of the global flags and replaces it with flags assigned per rule per engine.
9 years ago
if (s->app_inspect == NULL) {
s->app_inspect = new_engine;
detect: fix multiple files per tx inspect Fix the inspection of multiple files in a single TX, where new files may be added to the TX after inspection started. Assign the hard coded id DE_STATE_FLAG_FILE_INSPECT to the file inspect engine. Make sure that sigs that do file inspection and don't match on the current file always store a detailed state. This state will include the DE_STATE_FLAG_FILE_INSPECT flag. When the app-layer indicates a new file is available, for each sig that has the DE_STATE_FLAG_FILE_INSPECT flag set, reset part of the state so that the sig is evaluated again.
8 years ago
if (new_engine->sm_list == files_id) {
SCLogDebug("sid %u: engine %p/%u is FILE ENGINE", s->id, new_engine, new_engine->id);
new_engine->id = DE_STATE_ID_FILE_INSPECT;
} else {
new_engine->id = DE_STATE_FLAG_BASE; /* id is used as flag in stateful detect */
}
detect: improve stateful detection Now that MPM runs when the TX progress is right, stateful detection operates differently. Changes: 1. raw stream inspection is now also an inspect engine Since this engine doesn't take the transactions into account, it could potentially run multiple times on the same data. To avoid this, basic result caching is in place. 2. the engines are sorted by progress, but the 'MPM' engine is first even if the progress is higher If MPM flags a rule to be inspected, the inspect engine for that buffer runs first. If this step fails, the rule is no longer evaluated. No state is stored.
8 years ago
/* prepend engine if forced or if our engine has a lower progress. */
} else if (prepend || (!head_is_mpm && s->app_inspect->progress > new_engine->progress)) {
new_engine->next = s->app_inspect;
s->app_inspect = new_engine;
detect: fix multiple files per tx inspect Fix the inspection of multiple files in a single TX, where new files may be added to the TX after inspection started. Assign the hard coded id DE_STATE_FLAG_FILE_INSPECT to the file inspect engine. Make sure that sigs that do file inspection and don't match on the current file always store a detailed state. This state will include the DE_STATE_FLAG_FILE_INSPECT flag. When the app-layer indicates a new file is available, for each sig that has the DE_STATE_FLAG_FILE_INSPECT flag set, reset part of the state so that the sig is evaluated again.
8 years ago
if (new_engine->sm_list == files_id) {
SCLogDebug("sid %u: engine %p/%u is FILE ENGINE", s->id, new_engine, new_engine->id);
new_engine->id = DE_STATE_ID_FILE_INSPECT;
} else {
new_engine->id = ++last_id;
}
detect: improve stateful detection Now that MPM runs when the TX progress is right, stateful detection operates differently. Changes: 1. raw stream inspection is now also an inspect engine Since this engine doesn't take the transactions into account, it could potentially run multiple times on the same data. To avoid this, basic result caching is in place. 2. the engines are sorted by progress, but the 'MPM' engine is first even if the progress is higher If MPM flags a rule to be inspected, the inspect engine for that buffer runs first. If this step fails, the rule is no longer evaluated. No state is stored.
8 years ago
detect-engine: improved inspect engines Inspect engines are called per signature per sigmatch list. Most wrap around DetectEngineContentInspection, but it's more generic. Until now, the inspect engines were setup in a large per ipproto, per alproto, per direction table. For stateful inspection each engine needed a global flag. This approach had a number of issues: 1. inefficient: each inspection round walked the table and then checked if the inspect engine was even needed for the current rule. 2. clumsy registration with global flag registration. 3. global flag space was approaching the need for 64 bits 4. duplicate registration for alprotos supporting both TCP and TCP (DNS). This patch introduces a new approach. First, it does away with the per ipproto engines. This wasn't used. Second, it adds a per signature list of inspect engine containing only those engines that actually apply to the rule. Third, it gets rid of the global flags and replaces it with flags assigned per rule per engine.
9 years ago
} else {
app engines: fix -Wshadow warning
9 years ago
DetectEngineAppInspectionEngine *a = s->app_inspect;
while (a->next != NULL) {
detect: improve stateful detection Now that MPM runs when the TX progress is right, stateful detection operates differently. Changes: 1. raw stream inspection is now also an inspect engine Since this engine doesn't take the transactions into account, it could potentially run multiple times on the same data. To avoid this, basic result caching is in place. 2. the engines are sorted by progress, but the 'MPM' engine is first even if the progress is higher If MPM flags a rule to be inspected, the inspect engine for that buffer runs first. If this step fails, the rule is no longer evaluated. No state is stored.
8 years ago
if (a->next && a->next->progress > new_engine->progress) {
break;
}
app engines: fix -Wshadow warning
9 years ago
a = a->next;
detect-engine: improved inspect engines Inspect engines are called per signature per sigmatch list. Most wrap around DetectEngineContentInspection, but it's more generic. Until now, the inspect engines were setup in a large per ipproto, per alproto, per direction table. For stateful inspection each engine needed a global flag. This approach had a number of issues: 1. inefficient: each inspection round walked the table and then checked if the inspect engine was even needed for the current rule. 2. clumsy registration with global flag registration. 3. global flag space was approaching the need for 64 bits 4. duplicate registration for alprotos supporting both TCP and TCP (DNS). This patch introduces a new approach. First, it does away with the per ipproto engines. This wasn't used. Second, it adds a per signature list of inspect engine containing only those engines that actually apply to the rule. Third, it gets rid of the global flags and replaces it with flags assigned per rule per engine.
9 years ago
}
detect: improve stateful detection Now that MPM runs when the TX progress is right, stateful detection operates differently. Changes: 1. raw stream inspection is now also an inspect engine Since this engine doesn't take the transactions into account, it could potentially run multiple times on the same data. To avoid this, basic result caching is in place. 2. the engines are sorted by progress, but the 'MPM' engine is first even if the progress is higher If MPM flags a rule to be inspected, the inspect engine for that buffer runs first. If this step fails, the rule is no longer evaluated. No state is stored.
8 years ago
new_engine->next = a->next;
app engines: fix -Wshadow warning
9 years ago
a->next = new_engine;
detect: fix multiple files per tx inspect Fix the inspection of multiple files in a single TX, where new files may be added to the TX after inspection started. Assign the hard coded id DE_STATE_FLAG_FILE_INSPECT to the file inspect engine. Make sure that sigs that do file inspection and don't match on the current file always store a detailed state. This state will include the DE_STATE_FLAG_FILE_INSPECT flag. When the app-layer indicates a new file is available, for each sig that has the DE_STATE_FLAG_FILE_INSPECT flag set, reset part of the state so that the sig is evaluated again.
8 years ago
if (new_engine->sm_list == files_id) {
SCLogDebug("sid %u: engine %p/%u is FILE ENGINE", s->id, new_engine, new_engine->id);
new_engine->id = DE_STATE_ID_FILE_INSPECT;
} else {
new_engine->id = ++last_id;
}
detect-engine: improved inspect engines Inspect engines are called per signature per sigmatch list. Most wrap around DetectEngineContentInspection, but it's more generic. Until now, the inspect engines were setup in a large per ipproto, per alproto, per direction table. For stateful inspection each engine needed a global flag. This approach had a number of issues: 1. inefficient: each inspection round walked the table and then checked if the inspect engine was even needed for the current rule. 2. clumsy registration with global flag registration. 3. global flag space was approaching the need for 64 bits 4. duplicate registration for alprotos supporting both TCP and TCP (DNS). This patch introduces a new approach. First, it does away with the per ipproto engines. This wasn't used. Second, it adds a per signature list of inspect engine containing only those engines that actually apply to the rule. Third, it gets rid of the global flags and replaces it with flags assigned per rule per engine.
9 years ago
}
detect: fix multiple files per tx inspect Fix the inspection of multiple files in a single TX, where new files may be added to the TX after inspection started. Assign the hard coded id DE_STATE_FLAG_FILE_INSPECT to the file inspect engine. Make sure that sigs that do file inspection and don't match on the current file always store a detailed state. This state will include the DE_STATE_FLAG_FILE_INSPECT flag. When the app-layer indicates a new file is available, for each sig that has the DE_STATE_FLAG_FILE_INSPECT flag set, reset part of the state so that the sig is evaluated again.
8 years ago
detect-engine: improved inspect engines Inspect engines are called per signature per sigmatch list. Most wrap around DetectEngineContentInspection, but it's more generic. Until now, the inspect engines were setup in a large per ipproto, per alproto, per direction table. For stateful inspection each engine needed a global flag. This approach had a number of issues: 1. inefficient: each inspection round walked the table and then checked if the inspect engine was even needed for the current rule. 2. clumsy registration with global flag registration. 3. global flag space was approaching the need for 64 bits 4. duplicate registration for alprotos supporting both TCP and TCP (DNS). This patch introduces a new approach. First, it does away with the per ipproto engines. This wasn't used. Second, it adds a per signature list of inspect engine containing only those engines that actually apply to the rule. Third, it gets rid of the global flags and replaces it with flags assigned per rule per engine.
9 years ago
SCLogDebug("sid %u: engine %p/%u added", s->id, new_engine, new_engine->id);
detect: simplify SIG_FLAG_STATE_MATCH set logic
9 years ago
detect: remove STATE_MATCH flag use at runtime Instead, use it only at init time and use Signature::app_inspect directly at runtime.
7 years ago
s->init_data->init_flags |= SIG_FLAG_INIT_STATE_MATCH;
detect-engine: improved inspect engines Inspect engines are called per signature per sigmatch list. Most wrap around DetectEngineContentInspection, but it's more generic. Until now, the inspect engines were setup in a large per ipproto, per alproto, per direction table. For stateful inspection each engine needed a global flag. This approach had a number of issues: 1. inefficient: each inspection round walked the table and then checked if the inspect engine was even needed for the current rule. 2. clumsy registration with global flag registration. 3. global flag space was approaching the need for 64 bits 4. duplicate registration for alprotos supporting both TCP and TCP (DNS). This patch introduces a new approach. First, it does away with the per ipproto engines. This wasn't used. Second, it adds a per signature list of inspect engine containing only those engines that actually apply to the rule. Third, it gets rid of the global flags and replaces it with flags assigned per rule per engine.
9 years ago
next:
t = t->next;
}
detect: remove STATE_MATCH flag use at runtime Instead, use it only at init time and use Signature::app_inspect directly at runtime.
7 years ago
if ((s->init_data->init_flags & SIG_FLAG_INIT_STATE_MATCH) &&
s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL)
{
detect: improve stateful detection Now that MPM runs when the TX progress is right, stateful detection operates differently. Changes: 1. raw stream inspection is now also an inspect engine Since this engine doesn't take the transactions into account, it could potentially run multiple times on the same data. To avoid this, basic result caching is in place. 2. the engines are sorted by progress, but the 'MPM' engine is first even if the progress is higher If MPM flags a rule to be inspected, the inspect engine for that buffer runs first. If this step fails, the rule is no longer evaluated. No state is stored.
8 years ago
/* if engine is added multiple times, we pass it the same list */
SigMatchData *stream = SigMatchList2DataArray(s->init_data->smlists[DETECT_SM_LIST_PMATCH]);
BUG_ON(stream == NULL);
if (s->flags & SIG_FLAG_TOSERVER && !(s->flags & SIG_FLAG_TOCLIENT)) {
AppendStreamInspectEngine(s, stream, 0, last_id + 1);
} else if (s->flags & SIG_FLAG_TOCLIENT && !(s->flags & SIG_FLAG_TOSERVER)) {
AppendStreamInspectEngine(s, stream, 1, last_id + 1);
} else {
AppendStreamInspectEngine(s, stream, 0, last_id + 1);
AppendStreamInspectEngine(s, stream, 1, last_id + 1);
}
detect: limit flush logic to sigs that need it Limit the early 'flush' logic to sigs that actually need to match on both stream and http bodies.
7 years ago
if (s->init_data->init_flags & SIG_FLAG_INIT_NEED_FLUSH) {
debug: make it easier to trace flush logic
6 years ago
SCLogDebug("set SIG_FLAG_FLUSH on %u", s->id);
detect: limit flush logic to sigs that need it Limit the early 'flush' logic to sigs that actually need to match on both stream and http bodies.
7 years ago
s->flags |= SIG_FLAG_FLUSH;
}
detect: improve stateful detection Now that MPM runs when the TX progress is right, stateful detection operates differently. Changes: 1. raw stream inspection is now also an inspect engine Since this engine doesn't take the transactions into account, it could potentially run multiple times on the same data. To avoid this, basic result caching is in place. 2. the engines are sorted by progress, but the 'MPM' engine is first even if the progress is higher If MPM flags a rule to be inspected, the inspect engine for that buffer runs first. If this step fails, the rule is no longer evaluated. No state is stored.
8 years ago
}
#ifdef DEBUG
detect/inspect engines: copy to detect engine ctx Register rule-time engines in the detect engine. This is necessary now that rule parsing can create new buffers.
8 years ago
const DetectEngineAppInspectionEngine *iter = s->app_inspect;
detect: improve stateful detection Now that MPM runs when the TX progress is right, stateful detection operates differently. Changes: 1. raw stream inspection is now also an inspect engine Since this engine doesn't take the transactions into account, it could potentially run multiple times on the same data. To avoid this, basic result caching is in place. 2. the engines are sorted by progress, but the 'MPM' engine is first even if the progress is higher If MPM flags a rule to be inspected, the inspect engine for that buffer runs first. If this step fails, the rule is no longer evaluated. No state is stored.
8 years ago
while (iter) {
debug: suppress notice message
8 years ago
SCLogDebug("%u: engine %s id %u progress %d %s", s->id,
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
DetectBufferTypeGetNameById(de_ctx, iter->sm_list), iter->id,
detect: improve stateful detection Now that MPM runs when the TX progress is right, stateful detection operates differently. Changes: 1. raw stream inspection is now also an inspect engine Since this engine doesn't take the transactions into account, it could potentially run multiple times on the same data. To avoid this, basic result caching is in place. 2. the engines are sorted by progress, but the 'MPM' engine is first even if the progress is higher If MPM flags a rule to be inspected, the inspect engine for that buffer runs first. If this step fails, the rule is no longer evaluated. No state is stored.
8 years ago
iter->progress,
iter->sm_list == mpm_list ? "MPM":"");
iter = iter->next;
}
#endif
detect-engine: improved inspect engines Inspect engines are called per signature per sigmatch list. Most wrap around DetectEngineContentInspection, but it's more generic. Until now, the inspect engines were setup in a large per ipproto, per alproto, per direction table. For stateful inspection each engine needed a global flag. This approach had a number of issues: 1. inefficient: each inspection round walked the table and then checked if the inspect engine was even needed for the current rule. 2. clumsy registration with global flag registration. 3. global flag space was approaching the need for 64 bits 4. duplicate registration for alprotos supporting both TCP and TCP (DNS). This patch introduces a new approach. First, it does away with the per ipproto engines. This wasn't used. Second, it adds a per signature list of inspect engine containing only those engines that actually apply to the rule. Third, it gets rid of the global flags and replaces it with flags assigned per rule per engine.
9 years ago
return 0;
}
detect-engine: memory handling of sm_lists For lists that are registered multiple times, like http_header and http_cookie, making the engines owner of the lists is complicated. Multiple engines in a sig may be pointing to the same list. To address this the 'free' code needs to be extra careful about not double freeing, so it takes an approach to first fill an array of the to-free pointers before freeing them.
9 years ago
/** \brief free app inspect engines for a signature
*
* For lists that are registered multiple times, like http_header and
* http_cookie, making the engines owner of the lists is complicated.
* Multiple engines in a sig may be pointing to the same list. To
* address this the 'free' code needs to be extra careful about not
* double freeing, so it takes an approach to first fill an array
* of the to-free pointers before freeing them.
*/
void DetectEngineAppInspectionEngineSignatureFree(Signature *s)
{
detect: register dynamic buffers into de_ctx Register buffers that are created during rule parsing. Currently this means an existing buffer with one or more transformations.
8 years ago
int nlists = 0;
DetectEngineAppInspectionEngine *ie = s->app_inspect;
while (ie) {
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
nlists = MAX(ie->sm_list + 1, nlists);
detect: register dynamic buffers into de_ctx Register buffers that are created during rule parsing. Currently this means an existing buffer with one or more transformations.
8 years ago
ie = ie->next;
}
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
DetectEnginePktInspectionEngine *e = s->pkt_inspect;
while (e) {
nlists = MAX(e->sm_list + 1, nlists);
e = e->next;
}
if (nlists == 0) {
BUG_ON(s->pkt_inspect);
detect: register dynamic buffers into de_ctx Register buffers that are created during rule parsing. Currently this means an existing buffer with one or more transformations.
8 years ago
return;
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
}
detect: register dynamic buffers into de_ctx Register buffers that are created during rule parsing. Currently this means an existing buffer with one or more transformations.
8 years ago
detect: remove hardcoded sm_list logic from setup Introduce utility functions to aid this.
9 years ago
SigMatchData *ptrs[nlists];
memset(&ptrs, 0, (nlists * sizeof(SigMatchData *)));
detect-engine: memory handling of sm_lists For lists that are registered multiple times, like http_header and http_cookie, making the engines owner of the lists is complicated. Multiple engines in a sig may be pointing to the same list. To address this the 'free' code needs to be extra careful about not double freeing, so it takes an approach to first fill an array of the to-free pointers before freeing them.
9 years ago
detect: improve memory handling & comments
9 years ago
/* free engines and put smd in the array */
detect: register dynamic buffers into de_ctx Register buffers that are created during rule parsing. Currently this means an existing buffer with one or more transformations.
8 years ago
ie = s->app_inspect;
detect-engine: memory handling of sm_lists For lists that are registered multiple times, like http_header and http_cookie, making the engines owner of the lists is complicated. Multiple engines in a sig may be pointing to the same list. To address this the 'free' code needs to be extra careful about not double freeing, so it takes an approach to first fill an array of the to-free pointers before freeing them.
9 years ago
while (ie) {
DetectEngineAppInspectionEngine *next = ie->next;
detect: pass SigMatchData to inspect functions
9 years ago
BUG_ON(ptrs[ie->sm_list] != NULL && ptrs[ie->sm_list] != ie->smd);
ptrs[ie->sm_list] = ie->smd;
detect-engine: memory handling of sm_lists For lists that are registered multiple times, like http_header and http_cookie, making the engines owner of the lists is complicated. Multiple engines in a sig may be pointing to the same list. To address this the 'free' code needs to be extra careful about not double freeing, so it takes an approach to first fill an array of the to-free pointers before freeing them.
9 years ago
SCFree(ie);
ie = next;
}
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
e = s->pkt_inspect;
while (e) {
DetectEnginePktInspectionEngine *next = e->next;
ptrs[e->sm_list] = e->smd;
SCFree(e);
e = next;
}
detect-engine: memory handling of sm_lists For lists that are registered multiple times, like http_header and http_cookie, making the engines owner of the lists is complicated. Multiple engines in a sig may be pointing to the same list. To address this the 'free' code needs to be extra careful about not double freeing, so it takes an approach to first fill an array of the to-free pointers before freeing them.
9 years ago
detect: improve memory handling & comments
9 years ago
/* free the smds */
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
for (int i = 0; i < nlists; i++)
detect-engine: memory handling of sm_lists For lists that are registered multiple times, like http_header and http_cookie, making the engines owner of the lists is complicated. Multiple engines in a sig may be pointing to the same list. To address this the 'free' code needs to be extra careful about not double freeing, so it takes an approach to first fill an array of the to-free pointers before freeing them.
9 years ago
{
detect: improve memory handling & comments
9 years ago
if (ptrs[i] == NULL)
continue;
SigMatchData *smd = ptrs[i];
while(1) {
if (sigmatch_table[smd->type].Free != NULL) {
sigmatch_table[smd->type].Free(smd->ctx);
}
if (smd->is_last)
break;
smd++;
}
detect: pass SigMatchData to inspect functions
9 years ago
SCFree(ptrs[i]);
detect-engine: memory handling of sm_lists For lists that are registered multiple times, like http_header and http_cookie, making the engines owner of the lists is complicated. Multiple engines in a sig may be pointing to the same list. To address this the 'free' code needs to be extra careful about not double freeing, so it takes an approach to first fill an array of the to-free pointers before freeing them.
9 years ago
}
}
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
/* code for registering buffers */
#include "util-hash-lookup3.h"
static HashListTable *g_buffer_type_hash = NULL;
detect: cleanup built-in list id's
9 years ago
static int g_buffer_type_id = DETECT_SM_LIST_DYNAMIC_START;
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
static int g_buffer_type_reg_closed = 0;
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
static DetectEngineTransforms no_transforms = { .transforms = { 0 }, .cnt = 0, };
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
int DetectBufferTypeMaxId(void)
{
return g_buffer_type_id;
}
static uint32_t DetectBufferTypeHashFunc(HashListTable *ht, void *data, uint16_t datalen)
{
const DetectBufferType *map = (DetectBufferType *)data;
uint32_t hash = 0;
hash = hashlittle_safe(map->string, strlen(map->string), 0);
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
hash += hashlittle_safe((uint8_t *)&map->transforms, sizeof(map->transforms), 0);
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
hash %= ht->array_size;
return hash;
}
static char DetectBufferTypeCompareFunc(void *data1, uint16_t len1, void *data2,
uint16_t len2)
{
DetectBufferType *map1 = (DetectBufferType *)data1;
DetectBufferType *map2 = (DetectBufferType *)data2;
int r = (strcmp(map1->string, map2->string) == 0);
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
r &= (memcmp((uint8_t *)&map1->transforms, (uint8_t *)&map2->transforms, sizeof(map2->transforms)) == 0);
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
return r;
}
static void DetectBufferTypeFreeFunc(void *data)
{
DetectBufferType *map = (DetectBufferType *)data;
if (map != NULL) {
SCFree(map);
}
}
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
static int DetectBufferTypeInit(void)
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
{
BUG_ON(g_buffer_type_hash);
g_buffer_type_hash = HashListTableInit(256,
DetectBufferTypeHashFunc,
DetectBufferTypeCompareFunc,
DetectBufferTypeFreeFunc);
if (g_buffer_type_hash == NULL)
return -1;
return 0;
}
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
#if 0
static void DetectBufferTypeFree(void)
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
{
if (g_buffer_type_hash == NULL)
return;
HashListTableFree(g_buffer_type_hash);
g_buffer_type_hash = NULL;
return;
}
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
#endif
static int DetectBufferTypeAdd(const char *string)
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
{
DetectBufferType *map = SCCalloc(1, sizeof(*map));
if (map == NULL)
return -1;
map->string = string;
map->id = g_buffer_type_id++;
BUG_ON(HashListTableAdd(g_buffer_type_hash, (void *)map, 0) != 0);
SCLogDebug("buffer %s registered with id %d", map->string, map->id);
return map->id;
}
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
static DetectBufferType *DetectBufferTypeLookupByName(const char *string)
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
{
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
DetectBufferType map = { (char *)string, NULL, 0, 0, 0, 0, false, NULL, NULL, no_transforms };
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
DetectBufferType *res = HashListTableLookup(g_buffer_type_hash, &map, 0);
return res;
}
int DetectBufferTypeRegister(const char *name)
{
BUG_ON(g_buffer_type_reg_closed);
if (g_buffer_type_hash == NULL)
DetectBufferTypeInit();
DetectBufferType *exists = DetectBufferTypeLookupByName(name);
if (!exists) {
return DetectBufferTypeAdd(name);
} else {
return exists->id;
}
}
void DetectBufferTypeSupportsPacket(const char *name)
{
BUG_ON(g_buffer_type_reg_closed);
DetectBufferTypeRegister(name);
DetectBufferType *exists = DetectBufferTypeLookupByName(name);
BUG_ON(!exists);
exists->packet = TRUE;
SCLogDebug("%p %s -- %d supports packet inspection", exists, name, exists->id);
}
void DetectBufferTypeSupportsMpm(const char *name)
{
BUG_ON(g_buffer_type_reg_closed);
DetectBufferTypeRegister(name);
DetectBufferType *exists = DetectBufferTypeLookupByName(name);
BUG_ON(!exists);
exists->mpm = TRUE;
SCLogDebug("%p %s -- %d supports mpm", exists, name, exists->id);
}
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
void DetectBufferTypeSupportsTransformations(const char *name)
{
BUG_ON(g_buffer_type_reg_closed);
DetectBufferTypeRegister(name);
DetectBufferType *exists = DetectBufferTypeLookupByName(name);
BUG_ON(!exists);
exists->supports_transforms = true;
SCLogDebug("%p %s -- %d supports transformations", exists, name, exists->id);
}
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
int DetectBufferTypeGetByName(const char *name)
{
DetectBufferType *exists = DetectBufferTypeLookupByName(name);
if (!exists) {
return -1;
}
return exists->id;
}
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
const char *DetectBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
{
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
BUG_ON(id < 0 || (uint32_t)id >= de_ctx->buffer_type_map_elements);
BUG_ON(de_ctx->buffer_type_map == NULL);
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
if (de_ctx->buffer_type_map[id] == NULL)
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
return NULL;
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
return de_ctx->buffer_type_map[id]->string;
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
}
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
static const DetectBufferType *DetectBufferTypeGetById(const DetectEngineCtx *de_ctx, const int id)
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
{
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
BUG_ON(id < 0 || (uint32_t)id >= de_ctx->buffer_type_map_elements);
BUG_ON(de_ctx->buffer_type_map == NULL);
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
return de_ctx->buffer_type_map[id];
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
}
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
{
DetectBufferType *exists = DetectBufferTypeLookupByName(name);
if (!exists) {
return;
}
exists->description = desc;
}
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
const char *DetectBufferTypeGetDescriptionById(const DetectEngineCtx *de_ctx, const int id)
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
{
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
const DetectBufferType *exists = DetectBufferTypeGetById(de_ctx, id);
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
if (!exists) {
return NULL;
}
return exists->description;
}
const char *DetectBufferTypeGetDescriptionByName(const char *name)
{
const DetectBufferType *exists = DetectBufferTypeLookupByName(name);
if (!exists) {
return NULL;
}
return exists->description;
}
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
bool DetectBufferTypeSupportsPacketGetById(const DetectEngineCtx *de_ctx, const int id)
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
{
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
const DetectBufferType *map = DetectBufferTypeGetById(de_ctx, id);
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
if (map == NULL)
return FALSE;
SCLogDebug("map %p id %d packet? %d", map, id, map->packet);
return map->packet;
}
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
bool DetectBufferTypeSupportsMpmGetById(const DetectEngineCtx *de_ctx, const int id)
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
{
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
const DetectBufferType *map = DetectBufferTypeGetById(de_ctx, id);
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
if (map == NULL)
return FALSE;
SCLogDebug("map %p id %d mpm? %d", map, id, map->mpm);
return map->mpm;
}
void DetectBufferTypeRegisterSetupCallback(const char *name,
detect-engine: add DetectEngineCtx to setup callback function Add detect engine context as variable to setup callback function in 'DetectBufferTypeRegisterSetupCallback'.
8 years ago
void (*SetupCallback)(const DetectEngineCtx *, Signature *))
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
{
BUG_ON(g_buffer_type_reg_closed);
DetectBufferTypeRegister(name);
DetectBufferType *exists = DetectBufferTypeLookupByName(name);
BUG_ON(!exists);
exists->SetupCallback = SetupCallback;
}
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
void DetectBufferRunSetupCallback(const DetectEngineCtx *de_ctx,
const int id, Signature *s)
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
{
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
const DetectBufferType *map = DetectBufferTypeGetById(de_ctx, id);
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
if (map && map->SetupCallback) {
detect-engine: add DetectEngineCtx to setup callback function Add detect engine context as variable to setup callback function in 'DetectBufferTypeRegisterSetupCallback'.
8 years ago
map->SetupCallback(de_ctx, s);
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
}
}
void DetectBufferTypeRegisterValidateCallback(const char *name,
detect: save invalid rules This keeps the invalid rules in string format into a list, added in DetectEngineCtx.
10 years ago
_Bool (*ValidateCallback)(const Signature *, const char **sigerror))
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
{
BUG_ON(g_buffer_type_reg_closed);
DetectBufferTypeRegister(name);
DetectBufferType *exists = DetectBufferTypeLookupByName(name);
BUG_ON(!exists);
exists->ValidateCallback = ValidateCallback;
}
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
bool DetectBufferRunValidateCallback(const DetectEngineCtx *de_ctx,
const int id, const Signature *s, const char **sigerror)
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
{
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
const DetectBufferType *map = DetectBufferTypeGetById(de_ctx, id);
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
if (map && map->ValidateCallback) {
detect: save invalid rules This keeps the invalid rules in string format into a list, added in DetectEngineCtx.
10 years ago
return map->ValidateCallback(s, sigerror);
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
}
return TRUE;
}
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
int DetectBufferSetActiveList(Signature *s, const int list)
{
BUG_ON(s->init_data == NULL);
if (s->init_data->list && s->init_data->transform_cnt) {
return -1;
}
s->init_data->list = list;
s->init_data->list_set = true;
return 0;
}
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
{
BUG_ON(s->init_data == NULL);
if (s->init_data->list && s->init_data->transform_cnt) {
SCLogDebug("buffer %d has transform(s) registered: %d",
s->init_data->list, s->init_data->transforms[0]);
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
int new_list = DetectBufferTypeGetByIdTransforms(de_ctx, s->init_data->list,
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
s->init_data->transforms, s->init_data->transform_cnt);
if (new_list == -1) {
return -1;
}
SCLogDebug("new_list %d", new_list);
s->init_data->list = new_list;
s->init_data->list_set = false;
// reset transforms now that we've set up the list
s->init_data->transform_cnt = 0;
}
return 0;
}
detect: improve inspect buffer handling Fix and Optimize cleanup. For the simple single inspect buffer optimize the cleanup by keeping track of the actually used buffers. This avoid looping over unused buffers. Fix the case of cleaning not being done after a tx if the next tx is also inspected in the context of the same packet. Fix cleanup of the multi-inspect buffers. Optimize in 2 ways. First like with single keep track of which multi-inspect buffers have been used. Second, keep a max of the buffers within a multi-inspect buffer. Use this max to limit (nested) looping.
7 years ago
void InspectionBufferClean(DetectEngineThreadCtx *det_ctx)
{
/* single buffers */
for (uint32_t i = 0; i < det_ctx->inspect.to_clear_idx; i++)
{
const uint32_t idx = det_ctx->inspect.to_clear_queue[i];
InspectionBuffer *buffer = &det_ctx->inspect.buffers[idx];
buffer->inspect = NULL;
}
det_ctx->inspect.to_clear_idx = 0;
/* multi buffers */
for (uint32_t i = 0; i < det_ctx->multi_inspect.to_clear_idx; i++)
{
const uint32_t idx = det_ctx->multi_inspect.to_clear_queue[i];
InspectionBufferMultipleForList *mbuffer = &det_ctx->multi_inspect.buffers[idx];
for (uint32_t x = 0; x <= mbuffer->max; x++) {
InspectionBuffer *buffer = &mbuffer->inspection_buffers[x];
buffer->inspect = NULL;
}
mbuffer->init = 0;
mbuffer->max = 0;
}
det_ctx->multi_inspect.to_clear_idx = 0;
}
InspectionBuffer *InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
{
InspectionBuffer *buffer = &det_ctx->inspect.buffers[list_id];
if (buffer->inspect == NULL) {
det_ctx->inspect.to_clear_queue[det_ctx->inspect.to_clear_idx++] = list_id;
}
return buffer;
}
/** \brief for a InspectionBufferMultipleForList get a InspectionBuffer
* \param fb the multiple buffer array
* \param local_id the index to get a buffer
* \param buffer the inspect buffer or NULL in case of error */
InspectionBuffer *InspectionBufferMultipleForListGet(InspectionBufferMultipleForList *fb, uint32_t local_id)
{
if (local_id >= fb->size) {
uint32_t old_size = fb->size;
uint32_t new_size = local_id + 1;
uint32_t grow_by = new_size - old_size;
SCLogDebug("size is %u, need %u, so growing by %u", old_size, new_size, grow_by);
SCLogDebug("fb->inspection_buffers %p", fb->inspection_buffers);
void *ptr = SCRealloc(fb->inspection_buffers, (local_id + 1) * sizeof(InspectionBuffer));
if (ptr == NULL)
return NULL;
InspectionBuffer *to_zero = (InspectionBuffer *)ptr + old_size;
SCLogDebug("ptr %p to_zero %p", ptr, to_zero);
memset((uint8_t *)to_zero, 0, (grow_by * sizeof(InspectionBuffer)));
fb->inspection_buffers = ptr;
fb->size = new_size;
}
fb->max = MAX(fb->max, local_id);
InspectionBuffer *buffer = &fb->inspection_buffers[local_id];
SCLogDebug("using file_data buffer %p", buffer);
return buffer;
}
InspectionBufferMultipleForList *InspectionBufferGetMulti(DetectEngineThreadCtx *det_ctx, const int list_id)
{
InspectionBufferMultipleForList *buffer = &det_ctx->multi_inspect.buffers[list_id];
if (!buffer->init) {
det_ctx->multi_inspect.to_clear_queue[det_ctx->multi_inspect.to_clear_idx++] = list_id;
buffer->init = 1;
}
return buffer;
}
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size)
{
memset(buffer, 0, sizeof(*buffer));
buffer->buf = SCCalloc(initial_size, sizeof(uint8_t));
if (buffer->buf != NULL) {
buffer->size = initial_size;
}
}
/** \brief setup the buffer with our initial data */
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
{
buffer->inspect = buffer->orig = data;
buffer->inspect_len = buffer->orig_len = data_len;
buffer->len = 0;
}
void InspectionBufferFree(InspectionBuffer *buffer)
{
if (buffer->buf != NULL) {
SCFree(buffer->buf);
}
memset(buffer, 0, sizeof(*buffer));
}
/**
* \brief make sure that the buffer has at least 'min_size' bytes
* Expand the buffer if necessary
*/
void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size)
{
if (likely(buffer->size >= min_size))
return;
uint32_t new_size = (buffer->size == 0) ? 4096 : buffer->size;
while (new_size < min_size) {
new_size *= 2;
}
void *ptr = SCRealloc(buffer->buf, new_size);
if (ptr != NULL) {
buffer->buf = ptr;
buffer->size = new_size;
}
}
void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len)
{
InspectionBufferCheckAndExpand(buffer, buf_len);
if (buffer->size) {
uint32_t copy_size = MIN(buf_len, buffer->size);
memcpy(buffer->buf, buf, copy_size);
buffer->inspect = buffer->buf;
buffer->inspect_len = copy_size;
}
}
void InspectionBufferApplyTransforms(InspectionBuffer *buffer,
const DetectEngineTransforms *transforms)
{
if (transforms) {
for (int i = 0; i < DETECT_TRANSFORMS_MAX; i++) {
const int id = transforms->transforms[i];
if (id == 0)
break;
BUG_ON(sigmatch_table[id].Transform == NULL);
sigmatch_table[id].Transform(buffer);
SCLogDebug("applied transform %s", sigmatch_table[id].name);
}
}
}
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
static void DetectBufferTypeSetupDetectEngine(DetectEngineCtx *de_ctx)
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
{
const int size = g_buffer_type_id;
BUG_ON(!(size > 0));
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
de_ctx->buffer_type_map = SCCalloc(size, sizeof(DetectBufferType *));
BUG_ON(!de_ctx->buffer_type_map);
de_ctx->buffer_type_map_elements = size;
SCLogDebug("de_ctx->buffer_type_map %p with %u members", de_ctx->buffer_type_map, size);
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
detect: cleanup built-in list id's
9 years ago
SCLogDebug("DETECT_SM_LIST_DYNAMIC_START %u", DETECT_SM_LIST_DYNAMIC_START);
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
HashListTableBucket *b = HashListTableGetListHead(g_buffer_type_hash);
while (b) {
DetectBufferType *map = HashListTableGetListData(b);
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
de_ctx->buffer_type_map[map->id] = map;
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
SCLogDebug("name %s id %d mpm %s packet %s -- %s. "
"Callbacks: Setup %p Validate %p", map->string, map->id,
map->mpm ? "true" : "false", map->packet ? "true" : "false",
map->description, map->SetupCallback, map->ValidateCallback);
b = HashListTableGetListNext(b);
}
detect: register dynamic buffers into de_ctx Register buffers that are created during rule parsing. Currently this means an existing buffer with one or more transformations.
8 years ago
de_ctx->buffer_type_hash = HashListTableInit(256,
DetectBufferTypeHashFunc,
DetectBufferTypeCompareFunc,
DetectBufferTypeFreeFunc);
if (de_ctx->buffer_type_hash == NULL) {
BUG_ON(1);
}
de_ctx->buffer_type_id = g_buffer_type_id;
detect/inspect engines: copy to detect engine ctx Register rule-time engines in the detect engine. This is necessary now that rule parsing can create new buffers.
8 years ago
detect/prefilter: move hash into detect engine ctx
8 years ago
PrefilterInit(de_ctx);
detect: move mpm engines into detect engine ctx This allows safe registration at runtime.
8 years ago
DetectMpmInitializeAppMpms(de_ctx);
detect/inspect engines: copy to detect engine ctx Register rule-time engines in the detect engine. This is necessary now that rule parsing can create new buffers.
8 years ago
DetectAppLayerInspectEngineCopyListToDetectCtx(de_ctx);
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
DetectMpmInitializePktMpms(de_ctx);
DetectPktInspectEngineCopyListToDetectCtx(de_ctx);
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
}
detect: register dynamic buffers into de_ctx Register buffers that are created during rule parsing. Currently this means an existing buffer with one or more transformations.
8 years ago
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
static void DetectBufferTypeFreeDetectEngine(DetectEngineCtx *de_ctx)
{
detect: register dynamic buffers into de_ctx Register buffers that are created during rule parsing. Currently this means an existing buffer with one or more transformations.
8 years ago
if (de_ctx) {
if (de_ctx->buffer_type_map)
SCFree(de_ctx->buffer_type_map);
if (de_ctx->buffer_type_hash)
HashListTableFree(de_ctx->buffer_type_hash);
detect: move mpm engines into detect engine ctx This allows safe registration at runtime.
8 years ago
DetectEngineAppInspectionEngine *ilist = de_ctx->app_inspect_engines;
while (ilist) {
DetectEngineAppInspectionEngine *next = ilist->next;
SCFree(ilist);
ilist = next;
}
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
DetectBufferMpmRegistery *mlist = de_ctx->app_mpms_list;
detect: move mpm engines into detect engine ctx This allows safe registration at runtime.
8 years ago
while (mlist) {
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
DetectBufferMpmRegistery *next = mlist->next;
detect: move mpm engines into detect engine ctx This allows safe registration at runtime.
8 years ago
SCFree(mlist);
mlist = next;
}
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
DetectEnginePktInspectionEngine *plist = de_ctx->pkt_inspect_engines;
while (plist) {
DetectEnginePktInspectionEngine *next = plist->next;
SCFree(plist);
plist = next;
}
DetectBufferMpmRegistery *pmlist = de_ctx->pkt_mpms_list;
while (pmlist) {
DetectBufferMpmRegistery *next = pmlist->next;
SCFree(pmlist);
pmlist = next;
}
detect/prefilter: move hash into detect engine ctx
8 years ago
PrefilterDeinit(de_ctx);
detect: register dynamic buffers into de_ctx Register buffers that are created during rule parsing. Currently this means an existing buffer with one or more transformations.
8 years ago
}
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
}
void DetectBufferTypeCloseRegistration(void)
{
BUG_ON(g_buffer_type_hash == NULL);
detect: buffer type API To replace the hardcoded SigMatch list id's, use this API to register and query lists by name. Also allow for registering descriptions and whether mpm is supported. Registration is only allowed at startup.
9 years ago
g_buffer_type_reg_closed = 1;
}
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
int DetectBufferTypeGetByIdTransforms(DetectEngineCtx *de_ctx, const int id,
int *transforms, int transform_cnt)
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
{
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
const DetectBufferType *base_map = DetectBufferTypeGetById(de_ctx, id);
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
if (!base_map) {
return -1;
}
if (!base_map->supports_transforms) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "buffer '%s' does not support transformations",
base_map->string);
return -1;
}
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
SCLogDebug("base_map %s", base_map->string);
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
DetectEngineTransforms t;
memset(&t, 0, sizeof(t));
for (int i = 0; i < transform_cnt; i++) {
t.transforms[i] = transforms[i];
}
t.cnt = transform_cnt;
DetectBufferType lookup_map = { (char *)base_map->string, NULL, 0, 0, 0, 0, false, NULL, NULL, t };
detect: register dynamic buffers into de_ctx Register buffers that are created during rule parsing. Currently this means an existing buffer with one or more transformations.
8 years ago
DetectBufferType *res = HashListTableLookup(de_ctx->buffer_type_hash, &lookup_map, 0);
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
SCLogDebug("res %p", res);
if (res != NULL) {
return res->id;
}
DetectBufferType *map = SCCalloc(1, sizeof(*map));
if (map == NULL)
return -1;
map->string = base_map->string;
detect: register dynamic buffers into de_ctx Register buffers that are created during rule parsing. Currently this means an existing buffer with one or more transformations.
8 years ago
map->id = de_ctx->buffer_type_id++;
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
map->parent_id = base_map->id;
map->transforms = t;
map->mpm = base_map->mpm;
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
map->packet = base_map->packet;
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
map->SetupCallback = base_map->SetupCallback;
map->ValidateCallback = base_map->ValidateCallback;
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
if (map->packet) {
DetectPktMpmRegisterByParentId(de_ctx,
map->id, map->parent_id, &map->transforms);
} else {
DetectAppLayerMpmRegisterByParentId(de_ctx,
map->id, map->parent_id, &map->transforms);
}
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
detect: register dynamic buffers into de_ctx Register buffers that are created during rule parsing. Currently this means an existing buffer with one or more transformations.
8 years ago
BUG_ON(HashListTableAdd(de_ctx->buffer_type_hash, (void *)map, 0) != 0);
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
SCLogDebug("buffer %s registered with id %d, parent %d", map->string, map->id, map->parent_id);
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
if (map->id >= 0 && (uint32_t)map->id >= de_ctx->buffer_type_map_elements) {
void *ptr = SCRealloc(de_ctx->buffer_type_map, (map->id + 1) * sizeof(DetectBufferType *));
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
BUG_ON(ptr == NULL);
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
SCLogDebug("de_ctx->buffer_type_map resized to %u (was %u)", (map->id + 1), de_ctx->buffer_type_map_elements);
de_ctx->buffer_type_map = ptr;
de_ctx->buffer_type_map[map->id] = map;
de_ctx->buffer_type_map_elements = map->id + 1;
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
if (map->packet) {
DetectPktInspectEngineCopy(de_ctx, map->parent_id, map->id,
&map->transforms);
} else {
DetectAppLayerInspectEngineCopy(de_ctx, map->parent_id, map->id,
&map->transforms);
}
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
}
return map->id;
}
detect: pkt inspect engines Instead of hard coded calls to the inspection logic for payload inspection and 'MATCH'-list inspection use a callback approach. This will register a callback per 'sm_list' much like how app-layer inspect engines are registered. This will allow for adding more types later without adding runtime overhead. Implement the callback for the PMATCH and MATCH logic.
6 years ago
/* returns false if no match, true if match */
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
static int DetectEngineInspectRulePacketMatches(
DetectEngineThreadCtx *det_ctx,
const DetectEnginePktInspectionEngine *engine,
const Signature *s,
Packet *p, uint8_t *_alert_flags)
detect: pkt inspect engines Instead of hard coded calls to the inspection logic for payload inspection and 'MATCH'-list inspection use a callback approach. This will register a callback per 'sm_list' much like how app-layer inspect engines are registered. This will allow for adding more types later without adding runtime overhead. Implement the callback for the PMATCH and MATCH logic.
6 years ago
{
SCEnter();
/* run the packet match functions */
KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_MATCH);
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
const SigMatchData *smd = s->sm_arrays[DETECT_SM_LIST_MATCH];
detect: pkt inspect engines Instead of hard coded calls to the inspection logic for payload inspection and 'MATCH'-list inspection use a callback approach. This will register a callback per 'sm_list' much like how app-layer inspect engines are registered. This will allow for adding more types later without adding runtime overhead. Implement the callback for the PMATCH and MATCH logic.
6 years ago
SCLogDebug("running match functions, sm %p", smd);
while (1) {
KEYWORD_PROFILING_START;
detect: remove Threadvars argument from API calls Remove it as it's (almost) never used. If it is really needed it can be accessed through DetectEngineThreadCtx::tv as well.
6 years ago
if (sigmatch_table[smd->type].Match(det_ctx, p, s, smd->ctx) <= 0) {
detect: pkt inspect engines Instead of hard coded calls to the inspection logic for payload inspection and 'MATCH'-list inspection use a callback approach. This will register a callback per 'sm_list' much like how app-layer inspect engines are registered. This will allow for adding more types later without adding runtime overhead. Implement the callback for the PMATCH and MATCH logic.
6 years ago
KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
SCLogDebug("no match");
return false;
}
KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
if (smd->is_last) {
SCLogDebug("match and is_last");
break;
}
smd++;
}
return true;
}
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
static int DetectEngineInspectRulePayloadMatches(
DetectEngineThreadCtx *det_ctx,
const DetectEnginePktInspectionEngine *engine,
const Signature *s, Packet *p, uint8_t *alert_flags)
detect: pkt inspect engines Instead of hard coded calls to the inspection logic for payload inspection and 'MATCH'-list inspection use a callback approach. This will register a callback per 'sm_list' much like how app-layer inspect engines are registered. This will allow for adding more types later without adding runtime overhead. Implement the callback for the PMATCH and MATCH logic.
6 years ago
{
SCEnter();
DetectEngineCtx *de_ctx = det_ctx->de_ctx;
KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_PMATCH);
/* if we have stream msgs, inspect against those first,
* but not for a "dsize" signature */
if (s->flags & SIG_FLAG_REQUIRE_STREAM) {
int pmatch = 0;
if (p->flags & PKT_DETECT_HAS_STREAMDATA) {
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
pmatch = DetectEngineInspectStreamPayload(de_ctx, det_ctx, s, p->flow, p);
detect: pkt inspect engines Instead of hard coded calls to the inspection logic for payload inspection and 'MATCH'-list inspection use a callback approach. This will register a callback per 'sm_list' much like how app-layer inspect engines are registered. This will allow for adding more types later without adding runtime overhead. Implement the callback for the PMATCH and MATCH logic.
6 years ago
if (pmatch) {
det_ctx->flags |= DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH;
/* Tell the engine that this reassembled stream can drop the
* rest of the pkts with no further inspection */
if (s->action & ACTION_DROP)
*alert_flags |= PACKET_ALERT_FLAG_DROP_FLOW;
*alert_flags |= PACKET_ALERT_FLAG_STREAM_MATCH;
}
}
/* no match? then inspect packet payload */
if (pmatch == 0) {
SCLogDebug("no match in stream, fall back to packet payload");
/* skip if we don't have to inspect the packet and segment was
* added to stream */
if (!(s->flags & SIG_FLAG_REQUIRE_PACKET) && (p->flags & PKT_STREAM_ADD)) {
return false;
}
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, p) != 1) {
detect: pkt inspect engines Instead of hard coded calls to the inspection logic for payload inspection and 'MATCH'-list inspection use a callback approach. This will register a callback per 'sm_list' much like how app-layer inspect engines are registered. This will allow for adding more types later without adding runtime overhead. Implement the callback for the PMATCH and MATCH logic.
6 years ago
return false;
}
}
} else {
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, p) != 1) {
detect: pkt inspect engines Instead of hard coded calls to the inspection logic for payload inspection and 'MATCH'-list inspection use a callback approach. This will register a callback per 'sm_list' much like how app-layer inspect engines are registered. This will allow for adding more types later without adding runtime overhead. Implement the callback for the PMATCH and MATCH logic.
6 years ago
return false;
}
}
return true;
}
bool DetectEnginePktInspectionRun(ThreadVars *tv,
DetectEngineThreadCtx *det_ctx, const Signature *s,
Flow *f, Packet *p,
uint8_t *alert_flags)
{
SCEnter();
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
detect: pkt inspect engines Instead of hard coded calls to the inspection logic for payload inspection and 'MATCH'-list inspection use a callback approach. This will register a callback per 'sm_list' much like how app-layer inspect engines are registered. This will allow for adding more types later without adding runtime overhead. Implement the callback for the PMATCH and MATCH logic.
6 years ago
for (DetectEnginePktInspectionEngine *e = s->pkt_inspect; e != NULL; e = e->next) {
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
if (e->v1.Callback(det_ctx, e, s, p, alert_flags) == false) {
detect: pkt inspect engines Instead of hard coded calls to the inspection logic for payload inspection and 'MATCH'-list inspection use a callback approach. This will register a callback per 'sm_list' much like how app-layer inspect engines are registered. This will allow for adding more types later without adding runtime overhead. Implement the callback for the PMATCH and MATCH logic.
6 years ago
SCLogDebug("sid %u: e %p Callback returned false", s->id, e);
return false;
}
SCLogDebug("sid %u: e %p Callback returned true", s->id, e);
}
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
detect: pkt inspect engines Instead of hard coded calls to the inspection logic for payload inspection and 'MATCH'-list inspection use a callback approach. This will register a callback per 'sm_list' much like how app-layer inspect engines are registered. This will allow for adding more types later without adding runtime overhead. Implement the callback for the PMATCH and MATCH logic.
6 years ago
SCLogDebug("sid %u: returning true", s->id);
return true;
}
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
/**
* \param data pointer to SigMatchData. Allowed to be NULL.
*/
detect: pkt inspect engines Instead of hard coded calls to the inspection logic for payload inspection and 'MATCH'-list inspection use a callback approach. This will register a callback per 'sm_list' much like how app-layer inspect engines are registered. This will allow for adding more types later without adding runtime overhead. Implement the callback for the PMATCH and MATCH logic.
6 years ago
static int DetectEnginePktInspectionAppend(Signature *s,
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
InspectionBufferPktInspectFunc Callback,
detect: pkt inspect engines Instead of hard coded calls to the inspection logic for payload inspection and 'MATCH'-list inspection use a callback approach. This will register a callback per 'sm_list' much like how app-layer inspect engines are registered. This will allow for adding more types later without adding runtime overhead. Implement the callback for the PMATCH and MATCH logic.
6 years ago
SigMatchData *data)
{
DetectEnginePktInspectionEngine *e = SCCalloc(1, sizeof(*e));
if (e == NULL)
return -1;
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
e->v1.Callback = Callback;
e->smd = data;
detect: pkt inspect engines Instead of hard coded calls to the inspection logic for payload inspection and 'MATCH'-list inspection use a callback approach. This will register a callback per 'sm_list' much like how app-layer inspect engines are registered. This will allow for adding more types later without adding runtime overhead. Implement the callback for the PMATCH and MATCH logic.
6 years ago
if (s->pkt_inspect == NULL) {
s->pkt_inspect = e;
} else {
DetectEnginePktInspectionEngine *a = s->pkt_inspect;
while (a->next != NULL) {
a = a->next;
}
a->next = e;
}
return 0;
}
int DetectEnginePktInspectionSetup(Signature *s)
{
/* only handle PMATCH here if we're not an app inspect rule */
if (s->sm_arrays[DETECT_SM_LIST_PMATCH] && (s->init_data->init_flags & SIG_FLAG_INIT_STATE_MATCH) == 0) {
if (DetectEnginePktInspectionAppend(s, DetectEngineInspectRulePayloadMatches,
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
NULL) < 0)
detect: pkt inspect engines Instead of hard coded calls to the inspection logic for payload inspection and 'MATCH'-list inspection use a callback approach. This will register a callback per 'sm_list' much like how app-layer inspect engines are registered. This will allow for adding more types later without adding runtime overhead. Implement the callback for the PMATCH and MATCH logic.
6 years ago
return -1;
SCLogDebug("sid %u: DetectEngineInspectRulePayloadMatches appended", s->id);
}
if (s->sm_arrays[DETECT_SM_LIST_MATCH]) {
if (DetectEnginePktInspectionAppend(s, DetectEngineInspectRulePacketMatches,
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
NULL) < 0)
detect: pkt inspect engines Instead of hard coded calls to the inspection logic for payload inspection and 'MATCH'-list inspection use a callback approach. This will register a callback per 'sm_list' much like how app-layer inspect engines are registered. This will allow for adding more types later without adding runtime overhead. Implement the callback for the PMATCH and MATCH logic.
6 years ago
return -1;
SCLogDebug("sid %u: DetectEngineInspectRulePacketMatches appended", s->id);
}
return 0;
}
unix-socket: implement reload-rules Implement the reload-rules unix socket command. The unix command thread signals the main thread to do the reload and it waits for it to complete.
11 years ago
/* code to control the main thread to do a reload */
enum DetectEngineSyncState {
IDLE, /**< ready to start a reload */
RELOAD, /**< command main thread to do the reload */
};
typedef struct DetectEngineSyncer_ {
SCMutex m;
enum DetectEngineSyncState state;
} DetectEngineSyncer;
static DetectEngineSyncer detect_sync = { SCMUTEX_INITIALIZER, IDLE };
/* tell main to start reloading */
int DetectEngineReloadStart(void)
{
int r = 0;
SCMutexLock(&detect_sync.m);
if (detect_sync.state == IDLE) {
detect_sync.state = RELOAD;
} else {
r = -1;
}
SCMutexUnlock(&detect_sync.m);
return r;
}
/* main thread checks this to see if it should start */
int DetectEngineReloadIsStart(void)
{
int r = 0;
SCMutexLock(&detect_sync.m);
if (detect_sync.state == RELOAD) {
r = 1;
}
SCMutexUnlock(&detect_sync.m);
return r;
}
/* main thread sets done when it's done */
detect-engine: remove DONE state Remove the DONE state to fix a problem with state not being changed correctly when multiple reload were done. As DONE was not really useful, we can remove it.
9 years ago
void DetectEngineReloadSetIdle(void)
unix-socket: implement reload-rules Implement the reload-rules unix socket command. The unix command thread signals the main thread to do the reload and it waits for it to complete.
11 years ago
{
SCMutexLock(&detect_sync.m);
detect-engine: remove DONE state Remove the DONE state to fix a problem with state not being changed correctly when multiple reload were done. As DONE was not really useful, we can remove it.
9 years ago
detect_sync.state = IDLE;
unix-socket: implement reload-rules Implement the reload-rules unix socket command. The unix command thread signals the main thread to do the reload and it waits for it to complete.
11 years ago
SCMutexUnlock(&detect_sync.m);
}
/* caller loops this until it returns 1 */
detect-engine: remove DONE state Remove the DONE state to fix a problem with state not being changed correctly when multiple reload were done. As DONE was not really useful, we can remove it.
9 years ago
int DetectEngineReloadIsIdle(void)
unix-socket: implement reload-rules Implement the reload-rules unix socket command. The unix command thread signals the main thread to do the reload and it waits for it to complete.
11 years ago
{
int r = 0;
SCMutexLock(&detect_sync.m);
detect-engine: remove DONE state Remove the DONE state to fix a problem with state not being changed correctly when multiple reload were done. As DONE was not really useful, we can remove it.
9 years ago
if (detect_sync.state == IDLE) {
unix-socket: implement reload-rules Implement the reload-rules unix socket command. The unix command thread signals the main thread to do the reload and it waits for it to complete.
11 years ago
r = 1;
}
SCMutexUnlock(&detect_sync.m);
return r;
}
detect-dns: move DetectEngineInspectGenericList to detect-engine.c Move DetectEngineInspectGenericList from detect-engine-dns.c to detect-engine.c to enable it to be used other places as well.
9 years ago
/** \brief Do the content inspection & validation for a signature
*
* \param de_ctx Detection engine context
* \param det_ctx Detection engine thread context
* \param s Signature to inspect
* \param sm SigMatch to inspect
* \param f Flow
* \param flags app layer flags
* \param state App layer state
*
* \retval 0 no match
* \retval 1 match
*/
int DetectEngineInspectGenericList(ThreadVars *tv,
const DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
detect: use detect list passed to generic funcs Until now the GenericList users used hardcoded list id's.
9 years ago
const Signature *s, const SigMatchData *smd,
Flow *f, const uint8_t flags,
void *alstate, void *txv, uint64_t tx_id)
detect-dns: move DetectEngineInspectGenericList to detect-engine.c Move DetectEngineInspectGenericList from detect-engine-dns.c to detect-engine.c to enable it to be used other places as well.
9 years ago
{
SCLogDebug("running match functions, sm %p", smd);
if (smd != NULL) {
while (1) {
int match = 0;
KEYWORD_PROFILING_START;
match = sigmatch_table[smd->type].
detect: remove Threadvars argument from API calls Remove it as it's (almost) never used. If it is really needed it can be accessed through DetectEngineThreadCtx::tv as well.
6 years ago
AppLayerTxMatch(det_ctx, f, flags, alstate, txv, s, smd->ctx);
detect-dns: move DetectEngineInspectGenericList to detect-engine.c Move DetectEngineInspectGenericList from detect-engine-dns.c to detect-engine.c to enable it to be used other places as well.
9 years ago
KEYWORD_PROFILING_END(det_ctx, smd->type, (match == 1));
if (match == 0)
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
if (match == 2) {
return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
}
if (smd->is_last)
break;
smd++;
}
}
return DETECT_ENGINE_INSPECT_SIG_MATCH;
}
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
/**
* \brief Do the content inspection & validation for a signature
*
* \param de_ctx Detection engine context
* \param det_ctx Detection engine thread context
* \param s Signature to inspect
* \param f Flow
* \param flags app layer flags
* \param state App layer state
*
* \retval 0 no match.
* \retval 1 match.
* \retval 2 Sig can't match.
*/
int DetectEngineInspectBufferGeneric(
DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
const DetectEngineAppInspectionEngine *engine,
const Signature *s,
Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
{
const int list_id = engine->sm_list;
SCLogDebug("running inspect on %d", list_id);
detect: fix content inspection flags Fix generic inspect function content inspection flags so that streaming buffers work correctly.
7 years ago
const bool eof = (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) > engine->progress);
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
SCLogDebug("list %d mpm? %s transforms %p",
engine->sm_list, engine->mpm ? "true" : "false", engine->v2.transforms);
/* if prefilter didn't already run, we need to consider transformations */
const DetectEngineTransforms *transforms = NULL;
if (!engine->mpm) {
transforms = engine->v2.transforms;
}
const InspectionBuffer *buffer = engine->v2.GetData(det_ctx, transforms,
f, flags, txv, list_id);
detect: fix content inspection flags Fix generic inspect function content inspection flags so that streaming buffers work correctly.
7 years ago
if (unlikely(buffer == NULL)) {
return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH :
DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
}
const uint32_t data_len = buffer->inspect_len;
const uint8_t *data = buffer->inspect;
const uint64_t offset = buffer->inspect_offset;
detect: fix content inspection flags Fix generic inspect function content inspection flags so that streaming buffers work correctly.
7 years ago
uint8_t ci_flags = eof ? DETECT_CI_FLAGS_END : 0;
ci_flags |= (offset == 0 ? DETECT_CI_FLAGS_START : 0);
detect/inspect: add flags to inspect buffer
6 years ago
ci_flags |= buffer->flags;
detect: fix content inspection flags Fix generic inspect function content inspection flags so that streaming buffers work correctly.
7 years ago
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
det_ctx->discontinue_matching = 0;
det_ctx->buffer_offset = 0;
det_ctx->inspection_recursion_counter = 0;
/* Inspect all the uricontents fetched on each
* transaction at the app layer */
int r = DetectEngineContentInspection(de_ctx, det_ctx,
s, engine->smd,
detect/content-inspect: turn void arg into Packet Replace the 'void *data' argument by a 'Packet *p' as this was the only user left of the data pointer.
6 years ago
NULL, f,
detect: fix content inspection flags Fix generic inspect function content inspection flags so that streaming buffers work correctly.
7 years ago
(uint8_t *)data, data_len, offset, ci_flags,
detect/content-inspect: turn void arg into Packet Replace the 'void *data' argument by a 'Packet *p' as this was the only user left of the data pointer.
6 years ago
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
if (r == 1) {
return DETECT_ENGINE_INSPECT_SIG_MATCH;
} else {
detect: fix content inspection flags Fix generic inspect function content inspection flags so that streaming buffers work correctly.
7 years ago
return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH :
DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
}
}
detect: introduce pkt mpm engines Instead of the hardcode L4 matching in MPM that was recently introduced, add an API similar to the AppLayer MPM and inspect engines. Share part of the registration code with the AppLayer. Implement for the tcp.hdr and udp.hdr keywords.
6 years ago
/**
* \brief Do the content inspection & validation for a signature
*
* \param de_ctx Detection engine context
* \param det_ctx Detection engine thread context
* \param s Signature to inspect
* \param p Packet
*
* \retval 0 no match.
* \retval 1 match.
*/
int DetectEngineInspectPktBufferGeneric(
DetectEngineThreadCtx *det_ctx,
const DetectEnginePktInspectionEngine *engine,
const Signature *s, Packet *p, uint8_t *_alert_flags)
{
const int list_id = engine->sm_list;
SCLogDebug("running inspect on %d", list_id);
SCLogDebug("list %d transforms %p",
engine->sm_list, engine->v1.transforms);
/* if prefilter didn't already run, we need to consider transformations */
const DetectEngineTransforms *transforms = NULL;
if (!engine->mpm) {
transforms = engine->v1.transforms;
}
const InspectionBuffer *buffer = engine->v1.GetData(det_ctx, transforms, p,
list_id);
if (unlikely(buffer == NULL)) {
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
}
const uint32_t data_len = buffer->inspect_len;
const uint8_t *data = buffer->inspect;
const uint64_t offset = 0;
uint8_t ci_flags = DETECT_CI_FLAGS_START|DETECT_CI_FLAGS_END;
ci_flags |= buffer->flags;
det_ctx->discontinue_matching = 0;
det_ctx->buffer_offset = 0;
det_ctx->inspection_recursion_counter = 0;
/* Inspect all the uricontents fetched on each
* transaction at the app layer */
int r = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx,
s, engine->smd,
p, p->flow,
(uint8_t *)data, data_len, offset, ci_flags,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER);
if (r == 1) {
return DETECT_ENGINE_INSPECT_SIG_MATCH;
} else {
return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
}
}
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
detect reload: call 'breakloop' on capture method Split wait loop into three steps: - first insert pseudo packets - 2nd nudge all capture threads to break out of their loop - third, wait for the detection thread contexts to be used Interupt capture more than once if needed Move packet injection into util func
10 years ago
/* nudge capture loops to wake up */
static void BreakCapture(void)
{
SCMutexLock(&tv_root_lock);
ThreadVars *tv = tv_root[TVT_PPT];
while (tv) {
/* find the correct slot */
TmSlot *slots = tv->tm_slots;
while (slots != NULL) {
if (suricata_ctl_flags != 0) {
detect: fix potential deadlock during reload If interrupted during the BreakLoop stage during reload, a deadlock could happen.
10 years ago
SCMutexUnlock(&tv_root_lock);
detect reload: call 'breakloop' on capture method Split wait loop into three steps: - first insert pseudo packets - 2nd nudge all capture threads to break out of their loop - third, wait for the detection thread contexts to be used Interupt capture more than once if needed Move packet injection into util func
10 years ago
return;
}
TmModule *tm = TmModuleGetById(slots->tm_id);
if (!(tm->flags & TM_FLAG_RECEIVE_TM)) {
slots = slots->slot_next;
continue;
}
detect reload: generic packet injection for capture Capture methods that are non blocking will still not generate packets that go through the system if there is no traffic. Some maintenance tasks, like rule reloads rely on packets to complete. This patch introduces a new thread flag, THV_CAPTURE_INJECT_PKT, that instructs the capture thread to create a fake packet. The capture implementations can call the TmThreadsCaptureInjectPacket utility function either with the packet they already got from the pool or without a packet. In this case the util func will get it's own packet. Implementations for pcap, AF_PACKET and PF_RING.
10 years ago
/* signal capture method that we need a packet. */
TmThreadsSetFlag(tv, THV_CAPTURE_INJECT_PKT);
/* if the method supports it, BreakLoop. Otherwise we rely on
* the capture method's recv timeout */
detect reload: call 'breakloop' on capture method Split wait loop into three steps: - first insert pseudo packets - 2nd nudge all capture threads to break out of their loop - third, wait for the detection thread contexts to be used Interupt capture more than once if needed Move packet injection into util func
10 years ago
if (tm->PktAcqLoop && tm->PktAcqBreakLoop) {
tm->PktAcqBreakLoop(tv, SC_ATOMIC_GET(slots->slot_data));
}
detect reload: generic packet injection for capture Capture methods that are non blocking will still not generate packets that go through the system if there is no traffic. Some maintenance tasks, like rule reloads rely on packets to complete. This patch introduces a new thread flag, THV_CAPTURE_INJECT_PKT, that instructs the capture thread to create a fake packet. The capture implementations can call the TmThreadsCaptureInjectPacket utility function either with the packet they already got from the pool or without a packet. In this case the util func will get it's own packet. Implementations for pcap, AF_PACKET and PF_RING.
10 years ago
detect reload: call 'breakloop' on capture method Split wait loop into three steps: - first insert pseudo packets - 2nd nudge all capture threads to break out of their loop - third, wait for the detection thread contexts to be used Interupt capture more than once if needed Move packet injection into util func
10 years ago
break;
}
tv = tv->next;
}
SCMutexUnlock(&tv_root_lock);
}
/** \internal
* \brief inject a pseudo packet into each detect thread that doesn't use the
* new det_ctx yet
*/
static void InjectPackets(ThreadVars **detect_tvs,
DetectEngineThreadCtx **new_det_ctx,
int no_of_detect_tvs)
{
/* inject a fake packet if the detect thread isn't using the new ctx yet,
* this speeds up the process */
detect: inject packet cleanup
6 years ago
for (int i = 0; i < no_of_detect_tvs; i++) {
detect reload: call 'breakloop' on capture method Split wait loop into three steps: - first insert pseudo packets - 2nd nudge all capture threads to break out of their loop - third, wait for the detection thread contexts to be used Interupt capture more than once if needed Move packet injection into util func
10 years ago
if (SC_ATOMIC_GET(new_det_ctx[i]->so_far_used_by_detect) != 1) {
if (detect_tvs[i]->inq != NULL) {
Packet *p = PacketGetFromAlloc();
if (p != NULL) {
p->flags |= PKT_PSEUDO_STREAM_END;
packet: set unique pkt_src 'flush' packets Set unique type for capture timeout and for detect reload flush to assist in debugging.
6 years ago
PKT_SET_SRC(p, PKT_SRC_DETECT_RELOAD_FLUSH);
detect reload: call 'breakloop' on capture method Split wait loop into three steps: - first insert pseudo packets - 2nd nudge all capture threads to break out of their loop - third, wait for the detection thread contexts to be used Interupt capture more than once if needed Move packet injection into util func
10 years ago
PacketQueue *q = &trans_q[detect_tvs[i]->inq->id];
SCMutexLock(&q->mutex_q);
PacketEnqueue(q, p);
SCCondSignal(&q->cond_q);
SCMutexUnlock(&q->mutex_q);
}
}
}
}
}
detect-reload: 0 detect threads is no error The reload code would consider 0 detect threads to be an error, but it's not in case of unix socket mode.
11 years ago
/** \internal
* \brief Update detect threads with new detect engine
*
* Atomically update each detect thread with a new thread context
* that is associated to the new detection engine(s).
*
* If called in unix socket mode, it's possible that we don't have
* detect threads yet.
*
* \retval -1 error
* \retval 0 no detection threads
* \retval 1 successful reload
*/
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
static int DetectEngineReloadThreads(DetectEngineCtx *new_de_ctx)
{
SCEnter();
int i = 0;
int no_of_detect_tvs = 0;
ThreadVars *tv = NULL;
/* count detect threads in use */
SCMutexLock(&tv_root_lock);
tv = tv_root[TVT_PPT];
while (tv) {
/* obtain the slots for this TV */
TmSlot *slots = tv->tm_slots;
while (slots != NULL) {
TmModule *tm = TmModuleGetById(slots->tm_id);
if (suricata_ctl_flags != 0) {
SCLogInfo("rule reload interupted by engine shutdown");
SCMutexUnlock(&tv_root_lock);
return -1;
}
if (!(tm->flags & TM_FLAG_DETECT_TM)) {
slots = slots->slot_next;
continue;
}
no_of_detect_tvs++;
break;
}
tv = tv->next;
}
SCMutexUnlock(&tv_root_lock);
detect-reload: 0 detect threads is no error The reload code would consider 0 detect threads to be an error, but it's not in case of unix socket mode.
11 years ago
/* can be zero in unix socket mode */
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
if (no_of_detect_tvs == 0) {
detect-reload: 0 detect threads is no error The reload code would consider 0 detect threads to be an error, but it's not in case of unix socket mode.
11 years ago
return 0;
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
}
/* prepare swap structures */
DetectEngineThreadCtx *old_det_ctx[no_of_detect_tvs];
DetectEngineThreadCtx *new_det_ctx[no_of_detect_tvs];
ThreadVars *detect_tvs[no_of_detect_tvs];
memset(old_det_ctx, 0x00, (no_of_detect_tvs * sizeof(DetectEngineThreadCtx *)));
memset(new_det_ctx, 0x00, (no_of_detect_tvs * sizeof(DetectEngineThreadCtx *)));
memset(detect_tvs, 0x00, (no_of_detect_tvs * sizeof(ThreadVars *)));
/* start the process of swapping detect threads ctxs */
/* get reference to tv's and setup new_det_ctx array */
SCMutexLock(&tv_root_lock);
tv = tv_root[TVT_PPT];
while (tv) {
/* obtain the slots for this TV */
TmSlot *slots = tv->tm_slots;
while (slots != NULL) {
TmModule *tm = TmModuleGetById(slots->tm_id);
if (suricata_ctl_flags != 0) {
SCMutexUnlock(&tv_root_lock);
goto error;
}
if (!(tm->flags & TM_FLAG_DETECT_TM)) {
slots = slots->slot_next;
continue;
}
flowworker: initial support Initial version of the 'FlowWorker' thread module. This module combines Flow handling, TCP handling, App layer handling and Detection in a single module. It does all flow related processing under a single flow lock.
9 years ago
old_det_ctx[i] = FlowWorkerGetDetectCtxPtr(SC_ATOMIC_GET(slots->slot_data));
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
detect_tvs[i] = tv;
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
new_det_ctx[i] = DetectEngineThreadCtxInitForReload(tv, new_de_ctx, 1);
detect: reload thread init cleanup Rename the thread init function DetectEngineThreadCtxInitForLiveRuleSwap to DetectEngineThreadCtxInitForReload and change it's logic to take the new detection engine as argument and let it return the DetectEngineThreadCtx or NULL on error. The old approach used the thread init API format, but it wasn't used in that way.
11 years ago
if (new_det_ctx[i] == NULL) {
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
SCLogError(SC_ERR_LIVE_RULE_SWAP, "Detect engine thread init "
"failure in live rule swap. Let's get out of here");
SCMutexUnlock(&tv_root_lock);
goto error;
}
SCLogDebug("live rule swap created new det_ctx - %p and de_ctx "
detect: reload thread init cleanup Rename the thread init function DetectEngineThreadCtxInitForLiveRuleSwap to DetectEngineThreadCtxInitForReload and change it's logic to take the new detection engine as argument and let it return the DetectEngineThreadCtx or NULL on error. The old approach used the thread init API format, but it wasn't used in that way.
11 years ago
"- %p\n", new_det_ctx[i], new_de_ctx);
i++;
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
break;
}
tv = tv->next;
}
BUG_ON(i != no_of_detect_tvs);
/* atomicly replace the det_ctx data */
i = 0;
tv = tv_root[TVT_PPT];
while (tv) {
/* find the correct slot */
TmSlot *slots = tv->tm_slots;
while (slots != NULL) {
if (suricata_ctl_flags != 0) {
detect-engine: add missing mutex unlock
8 years ago
SCMutexUnlock(&tv_root_lock);
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
return -1;
}
TmModule *tm = TmModuleGetById(slots->tm_id);
if (!(tm->flags & TM_FLAG_DETECT_TM)) {
slots = slots->slot_next;
continue;
}
SCLogDebug("swapping new det_ctx - %p with older one - %p",
new_det_ctx[i], SC_ATOMIC_GET(slots->slot_data));
flowworker: initial support Initial version of the 'FlowWorker' thread module. This module combines Flow handling, TCP handling, App layer handling and Detection in a single module. It does all flow related processing under a single flow lock.
9 years ago
FlowWorkerReplaceDetectCtx(SC_ATOMIC_GET(slots->slot_data), new_det_ctx[i++]);
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
break;
}
tv = tv->next;
}
SCMutexUnlock(&tv_root_lock);
/* threads now all have new data, however they may not have started using
* it and may still use the old data */
detect: suppress debug message for reloads
9 years ago
SCLogDebug("Live rule swap has swapped %d old det_ctx's with new ones, "
"along with the new de_ctx", no_of_detect_tvs);
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
detect reload: call 'breakloop' on capture method Split wait loop into three steps: - first insert pseudo packets - 2nd nudge all capture threads to break out of their loop - third, wait for the detection thread contexts to be used Interupt capture more than once if needed Move packet injection into util func
10 years ago
InjectPackets(detect_tvs, new_det_ctx, no_of_detect_tvs);
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
for (i = 0; i < no_of_detect_tvs; i++) {
int break_out = 0;
usleep(1000);
while (SC_ATOMIC_GET(new_det_ctx[i]->so_far_used_by_detect) != 1) {
if (suricata_ctl_flags != 0) {
break_out = 1;
break;
}
detect reload: call 'breakloop' on capture method Split wait loop into three steps: - first insert pseudo packets - 2nd nudge all capture threads to break out of their loop - third, wait for the detection thread contexts to be used Interupt capture more than once if needed Move packet injection into util func
10 years ago
BreakCapture();
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
usleep(1000);
}
if (break_out)
break;
SCLogDebug("new_det_ctx - %p used by detect engine", new_det_ctx[i]);
}
/* this is to make sure that if someone initiated shutdown during a live
* rule swap, the live rule swap won't clean up the old det_ctx and
* de_ctx, till all detect threads have stopped working and sitting
* silently after setting RUNNING_DONE flag and while waiting for
* THV_DEINIT flag */
if (i != no_of_detect_tvs) { // not all threads we swapped
detect: fix -Wshadow warning
9 years ago
tv = tv_root[TVT_PPT];
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
while (tv) {
/* obtain the slots for this TV */
TmSlot *slots = tv->tm_slots;
while (slots != NULL) {
TmModule *tm = TmModuleGetById(slots->tm_id);
if (!(tm->flags & TM_FLAG_DETECT_TM)) {
slots = slots->slot_next;
continue;
}
while (!TmThreadsCheckFlag(tv, THV_RUNNING_DONE)) {
usleep(100);
}
slots = slots->slot_next;
}
tv = tv->next;
}
}
/* free all the ctxs */
for (i = 0; i < no_of_detect_tvs; i++) {
SCLogDebug("Freeing old_det_ctx - %p used by detect",
old_det_ctx[i]);
DetectEngineThreadCtxDeinit(NULL, old_det_ctx[i]);
}
SRepReloadComplete();
detect-reload: 0 detect threads is no error The reload code would consider 0 detect threads to be an error, but it's not in case of unix socket mode.
11 years ago
return 1;
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
error:
for (i = 0; i < no_of_detect_tvs; i++) {
if (new_det_ctx[i] != NULL)
DetectEngineThreadCtxDeinit(NULL, new_det_ctx[i]);
}
return -1;
}
detect: fix delayed detect Last multi-detect changes broken delayed-detect by refusing to reload a 'stub' detect engine. This patch distinguishes between a stub for multi-tenancy and for delayed detect.
7 years ago
static DetectEngineCtx *DetectEngineCtxInitReal(enum DetectEngineType type, const char *prefix)
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
{
detect: fix delayed detect Last multi-detect changes broken delayed-detect by refusing to reload a 'stub' detect engine. This patch distinguishes between a stub for multi-tenancy and for delayed detect.
7 years ago
DetectEngineCtx *de_ctx = SCMalloc(sizeof(DetectEngineCtx));
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(de_ctx == NULL))
Switch to using a detection engine ctx.
17 years ago
goto error;
memset(de_ctx,0,sizeof(DetectEngineCtx));
detect-engine: add reload time/rules stats This patch adds the following stats for the detect engine: - time of the last reload - number of rules loaded - number of rules failed
10 years ago
memset(&de_ctx->sig_stat, 0, sizeof(SigFileLoaderStat));
detect: save invalid rules This keeps the invalid rules in string format into a list, added in DetectEngineCtx.
10 years ago
TAILQ_INIT(&de_ctx->sig_stat.failed_sigs);
de_ctx->sigerror = NULL;
detect: fix delayed detect Last multi-detect changes broken delayed-detect by refusing to reload a 'stub' detect engine. This patch distinguishes between a stub for multi-tenancy and for delayed detect.
7 years ago
de_ctx->type = type;
Switch to using a detection engine ctx.
17 years ago
detect: fix delayed detect Last multi-detect changes broken delayed-detect by refusing to reload a 'stub' detect engine. This patch distinguishes between a stub for multi-tenancy and for delayed detect.
7 years ago
if (type == DETECT_ENGINE_TYPE_DD_STUB || type == DETECT_ENGINE_TYPE_MT_STUB) {
detect: use engine version instead of id Use engine version based on global detect engine master. This is incremented between reloads.
9 years ago
de_ctx->version = DetectEngineGetVersion();
detect: fix delayed detect Last multi-detect changes broken delayed-detect by refusing to reload a 'stub' detect engine. This patch distinguishes between a stub for multi-tenancy and for delayed detect.
7 years ago
SCLogDebug("stub %u with version %u", type, de_ctx->version);
detect: introduce 'minimal' detect engine The minimal detect engine has only the minimal memory use and setup time. It's to be used for 'delayed' detect where the first detection engine is essentially empty. The threads setup are also minimal.
11 years ago
return de_ctx;
}
detect: initialize detection engine by prefix Initalize detection engine by configuration prefix. DetectEngineCtxInitWithPrefix(const char *prefix) Takes the detection engine configuration from: <prefix>.<config> If prefix is NULL the regular config will be used. Update sure that DetectLoadCompleteSigPath considers the prefix when retrieving the configuration.
11 years ago
if (prefix != NULL) {
strlcpy(de_ctx->config_prefix, prefix, sizeof(de_ctx->config_prefix));
}
Do not use underscored config vars internally.
14 years ago
if (ConfGetBool("engine.init-failure-fatal", (int *)&(de_ctx->failure_fatal)) != 1) {
Add fatal failures on unittest and siginit failure (using Conf API)
16 years ago
SCLogDebug("ConfGetBool could not load the value.");
}
Get rid of global mpm_ctx.
16 years ago
de_ctx->mpm_matcher = PatternMatchDefaultMatcher();
spm: add SinglePatternMatchDefaultMatcher Allows selecting SPM algorithm with the 'spm-algo' value in the YAML config file.
9 years ago
de_ctx->spm_matcher = SinglePatternMatchDefaultMatcher();
output: introduce config and perf output levels Goal is to reduce info output
10 years ago
SCLogConfig("pattern matchers: MPM: %s, SPM: %s",
detect: make pattern matcher messages less verbose
9 years ago
mpm_table[de_ctx->mpm_matcher].name,
spm_table[de_ctx->spm_matcher].name);
spm: add and use new SPM API This new API allows for different SPM implementations, using a function pointer table like that used for MPM. This change also switches over the paths that make use of DetectContentData (which previously used BoyerMoore directly) to the new API.
9 years ago
de_ctx->spm_global_thread_ctx = SpmInitGlobalThreadCtx(de_ctx->spm_matcher);
if (de_ctx->spm_global_thread_ctx == NULL) {
SCLogDebug("Unable to alloc SpmGlobalThreadCtx.");
goto error;
}
detect: error out on invalid detect.profile option Bug #891.
8 years ago
if (DetectEngineCtxLoadConf(de_ctx) == -1) {
goto error;
}
Get rid of global mpm_ctx.
16 years ago
Put all globals in the detection engine ctx. Add HashList type, a hash that also stores the items ina list to it can be traversed. Many cleanups.
17 years ago
SigGroupHeadHashInit(de_ctx);
detect: mpm deduplication Create hash for mpm's that we can reuse. Have packet/stream mpms use this.
10 years ago
MpmStoreInit(de_ctx);
Threshold Rule
16 years ago
ThresholdHashInit(de_ctx);
in case of duplicate signatures used the one with the latest revision
15 years ago
DetectParseDupSigHashInit(de_ctx);
detect: optimize rule address parsing Many rules have the same address vars, so instead of parsing them each time use a hash to store the string and the parsed result. Rules now reference the stored result in the hash table.
9 years ago
DetectAddressMapInit(de_ctx);
detect-metadata: add a string storage to de_ctx To avoid to have a lot of string allocations, we use a hash table stored in de_ctx to point to existing string instead of duplicating them.
8 years ago
DetectMetadataHashInit(de_ctx);
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
DetectBufferTypeSetupDetectEngine(de_ctx);
Share content id's between identical patterns.
16 years ago
Simple IP reputation implementation
13 years ago
/* init iprep... ignore errors for now */
(void)SRepInit(de_ctx);
classification: remove global from parsing Parsing code used a 'fd' global. Remove this.
10 years ago
SCClassConfLoadClassficationConfigFile(de_ctx, NULL);
reference: remove global
10 years ago
SCRConfLoadReferenceConfigFile(de_ctx, NULL);
detect: consolidate more setup into DetectEngineCtxInit Loading of classifications, references and action order was done unconditionally, so can be done in one place.
11 years ago
if (ActionInitConfig() < 0) {
goto error;
}
detect: use engine version instead of id Use engine version based on global detect engine master. This is incremented between reloads.
9 years ago
de_ctx->version = DetectEngineGetVersion();
var-names: expose outside of detect engine Until now variable names, such as flowbit names, were local to a detect engine. This made sense as they were only ever used in that context. For the purpose of logging these names, this needs a different approach. The loggers live outside of the detect engine. Also, in the case of reloads and multi-tenancy, there are even multiple detect engines, so it would be even more tricky to access them from the outside. This patch brings a new approach. A any time, there is a single active hash table mapping the variable names and their id's. For multiple tenants the table is shared between tenants. The table is set up in a 'staging' area, where locking makes sure that multiple loading threads don't mess things up. Then when the preparing of a detection engine is ready, but before the detect threads are made aware of the new detect engine, the active varname hash is swapped with the staging instance. For this to work, all the mappings from the 'current' or active mapping are added to the staging table. After the threads have reloaded and the new detection engine is active, the old table can be freed. For multi tenancy things are similar. The staging area is used for setting up until the new detection engines / tenants are applied to the system. This patch also changes the variable 'id'/'idx' field to uint32_t. Due to data structure padding and alignment, this should have no practical drawback while allowing for a lot more vars.
9 years ago
VarNameStoreSetupStaging(de_ctx->version);
detect: use engine version instead of id Use engine version based on global detect engine master. This is incremented between reloads.
9 years ago
SCLogDebug("dectx with version %u", de_ctx->version);
Switch to using a detection engine ctx.
17 years ago
return de_ctx;
error:
detect-engine: free memory in error conditions (CID 1351210)
10 years ago
if (de_ctx != NULL) {
DetectEngineCtxFree(de_ctx);
}
Switch to using a detection engine ctx.
17 years ago
return NULL;
detect: introduce 'minimal' detect engine The minimal detect engine has only the minimal memory use and setup time. It's to be used for 'delayed' detect where the first detection engine is essentially empty. The threads setup are also minimal.
11 years ago
}
detect: fix delayed detect Last multi-detect changes broken delayed-detect by refusing to reload a 'stub' detect engine. This patch distinguishes between a stub for multi-tenancy and for delayed detect.
7 years ago
DetectEngineCtx *DetectEngineCtxInitStubForMT(void)
detect: introduce 'minimal' detect engine The minimal detect engine has only the minimal memory use and setup time. It's to be used for 'delayed' detect where the first detection engine is essentially empty. The threads setup are also minimal.
11 years ago
{
detect: fix delayed detect Last multi-detect changes broken delayed-detect by refusing to reload a 'stub' detect engine. This patch distinguishes between a stub for multi-tenancy and for delayed detect.
7 years ago
return DetectEngineCtxInitReal(DETECT_ENGINE_TYPE_MT_STUB, NULL);
}
DetectEngineCtx *DetectEngineCtxInitStubForDD(void)
{
return DetectEngineCtxInitReal(DETECT_ENGINE_TYPE_DD_STUB, NULL);
detect: introduce 'minimal' detect engine The minimal detect engine has only the minimal memory use and setup time. It's to be used for 'delayed' detect where the first detection engine is essentially empty. The threads setup are also minimal.
11 years ago
}
DetectEngineCtx *DetectEngineCtxInit(void)
{
detect: fix delayed detect Last multi-detect changes broken delayed-detect by refusing to reload a 'stub' detect engine. This patch distinguishes between a stub for multi-tenancy and for delayed detect.
7 years ago
return DetectEngineCtxInitReal(DETECT_ENGINE_TYPE_NORMAL, NULL);
detect: initialize detection engine by prefix Initalize detection engine by configuration prefix. DetectEngineCtxInitWithPrefix(const char *prefix) Takes the detection engine configuration from: <prefix>.<config> If prefix is NULL the regular config will be used. Update sure that DetectLoadCompleteSigPath considers the prefix when retrieving the configuration.
11 years ago
}
DetectEngineCtx *DetectEngineCtxInitWithPrefix(const char *prefix)
{
detect: remove config at prefix Remove config at prefix when freeing a detect engine.
11 years ago
if (prefix == NULL || strlen(prefix) == 0)
return DetectEngineCtxInit();
else
detect: fix delayed detect Last multi-detect changes broken delayed-detect by refusing to reload a 'stub' detect engine. This patch distinguishes between a stub for multi-tenancy and for delayed detect.
7 years ago
return DetectEngineCtxInitReal(DETECT_ENGINE_TYPE_NORMAL, prefix);
Switch to using a detection engine ctx.
17 years ago
}
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
static void DetectEngineCtxFreeThreadKeywordData(DetectEngineCtx *de_ctx)
{
Thread local ctx for detection keywords Some detection keywords need thread local ctx storage. Example is the filemagic keyword that has a ctx that is modified with each call. That is not thread safe. This functionality allows registration of thread local ctxs so that each detect thread works on it's own copy.
13 years ago
DetectEngineThreadKeywordCtxItem *item = de_ctx->keyword_list;
while (item) {
DetectEngineThreadKeywordCtxItem *next = item->next;
SCFree(item);
item = next;
}
de_ctx->keyword_list = NULL;
}
detect: save invalid rules This keeps the invalid rules in string format into a list, added in DetectEngineCtx.
10 years ago
static void DetectEngineCtxFreeFailedSigs(DetectEngineCtx *de_ctx)
{
SigString *item = NULL;
SigString *sitem;
TAILQ_FOREACH_SAFE(item, &de_ctx->sig_stat.failed_sigs, next, sitem) {
SCFree(item->filename);
SCFree(item->sig_str);
if (item->sig_error) {
SCFree(item->sig_error);
}
TAILQ_REMOVE(&de_ctx->sig_stat.failed_sigs, item, next);
SCFree(item);
}
}
doxygen: document some functions
12 years ago
/**
* \brief Free a DetectEngineCtx::
*
* \param de_ctx DetectEngineCtx:: to be freed
*/
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
void DetectEngineCtxFree(DetectEngineCtx *de_ctx)
{
Put all globals in the detection engine ctx. Add HashList type, a hash that also stores the items ina list to it can be traversed. Many cleanups.
17 years ago
Fixes for the fast-pattern tests and a couple of other minor changes
16 years ago
if (de_ctx == NULL)
return;
Bunch of mostly unittest related memleak fixes.
16 years ago
Rule profiling update - Remove usage of counters api. - Store stats in detect engine thread ctx to remove locking - Support rule reloads
13 years ago
#ifdef PROFILING
if (de_ctx->profile_ctx != NULL) {
SCProfilingRuleDestroyCtx(de_ctx->profile_ctx);
de_ctx->profile_ctx = NULL;
}
profiling: introduce per keyword profiling Initial version of per keyword profiling. Prints stats about how ofter a keyword was checked and what the costs were.
13 years ago
if (de_ctx->profile_keyword_ctx != NULL) {
profiling: per buffer profiling
12 years ago
SCProfilingKeywordDestroyCtx(de_ctx);//->profile_keyword_ctx);
// de_ctx->profile_keyword_ctx = NULL;
profiling: introduce per keyword profiling Initial version of per keyword profiling. Prints stats about how ofter a keyword was checked and what the costs were.
13 years ago
}
profiling: initial rulegroup tracking Per rule group tracking of checks, use of lists, mpm matches, post filter counts. Logs SGH id so it can be compared with the rule_group.json output. Implemented both in a human readable text format and a JSON format.
10 years ago
if (de_ctx->profile_sgh_ctx != NULL) {
SCProfilingSghDestroyCtx(de_ctx);
}
detect/prefilter: redo profiling
8 years ago
SCProfilingPrefilterDestroyCtx(de_ctx);
Rule profiling update - Remove usage of counters api. - Store stats in detect engine thread ctx to remove locking - Support rule reloads
13 years ago
#endif
Share content id's between identical patterns.
16 years ago
Put all globals in the detection engine ctx. Add HashList type, a hash that also stores the items ina list to it can be traversed. Many cleanups.
17 years ago
/* Normally the hashes are freed elsewhere, but
* to be sure look at them again here.
*/
SigGroupHeadHashFree(de_ctx);
detect: mpm deduplication Create hash for mpm's that we can reuse. Have packet/stream mpms use this.
10 years ago
MpmStoreFree(de_ctx);
in case of duplicate signatures used the one with the latest revision
15 years ago
DetectParseDupSigHashFree(de_ctx);
Order the signatures based on certain rule parameters like actions, flowbits, flowvar, pktvar, priority etc
16 years ago
SCSigSignatureOrderingModuleCleanup(de_ctx);
Threshold Rule
16 years ago
ThresholdContextDestroy(de_ctx);
Get rid of global mpm_ctx.
16 years ago
SigCleanSignatures(de_ctx);
Bunch of mostly unittest related memleak fixes.
16 years ago
if (de_ctx->sig_array)
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
SCFree(de_ctx->sig_array);
More engine init memleaks fixed. HashListTable remove function fixed.
16 years ago
clean classification config API
13 years ago
SCClassConfDeInitContext(de_ctx);
clean reference config API
13 years ago
SCRConfDeInitContext(de_ctx);
clean classification config API
13 years ago
live rule support added To reload ruleset during engine runtime, send the USR2 signal to the engine, and the ruleset would be reloaded from the same yaml file supplied at engine startup
13 years ago
SigGroupCleanup(de_ctx);
spm: add and use new SPM API This new API allows for different SPM implementations, using a function pointer table like that used for MPM. This change also switches over the paths that make use of DetectContentData (which previously used BoyerMoore directly) to the new API.
9 years ago
SpmDestroyGlobalThreadCtx(de_ctx->spm_global_thread_ctx);
mpm: always cleanup factory
10 years ago
MpmFactoryDeRegisterAllMpmCtxProfiles(de_ctx);
DetectEngineCtxFree() cleanup, also in main
13 years ago
Thread local ctx for detection keywords Some detection keywords need thread local ctx storage. Example is the filemagic keyword that has a ctx that is modified with each call. That is not thread safe. This functionality allows registration of thread local ctxs so that each detect thread works on it's own copy.
13 years ago
DetectEngineCtxFreeThreadKeywordData(de_ctx);
iprep: cleanup ctx on shutdown ~~Dr.M~~ Error #1: LEAK 480 direct bytes 0x0aae7fc0-0x0aae81a0 + 0 indirect bytes ~~Dr.M~~ # 0 replace_malloc [/work/drmemory_package/common/alloc_replace.c:2373] ~~Dr.M~~ # 1 SRepInit [.../Suricata/src/reputation.c:594] ~~Dr.M~~ # 2 DetectEngineCtxInit [.../src/detect-engine.c:844] ~~Dr.M~~ # 3 main [.../Suricata/src/suricata.c:2230]
11 years ago
SRepDestroy(de_ctx);
detect: save invalid rules This keeps the invalid rules in string format into a list, added in DetectEngineCtx.
10 years ago
DetectEngineCtxFreeFailedSigs(de_ctx);
detect: remove config at prefix Remove config at prefix when freeing a detect engine.
11 years ago
detect: optimize rule address parsing Many rules have the same address vars, so instead of parsing them each time use a hash to store the string and the parsed result. Rules now reference the stored result in the hash table.
9 years ago
DetectAddressMapFree(de_ctx);
detect-metadata: add a string storage to de_ctx To avoid to have a lot of string allocations, we use a hash table stored in de_ctx to point to existing string instead of duplicating them.
8 years ago
DetectMetadataHashFree(de_ctx);
detect: optimize rule address parsing Many rules have the same address vars, so instead of parsing them each time use a hash to store the string and the parsed result. Rules now reference the stored result in the hash table.
9 years ago
detect: remove config at prefix Remove config at prefix when freeing a detect engine.
11 years ago
/* if we have a config prefix, remove the config from the tree */
if (strlen(de_ctx->config_prefix) > 0) {
/* remove config */
ConfNode *node = ConfGetNode(de_ctx->config_prefix);
if (node != NULL) {
ConfNodeRemove(node); /* frees node */
}
#if 0
ConfDump();
#endif
}
detect/prefilter: move hash into detect engine ctx
8 years ago
DetectPortCleanupList(de_ctx, de_ctx->tcp_whitelist);
DetectPortCleanupList(de_ctx, de_ctx->udp_whitelist);
detect: make port whitelisting configurable Make the port grouping whitelisting configurable. A whitelisted port ends up in it's own port group. detect: grouping: tcp-whitelist: 80, 443 udp-whitelist: 53, 5060 No portranges are allowed at this point.
10 years ago
detect/prefilter: move hash into detect engine ctx
8 years ago
DetectBufferTypeFreeDetectEngine(de_ctx);
var-names: expose outside of detect engine Until now variable names, such as flowbit names, were local to a detect engine. This made sense as they were only ever used in that context. For the purpose of logging these names, this needs a different approach. The loggers live outside of the detect engine. Also, in the case of reloads and multi-tenancy, there are even multiple detect engines, so it would be even more tricky to access them from the outside. This patch brings a new approach. A any time, there is a single active hash table mapping the variable names and their id's. For multiple tenants the table is shared between tenants. The table is set up in a 'staging' area, where locking makes sure that multiple loading threads don't mess things up. Then when the preparing of a detection engine is ready, but before the detect threads are made aware of the new detect engine, the active varname hash is swapped with the staging instance. For this to work, all the mappings from the 'current' or active mapping are added to the staging table. After the threads have reloaded and the new detection engine is active, the old table can be freed. For multi tenancy things are similar. The staging area is used for setting up until the new detection engines / tenants are applied to the system. This patch also changes the variable 'id'/'idx' field to uint32_t. Due to data structure padding and alignment, this should have no practical drawback while allowing for a lot more vars.
9 years ago
/* freed our var name hash */
VarNameStoreFree(de_ctx->version);
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
SCFree(de_ctx);
Merge DetectAddressData and DetectAddressGroup
16 years ago
//DetectAddressGroupPrintMemory();
//DetectSigGroupPrintMemory();
//DetectPortPrintMemory();
Large detection engine update.
17 years ago
}
Adding settings for detect engine group config
16 years ago
/** \brief Function that load DetectEngineCtx config for grouping sigs
* used by the engine
* \retval 0 if no config provided, 1 if config was provided
* and loaded successfuly
*/
yaml: convert detect-engine to just detect Instead of detect-engine which used a list for no good reason, use a simple map now. detect: profile: medium custom-values: toclient-groups: 3 toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. #delayed-detect: yes
10 years ago
static int DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
{
detect: error out on invalid detect.profile option Bug #891.
8 years ago
uint8_t profile = ENGINE_PROFILE_MEDIUM;
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
const char *max_uniq_toclient_groups_str = NULL;
const char *max_uniq_toserver_groups_str = NULL;
const char *sgh_mpm_context = NULL;
const char *de_ctx_profile = NULL;
Adding settings for detect engine group config
16 years ago
yaml: convert detect-engine to just detect Instead of detect-engine which used a list for no good reason, use a simple map now. detect: profile: medium custom-values: toclient-groups: 3 toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. #delayed-detect: yes
10 years ago
(void)ConfGet("detect.profile", &de_ctx_profile);
(void)ConfGet("detect.sgh-mpm-context", &sgh_mpm_context);
suricata.yaml conf update to support single mpm context distribution over multiple sghs + code to parse this conf
15 years ago
Adding settings for detect engine group config
16 years ago
ConfNode *de_ctx_custom = ConfGetNode("detect-engine");
ConfNode *opt = NULL;
if (de_ctx_custom != NULL) {
TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
yaml: convert detect-engine to just detect Instead of detect-engine which used a list for no good reason, use a simple map now. detect: profile: medium custom-values: toclient-groups: 3 toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. #delayed-detect: yes
10 years ago
if (de_ctx_profile == NULL) {
detect: fix crash during startup with malformed yaml detect-engine: custom-values: toclient-groups: 200 toserver-groups: 200 Bug #2745
7 years ago
if (opt->val && strcmp(opt->val, "profile") == 0) {
yaml: convert detect-engine to just detect Instead of detect-engine which used a list for no good reason, use a simple map now. detect: profile: medium custom-values: toclient-groups: 3 toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. #delayed-detect: yes
10 years ago
de_ctx_profile = opt->head.tqh_first->val;
}
}
if (sgh_mpm_context == NULL) {
detect: fix crash during startup with malformed yaml detect-engine: custom-values: toclient-groups: 200 toserver-groups: 200 Bug #2745
7 years ago
if (opt->val && strcmp(opt->val, "sgh-mpm-context") == 0) {
yaml: convert detect-engine to just detect Instead of detect-engine which used a list for no good reason, use a simple map now. detect: profile: medium custom-values: toclient-groups: 3 toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. #delayed-detect: yes
10 years ago
sgh_mpm_context = opt->head.tqh_first->val;
}
Adding settings for detect engine group config
16 years ago
}
}
}
if (de_ctx_profile != NULL) {
detect: error out on invalid detect.profile option Bug #891.
8 years ago
if (strcmp(de_ctx_profile, "low") == 0 ||
strcmp(de_ctx_profile, "lowest") == 0) { // legacy
Adding settings for detect engine group config
16 years ago
profile = ENGINE_PROFILE_LOW;
Minor parsing cleanups in detect-engine options.
13 years ago
} else if (strcmp(de_ctx_profile, "medium") == 0) {
Adding settings for detect engine group config
16 years ago
profile = ENGINE_PROFILE_MEDIUM;
detect: error out on invalid detect.profile option Bug #891.
8 years ago
} else if (strcmp(de_ctx_profile, "high") == 0 ||
strcmp(de_ctx_profile, "highest") == 0) { // legacy
Adding settings for detect engine group config
16 years ago
profile = ENGINE_PROFILE_HIGH;
Minor parsing cleanups in detect-engine options.
13 years ago
} else if (strcmp(de_ctx_profile, "custom") == 0) {
Adding settings for detect engine group config
16 years ago
profile = ENGINE_PROFILE_CUSTOM;
detect: error out on invalid detect.profile option Bug #891.
8 years ago
} else {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY,
"invalid value for detect.profile: '%s'. "
"Valid options: low, medium, high and custom.",
de_ctx_profile);
return -1;
Adding settings for detect engine group config
16 years ago
}
Make unittests run more quiet.
16 years ago
SCLogDebug("Profile for detection engine groups is \"%s\"", de_ctx_profile);
Adding settings for detect engine group config
16 years ago
} else {
Make unittests run more quiet.
16 years ago
SCLogDebug("Profile for detection engine groups not provided "
suricata.yaml conf update to support single mpm context distribution over multiple sghs + code to parse this conf
15 years ago
"at suricata.yaml. Using default (\"medium\").");
Adding settings for detect engine group config
16 years ago
}
Slightly cleanup detect-engine.sgh-mpm-context option parsing.
15 years ago
/* detect-engine.sgh-mpm-context option parsing */
if (sgh_mpm_context == NULL || strcmp(sgh_mpm_context, "auto") == 0) {
/* for now, since we still haven't implemented any intelligence into
* understanding the patterns and distributing mpm_ctx across sgh */
mpm: rename internal id for ac-tile to ac-ks
7 years ago
if (de_ctx->mpm_matcher == MPM_AC || de_ctx->mpm_matcher == MPM_AC_KS ||
mpm: add Hyperscan integration This adds an MPM implementation that uses the Hyperscan regex engine library from Intel, accessible as the "hs" mpm-algo.
10 years ago
#ifdef BUILD_HYPERSCAN
de_ctx->mpm_matcher == MPM_HS ||
#endif
treate ac-bs auto as single context
14 years ago
de_ctx->mpm_matcher == MPM_AC_BS) {
Slightly cleanup detect-engine.sgh-mpm-context option parsing.
15 years ago
de_ctx->sgh_mpm_context = ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE;
treate ac-bs auto as single context
14 years ago
} else {
Slightly cleanup detect-engine.sgh-mpm-context option parsing.
15 years ago
de_ctx->sgh_mpm_context = ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL;
treate ac-bs auto as single context
14 years ago
}
Slightly cleanup detect-engine.sgh-mpm-context option parsing.
15 years ago
} else {
suricata.yaml conf update to support single mpm context distribution over multiple sghs + code to parse this conf
15 years ago
if (strcmp(sgh_mpm_context, "single") == 0) {
support single mpm context distribution across sghs in staging. Also see to it that ac works fine with this setup
15 years ago
de_ctx->sgh_mpm_context = ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE;
suricata.yaml conf update to support single mpm context distribution over multiple sghs + code to parse this conf
15 years ago
} else if (strcmp(sgh_mpm_context, "full") == 0) {
support single mpm context distribution across sghs in staging. Also see to it that ac works fine with this setup
15 years ago
de_ctx->sgh_mpm_context = ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL;
suricata.yaml conf update to support single mpm context distribution over multiple sghs + code to parse this conf
15 years ago
} else {
Kill engine during init stage if it fails to load valid value for sgh-mpm-context
13 years ago
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "You have supplied an "
"invalid conf value for detect-engine.sgh-mpm-context-"
"%s", sgh_mpm_context);
exit(EXIT_FAILURE);
suricata.yaml conf update to support single mpm context distribution over multiple sghs + code to parse this conf
15 years ago
}
}
change default mpm to ac. Also default sgh-mpm-context is full.
13 years ago
if (run_mode == RUNMODE_UNITTEST) {
de_ctx->sgh_mpm_context = ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL;
}
yaml: convert detect-engine to just detect Instead of detect-engine which used a list for no good reason, use a simple map now. detect: profile: medium custom-values: toclient-groups: 3 toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. #delayed-detect: yes
10 years ago
/* parse profile custom-values */
Adding settings for detect engine group config
16 years ago
opt = NULL;
switch (profile) {
case ENGINE_PROFILE_LOW:
detect: set new defaults for grouping
10 years ago
de_ctx->max_uniq_toclient_groups = 15;
de_ctx->max_uniq_toserver_groups = 25;
Remove dsize grouping from detection engine grouping reducing memory usage. Store sgh in flow to reduce lookups. Reduce locking in alert handling. Increase default grouping values as we use less memory.
15 years ago
break;
Adding settings for detect engine group config
16 years ago
case ENGINE_PROFILE_HIGH:
detect: set new defaults for grouping
10 years ago
de_ctx->max_uniq_toclient_groups = 75;
de_ctx->max_uniq_toserver_groups = 75;
Remove dsize grouping from detection engine grouping reducing memory usage. Store sgh in flow to reduce lookups. Reduce locking in alert handling. Increase default grouping values as we use less memory.
15 years ago
break;
Adding settings for detect engine group config
16 years ago
case ENGINE_PROFILE_CUSTOM:
yaml: convert detect-engine to just detect Instead of detect-engine which used a list for no good reason, use a simple map now. detect: profile: medium custom-values: toclient-groups: 3 toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. #delayed-detect: yes
10 years ago
(void)ConfGet("detect.custom-values.toclient-groups",
&max_uniq_toclient_groups_str);
(void)ConfGet("detect.custom-values.toserver-groups",
&max_uniq_toserver_groups_str);
if (de_ctx_custom != NULL) {
TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
detect: fix crash during startup with malformed yaml detect-engine: custom-values: toclient-groups: 200 toserver-groups: 200 Bug #2745
7 years ago
if (opt->val && strcmp(opt->val, "custom-values") == 0) {
detect: get proper legacy custom values. Issue #1804
9 years ago
if (max_uniq_toclient_groups_str == NULL) {
max_uniq_toclient_groups_str = (char *)ConfNodeLookupChildValue
(opt->head.tqh_first, "toclient-sp-groups");
}
yaml: convert detect-engine to just detect Instead of detect-engine which used a list for no good reason, use a simple map now. detect: profile: medium custom-values: toclient-groups: 3 toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. #delayed-detect: yes
10 years ago
if (max_uniq_toclient_groups_str == NULL) {
max_uniq_toclient_groups_str = (char *)ConfNodeLookupChildValue
(opt->head.tqh_first, "toclient-groups");
}
detect: get proper legacy custom values. Issue #1804
9 years ago
if (max_uniq_toserver_groups_str == NULL) {
max_uniq_toserver_groups_str = (char *)ConfNodeLookupChildValue
(opt->head.tqh_first, "toserver-dp-groups");
}
yaml: convert detect-engine to just detect Instead of detect-engine which used a list for no good reason, use a simple map now. detect: profile: medium custom-values: toclient-groups: 3 toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. #delayed-detect: yes
10 years ago
if (max_uniq_toserver_groups_str == NULL) {
max_uniq_toserver_groups_str = (char *)ConfNodeLookupChildValue
(opt->head.tqh_first, "toserver-groups");
}
}
Adding settings for detect engine group config
16 years ago
}
}
detect: rename groupings vars
10 years ago
if (max_uniq_toclient_groups_str != NULL) {
if (ByteExtractStringUint16(&de_ctx->max_uniq_toclient_groups, 10,
strlen(max_uniq_toclient_groups_str),
detect: set new defaults for grouping
10 years ago
(const char *)max_uniq_toclient_groups_str) <= 0)
{
de_ctx->max_uniq_toclient_groups = 20;
Fix parsing of 'custom' detect grouping values Also, add error checking Bug 892
12 years ago
SCLogWarning(SC_ERR_SIZE_PARSE, "parsing '%s' for "
detect: rename groupings vars
10 years ago
"toclient-groups failed, using %u",
max_uniq_toclient_groups_str,
de_ctx->max_uniq_toclient_groups);
Fix parsing of 'custom' detect grouping values Also, add error checking Bug 892
12 years ago
}
Adding settings for detect engine group config
16 years ago
} else {
detect: set new defaults for grouping
10 years ago
de_ctx->max_uniq_toclient_groups = 20;
Adding settings for detect engine group config
16 years ago
}
detect: get proper legacy custom values. Issue #1804
9 years ago
SCLogConfig("toclient-groups %u", de_ctx->max_uniq_toclient_groups);
detect: rename groupings vars
10 years ago
if (max_uniq_toserver_groups_str != NULL) {
if (ByteExtractStringUint16(&de_ctx->max_uniq_toserver_groups, 10,
strlen(max_uniq_toserver_groups_str),
detect: set new defaults for grouping
10 years ago
(const char *)max_uniq_toserver_groups_str) <= 0)
{
de_ctx->max_uniq_toserver_groups = 40;
Fix parsing of 'custom' detect grouping values Also, add error checking Bug 892
12 years ago
SCLogWarning(SC_ERR_SIZE_PARSE, "parsing '%s' for "
detect: rename groupings vars
10 years ago
"toserver-groups failed, using %u",
max_uniq_toserver_groups_str,
de_ctx->max_uniq_toserver_groups);
Fix parsing of 'custom' detect grouping values Also, add error checking Bug 892
12 years ago
}
Adding settings for detect engine group config
16 years ago
} else {
detect: set new defaults for grouping
10 years ago
de_ctx->max_uniq_toserver_groups = 40;
Adding settings for detect engine group config
16 years ago
}
detect: get proper legacy custom values. Issue #1804
9 years ago
SCLogConfig("toserver-groups %u", de_ctx->max_uniq_toserver_groups);
Remove dsize grouping from detection engine grouping reducing memory usage. Store sgh in flow to reduce lookups. Reduce locking in alert handling. Increase default grouping values as we use less memory.
15 years ago
break;
Adding settings for detect engine group config
16 years ago
/* Default (or no config provided) is profile medium */
case ENGINE_PROFILE_MEDIUM:
case ENGINE_PROFILE_UNKNOWN:
default:
detect: set new defaults for grouping
10 years ago
de_ctx->max_uniq_toclient_groups = 20;
de_ctx->max_uniq_toserver_groups = 40;
Remove dsize grouping from detection engine grouping reducing memory usage. Store sgh in flow to reduce lookups. Reduce locking in alert handling. Increase default grouping values as we use less memory.
15 years ago
break;
Adding settings for detect engine group config
16 years ago
}
yaml: convert detect-engine to just detect Instead of detect-engine which used a list for no good reason, use a simple map now. detect: profile: medium custom-values: toclient-groups: 3 toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. #delayed-detect: yes
10 years ago
intmax_t value = 0;
if (ConfGetInt("detect.inspection-recursion-limit", &value) == 1)
{
if (value >= 0 && value <= INT_MAX) {
de_ctx->inspection_recursion_limit = (int)value;
}
/* fall back to old config parsing */
} else {
ConfNode *insp_recursion_limit_node = NULL;
char *insp_recursion_limit = NULL;
if (de_ctx_custom != NULL) {
opt = NULL;
TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
detect: fix crash during startup with malformed yaml detect-engine: custom-values: toclient-groups: 200 toserver-groups: 200 Bug #2745
7 years ago
if (opt->val && strcmp(opt->val, "inspection-recursion-limit") != 0)
yaml: convert detect-engine to just detect Instead of detect-engine which used a list for no good reason, use a simple map now. detect: profile: medium custom-values: toclient-groups: 3 toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. #delayed-detect: yes
10 years ago
continue;
insp_recursion_limit_node = ConfNodeLookupChild(opt, opt->val);
if (insp_recursion_limit_node == NULL) {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Error retrieving conf "
"entry for detect-engine:inspection-recursion-limit");
break;
}
insp_recursion_limit = insp_recursion_limit_node->val;
SCLogDebug("Found detect-engine.inspection-recursion-limit - %s:%s",
insp_recursion_limit_node->name, insp_recursion_limit_node->val);
break;
}
if (insp_recursion_limit != NULL) {
de_ctx->inspection_recursion_limit = atoi(insp_recursion_limit);
} else {
de_ctx->inspection_recursion_limit =
DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT;
}
}
}
if (de_ctx->inspection_recursion_limit == 0)
de_ctx->inspection_recursion_limit = -1;
SCLogDebug("de_ctx->inspection_recursion_limit: %d",
de_ctx->inspection_recursion_limit);
detect: make port whitelisting configurable Make the port grouping whitelisting configurable. A whitelisted port ends up in it's own port group. detect: grouping: tcp-whitelist: 80, 443 udp-whitelist: 53, 5060 No portranges are allowed at this point.
10 years ago
/* parse port grouping whitelisting settings */
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
const char *ports = NULL;
detect: make port whitelisting configurable Make the port grouping whitelisting configurable. A whitelisted port ends up in it's own port group. detect: grouping: tcp-whitelist: 80, 443 udp-whitelist: 53, 5060 No portranges are allowed at this point.
10 years ago
(void)ConfGet("detect.grouping.tcp-whitelist", &ports);
if (ports) {
output: introduce config and perf output levels Goal is to reduce info output
10 years ago
SCLogConfig("grouping: tcp-whitelist %s", ports);
detect: make port whitelisting configurable Make the port grouping whitelisting configurable. A whitelisted port ends up in it's own port group. detect: grouping: tcp-whitelist: 80, 443 udp-whitelist: 53, 5060 No portranges are allowed at this point.
10 years ago
} else {
ports = "53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080";
output: introduce config and perf output levels Goal is to reduce info output
10 years ago
SCLogConfig("grouping: tcp-whitelist (default) %s", ports);
detect: make port whitelisting configurable Make the port grouping whitelisting configurable. A whitelisted port ends up in it's own port group. detect: grouping: tcp-whitelist: 80, 443 udp-whitelist: 53, 5060 No portranges are allowed at this point.
10 years ago
}
if (DetectPortParse(de_ctx, &de_ctx->tcp_whitelist, ports) != 0) {
SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY, "'%s' is not a valid value "
"for detect.grouping.tcp-whitelist", ports);
}
DetectPort *x = de_ctx->tcp_whitelist;
for ( ; x != NULL; x = x->next) {
if (x->port != x->port2) {
SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY, "'%s' is not a valid value "
"for detect.grouping.tcp-whitelist: only single ports allowed", ports);
detect/prefilter: move hash into detect engine ctx
8 years ago
DetectPortCleanupList(de_ctx, de_ctx->tcp_whitelist);
detect: make port whitelisting configurable Make the port grouping whitelisting configurable. A whitelisted port ends up in it's own port group. detect: grouping: tcp-whitelist: 80, 443 udp-whitelist: 53, 5060 No portranges are allowed at this point.
10 years ago
de_ctx->tcp_whitelist = NULL;
break;
}
}
ports = NULL;
(void)ConfGet("detect.grouping.udp-whitelist", &ports);
if (ports) {
output: introduce config and perf output levels Goal is to reduce info output
10 years ago
SCLogConfig("grouping: udp-whitelist %s", ports);
detect: make port whitelisting configurable Make the port grouping whitelisting configurable. A whitelisted port ends up in it's own port group. detect: grouping: tcp-whitelist: 80, 443 udp-whitelist: 53, 5060 No portranges are allowed at this point.
10 years ago
} else {
ports = "53, 135, 5060";
output: introduce config and perf output levels Goal is to reduce info output
10 years ago
SCLogConfig("grouping: udp-whitelist (default) %s", ports);
detect: make port whitelisting configurable Make the port grouping whitelisting configurable. A whitelisted port ends up in it's own port group. detect: grouping: tcp-whitelist: 80, 443 udp-whitelist: 53, 5060 No portranges are allowed at this point.
10 years ago
}
if (DetectPortParse(de_ctx, &de_ctx->udp_whitelist, ports) != 0) {
SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY, "'%s' is not a valid value "
"forr detect.grouping.udp-whitelist", ports);
}
for (x = de_ctx->udp_whitelist; x != NULL; x = x->next) {
if (x->port != x->port2) {
SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY, "'%s' is not a valid value "
"for detect.grouping.udp-whitelist: only single ports allowed", ports);
detect/prefilter: move hash into detect engine ctx
8 years ago
DetectPortCleanupList(de_ctx, de_ctx->udp_whitelist);
detect: make port whitelisting configurable Make the port grouping whitelisting configurable. A whitelisted port ends up in it's own port group. detect: grouping: tcp-whitelist: 80, 443 udp-whitelist: 53, 5060 No portranges are allowed at this point.
10 years ago
de_ctx->udp_whitelist = NULL;
break;
}
}
detect: config opt to enable keyword prefilters
9 years ago
de_ctx->prefilter_setting = DETECT_PREFILTER_MPM;
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
const char *pf_setting = NULL;
detect: config opt to enable keyword prefilters
9 years ago
if (ConfGet("detect.prefilter.default", &pf_setting) == 1 && pf_setting) {
if (strcasecmp(pf_setting, "mpm") == 0) {
de_ctx->prefilter_setting = DETECT_PREFILTER_MPM;
} else if (strcasecmp(pf_setting, "auto") == 0) {
de_ctx->prefilter_setting = DETECT_PREFILTER_AUTO;
}
}
switch (de_ctx->prefilter_setting) {
case DETECT_PREFILTER_MPM:
SCLogConfig("prefilter engines: MPM");
break;
case DETECT_PREFILTER_AUTO:
SCLogConfig("prefilter engines: MPM and keywords");
break;
}
yaml: convert detect-engine to just detect Instead of detect-engine which used a list for no good reason, use a simple map now. detect: profile: medium custom-values: toclient-groups: 3 toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. #delayed-detect: yes
10 years ago
return 0;
Adding settings for detect engine group config
16 years ago
}
Put all globals in the detection engine ctx. Add HashList type, a hash that also stores the items ina list to it can be traversed. Many cleanups.
17 years ago
/*
* getting & (re)setting the internal sig i
*/
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
//inline uint32_t DetectEngineGetMaxSigId(DetectEngineCtx *de_ctx)
fixup
11 years ago
//{
Speed up per sgh content maxlen calc. Remove mpm ptrs from mpm ctx. Add unittests testing the detection engine internals.
16 years ago
// return de_ctx->signum;
//}
Put all globals in the detection engine ctx. Add HashList type, a hash that also stores the items ina list to it can be traversed. Many cleanups.
17 years ago
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
void DetectEngineResetMaxSigId(DetectEngineCtx *de_ctx)
{
Put all globals in the detection engine ctx. Add HashList type, a hash that also stores the items ina list to it can be traversed. Many cleanups.
17 years ago
de_ctx->signum = 0;
}
detect: global registery for keyword thread data Some keywords need a scratch space where they can do store the results of expensive operations that remain valid for the time of a packets journey through the detection engine. An example is the reconstructed 'http_header' field, that is needed in MPM, and then for each rule that manually inspects it. Storing this data in the flow is a waste, and reconstructing multiple times on demand as well. This API allows for registering a keyword with an init and free function. It it mean to be used an initialization time, when the keyword is registered.
9 years ago
static int DetectEngineThreadCtxInitGlobalKeywords(DetectEngineThreadCtx *det_ctx)
{
detect: remove lock from global keyword logic The global keyword registration and per thread init handling used the lock from the DetectEngineMasterCtx. This lead to a dead lock situation at multi-tenancy tenant reloads. The lock was unnecessary however, as the only time the registration list is updated is at engine initialization. At that time Suricata is still running in a single thread. After this, the data structure doesn't change anymore. Bug #2516.
7 years ago
const DetectEngineMasterCtx *master = &g_master_de_ctx;
detect: global registery for keyword thread data Some keywords need a scratch space where they can do store the results of expensive operations that remain valid for the time of a packets journey through the detection engine. An example is the reconstructed 'http_header' field, that is needed in MPM, and then for each rule that manually inspects it. Storing this data in the flow is a waste, and reconstructing multiple times on demand as well. This API allows for registering a keyword with an init and free function. It it mean to be used an initialization time, when the keyword is registered.
9 years ago
if (master->keyword_id > 0) {
coverity: suppress warning for intentional code
7 years ago
// coverity[suspicious_sizeof : FALSE]
coverity: suppress CID 1400648
9 years ago
det_ctx->global_keyword_ctxs_array = (void **)SCCalloc(master->keyword_id, sizeof(void *));
detect: global registery for keyword thread data Some keywords need a scratch space where they can do store the results of expensive operations that remain valid for the time of a packets journey through the detection engine. An example is the reconstructed 'http_header' field, that is needed in MPM, and then for each rule that manually inspects it. Storing this data in the flow is a waste, and reconstructing multiple times on demand as well. This API allows for registering a keyword with an init and free function. It it mean to be used an initialization time, when the keyword is registered.
9 years ago
if (det_ctx->global_keyword_ctxs_array == NULL) {
SCLogError(SC_ERR_DETECT_PREPARE, "setting up thread local detect ctx");
detect: remove lock from global keyword logic The global keyword registration and per thread init handling used the lock from the DetectEngineMasterCtx. This lead to a dead lock situation at multi-tenancy tenant reloads. The lock was unnecessary however, as the only time the registration list is updated is at engine initialization. At that time Suricata is still running in a single thread. After this, the data structure doesn't change anymore. Bug #2516.
7 years ago
return TM_ECODE_FAILED;
detect: global registery for keyword thread data Some keywords need a scratch space where they can do store the results of expensive operations that remain valid for the time of a packets journey through the detection engine. An example is the reconstructed 'http_header' field, that is needed in MPM, and then for each rule that manually inspects it. Storing this data in the flow is a waste, and reconstructing multiple times on demand as well. This API allows for registering a keyword with an init and free function. It it mean to be used an initialization time, when the keyword is registered.
9 years ago
}
det_ctx->global_keyword_ctxs_size = master->keyword_id;
detect: remove lock from global keyword logic The global keyword registration and per thread init handling used the lock from the DetectEngineMasterCtx. This lead to a dead lock situation at multi-tenancy tenant reloads. The lock was unnecessary however, as the only time the registration list is updated is at engine initialization. At that time Suricata is still running in a single thread. After this, the data structure doesn't change anymore. Bug #2516.
7 years ago
const DetectEngineThreadKeywordCtxItem *item = master->keyword_list;
detect: global registery for keyword thread data Some keywords need a scratch space where they can do store the results of expensive operations that remain valid for the time of a packets journey through the detection engine. An example is the reconstructed 'http_header' field, that is needed in MPM, and then for each rule that manually inspects it. Storing this data in the flow is a waste, and reconstructing multiple times on demand as well. This API allows for registering a keyword with an init and free function. It it mean to be used an initialization time, when the keyword is registered.
9 years ago
while (item) {
det_ctx->global_keyword_ctxs_array[item->id] = item->InitFunc(item->data);
if (det_ctx->global_keyword_ctxs_array[item->id] == NULL) {
SCLogError(SC_ERR_DETECT_PREPARE, "setting up thread local detect ctx "
"for keyword \"%s\" failed", item->name);
detect: remove lock from global keyword logic The global keyword registration and per thread init handling used the lock from the DetectEngineMasterCtx. This lead to a dead lock situation at multi-tenancy tenant reloads. The lock was unnecessary however, as the only time the registration list is updated is at engine initialization. At that time Suricata is still running in a single thread. After this, the data structure doesn't change anymore. Bug #2516.
7 years ago
return TM_ECODE_FAILED;
detect: global registery for keyword thread data Some keywords need a scratch space where they can do store the results of expensive operations that remain valid for the time of a packets journey through the detection engine. An example is the reconstructed 'http_header' field, that is needed in MPM, and then for each rule that manually inspects it. Storing this data in the flow is a waste, and reconstructing multiple times on demand as well. This API allows for registering a keyword with an init and free function. It it mean to be used an initialization time, when the keyword is registered.
9 years ago
}
item = item->next;
}
}
return TM_ECODE_OK;
}
static void DetectEngineThreadCtxDeinitGlobalKeywords(DetectEngineThreadCtx *det_ctx)
{
if (det_ctx->global_keyword_ctxs_array == NULL ||
det_ctx->global_keyword_ctxs_size == 0) {
return;
}
detect: remove lock from global keyword logic The global keyword registration and per thread init handling used the lock from the DetectEngineMasterCtx. This lead to a dead lock situation at multi-tenancy tenant reloads. The lock was unnecessary however, as the only time the registration list is updated is at engine initialization. At that time Suricata is still running in a single thread. After this, the data structure doesn't change anymore. Bug #2516.
7 years ago
const DetectEngineMasterCtx *master = &g_master_de_ctx;
detect: global registery for keyword thread data Some keywords need a scratch space where they can do store the results of expensive operations that remain valid for the time of a packets journey through the detection engine. An example is the reconstructed 'http_header' field, that is needed in MPM, and then for each rule that manually inspects it. Storing this data in the flow is a waste, and reconstructing multiple times on demand as well. This API allows for registering a keyword with an init and free function. It it mean to be used an initialization time, when the keyword is registered.
9 years ago
if (master->keyword_id > 0) {
detect: remove lock from global keyword logic The global keyword registration and per thread init handling used the lock from the DetectEngineMasterCtx. This lead to a dead lock situation at multi-tenancy tenant reloads. The lock was unnecessary however, as the only time the registration list is updated is at engine initialization. At that time Suricata is still running in a single thread. After this, the data structure doesn't change anymore. Bug #2516.
7 years ago
const DetectEngineThreadKeywordCtxItem *item = master->keyword_list;
detect: global registery for keyword thread data Some keywords need a scratch space where they can do store the results of expensive operations that remain valid for the time of a packets journey through the detection engine. An example is the reconstructed 'http_header' field, that is needed in MPM, and then for each rule that manually inspects it. Storing this data in the flow is a waste, and reconstructing multiple times on demand as well. This API allows for registering a keyword with an init and free function. It it mean to be used an initialization time, when the keyword is registered.
9 years ago
while (item) {
if (det_ctx->global_keyword_ctxs_array[item->id] != NULL)
item->FreeFunc(det_ctx->global_keyword_ctxs_array[item->id]);
item = item->next;
}
det_ctx->global_keyword_ctxs_size = 0;
SCFree(det_ctx->global_keyword_ctxs_array);
det_ctx->global_keyword_ctxs_array = NULL;
}
}
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
static int DetectEngineThreadCtxInitKeywords(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx)
{
Thread local ctx for detection keywords Some detection keywords need thread local ctx storage. Example is the filemagic keyword that has a ctx that is modified with each call. That is not thread safe. This functionality allows registration of thread local ctxs so that each detect thread works on it's own copy.
13 years ago
if (de_ctx->keyword_id > 0) {
coverity: suppress warnings
7 years ago
// coverity[suspicious_sizeof : FALSE]
Thread local ctx for detection keywords Some detection keywords need thread local ctx storage. Example is the filemagic keyword that has a ctx that is modified with each call. That is not thread safe. This functionality allows registration of thread local ctxs so that each detect thread works on it's own copy.
13 years ago
det_ctx->keyword_ctxs_array = SCMalloc(de_ctx->keyword_id * sizeof(void *));
if (det_ctx->keyword_ctxs_array == NULL) {
SCLogError(SC_ERR_DETECT_PREPARE, "setting up thread local detect ctx");
return TM_ECODE_FAILED;
}
memset(det_ctx->keyword_ctxs_array, 0x00, de_ctx->keyword_id * sizeof(void *));
det_ctx->keyword_ctxs_size = de_ctx->keyword_id;
DetectEngineThreadKeywordCtxItem *item = de_ctx->keyword_list;
while (item) {
det_ctx->keyword_ctxs_array[item->id] = item->InitFunc(item->data);
if (det_ctx->keyword_ctxs_array[item->id] == NULL) {
SCLogError(SC_ERR_DETECT_PREPARE, "setting up thread local detect ctx "
"for keyword \"%s\" failed", item->name);
return TM_ECODE_FAILED;
}
item = item->next;
}
}
return TM_ECODE_OK;
}
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
static void DetectEngineThreadCtxDeinitKeywords(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx)
{
Thread local ctx for detection keywords Some detection keywords need thread local ctx storage. Example is the filemagic keyword that has a ctx that is modified with each call. That is not thread safe. This functionality allows registration of thread local ctxs so that each detect thread works on it's own copy.
13 years ago
if (de_ctx->keyword_id > 0) {
DetectEngineThreadKeywordCtxItem *item = de_ctx->keyword_list;
while (item) {
luajit: fix crash at shutdown / rule reload if lua script didn't properly init.
13 years ago
if (det_ctx->keyword_ctxs_array[item->id] != NULL)
item->FreeFunc(det_ctx->keyword_ctxs_array[item->id]);
Thread local ctx for detection keywords Some detection keywords need thread local ctx storage. Example is the filemagic keyword that has a ctx that is modified with each call. That is not thread safe. This functionality allows registration of thread local ctxs so that each detect thread works on it's own copy.
13 years ago
item = item->next;
}
det_ctx->keyword_ctxs_size = 0;
SCFree(det_ctx->keyword_ctxs_array);
det_ctx->keyword_ctxs_array = NULL;
}
}
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
/** NOTE: master MUST be locked before calling this */
static TmEcode DetectEngineThreadCtxInitForMT(ThreadVars *tv, DetectEngineThreadCtx *det_ctx)
{
DetectEngineMasterCtx *master = &g_master_de_ctx;
DetectEngineTenantMapping *map_array = NULL;
uint32_t map_array_size = 0;
uint32_t map_cnt = 0;
int max_tenant_id = 0;
DetectEngineCtx *list = master->list;
HashTable *mt_det_ctxs_hash = NULL;
if (master->tenant_selector == TENANT_SELECTOR_UNKNOWN) {
SCLogError(SC_ERR_MT_NO_SELECTOR, "no tenant selector set: "
"set using multi-detect.selector");
return TM_ECODE_FAILED;
}
uint32_t tcnt = 0;
while (list) {
if (list->tenant_id > max_tenant_id)
max_tenant_id = list->tenant_id;
list = list->next;
tcnt++;
}
mt_det_ctxs_hash = HashTableInit(tcnt * 2, TenantIdHash, TenantIdCompare, TenantIdFree);
if (mt_det_ctxs_hash == NULL) {
goto error;
}
detect: make detect engine types explicit There are 3 types of detect engine objects: 1. normal The normal detection engine if no multi-tenancy is in use 2. tenant A per tenant detection engine 3. stub A stub (or minimal as it was called before) detect engine that is needed to have something in place when there are only tenants. A stub is also used in case of 'delayed detect', where we need a minimal detect engine to start up which is replaced by a full (normal type) detect engine after startup. This patch adds a new field 'type' to the DetectEngineCtx object to distinguish between the types. This replaces the boolean 'minimal'.
7 years ago
if (tcnt == 0) {
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
SCLogInfo("no tenants left, or none registered yet");
} else {
max_tenant_id++;
DetectEngineTenantMapping *map = master->tenant_mapping_list;
while (map) {
map_cnt++;
map = map->next;
}
if (map_cnt > 0) {
map_array_size = map_cnt + 1;
map_array = SCCalloc(map_array_size, sizeof(*map_array));
if (map_array == NULL)
goto error;
/* fill the array */
map_cnt = 0;
map = master->tenant_mapping_list;
while (map) {
multi-tenants: improve error handling (CID 1312702)
10 years ago
if (map_cnt >= map_array_size) {
goto error;
}
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
map_array[map_cnt].traffic_id = map->traffic_id;
map_array[map_cnt].tenant_id = map->tenant_id;
map_cnt++;
map = map->next;
}
}
/* set up hash for tenant lookup */
list = master->list;
while (list) {
multi-tenant: make less verbose
9 years ago
SCLogDebug("tenant-id %u", list->tenant_id);
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
if (list->tenant_id != 0) {
DetectEngineThreadCtx *mt_det_ctx = DetectEngineThreadCtxInitForReload(tv, list, 0);
if (mt_det_ctx == NULL)
goto error;
multi-tenants: improve error handling (CID 1312702)
10 years ago
if (HashTableAdd(mt_det_ctxs_hash, mt_det_ctx, 0) != 0) {
goto error;
}
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
}
list = list->next;
}
}
det_ctx->mt_det_ctxs_hash = mt_det_ctxs_hash;
mt_det_ctxs_hash = NULL;
det_ctx->mt_det_ctxs_cnt = max_tenant_id;
det_ctx->tenant_array = map_array;
det_ctx->tenant_array_size = map_array_size;
switch (master->tenant_selector) {
case TENANT_SELECTOR_UNKNOWN:
SCLogDebug("TENANT_SELECTOR_UNKNOWN");
break;
case TENANT_SELECTOR_VLAN:
det_ctx->TenantGetId = DetectEngineTentantGetIdFromVlanId;
SCLogDebug("TENANT_SELECTOR_VLAN");
break;
multi-tenant: introduce device selector Add device to tenant mapping support: mappings: - device: ens5f0 tenant-id: 1 - device: ens5f1 tenant-id: 23 Implemented by assigning the tenant id to the 'livedev', which means it's only supported for capture methods that use the livedev API. It's also currently not supported for IPS. In a case like 'eth0 -> eth1' it's unclear which tenant should be used for the return traffic in a flow, where the incoming device is 'eth1'.
8 years ago
case TENANT_SELECTOR_LIVEDEV:
det_ctx->TenantGetId = DetectEngineTentantGetIdFromLivedev;
SCLogDebug("TENANT_SELECTOR_LIVEDEV");
break;
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
case TENANT_SELECTOR_DIRECT:
det_ctx->TenantGetId = DetectEngineTentantGetIdFromPcap;
SCLogDebug("TENANT_SELECTOR_DIRECT");
break;
}
return TM_ECODE_OK;
error:
if (map_array != NULL)
SCFree(map_array);
if (mt_det_ctxs_hash != NULL)
HashTableFree(mt_det_ctxs_hash);
return TM_ECODE_FAILED;
}
detection engine: consolidate thread setup DetectEngineThreadCtxInit and DetectEngineThreadCtxInitForLiveRuleSwap did pretty much the same thing, except for a counters registration. As can be predicted with code duplication like this, things got out of sync. To make sure this doesn't happen again, I created a helper function that does the heavy lifting in this function.
13 years ago
/** \internal
* \brief Helper for DetectThread setup functions
*/
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
static TmEcode ThreadCtxDoInit (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx)
{
detect/mpm: remove unused max_id param from API
10 years ago
PatternMatchThreadPrepare(&det_ctx->mtc, de_ctx->mpm_matcher);
PatternMatchThreadPrepare(&det_ctx->mtcs, de_ctx->mpm_matcher);
PatternMatchThreadPrepare(&det_ctx->mtcu, de_ctx->mpm_matcher);
Cleanups
16 years ago
mpm: remove pattern id logic
10 years ago
PmqSetup(&det_ctx->pmq);
Cleanups
16 years ago
spm: add and use new SPM API This new API allows for different SPM implementations, using a function pointer table like that used for MPM. This change also switches over the paths that make use of DetectContentData (which previously used BoyerMoore directly) to the new API.
9 years ago
det_ctx->spm_thread_ctx = SpmMakeThreadCtx(de_ctx->spm_global_thread_ctx);
if (det_ctx->spm_thread_ctx == NULL) {
return TM_ECODE_FAILED;
}
detect: properly size det_ctx::non_mpm_id_array Track which sgh has the higest non-mpm sig count and use that value to size the det_ctx::non_mpm_id_array array.
11 years ago
/* sized to the max of our sgh settings. A max setting of 0 implies that all
detect: rename non_mpm lists/vars to non_pf Rename to non_pf: non prefilter.
9 years ago
* sgh's have: sgh->non_pf_store_cnt == 0 */
if (de_ctx->non_pf_store_cnt_max > 0) {
det_ctx->non_pf_id_array = SCCalloc(de_ctx->non_pf_store_cnt_max, sizeof(SigIntId));
BUG_ON(det_ctx->non_pf_id_array == NULL);
detect: properly size det_ctx::non_mpm_id_array Track which sgh has the higest non-mpm sig count and use that value to size the det_ctx::non_mpm_id_array array.
11 years ago
}
Fix live reload detect thread ctx setup Code failed to setup non_mpm_id_array in case of a live reload.
11 years ago
Cleanups
16 years ago
/* IP-ONLY */
DetectEngineIPOnlyThreadInit(de_ctx,&det_ctx->io_ctx);
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
/* DeState */
if (de_ctx->sig_array_len > 0) {
Improve stateful uri detection code.
15 years ago
det_ctx->match_array_len = de_ctx->sig_array_len;
det_ctx->match_array = SCMalloc(det_ctx->match_array_len * sizeof(Signature *));
if (det_ctx->match_array == NULL) {
return TM_ECODE_FAILED;
}
smtp reply code mpm phase support added
14 years ago
memset(det_ctx->match_array, 0,
det_ctx->match_array_len * sizeof(Signature *));
detect: rewrite of the detect engine Use per tx detect_flags to track prefilter. Detect flags are used for 2 things: 1. marking tx as fully inspected 2. tracking already run prefilter (incl mpm) engines This supercedes the MpmIDs API for directionless tracking of the prefilter engines. When we have no SGH we have to flag the txs that are 'complete' as inspected as well. Special handling for the stream engine: If a rule mixes TX inspection and STREAM inspection, we can encounter the case where the rule is evaluated against multiple transactions during a single inspection run. As the stream data is exactly the same for each of those runs, it's wasteful to rerun inspection of the stream portion of the rule. This patch enables caching of the stream 'inspect engine' result in the local 'RuleMatchCandidateTx' array. This is valid only during the live of a single inspection run. Remove stateful inspection from 'mask' (SignatureMask). The mask wasn't used in most cases for those rules anyway, as there we rely on the prefilter. Add a alproto check to catch the remaining cases. When building the active non-mpm/non-prefilter list check not just the mask, but also the alproto. This especially helps stateful rules with negated mpm. Simplify AppLayerParserHasDecoderEvents usage in detection to only return true if protocol detection events are set. Other detection is done in inspect engines. Move rule group lookup and handling into it's own function. Handle 'post lookup' tasks immediately, instead of after the first detect run. The tasks were independent of the initial detection. Many cleanups and much refactoring.
8 years ago
RuleMatchCandidateTxArrayInit(det_ctx, de_ctx->sig_array_len);
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
}
detection engine: consolidate thread setup DetectEngineThreadCtxInit and DetectEngineThreadCtxInitForLiveRuleSwap did pretty much the same thing, except for a counters registration. As can be predicted with code duplication like this, things got out of sync. To make sure this doesn't happen again, I created a helper function that does the heavy lifting in this function.
13 years ago
/* byte_extract storage */
live rule support added To reload ruleset during engine runtime, send the USR2 signal to the engine, and the ruleset would be reloaded from the same yaml file supplied at engine startup
13 years ago
det_ctx->bj_values = SCMalloc(sizeof(*det_ctx->bj_values) *
(de_ctx->byte_extract_max_local_id + 1));
if (det_ctx->bj_values == NULL) {
return TM_ECODE_FAILED;
}
base64_decode, base64_data: decode and match base64
10 years ago
/* Allocate space for base64 decoded data. */
if (de_ctx->base64_decode_max_len) {
det_ctx->base64_decoded = SCMalloc(de_ctx->base64_decode_max_len);
if (det_ctx->base64_decoded == NULL) {
return TM_ECODE_FAILED;
}
det_ctx->base64_decoded_len_max = de_ctx->base64_decode_max_len;
det_ctx->base64_decoded_len = 0;
}
detect: improve inspect buffer handling Fix and Optimize cleanup. For the simple single inspect buffer optimize the cleanup by keeping track of the actually used buffers. This avoid looping over unused buffers. Fix the case of cleaning not being done after a tx if the next tx is also inspected in the context of the same packet. Fix cleanup of the multi-inspect buffers. Optimize in 2 ways. First like with single keep track of which multi-inspect buffers have been used. Second, keep a max of the buffers within a multi-inspect buffer. Use this max to limit (nested) looping.
7 years ago
det_ctx->inspect.buffers_size = de_ctx->buffer_type_id;
det_ctx->inspect.buffers = SCCalloc(det_ctx->inspect.buffers_size, sizeof(InspectionBuffer));
if (det_ctx->inspect.buffers == NULL) {
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
return TM_ECODE_FAILED;
}
detect: improve inspect buffer handling Fix and Optimize cleanup. For the simple single inspect buffer optimize the cleanup by keeping track of the actually used buffers. This avoid looping over unused buffers. Fix the case of cleaning not being done after a tx if the next tx is also inspected in the context of the same packet. Fix cleanup of the multi-inspect buffers. Optimize in 2 ways. First like with single keep track of which multi-inspect buffers have been used. Second, keep a max of the buffers within a multi-inspect buffer. Use this max to limit (nested) looping.
7 years ago
det_ctx->inspect.to_clear_queue = SCCalloc(det_ctx->inspect.buffers_size, sizeof(uint32_t));
if (det_ctx->inspect.to_clear_queue == NULL) {
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
return TM_ECODE_FAILED;
}
detect: improve inspect buffer handling Fix and Optimize cleanup. For the simple single inspect buffer optimize the cleanup by keeping track of the actually used buffers. This avoid looping over unused buffers. Fix the case of cleaning not being done after a tx if the next tx is also inspected in the context of the same packet. Fix cleanup of the multi-inspect buffers. Optimize in 2 ways. First like with single keep track of which multi-inspect buffers have been used. Second, keep a max of the buffers within a multi-inspect buffer. Use this max to limit (nested) looping.
7 years ago
det_ctx->inspect.to_clear_idx = 0;
det_ctx->multi_inspect.buffers_size = de_ctx->buffer_type_id;
det_ctx->multi_inspect.buffers = SCCalloc(det_ctx->multi_inspect.buffers_size, sizeof(InspectionBufferMultipleForList));
if (det_ctx->multi_inspect.buffers == NULL) {
return TM_ECODE_FAILED;
}
det_ctx->multi_inspect.to_clear_queue = SCCalloc(det_ctx->multi_inspect.buffers_size, sizeof(uint32_t));
if (det_ctx->multi_inspect.to_clear_queue == NULL) {
return TM_ECODE_FAILED;
}
det_ctx->multi_inspect.to_clear_idx = 0;
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
Thread local ctx for detection keywords Some detection keywords need thread local ctx storage. Example is the filemagic keyword that has a ctx that is modified with each call. That is not thread safe. This functionality allows registration of thread local ctxs so that each detect thread works on it's own copy.
13 years ago
DetectEngineThreadCtxInitKeywords(de_ctx, det_ctx);
detect: global registery for keyword thread data Some keywords need a scratch space where they can do store the results of expensive operations that remain valid for the time of a packets journey through the detection engine. An example is the reconstructed 'http_header' field, that is needed in MPM, and then for each rule that manually inspects it. Storing this data in the flow is a waste, and reconstructing multiple times on demand as well. This API allows for registering a keyword with an init and free function. It it mean to be used an initialization time, when the keyword is registered.
9 years ago
DetectEngineThreadCtxInitGlobalKeywords(det_ctx);
Rule profiling update - Remove usage of counters api. - Store stats in detect engine thread ctx to remove locking - Support rule reloads
13 years ago
#ifdef PROFILING
SCProfilingRuleThreadSetup(de_ctx->profile_ctx, det_ctx);
profiling: introduce per keyword profiling Initial version of per keyword profiling. Prints stats about how ofter a keyword was checked and what the costs were.
13 years ago
SCProfilingKeywordThreadSetup(de_ctx->profile_keyword_ctx, det_ctx);
detect/prefilter: redo profiling
8 years ago
SCProfilingPrefilterThreadSetup(de_ctx->profile_prefilter_ctx, det_ctx);
profiling: initial rulegroup tracking Per rule group tracking of checks, use of lists, mpm matches, post filter counts. Logs SGH id so it can be compared with the rule_group.json output. Implemented both in a human readable text format and a JSON format.
10 years ago
SCProfilingSghThreadSetup(de_ctx->profile_sgh_ctx, det_ctx);
Rule profiling update - Remove usage of counters api. - Store stats in detect engine thread ctx to remove locking - Support rule reloads
13 years ago
#endif
code cleanup for live swap
13 years ago
SC_ATOMIC_INIT(det_ctx->so_far_used_by_detect);
detection engine: consolidate thread setup DetectEngineThreadCtxInit and DetectEngineThreadCtxInitForLiveRuleSwap did pretty much the same thing, except for a counters registration. As can be predicted with code duplication like this, things got out of sync. To make sure this doesn't happen again, I created a helper function that does the heavy lifting in this function.
13 years ago
return TM_ECODE_OK;
}
Counters: fix delayed-detect counter registration Make sure we register the detect.alerts counter before packet runtime starts even in delayed detect mode. The registration of new counters at packet runtime is not supported by the counters api and might lead to crashes as there is no proper locking to allow for this operation. This changes how delayed detect works a bit. Now we call the ThreadInit callback twice. The first call will only register the counter. The 2nd call will do all the other setup. This way the counter is registered before the counters api starts operating in the packet runtime. Fixes the segv reported in ticket #1018.
12 years ago
/** \brief initialize thread specific detection engine context
*
* \note there is a special case when using delayed detect. In this case the
* function is called twice per thread. The first time the rules are not
* yet loaded. de_ctx->delayed_detect_initialized will be 0. The 2nd
* time they will be loaded. de_ctx->delayed_detect_initialized will be 1.
* This is needed to do the per thread counter registration before the
* packet runtime starts. In delayed detect mode, the first call will
* return a NULL ptr through the data ptr.
*
* \param tv ThreadVars for this thread
* \param initdata pointer to de_ctx
* \param data[out] pointer to store our thread detection ctx
*
* \retval TM_ECODE_OK if all went well
* \retval TM_ECODE_FAILED on serious erro
*/
detection engine: consolidate thread setup DetectEngineThreadCtxInit and DetectEngineThreadCtxInitForLiveRuleSwap did pretty much the same thing, except for a counters registration. As can be predicted with code duplication like this, things got out of sync. To make sure this doesn't happen again, I created a helper function that does the heavy lifting in this function.
13 years ago
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
{
DetectEngineThreadCtx *det_ctx = SCMalloc(sizeof(DetectEngineThreadCtx));
if (unlikely(det_ctx == NULL))
return TM_ECODE_FAILED;
memset(det_ctx, 0, sizeof(DetectEngineThreadCtx));
det_ctx->tv = tv;
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
det_ctx->de_ctx = DetectEngineGetCurrent();
if (det_ctx->de_ctx == NULL) {
unittests: add exception to detect engine setup Add code to allow for unittests not following the complete api. Update replace tests as they don't use the unittests runmode that powers the workaround based on RunmodeIsUnittests().
11 years ago
#ifdef UNITTESTS
if (RunmodeIsUnittests()) {
det_ctx->de_ctx = (DetectEngineCtx *)initdata;
} else {
DetectEngineThreadCtxDeinit(tv, det_ctx);
return TM_ECODE_FAILED;
}
#else
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
DetectEngineThreadCtxDeinit(tv, det_ctx);
return TM_ECODE_FAILED;
unittests: add exception to detect engine setup Add code to allow for unittests not following the complete api. Update replace tests as they don't use the unittests runmode that powers the workaround based on RunmodeIsUnittests().
11 years ago
#endif
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
}
detection engine: consolidate thread setup DetectEngineThreadCtxInit and DetectEngineThreadCtxInitForLiveRuleSwap did pretty much the same thing, except for a counters registration. As can be predicted with code duplication like this, things got out of sync. To make sure this doesn't happen again, I created a helper function that does the heavy lifting in this function.
13 years ago
detect: fix delayed detect Last multi-detect changes broken delayed-detect by refusing to reload a 'stub' detect engine. This patch distinguishes between a stub for multi-tenancy and for delayed detect.
7 years ago
if (det_ctx->de_ctx->type == DETECT_ENGINE_TYPE_NORMAL ||
det_ctx->de_ctx->type == DETECT_ENGINE_TYPE_TENANT)
{
detect: introduce 'minimal' detect engine The minimal detect engine has only the minimal memory use and setup time. It's to be used for 'delayed' detect where the first detection engine is essentially empty. The threads setup are also minimal.
11 years ago
if (ThreadCtxDoInit(det_ctx->de_ctx, det_ctx) != TM_ECODE_OK) {
DetectEngineThreadCtxDeinit(tv, det_ctx);
return TM_ECODE_FAILED;
}
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
}
detection engine: consolidate thread setup DetectEngineThreadCtxInit and DetectEngineThreadCtxInitForLiveRuleSwap did pretty much the same thing, except for a counters registration. As can be predicted with code duplication like this, things got out of sync. To make sure this doesn't happen again, I created a helper function that does the heavy lifting in this function.
13 years ago
/** alert counter setup */
detect: clean up counter registration
7 years ago
det_ctx->counter_alerts = StatsRegisterCounter("detect.alert", tv);
Conditionalize SigMatch performance counters. Only include the counters when PROFILING.
11 years ago
#ifdef PROFILING
detect: clean up counter registration
7 years ago
det_ctx->counter_mpm_list = StatsRegisterAvgCounter("detect.mpm_list", tv);
det_ctx->counter_nonmpm_list = StatsRegisterAvgCounter("detect.nonmpm_list", tv);
det_ctx->counter_fnonmpm_list = StatsRegisterAvgCounter("detect.fnonmpm_list", tv);
det_ctx->counter_match_list = StatsRegisterAvgCounter("detect.match_list", tv);
Conditionalize SigMatch performance counters. Only include the counters when PROFILING.
11 years ago
#endif
detection engine: consolidate thread setup DetectEngineThreadCtxInit and DetectEngineThreadCtxInitForLiveRuleSwap did pretty much the same thing, except for a counters registration. As can be predicted with code duplication like this, things got out of sync. To make sure this doesn't happen again, I created a helper function that does the heavy lifting in this function.
13 years ago
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
if (DetectEngineMultiTenantEnabled()) {
detect: avoid potential use-after-free in error path
7 years ago
if (DetectEngineThreadCtxInitForMT(tv, det_ctx) != TM_ECODE_OK) {
DetectEngineThreadCtxDeinit(tv, det_ctx);
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
return TM_ECODE_FAILED;
detect: avoid potential use-after-free in error path
7 years ago
}
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
}
detect: avoid potential use-after-free in error path
7 years ago
/* pass thread data back to caller */
*data = (void *)det_ctx;
live rule support added To reload ruleset during engine runtime, send the USR2 signal to the engine, and the ruleset would be reloaded from the same yaml file supplied at engine startup
13 years ago
return TM_ECODE_OK;
}
disable live rule swap when -s or -S option's used at startup
13 years ago
/**
* \internal
detect: reload thread init cleanup Rename the thread init function DetectEngineThreadCtxInitForLiveRuleSwap to DetectEngineThreadCtxInitForReload and change it's logic to take the new detection engine as argument and let it return the DetectEngineThreadCtx or NULL on error. The old approach used the thread init API format, but it wasn't used in that way.
11 years ago
* \brief initialize a det_ctx for reload cases
* \param new_de_ctx the new detection engine
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
* \param mt flag to indicate if MT should be set up for this det_ctx
* this should only be done for the 'root' det_ctx
*
detect: reload thread init cleanup Rename the thread init function DetectEngineThreadCtxInitForLiveRuleSwap to DetectEngineThreadCtxInitForReload and change it's logic to take the new detection engine as argument and let it return the DetectEngineThreadCtx or NULL on error. The old approach used the thread init API format, but it wasn't used in that way.
11 years ago
* \retval det_ctx detection engine thread ctx or NULL in case of error
disable live rule swap when -s or -S option's used at startup
13 years ago
*/
detect: reload thread init cleanup Rename the thread init function DetectEngineThreadCtxInitForLiveRuleSwap to DetectEngineThreadCtxInitForReload and change it's logic to take the new detection engine as argument and let it return the DetectEngineThreadCtx or NULL on error. The old approach used the thread init API format, but it wasn't used in that way.
11 years ago
static DetectEngineThreadCtx *DetectEngineThreadCtxInitForReload(
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
ThreadVars *tv, DetectEngineCtx *new_de_ctx, int mt)
live rule support added To reload ruleset during engine runtime, send the USR2 signal to the engine, and the ruleset would be reloaded from the same yaml file supplied at engine startup
13 years ago
{
DetectEngineThreadCtx *det_ctx = SCMalloc(sizeof(DetectEngineThreadCtx));
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(det_ctx == NULL))
detect: reload thread init cleanup Rename the thread init function DetectEngineThreadCtxInitForLiveRuleSwap to DetectEngineThreadCtxInitForReload and change it's logic to take the new detection engine as argument and let it return the DetectEngineThreadCtx or NULL on error. The old approach used the thread init API format, but it wasn't used in that way.
11 years ago
return NULL;
live rule support added To reload ruleset during engine runtime, send the USR2 signal to the engine, and the ruleset would be reloaded from the same yaml file supplied at engine startup
13 years ago
memset(det_ctx, 0, sizeof(DetectEngineThreadCtx));
multi-detect: hash lookup for tenants Use hash for storing and looking up det_ctxs.
10 years ago
det_ctx->tenant_id = new_de_ctx->tenant_id;
detection engine: consolidate thread setup DetectEngineThreadCtxInit and DetectEngineThreadCtxInitForLiveRuleSwap did pretty much the same thing, except for a counters registration. As can be predicted with code duplication like this, things got out of sync. To make sure this doesn't happen again, I created a helper function that does the heavy lifting in this function.
13 years ago
det_ctx->tv = tv;
detect: reload thread init cleanup Rename the thread init function DetectEngineThreadCtxInitForLiveRuleSwap to DetectEngineThreadCtxInitForReload and change it's logic to take the new detection engine as argument and let it return the DetectEngineThreadCtx or NULL on error. The old approach used the thread init API format, but it wasn't used in that way.
11 years ago
det_ctx->de_ctx = DetectEngineReference(new_de_ctx);
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
if (det_ctx->de_ctx == NULL) {
detect: reload thread init cleanup Rename the thread init function DetectEngineThreadCtxInitForLiveRuleSwap to DetectEngineThreadCtxInitForReload and change it's logic to take the new detection engine as argument and let it return the DetectEngineThreadCtx or NULL on error. The old approach used the thread init API format, but it wasn't used in that way.
11 years ago
SCFree(det_ctx);
return NULL;
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
}
live rule support added To reload ruleset during engine runtime, send the USR2 signal to the engine, and the ruleset would be reloaded from the same yaml file supplied at engine startup
13 years ago
detect: reload thread init cleanup Rename the thread init function DetectEngineThreadCtxInitForLiveRuleSwap to DetectEngineThreadCtxInitForReload and change it's logic to take the new detection engine as argument and let it return the DetectEngineThreadCtx or NULL on error. The old approach used the thread init API format, but it wasn't used in that way.
11 years ago
/* most of the init happens here */
detect: fix delayed detect Last multi-detect changes broken delayed-detect by refusing to reload a 'stub' detect engine. This patch distinguishes between a stub for multi-tenancy and for delayed detect.
7 years ago
if (det_ctx->de_ctx->type == DETECT_ENGINE_TYPE_NORMAL ||
det_ctx->de_ctx->type == DETECT_ENGINE_TYPE_TENANT)
{
detect/tenants: fix crash when adding mapping When no tenants and mappings are defined in 'live' mode, adding a mapping resulted in a crash.
7 years ago
if (ThreadCtxDoInit(det_ctx->de_ctx, det_ctx) != TM_ECODE_OK) {
DetectEngineDeReference(&det_ctx->de_ctx);
SCFree(det_ctx);
return NULL;
}
detect: reload thread init cleanup Rename the thread init function DetectEngineThreadCtxInitForLiveRuleSwap to DetectEngineThreadCtxInitForReload and change it's logic to take the new detection engine as argument and let it return the DetectEngineThreadCtx or NULL on error. The old approach used the thread init API format, but it wasn't used in that way.
11 years ago
}
live rule support added To reload ruleset during engine runtime, send the USR2 signal to the engine, and the ruleset would be reloaded from the same yaml file supplied at engine startup
13 years ago
/** alert counter setup */
counters: rename register API calls Also remove 'type' parameter which was always the same.
10 years ago
det_ctx->counter_alerts = StatsRegisterCounter("detect.alert", tv);
Fix live reload detect counter setup When profiling was compiled in the detect counters were not setup properly after a reload.
11 years ago
#ifdef PROFILING
counters: rename register API calls Also remove 'type' parameter which was always the same.
10 years ago
uint16_t counter_mpm_list = StatsRegisterAvgCounter("detect.mpm_list", tv);
uint16_t counter_nonmpm_list = StatsRegisterAvgCounter("detect.nonmpm_list", tv);
uint16_t counter_fnonmpm_list = StatsRegisterAvgCounter("detect.fnonmpm_list", tv);
uint16_t counter_match_list = StatsRegisterAvgCounter("detect.match_list", tv);
Fix live reload detect counter setup When profiling was compiled in the detect counters were not setup properly after a reload.
11 years ago
det_ctx->counter_mpm_list = counter_mpm_list;
det_ctx->counter_nonmpm_list = counter_nonmpm_list;
det_ctx->counter_fnonmpm_list = counter_fnonmpm_list;
det_ctx->counter_match_list = counter_match_list;
#endif
code cleanup for live swap
13 years ago
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
if (mt && DetectEngineMultiTenantEnabled()) {
if (DetectEngineThreadCtxInitForMT(tv, det_ctx) != TM_ECODE_OK) {
DetectEngineDeReference(&det_ctx->de_ctx);
SCFree(det_ctx);
return NULL;
}
}
detect: reload thread init cleanup Rename the thread init function DetectEngineThreadCtxInitForLiveRuleSwap to DetectEngineThreadCtxInitForReload and change it's logic to take the new detection engine as argument and let it return the DetectEngineThreadCtx or NULL on error. The old approach used the thread init API format, but it wasn't used in that way.
11 years ago
return det_ctx;
Cleanups
16 years ago
}
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
static void DetectEngineThreadCtxFree(DetectEngineThreadCtx *det_ctx)
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
{
detect/debug: suppress noisy info messages
7 years ago
#if DEBUG
SCLogDebug("PACKET PKT_STREAM_ADD: %"PRIu64, det_ctx->pkt_stream_add_cnt);
stream inspection: add debug counters
9 years ago
detect/debug: suppress noisy info messages
7 years ago
SCLogDebug("PAYLOAD MPM %"PRIu64"/%"PRIu64, det_ctx->payload_mpm_cnt, det_ctx->payload_mpm_size);
SCLogDebug("STREAM MPM %"PRIu64"/%"PRIu64, det_ctx->stream_mpm_cnt, det_ctx->stream_mpm_size);
stream inspection: add debug counters
9 years ago
detect/debug: suppress noisy info messages
7 years ago
SCLogDebug("PAYLOAD SIG %"PRIu64"/%"PRIu64, det_ctx->payload_persig_cnt, det_ctx->payload_persig_size);
SCLogDebug("STREAM SIG %"PRIu64"/%"PRIu64, det_ctx->stream_persig_cnt, det_ctx->stream_persig_size);
stream inspection: add debug counters
9 years ago
#endif
multi-detect: initial selectors for tenants The Detection Thread has the TenantGetId pointer which allows it to select a tenant id based on the packet.
11 years ago
if (det_ctx->tenant_array != NULL) {
SCFree(det_ctx->tenant_array);
det_ctx->tenant_array = NULL;
}
Rule profiling update - Remove usage of counters api. - Store stats in detect engine thread ctx to remove locking - Support rule reloads
13 years ago
#ifdef PROFILING
SCProfilingRuleThreadCleanup(det_ctx);
profiling: introduce per keyword profiling Initial version of per keyword profiling. Prints stats about how ofter a keyword was checked and what the costs were.
13 years ago
SCProfilingKeywordThreadCleanup(det_ctx);
detect/prefilter: redo profiling
8 years ago
SCProfilingPrefilterThreadCleanup(det_ctx);
profiling: initial rulegroup tracking Per rule group tracking of checks, use of lists, mpm matches, post filter counts. Logs SGH id so it can be compared with the rule_group.json output. Implemented both in a human readable text format and a JSON format.
10 years ago
SCProfilingSghThreadCleanup(det_ctx);
Rule profiling update - Remove usage of counters api. - Store stats in detect engine thread ctx to remove locking - Support rule reloads
13 years ago
#endif
More engine init memleaks fixed. HashListTable remove function fixed.
16 years ago
DetectEngineIPOnlyThreadDeinit(&det_ctx->io_ctx);
Cleanups
16 years ago
/** \todo get rid of this static */
detect: allow det_ctx->de_ctx to be NULL When freeing det_ctx, allow de_ctx to be NULL.
11 years ago
if (det_ctx->de_ctx != NULL) {
PatternMatchThreadDestroy(&det_ctx->mtc, det_ctx->de_ctx->mpm_matcher);
PatternMatchThreadDestroy(&det_ctx->mtcs, det_ctx->de_ctx->mpm_matcher);
PatternMatchThreadDestroy(&det_ctx->mtcu, det_ctx->de_ctx->mpm_matcher);
}
More engine init memleaks fixed. HashListTable remove function fixed.
16 years ago
memroy leaks fixes in detection module, app layer and counters
15 years ago
PmqFree(&det_ctx->pmq);
spm: add and use new SPM API This new API allows for different SPM implementations, using a function pointer table like that used for MPM. This change also switches over the paths that make use of DetectContentData (which previously used BoyerMoore directly) to the new API.
9 years ago
if (det_ctx->spm_thread_ctx != NULL) {
SpmDestroyThreadCtx(det_ctx->spm_thread_ctx);
}
detect: rename non_mpm lists/vars to non_pf Rename to non_pf: non prefilter.
9 years ago
if (det_ctx->non_pf_id_array != NULL)
SCFree(det_ctx->non_pf_id_array);
detect: add mask check prefilter for non mpm list Add mask array for non_mpm sigs, so that we can exclude many sigs before we merge sort. Shows 50% less non mpm sigs inspected on average.
11 years ago
Fix a reload memleak in thread local detection engine ctx.
13 years ago
if (det_ctx->match_array != NULL)
SCFree(det_ctx->match_array);
memroy leaks fixes in detection module, app layer and counters
15 years ago
detect: rewrite of the detect engine Use per tx detect_flags to track prefilter. Detect flags are used for 2 things: 1. marking tx as fully inspected 2. tracking already run prefilter (incl mpm) engines This supercedes the MpmIDs API for directionless tracking of the prefilter engines. When we have no SGH we have to flag the txs that are 'complete' as inspected as well. Special handling for the stream engine: If a rule mixes TX inspection and STREAM inspection, we can encounter the case where the rule is evaluated against multiple transactions during a single inspection run. As the stream data is exactly the same for each of those runs, it's wasteful to rerun inspection of the stream portion of the rule. This patch enables caching of the stream 'inspect engine' result in the local 'RuleMatchCandidateTx' array. This is valid only during the live of a single inspection run. Remove stateful inspection from 'mask' (SignatureMask). The mask wasn't used in most cases for those rules anyway, as there we rely on the prefilter. Add a alproto check to catch the remaining cases. When building the active non-mpm/non-prefilter list check not just the mask, but also the alproto. This especially helps stateful rules with negated mpm. Simplify AppLayerParserHasDecoderEvents usage in detection to only return true if protocol detection events are set. Other detection is done in inspect engines. Move rule group lookup and handling into it's own function. Handle 'post lookup' tasks immediately, instead of after the first detect run. The tasks were independent of the initial detection. Many cleanups and much refactoring.
8 years ago
RuleMatchCandidateTxArrayFree(det_ctx);
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines
14 years ago
if (det_ctx->bj_values != NULL)
SCFree(det_ctx->bj_values);
base64_decode, base64_data: decode and match base64
10 years ago
/* Decoded base64 data. */
if (det_ctx->base64_decoded != NULL) {
SCFree(det_ctx->base64_decoded);
}
detect: improve inspect buffer handling Fix and Optimize cleanup. For the simple single inspect buffer optimize the cleanup by keeping track of the actually used buffers. This avoid looping over unused buffers. Fix the case of cleaning not being done after a tx if the next tx is also inspected in the context of the same packet. Fix cleanup of the multi-inspect buffers. Optimize in 2 ways. First like with single keep track of which multi-inspect buffers have been used. Second, keep a max of the buffers within a multi-inspect buffer. Use this max to limit (nested) looping.
7 years ago
if (det_ctx->inspect.buffers) {
for (uint32_t i = 0; i < det_ctx->inspect.buffers_size; i++) {
InspectionBufferFree(&det_ctx->inspect.buffers[i]);
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
}
detect: improve inspect buffer handling Fix and Optimize cleanup. For the simple single inspect buffer optimize the cleanup by keeping track of the actually used buffers. This avoid looping over unused buffers. Fix the case of cleaning not being done after a tx if the next tx is also inspected in the context of the same packet. Fix cleanup of the multi-inspect buffers. Optimize in 2 ways. First like with single keep track of which multi-inspect buffers have been used. Second, keep a max of the buffers within a multi-inspect buffer. Use this max to limit (nested) looping.
7 years ago
SCFree(det_ctx->inspect.buffers);
}
if (det_ctx->inspect.to_clear_queue) {
SCFree(det_ctx->inspect.to_clear_queue);
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
}
detect: improve inspect buffer handling Fix and Optimize cleanup. For the simple single inspect buffer optimize the cleanup by keeping track of the actually used buffers. This avoid looping over unused buffers. Fix the case of cleaning not being done after a tx if the next tx is also inspected in the context of the same packet. Fix cleanup of the multi-inspect buffers. Optimize in 2 ways. First like with single keep track of which multi-inspect buffers have been used. Second, keep a max of the buffers within a multi-inspect buffer. Use this max to limit (nested) looping.
7 years ago
if (det_ctx->multi_inspect.buffers) {
for (uint32_t i = 0; i < det_ctx->multi_inspect.buffers_size; i++) {
InspectionBufferMultipleForList *fb = &det_ctx->multi_inspect.buffers[i];
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
for (uint32_t x = 0; x < fb->size; x++) {
InspectionBufferFree(&fb->inspection_buffers[x]);
}
SCFree(fb->inspection_buffers);
}
detect: improve inspect buffer handling Fix and Optimize cleanup. For the simple single inspect buffer optimize the cleanup by keeping track of the actually used buffers. This avoid looping over unused buffers. Fix the case of cleaning not being done after a tx if the next tx is also inspected in the context of the same packet. Fix cleanup of the multi-inspect buffers. Optimize in 2 ways. First like with single keep track of which multi-inspect buffers have been used. Second, keep a max of the buffers within a multi-inspect buffer. Use this max to limit (nested) looping.
7 years ago
SCFree(det_ctx->multi_inspect.buffers);
}
if (det_ctx->multi_inspect.to_clear_queue) {
SCFree(det_ctx->multi_inspect.to_clear_queue);
detect: prefilter/inspect API v2, with transforms Introduce InspectionBuffer a structure for passing data between prefilters, transforms and inspection engines. At rule parsing time, we'll register new unique 'DetectBufferType's for a 'parent' buffer (e.g. pure file_data) with its transformations. Each unique combination of buffer with transformations gets it's own buffer id. Similarly, mpm registration and inspect engine registration will be copied from the 'parent' (again, e.g. pure file_data) to the new id's. The transforms are called from within the prefilter engines themselves. Provide generic MPM matching and setup callbacks. Can be used by keywords to avoid needless code duplication. Supports transformations. Use unique name for profiling, to distinguish between pure buffers and buffers with transformation. Add new registration calls for mpm/prefilters and inspect engines. Inspect engine api v2: Pass engine to itself. Add generic engine that uses GetData callback and other registered settings. The generic engine should be usable for every 'simple' case where there is just a single non-streaming buffer. For example HTTP uri. The v2 API assumes that registered MPM implements transformations. Add util func to set new transform in rule and add util funcs for rule parsing.
8 years ago
}
detect: global registery for keyword thread data Some keywords need a scratch space where they can do store the results of expensive operations that remain valid for the time of a packets journey through the detection engine. An example is the reconstructed 'http_header' field, that is needed in MPM, and then for each rule that manually inspects it. Storing this data in the flow is a waste, and reconstructing multiple times on demand as well. This API allows for registering a keyword with an init and free function. It it mean to be used an initialization time, when the keyword is registered.
9 years ago
DetectEngineThreadCtxDeinitGlobalKeywords(det_ctx);
detect: allow det_ctx->de_ctx to be NULL When freeing det_ctx, allow de_ctx to be NULL.
11 years ago
if (det_ctx->de_ctx != NULL) {
DetectEngineThreadCtxDeinitKeywords(det_ctx->de_ctx, det_ctx);
unittests: add exception to detect engine setup Add code to allow for unittests not following the complete api. Update replace tests as they don't use the unittests runmode that powers the workaround based on RunmodeIsUnittests().
11 years ago
#ifdef UNITTESTS
detect: allow det_ctx->de_ctx to be NULL When freeing det_ctx, allow de_ctx to be NULL.
11 years ago
if (!RunmodeIsUnittests() || det_ctx->de_ctx->ref_cnt > 0)
DetectEngineDeReference(&det_ctx->de_ctx);
unittests: add exception to detect engine setup Add code to allow for unittests not following the complete api. Update replace tests as they don't use the unittests runmode that powers the workaround based on RunmodeIsUnittests().
11 years ago
#else
detect: allow det_ctx->de_ctx to be NULL When freeing det_ctx, allow de_ctx to be NULL.
11 years ago
DetectEngineDeReference(&det_ctx->de_ctx);
unittests: add exception to detect engine setup Add code to allow for unittests not following the complete api. Update replace tests as they don't use the unittests runmode that powers the workaround based on RunmodeIsUnittests().
11 years ago
#endif
detect: allow det_ctx->de_ctx to be NULL When freeing det_ctx, allow de_ctx to be NULL.
11 years ago
}
detect-engine: free events Events are stored in a detection engine but actually they are not freed.
7 years ago
AppLayerDecoderEventsFreeEvents(&det_ctx->decoder_events);
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
SCFree(det_ctx);
detect: clean up thread free code Introduce DetectEngineThreadCtxFree that doesn't need a 'ThreadVars' pointer.
10 years ago
}
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
{
DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;
if (det_ctx == NULL) {
SCLogWarning(SC_ERR_INVALID_ARGUMENTS, "argument \"data\" NULL");
return TM_ECODE_OK;
}
multi-detect: hash lookup for tenants Use hash for storing and looking up det_ctxs.
10 years ago
if (det_ctx->mt_det_ctxs_hash != NULL) {
HashTableFree(det_ctx->mt_det_ctxs_hash);
det_ctx->mt_det_ctxs_hash = NULL;
}
detect: clean up thread free code Introduce DetectEngineThreadCtxFree that doesn't need a 'ThreadVars' pointer.
10 years ago
DetectEngineThreadCtxFree(det_ctx);
Cleanups
16 years ago
support for thread exit constants
16 years ago
return TM_ECODE_OK;
Cleanups
16 years ago
}
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
void DetectEngineThreadCtxInfo(ThreadVars *t, DetectEngineThreadCtx *det_ctx)
{
Cleanups
16 years ago
/* XXX */
Get rid of global mpm_ctx.
16 years ago
PatternMatchThreadPrint(&det_ctx->mtc, det_ctx->de_ctx->mpm_matcher);
PatternMatchThreadPrint(&det_ctx->mtcu, det_ctx->de_ctx->mpm_matcher);
Cleanups
16 years ago
}
Thread local ctx for detection keywords Some detection keywords need thread local ctx storage. Example is the filemagic keyword that has a ctx that is modified with each call. That is not thread safe. This functionality allows registration of thread local ctxs so that each detect thread works on it's own copy.
13 years ago
/** \brief Register Thread keyword context Funcs
*
* \param de_ctx detection engine to register in
* \param name keyword name for error printing
* \param InitFunc function ptr
detect/thread: ctx info is allowed to have NULL data
6 years ago
* \param data keyword init data to pass to Func. Can be NULL.
Thread local ctx for detection keywords Some detection keywords need thread local ctx storage. Example is the filemagic keyword that has a ctx that is modified with each call. That is not thread safe. This functionality allows registration of thread local ctxs so that each detect thread works on it's own copy.
13 years ago
* \param FreeFunc function ptr
Bug 585: use per detect thread libmagic ctx
13 years ago
* \param mode 0 normal (ctx per keyword instance) 1 shared (one ctx per det_ct)
Thread local ctx for detection keywords Some detection keywords need thread local ctx storage. Example is the filemagic keyword that has a ctx that is modified with each call. That is not thread safe. This functionality allows registration of thread local ctxs so that each detect thread works on it's own copy.
13 years ago
*
* \retval id for retrieval of ctx at runtime
* \retval -1 on error
*
* \note make sure "data" remains valid and it free'd elsewhere. It's
* recommended to store it in the keywords global ctx so that
* it's freed when the de_ctx is freed.
*/
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
int DetectRegisterThreadCtxFuncs(DetectEngineCtx *de_ctx, const char *name, void *(*InitFunc)(void *), void *data, void (*FreeFunc)(void *), int mode)
{
detect/thread: ctx info is allowed to have NULL data
6 years ago
BUG_ON(de_ctx == NULL || InitFunc == NULL || FreeFunc == NULL);
Thread local ctx for detection keywords Some detection keywords need thread local ctx storage. Example is the filemagic keyword that has a ctx that is modified with each call. That is not thread safe. This functionality allows registration of thread local ctxs so that each detect thread works on it's own copy.
13 years ago
Bug 585: use per detect thread libmagic ctx
13 years ago
if (mode) {
DetectEngineThreadKeywordCtxItem *item = de_ctx->keyword_list;
while (item != NULL) {
if (strcmp(name, item->name) == 0) {
return item->id;
}
item = item->next;
}
}
Thread local ctx for detection keywords Some detection keywords need thread local ctx storage. Example is the filemagic keyword that has a ctx that is modified with each call. That is not thread safe. This functionality allows registration of thread local ctxs so that each detect thread works on it's own copy.
13 years ago
DetectEngineThreadKeywordCtxItem *item = SCMalloc(sizeof(DetectEngineThreadKeywordCtxItem));
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(item == NULL))
Thread local ctx for detection keywords Some detection keywords need thread local ctx storage. Example is the filemagic keyword that has a ctx that is modified with each call. That is not thread safe. This functionality allows registration of thread local ctxs so that each detect thread works on it's own copy.
13 years ago
return -1;
memset(item, 0x00, sizeof(DetectEngineThreadKeywordCtxItem));
item->InitFunc = InitFunc;
item->FreeFunc = FreeFunc;
item->data = data;
Bug 585: use per detect thread libmagic ctx
13 years ago
item->name = name;
Thread local ctx for detection keywords Some detection keywords need thread local ctx storage. Example is the filemagic keyword that has a ctx that is modified with each call. That is not thread safe. This functionality allows registration of thread local ctxs so that each detect thread works on it's own copy.
13 years ago
item->next = de_ctx->keyword_list;
de_ctx->keyword_list = item;
item->id = de_ctx->keyword_id++;
return item->id;
}
/** \brief Retrieve thread local keyword ctx by id
*
* \param det_ctx detection engine thread ctx to retrieve the ctx from
* \param id id of the ctx returned by DetectRegisterThreadCtxInitFunc at
* keyword init.
*
* \retval ctx or NULL on error
*/
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
void *DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
{
Thread local ctx for detection keywords Some detection keywords need thread local ctx storage. Example is the filemagic keyword that has a ctx that is modified with each call. That is not thread safe. This functionality allows registration of thread local ctxs so that each detect thread works on it's own copy.
13 years ago
if (id < 0 || id > det_ctx->keyword_ctxs_size || det_ctx->keyword_ctxs_array == NULL)
return NULL;
return det_ctx->keyword_ctxs_array[id];
}
detect: global registery for keyword thread data Some keywords need a scratch space where they can do store the results of expensive operations that remain valid for the time of a packets journey through the detection engine. An example is the reconstructed 'http_header' field, that is needed in MPM, and then for each rule that manually inspects it. Storing this data in the flow is a waste, and reconstructing multiple times on demand as well. This API allows for registering a keyword with an init and free function. It it mean to be used an initialization time, when the keyword is registered.
9 years ago
/** \brief Register Thread keyword context Funcs (Global)
*
* IDs stay static over reloads and between tenants
*
* \param name keyword name for error printing
* \param InitFunc function ptr
* \param FreeFunc function ptr
*
* \retval id for retrieval of ctx at runtime
* \retval -1 on error
*/
int DetectRegisterThreadCtxGlobalFuncs(const char *name,
void *(*InitFunc)(void *), void *data, void (*FreeFunc)(void *))
{
int id;
BUG_ON(InitFunc == NULL || FreeFunc == NULL);
DetectEngineMasterCtx *master = &g_master_de_ctx;
/* if already registered, return existing id */
DetectEngineThreadKeywordCtxItem *item = master->keyword_list;
while (item != NULL) {
if (strcmp(name, item->name) == 0) {
id = item->id;
return id;
}
item = item->next;
}
item = SCCalloc(1, sizeof(*item));
detect: fix missing unlock in error path
9 years ago
if (unlikely(item == NULL)) {
detect: global registery for keyword thread data Some keywords need a scratch space where they can do store the results of expensive operations that remain valid for the time of a packets journey through the detection engine. An example is the reconstructed 'http_header' field, that is needed in MPM, and then for each rule that manually inspects it. Storing this data in the flow is a waste, and reconstructing multiple times on demand as well. This API allows for registering a keyword with an init and free function. It it mean to be used an initialization time, when the keyword is registered.
9 years ago
return -1;
detect: fix missing unlock in error path
9 years ago
}
detect: global registery for keyword thread data Some keywords need a scratch space where they can do store the results of expensive operations that remain valid for the time of a packets journey through the detection engine. An example is the reconstructed 'http_header' field, that is needed in MPM, and then for each rule that manually inspects it. Storing this data in the flow is a waste, and reconstructing multiple times on demand as well. This API allows for registering a keyword with an init and free function. It it mean to be used an initialization time, when the keyword is registered.
9 years ago
item->InitFunc = InitFunc;
item->FreeFunc = FreeFunc;
item->name = name;
item->data = data;
item->next = master->keyword_list;
master->keyword_list = item;
item->id = master->keyword_id++;
id = item->id;
return id;
}
/** \brief Retrieve thread local keyword ctx by id
*
* \param det_ctx detection engine thread ctx to retrieve the ctx from
* \param id id of the ctx returned by DetectRegisterThreadCtxInitFunc at
* keyword init.
*
* \retval ctx or NULL on error
*/
void *DetectThreadCtxGetGlobalKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
{
if (id < 0 || id > det_ctx->global_keyword_ctxs_size ||
det_ctx->global_keyword_ctxs_array == NULL) {
return NULL;
}
return det_ctx->global_keyword_ctxs_array[id];
}
runmodes: remove DetectEngineCtx passing from API No longer pass a pointer to the current detection engine to the runmode API calls. Note: breaks delayed detect. Will be fixed in a future commit.
11 years ago
/** \brief Check if detection is enabled
* \retval bool true or false */
int DetectEngineEnabled(void)
{
DetectEngineMasterCtx *master = &g_master_de_ctx;
SCMutexLock(&master->lock);
if (master->list == NULL) {
SCMutexUnlock(&master->lock);
return 0;
}
SCMutexUnlock(&master->lock);
return 1;
}
detect: use engine version instead of id Use engine version based on global detect engine master. This is incremented between reloads.
9 years ago
uint32_t DetectEngineGetVersion(void)
{
uint32_t version;
DetectEngineMasterCtx *master = &g_master_de_ctx;
SCMutexLock(&master->lock);
version = master->version;
SCMutexUnlock(&master->lock);
return version;
}
void DetectEngineBumpVersion(void)
{
DetectEngineMasterCtx *master = &g_master_de_ctx;
SCMutexLock(&master->lock);
master->version++;
SCLogDebug("master version now %u", master->version);
SCMutexUnlock(&master->lock);
}
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
DetectEngineCtx *DetectEngineGetCurrent(void)
{
DetectEngineMasterCtx *master = &g_master_de_ctx;
SCMutexLock(&master->lock);
detect/multi-tenant: fix mix of default detect engine and tenants
7 years ago
DetectEngineCtx *de_ctx = master->list;
while (de_ctx) {
detect: fix delayed detect Last multi-detect changes broken delayed-detect by refusing to reload a 'stub' detect engine. This patch distinguishes between a stub for multi-tenancy and for delayed detect.
7 years ago
if (de_ctx->type == DETECT_ENGINE_TYPE_NORMAL ||
de_ctx->type == DETECT_ENGINE_TYPE_DD_STUB ||
de_ctx->type == DETECT_ENGINE_TYPE_MT_STUB)
{
detect/multi-tenant: fix mix of default detect engine and tenants
7 years ago
de_ctx->ref_cnt++;
SCLogDebug("de_ctx %p ref_cnt %u", de_ctx, de_ctx->ref_cnt);
SCMutexUnlock(&master->lock);
return de_ctx;
}
de_ctx = de_ctx->next;
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
}
SCMutexUnlock(&master->lock);
detect/multi-tenant: fix mix of default detect engine and tenants
7 years ago
return NULL;
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
}
detect reload: allow master update during reload Add DetectEngineReference, which takes a reference to a detect engine, and make DetectEngineThreadCtxInitForLiveRuleSwap use it. This way reload will not depend on master staying the same. This allows master to be updated in between w/o affecting the reload that is in progress.
11 years ago
DetectEngineCtx *DetectEngineReference(DetectEngineCtx *de_ctx)
{
if (de_ctx == NULL)
return NULL;
de_ctx->ref_cnt++;
return de_ctx;
}
detect: make multi tenancy a global switch At start up we will set this flag based on "multi-detect.enabled".
11 years ago
/** TODO locking? Not needed if this is a one time setting at startup */
int DetectEngineMultiTenantEnabled(void)
{
DetectEngineMasterCtx *master = &g_master_de_ctx;
return (master->multi_tenant_enabled);
}
multi-detect: detect loader for unix socket Move the tenant load and reload commands to be executed by the detect loader thread(s). Limitation: no yaml parsing in parallel. The Conf API is currently not thread safe, so don't load the tenant config (yaml) in parallel.
10 years ago
/** \internal
* \brief load a tenant from a yaml file
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
*
* \param tenant_id the tenant id by which the config is known
* \param filename full path of a yaml file
detect: create loader threads To speed up startup with many tenants, tenant loading will be parallelized. As no tempary threads should be used for these memory allocation heavy tasks, this patch adds new type of 'command' thread that can be used to load and reload tenants. This patch hardcodes the number of loaders to 4. Future work will make it dynamic. The loader thread essentially sleeps constantly. When a tasks is sent to it, it will wake up and execute it.
10 years ago
* \param loader_id id of loader thread or -1
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
*
* \retval 0 ok
* \retval -1 failed
*/
multi-detect: detect loader for unix socket Move the tenant load and reload commands to be executed by the detect loader thread(s). Limitation: no yaml parsing in parallel. The Conf API is currently not thread safe, so don't load the tenant config (yaml) in parallel.
10 years ago
static int DetectEngineMultiTenantLoadTenant(uint32_t tenant_id, const char *filename, int loader_id)
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
{
DetectEngineCtx *de_ctx = NULL;
char prefix[64];
snprintf(prefix, sizeof(prefix), "multi-detect.%d", tenant_id);
#ifdef OS_WIN32
struct _stat st;
if(_stat(filename, &st) != 0) {
#else
struct stat st;
if(stat(filename, &st) != 0) {
#endif /* OS_WIN32 */
SCLogError(SC_ERR_FOPEN, "failed to stat file %s", filename);
goto error;
}
multi-detect: refuse to add duplicate tenant Generate error if tentant to be added is already loaded.
11 years ago
de_ctx = DetectEngineGetByTenantId(tenant_id);
if (de_ctx != NULL) {
SCLogError(SC_ERR_MT_DUPLICATE_TENANT, "tenant %u already registered",
tenant_id);
DetectEngineDeReference(&de_ctx);
goto error;
}
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
ConfNode *node = ConfGetNode(prefix);
if (node == NULL) {
SCLogError(SC_ERR_CONF_YAML_ERROR, "failed to properly setup yaml %s", filename);
goto error;
}
de_ctx = DetectEngineCtxInitWithPrefix(prefix);
if (de_ctx == NULL) {
SCLogError(SC_ERR_INITIALIZATION, "initializing detection engine "
"context failed.");
goto error;
}
SCLogDebug("de_ctx %p with prefix %s", de_ctx, de_ctx->config_prefix);
detect: make detect engine types explicit There are 3 types of detect engine objects: 1. normal The normal detection engine if no multi-tenancy is in use 2. tenant A per tenant detection engine 3. stub A stub (or minimal as it was called before) detect engine that is needed to have something in place when there are only tenants. A stub is also used in case of 'delayed detect', where we need a minimal detect engine to start up which is replaced by a full (normal type) detect engine after startup. This patch adds a new field 'type' to the DetectEngineCtx object to distinguish between the types. This replaces the boolean 'minimal'.
7 years ago
de_ctx->type = DETECT_ENGINE_TYPE_TENANT;
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
de_ctx->tenant_id = tenant_id;
multi-detect: detect loader for unix socket Move the tenant load and reload commands to be executed by the detect loader thread(s). Limitation: no yaml parsing in parallel. The Conf API is currently not thread safe, so don't load the tenant config (yaml) in parallel.
10 years ago
de_ctx->loader_id = loader_id;
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
if (SigLoadSignatures(de_ctx, NULL, 0) < 0) {
SCLogError(SC_ERR_NO_RULES_LOADED, "Loading signatures failed.");
goto error;
}
DetectEngineAddToMaster(de_ctx);
return 0;
error:
multi-detect: refuse to add duplicate tenant Generate error if tentant to be added is already loaded.
11 years ago
if (de_ctx != NULL) {
DetectEngineCtxFree(de_ctx);
}
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
return -1;
}
multi-detect: detect loader for unix socket Move the tenant load and reload commands to be executed by the detect loader thread(s). Limitation: no yaml parsing in parallel. The Conf API is currently not thread safe, so don't load the tenant config (yaml) in parallel.
10 years ago
static int DetectEngineMultiTenantReloadTenant(uint32_t tenant_id, const char *filename, int reload_cnt)
{
DetectEngineCtx *old_de_ctx = DetectEngineGetByTenantId(tenant_id);
if (old_de_ctx == NULL) {
SCLogError(SC_ERR_INITIALIZATION, "tenant detect engine not found");
return -1;
}
char prefix[64];
snprintf(prefix, sizeof(prefix), "multi-detect.%d.reload.%d", tenant_id, reload_cnt);
reload_cnt++;
multi-tenant: make less verbose
9 years ago
SCLogDebug("prefix %s", prefix);
multi-detect: detect loader for unix socket Move the tenant load and reload commands to be executed by the detect loader thread(s). Limitation: no yaml parsing in parallel. The Conf API is currently not thread safe, so don't load the tenant config (yaml) in parallel.
10 years ago
if (ConfYamlLoadFileWithPrefix(filename, prefix) != 0) {
SCLogError(SC_ERR_INITIALIZATION,"failed to load yaml");
goto error;
}
ConfNode *node = ConfGetNode(prefix);
if (node == NULL) {
SCLogError(SC_ERR_CONF_YAML_ERROR, "failed to properly setup yaml %s", filename);
goto error;
}
DetectEngineCtx *new_de_ctx = DetectEngineCtxInitWithPrefix(prefix);
if (new_de_ctx == NULL) {
SCLogError(SC_ERR_INITIALIZATION, "initializing detection engine "
"context failed.");
goto error;
}
SCLogDebug("de_ctx %p with prefix %s", new_de_ctx, new_de_ctx->config_prefix);
detect: make detect engine types explicit There are 3 types of detect engine objects: 1. normal The normal detection engine if no multi-tenancy is in use 2. tenant A per tenant detection engine 3. stub A stub (or minimal as it was called before) detect engine that is needed to have something in place when there are only tenants. A stub is also used in case of 'delayed detect', where we need a minimal detect engine to start up which is replaced by a full (normal type) detect engine after startup. This patch adds a new field 'type' to the DetectEngineCtx object to distinguish between the types. This replaces the boolean 'minimal'.
7 years ago
new_de_ctx->type = DETECT_ENGINE_TYPE_TENANT;
multi-detect: detect loader for unix socket Move the tenant load and reload commands to be executed by the detect loader thread(s). Limitation: no yaml parsing in parallel. The Conf API is currently not thread safe, so don't load the tenant config (yaml) in parallel.
10 years ago
new_de_ctx->tenant_id = tenant_id;
new_de_ctx->loader_id = old_de_ctx->loader_id;
if (SigLoadSignatures(new_de_ctx, NULL, 0) < 0) {
SCLogError(SC_ERR_NO_RULES_LOADED, "Loading signatures failed.");
goto error;
}
DetectEngineAddToMaster(new_de_ctx);
/* move to free list */
DetectEngineMoveToFreeList(old_de_ctx);
DetectEngineDeReference(&old_de_ctx);
return 0;
error:
DetectEngineDeReference(&old_de_ctx);
return -1;
}
detect: create loader threads To speed up startup with many tenants, tenant loading will be parallelized. As no tempary threads should be used for these memory allocation heavy tasks, this patch adds new type of 'command' thread that can be used to load and reload tenants. This patch hardcodes the number of loaders to 4. Future work will make it dynamic. The loader thread essentially sleeps constantly. When a tasks is sent to it, it will wake up and execute it.
10 years ago
typedef struct TenantLoaderCtx_ {
uint32_t tenant_id;
multi-detect: detect loader for unix socket Move the tenant load and reload commands to be executed by the detect loader thread(s). Limitation: no yaml parsing in parallel. The Conf API is currently not thread safe, so don't load the tenant config (yaml) in parallel.
10 years ago
int reload_cnt; /**< used by reload */
detect: create loader threads To speed up startup with many tenants, tenant loading will be parallelized. As no tempary threads should be used for these memory allocation heavy tasks, this patch adds new type of 'command' thread that can be used to load and reload tenants. This patch hardcodes the number of loaders to 4. Future work will make it dynamic. The loader thread essentially sleeps constantly. When a tasks is sent to it, it will wake up and execute it.
10 years ago
const char *yaml;
} TenantLoaderCtx;
static int DetectLoaderFuncLoadTenant(void *vctx, int loader_id)
{
TenantLoaderCtx *ctx = (TenantLoaderCtx *)vctx;
multi-detect: clean up output
10 years ago
SCLogDebug("loader %d", loader_id);
detect: create loader threads To speed up startup with many tenants, tenant loading will be parallelized. As no tempary threads should be used for these memory allocation heavy tasks, this patch adds new type of 'command' thread that can be used to load and reload tenants. This patch hardcodes the number of loaders to 4. Future work will make it dynamic. The loader thread essentially sleeps constantly. When a tasks is sent to it, it will wake up and execute it.
10 years ago
if (DetectEngineMultiTenantLoadTenant(ctx->tenant_id, ctx->yaml, loader_id) != 0) {
return -1;
}
return 0;
}
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
static int DetectLoaderSetupLoadTenant(uint32_t tenant_id, const char *yaml)
detect: create loader threads To speed up startup with many tenants, tenant loading will be parallelized. As no tempary threads should be used for these memory allocation heavy tasks, this patch adds new type of 'command' thread that can be used to load and reload tenants. This patch hardcodes the number of loaders to 4. Future work will make it dynamic. The loader thread essentially sleeps constantly. When a tasks is sent to it, it will wake up and execute it.
10 years ago
{
TenantLoaderCtx *t = SCCalloc(1, sizeof(*t));
if (t == NULL)
return -ENOMEM;
t->tenant_id = tenant_id;
t->yaml = yaml;
return DetectLoaderQueueTask(-1, DetectLoaderFuncLoadTenant, t);
}
multi-detect: detect loader for unix socket Move the tenant load and reload commands to be executed by the detect loader thread(s). Limitation: no yaml parsing in parallel. The Conf API is currently not thread safe, so don't load the tenant config (yaml) in parallel.
10 years ago
static int DetectLoaderFuncReloadTenant(void *vctx, int loader_id)
{
TenantLoaderCtx *ctx = (TenantLoaderCtx *)vctx;
SCLogDebug("loader_id %d", loader_id);
if (DetectEngineMultiTenantReloadTenant(ctx->tenant_id, ctx->yaml, ctx->reload_cnt) != 0) {
return -1;
}
return 0;
}
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
static int DetectLoaderSetupReloadTenant(uint32_t tenant_id, const char *yaml, int reload_cnt)
multi-detect: detect loader for unix socket Move the tenant load and reload commands to be executed by the detect loader thread(s). Limitation: no yaml parsing in parallel. The Conf API is currently not thread safe, so don't load the tenant config (yaml) in parallel.
10 years ago
{
DetectEngineCtx *old_de_ctx = DetectEngineGetByTenantId(tenant_id);
if (old_de_ctx == NULL)
return -ENOENT;
int loader_id = old_de_ctx->loader_id;
DetectEngineDeReference(&old_de_ctx);
TenantLoaderCtx *t = SCCalloc(1, sizeof(*t));
if (t == NULL)
return -ENOMEM;
t->tenant_id = tenant_id;
t->yaml = yaml;
t->reload_cnt = reload_cnt;
SCLogDebug("loader_id %d", loader_id);
return DetectLoaderQueueTask(loader_id, DetectLoaderFuncReloadTenant, t);
}
/** \brief Load a tenant and wait for loading to complete
*/
int DetectEngineLoadTenantBlocking(uint32_t tenant_id, const char *yaml)
{
int r = DetectLoaderSetupLoadTenant(tenant_id, yaml);
if (r < 0)
return r;
if (DetectLoadersSync() != 0)
return -1;
return 0;
}
/** \brief Reload a tenant and wait for loading to complete
*/
int DetectEngineReloadTenantBlocking(uint32_t tenant_id, const char *yaml, int reload_cnt)
{
int r = DetectLoaderSetupReloadTenant(tenant_id, yaml, reload_cnt);
if (r < 0)
return r;
if (DetectLoadersSync() != 0)
return -1;
return 0;
}
multi-tenant: introduce device selector Add device to tenant mapping support: mappings: - device: ens5f0 tenant-id: 1 - device: ens5f1 tenant-id: 23 Implemented by assigning the tenant id to the 'livedev', which means it's only supported for capture methods that use the livedev API. It's also currently not supported for IPS. In a case like 'eth0 -> eth1' it's unclear which tenant should be used for the return traffic in a flow, where the incoming device is 'eth1'.
8 years ago
static int DetectEngineMultiTenantSetupLoadLivedevMappings(const ConfNode *mappings_root_node,
bool failure_fatal)
{
ConfNode *mapping_node = NULL;
int mapping_cnt = 0;
if (mappings_root_node != NULL) {
TAILQ_FOREACH(mapping_node, &mappings_root_node->head, next) {
ConfNode *tenant_id_node = ConfNodeLookupChild(mapping_node, "tenant-id");
if (tenant_id_node == NULL)
goto bad_mapping;
ConfNode *device_node = ConfNodeLookupChild(mapping_node, "device");
if (device_node == NULL)
goto bad_mapping;
uint32_t tenant_id = 0;
if (ByteExtractStringUint32(&tenant_id, 10, strlen(tenant_id_node->val),
tenant_id_node->val) == -1)
{
SCLogError(SC_ERR_INVALID_ARGUMENT, "tenant-id "
"of %s is invalid", tenant_id_node->val);
goto bad_mapping;
}
const char *dev = device_node->val;
LiveDevice *ld = LiveGetDevice(dev);
if (ld == NULL) {
SCLogWarning(SC_ERR_MT_NO_MAPPING, "device %s not found", dev);
goto bad_mapping;
}
if (ld->tenant_id_set) {
SCLogWarning(SC_ERR_MT_NO_MAPPING, "device %s already mapped to tenant-id %u",
dev, ld->tenant_id);
goto bad_mapping;
}
ld->tenant_id = tenant_id;
ld->tenant_id_set = true;
if (DetectEngineTentantRegisterLivedev(tenant_id, ld->id) != 0) {
goto error;
}
SCLogConfig("device %s connected to tenant-id %u", dev, tenant_id);
mapping_cnt++;
continue;
bad_mapping:
if (failure_fatal)
goto error;
}
}
SCLogConfig("%d device - tenant-id mappings defined", mapping_cnt);
return mapping_cnt;
error:
return 0;
}
static int DetectEngineMultiTenantSetupLoadVlanMappings(const ConfNode *mappings_root_node,
bool failure_fatal)
{
ConfNode *mapping_node = NULL;
int mapping_cnt = 0;
if (mappings_root_node != NULL) {
TAILQ_FOREACH(mapping_node, &mappings_root_node->head, next) {
ConfNode *tenant_id_node = ConfNodeLookupChild(mapping_node, "tenant-id");
if (tenant_id_node == NULL)
goto bad_mapping;
ConfNode *vlan_id_node = ConfNodeLookupChild(mapping_node, "vlan-id");
if (vlan_id_node == NULL)
goto bad_mapping;
uint32_t tenant_id = 0;
if (ByteExtractStringUint32(&tenant_id, 10, strlen(tenant_id_node->val),
tenant_id_node->val) == -1)
{
SCLogError(SC_ERR_INVALID_ARGUMENT, "tenant-id "
"of %s is invalid", tenant_id_node->val);
goto bad_mapping;
}
uint16_t vlan_id = 0;
if (ByteExtractStringUint16(&vlan_id, 10, strlen(vlan_id_node->val),
vlan_id_node->val) == -1)
{
SCLogError(SC_ERR_INVALID_ARGUMENT, "vlan-id "
"of %s is invalid", vlan_id_node->val);
goto bad_mapping;
}
if (vlan_id == 0 || vlan_id >= 4095) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "vlan-id "
"of %s is invalid. Valid range 1-4094.", vlan_id_node->val);
goto bad_mapping;
}
if (DetectEngineTentantRegisterVlanId(tenant_id, (uint32_t)vlan_id) != 0) {
goto error;
}
SCLogConfig("vlan %u connected to tenant-id %u", vlan_id, tenant_id);
mapping_cnt++;
continue;
bad_mapping:
if (failure_fatal)
goto error;
}
}
return mapping_cnt;
error:
return 0;
}
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
/**
* \brief setup multi-detect / multi-tenancy
*
* See if MT is enabled. If so, setup the selector, tenants and mappings.
* Tenants and mappings are optional, and can also dynamically be added
* and removed from the unix socket.
*/
multi-detect: improve error handling
10 years ago
int DetectEngineMultiTenantSetup(void)
detect: make multi tenancy a global switch At start up we will set this flag based on "multi-detect.enabled".
11 years ago
{
multi-detect: handle missing mappings Notify/warn user about missing mappings depending on other settings like unix socket and init errors fatal.
10 years ago
enum DetectEngineTenantSelectors tenant_selector = TENANT_SELECTOR_UNKNOWN;
detect: make multi tenancy a global switch At start up we will set this flag based on "multi-detect.enabled".
11 years ago
DetectEngineMasterCtx *master = &g_master_de_ctx;
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
unix-socket: add auto mode When running in live mode, the new default 'auto' value of unix-command.enabled causes unix-command to be activated. This will allow users of live capture to benefit from the feature and result in no side effect for user running in offline capture.
9 years ago
int unix_socket = ConfUnixSocketIsEnable();
multi-detect: handle missing mappings Notify/warn user about missing mappings depending on other settings like unix socket and init errors fatal.
10 years ago
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
int failure_fatal = 0;
(void)ConfGetBool("engine.init-failure-fatal", &failure_fatal);
detect: make multi tenancy a global switch At start up we will set this flag based on "multi-detect.enabled".
11 years ago
int enabled = 0;
(void)ConfGetBool("multi-detect.enabled", &enabled);
if (enabled == 1) {
detect: create loader threads To speed up startup with many tenants, tenant loading will be parallelized. As no tempary threads should be used for these memory allocation heavy tasks, this patch adds new type of 'command' thread that can be used to load and reload tenants. This patch hardcodes the number of loaders to 4. Future work will make it dynamic. The loader thread essentially sleeps constantly. When a tasks is sent to it, it will wake up and execute it.
10 years ago
DetectLoadersInit();
TmModuleDetectLoaderRegister();
DetectLoaderThreadSpawn();
TmThreadContinueDetectLoaderThreads();
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
SCMutexLock(&master->lock);
detect: make multi tenancy a global switch At start up we will set this flag based on "multi-detect.enabled".
11 years ago
master->multi_tenant_enabled = 1;
multi-detect: set selector from yaml Yaml setting is: multi-detect.selector Implement 'vlan' and 'direct'.
11 years ago
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
const char *handler = NULL;
multi-detect: set selector from yaml Yaml setting is: multi-detect.selector Implement 'vlan' and 'direct'.
11 years ago
if (ConfGet("multi-detect.selector", &handler) == 1) {
multi-tenant: make less verbose
9 years ago
SCLogConfig("multi-tenant selector type %s", handler);
multi-detect: set selector from yaml Yaml setting is: multi-detect.selector Implement 'vlan' and 'direct'.
11 years ago
if (strcmp(handler, "vlan") == 0) {
multi-detect: handle missing mappings Notify/warn user about missing mappings depending on other settings like unix socket and init errors fatal.
10 years ago
tenant_selector = master->tenant_selector = TENANT_SELECTOR_VLAN;
multi-detect: consider vlan tracking Refuse to use vlan selector if vlan tracking is disabled.
10 years ago
int vlanbool = 0;
if ((ConfGetBool("vlan.use-for-tracking", &vlanbool)) == 1 && vlanbool == 0) {
SCLogError(SC_ERR_INVALID_VALUE, "vlan tracking is disabled, "
"can't use multi-detect selector 'vlan'");
SCMutexUnlock(&master->lock);
goto error;
}
multi-detect: set selector from yaml Yaml setting is: multi-detect.selector Implement 'vlan' and 'direct'.
11 years ago
} else if (strcmp(handler, "direct") == 0) {
multi-detect: handle missing mappings Notify/warn user about missing mappings depending on other settings like unix socket and init errors fatal.
10 years ago
tenant_selector = master->tenant_selector = TENANT_SELECTOR_DIRECT;
multi-tenant: introduce device selector Add device to tenant mapping support: mappings: - device: ens5f0 tenant-id: 1 - device: ens5f1 tenant-id: 23 Implemented by assigning the tenant id to the 'livedev', which means it's only supported for capture methods that use the livedev API. It's also currently not supported for IPS. In a case like 'eth0 -> eth1' it's unclear which tenant should be used for the return traffic in a flow, where the incoming device is 'eth1'.
8 years ago
} else if (strcmp(handler, "device") == 0) {
tenant_selector = master->tenant_selector = TENANT_SELECTOR_LIVEDEV;
if (EngineModeIsIPS()) {
SCLogWarning(SC_ERR_MT_NO_MAPPING,
"multi-tenant 'device' mode not supported for IPS");
SCMutexUnlock(&master->lock);
goto error;
}
multi-detect: set selector from yaml Yaml setting is: multi-detect.selector Implement 'vlan' and 'direct'.
11 years ago
} else {
SCLogError(SC_ERR_INVALID_VALUE, "unknown value %s "
"multi-detect.selector", handler);
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
SCMutexUnlock(&master->lock);
goto error;
multi-detect: set selector from yaml Yaml setting is: multi-detect.selector Implement 'vlan' and 'direct'.
11 years ago
}
}
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
SCMutexUnlock(&master->lock);
multi-tenant: make less verbose
9 years ago
SCLogConfig("multi-detect is enabled (multi tenancy). Selector: %s", handler);
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
/* traffic -- tenant mappings */
ConfNode *mappings_root_node = ConfGetNode("multi-detect.mappings");
multi-tenant: introduce device selector Add device to tenant mapping support: mappings: - device: ens5f0 tenant-id: 1 - device: ens5f1 tenant-id: 23 Implemented by assigning the tenant id to the 'livedev', which means it's only supported for capture methods that use the livedev API. It's also currently not supported for IPS. In a case like 'eth0 -> eth1' it's unclear which tenant should be used for the return traffic in a flow, where the incoming device is 'eth1'.
8 years ago
if (tenant_selector == TENANT_SELECTOR_VLAN) {
int mapping_cnt = DetectEngineMultiTenantSetupLoadVlanMappings(mappings_root_node,
failure_fatal);
if (mapping_cnt == 0) {
/* no mappings are valid when we're in unix socket mode,
* they can be added on the fly. Otherwise warn/error
* depending on failure_fatal */
if (unix_socket) {
SCLogNotice("no tenant traffic mappings defined, "
"tenants won't be used until mappings are added");
} else {
if (failure_fatal) {
SCLogError(SC_ERR_MT_NO_MAPPING, "no multi-detect mappings defined");
goto error;
} else {
SCLogWarning(SC_ERR_MT_NO_MAPPING, "no multi-detect mappings defined");
}
multi-detect: fix and simplify config instead mappings: - vlan: vlan-id: 1 tenant-id: 2 we'll now use: mappings: - vlan-id: 1 tenant-id: 2 For YAML it pretty much means the same thing. Ticket: 1517
10 years ago
}
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
}
multi-tenant: introduce device selector Add device to tenant mapping support: mappings: - device: ens5f0 tenant-id: 1 - device: ens5f1 tenant-id: 23 Implemented by assigning the tenant id to the 'livedev', which means it's only supported for capture methods that use the livedev API. It's also currently not supported for IPS. In a case like 'eth0 -> eth1' it's unclear which tenant should be used for the return traffic in a flow, where the incoming device is 'eth1'.
8 years ago
} else if (tenant_selector == TENANT_SELECTOR_LIVEDEV) {
int mapping_cnt = DetectEngineMultiTenantSetupLoadLivedevMappings(mappings_root_node,
failure_fatal);
if (mapping_cnt == 0) {
multi-detect: improve error handling
10 years ago
if (failure_fatal) {
multi-detect: handle missing mappings Notify/warn user about missing mappings depending on other settings like unix socket and init errors fatal.
10 years ago
SCLogError(SC_ERR_MT_NO_MAPPING, "no multi-detect mappings defined");
goto error;
multi-detect: improve error handling
10 years ago
} else {
SCLogWarning(SC_ERR_MT_NO_MAPPING, "no multi-detect mappings defined");
multi-detect: handle missing mappings Notify/warn user about missing mappings depending on other settings like unix socket and init errors fatal.
10 years ago
}
}
}
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
/* tenants */
ConfNode *tenants_root_node = ConfGetNode("multi-detect.tenants");
ConfNode *tenant_node = NULL;
if (tenants_root_node != NULL) {
TAILQ_FOREACH(tenant_node, &tenants_root_node->head, next) {
ConfNode *id_node = ConfNodeLookupChild(tenant_node, "id");
multi-detect: improve error handling
10 years ago
if (id_node == NULL) {
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
goto bad_tenant;
multi-detect: improve error handling
10 years ago
}
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
ConfNode *yaml_node = ConfNodeLookupChild(tenant_node, "yaml");
multi-detect: improve error handling
10 years ago
if (yaml_node == NULL) {
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
goto bad_tenant;
multi-detect: improve error handling
10 years ago
}
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
uint32_t tenant_id = 0;
if (ByteExtractStringUint32(&tenant_id, 10, strlen(id_node->val),
id_node->val) == -1)
{
SCLogError(SC_ERR_INVALID_ARGUMENT, "tenant_id "
"of %s is invalid", id_node->val);
goto bad_tenant;
}
multi-tenant: make less verbose
9 years ago
SCLogDebug("tenant id: %u, %s", tenant_id, yaml_node->val);
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
multi-detect: detect loader for unix socket Move the tenant load and reload commands to be executed by the detect loader thread(s). Limitation: no yaml parsing in parallel. The Conf API is currently not thread safe, so don't load the tenant config (yaml) in parallel.
10 years ago
/* setup the yaml in this loop so that it's not done by the loader
* threads. ConfYamlLoadFileWithPrefix is not thread safe. */
char prefix[64];
snprintf(prefix, sizeof(prefix), "multi-detect.%d", tenant_id);
if (ConfYamlLoadFileWithPrefix(yaml_node->val, prefix) != 0) {
SCLogError(SC_ERR_CONF_YAML_ERROR, "failed to load yaml %s", yaml_node->val);
goto bad_tenant;
}
multi-detect: improve error handling
10 years ago
int r = DetectLoaderSetupLoadTenant(tenant_id, yaml_node->val);
if (r < 0) {
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
/* error logged already */
goto bad_tenant;
}
continue;
bad_tenant:
if (failure_fatal)
goto error;
}
}
detect: create loader threads To speed up startup with many tenants, tenant loading will be parallelized. As no tempary threads should be used for these memory allocation heavy tasks, this patch adds new type of 'command' thread that can be used to load and reload tenants. This patch hardcodes the number of loaders to 4. Future work will make it dynamic. The loader thread essentially sleeps constantly. When a tasks is sent to it, it will wake up and execute it.
10 years ago
/* wait for our loaders to complete their tasks */
multi-detect: improve error handling
10 years ago
if (DetectLoadersSync() != 0) {
detect: create loader threads To speed up startup with many tenants, tenant loading will be parallelized. As no tempary threads should be used for these memory allocation heavy tasks, this patch adds new type of 'command' thread that can be used to load and reload tenants. This patch hardcodes the number of loaders to 4. Future work will make it dynamic. The loader thread essentially sleeps constantly. When a tasks is sent to it, it will wake up and execute it.
10 years ago
goto error;
multi-detect: improve error handling
10 years ago
}
var-names: expose outside of detect engine Until now variable names, such as flowbit names, were local to a detect engine. This made sense as they were only ever used in that context. For the purpose of logging these names, this needs a different approach. The loggers live outside of the detect engine. Also, in the case of reloads and multi-tenancy, there are even multiple detect engines, so it would be even more tricky to access them from the outside. This patch brings a new approach. A any time, there is a single active hash table mapping the variable names and their id's. For multiple tenants the table is shared between tenants. The table is set up in a 'staging' area, where locking makes sure that multiple loading threads don't mess things up. Then when the preparing of a detection engine is ready, but before the detect threads are made aware of the new detect engine, the active varname hash is swapped with the staging instance. For this to work, all the mappings from the 'current' or active mapping are added to the staging table. After the threads have reloaded and the new detection engine is active, the old table can be freed. For multi tenancy things are similar. The staging area is used for setting up until the new detection engines / tenants are applied to the system. This patch also changes the variable 'id'/'idx' field to uint32_t. Due to data structure padding and alignment, this should have no practical drawback while allowing for a lot more vars.
9 years ago
VarNameStoreActivateStaging();
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
} else {
SCLogDebug("multi-detect not enabled (multi tenancy)");
detect: make multi tenancy a global switch At start up we will set this flag based on "multi-detect.enabled".
11 years ago
}
multi-detect: improve error handling
10 years ago
return 0;
multi-detect: load tenants from yaml file Load tenants and mappings from the suricata.yaml when available.
11 years ago
error:
multi-detect: improve error handling
10 years ago
return -1;
detect: make multi tenancy a global switch At start up we will set this flag based on "multi-detect.enabled".
11 years ago
}
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
static uint32_t DetectEngineTentantGetIdFromVlanId(const void *ctx, const Packet *p)
multi-detect: initial selectors for tenants The Detection Thread has the TenantGetId pointer which allows it to select a tenant id based on the packet.
11 years ago
{
const DetectEngineThreadCtx *det_ctx = ctx;
uint32_t x = 0;
uint32_t vlan_id = 0;
if (p->vlan_idx == 0)
return 0;
vlan_id = p->vlan_id[0];
if (det_ctx == NULL || det_ctx->tenant_array == NULL || det_ctx->tenant_array_size == 0)
return 0;
/* not very efficient, but for now we're targeting only limited amounts.
* Can use hash/tree approach later. */
for (x = 0; x < det_ctx->tenant_array_size; x++) {
if (det_ctx->tenant_array[x].traffic_id == vlan_id)
return det_ctx->tenant_array[x].tenant_id;
}
return 0;
}
multi-tenant: introduce device selector Add device to tenant mapping support: mappings: - device: ens5f0 tenant-id: 1 - device: ens5f1 tenant-id: 23 Implemented by assigning the tenant id to the 'livedev', which means it's only supported for capture methods that use the livedev API. It's also currently not supported for IPS. In a case like 'eth0 -> eth1' it's unclear which tenant should be used for the return traffic in a flow, where the incoming device is 'eth1'.
8 years ago
static uint32_t DetectEngineTentantGetIdFromLivedev(const void *ctx, const Packet *p)
{
const DetectEngineThreadCtx *det_ctx = ctx;
const LiveDevice *ld = p->livedev;
if (ld == NULL || det_ctx == NULL)
return 0;
SCLogDebug("using tenant-id %u for packet on device %s", ld->tenant_id, ld->dev);
return ld->tenant_id;
}
multi-detect: initial selectors for tenants The Detection Thread has the TenantGetId pointer which allows it to select a tenant id based on the packet.
11 years ago
static int DetectEngineTentantRegisterSelector(enum DetectEngineTenantSelectors selector,
uint32_t tenant_id, uint32_t traffic_id)
{
DetectEngineMasterCtx *master = &g_master_de_ctx;
SCMutexLock(&master->lock);
if (!(master->tenant_selector == TENANT_SELECTOR_UNKNOWN || master->tenant_selector == selector)) {
SCLogInfo("conflicting selector already set");
SCMutexUnlock(&master->lock);
return -1;
}
unix-socket: implement register-tenant-handler Register tenant handlers/selectors based on what the unix command "register-tenant-handler" tells. Check traffic id before adding it. No duplicated registrations for a traffic id are allowed.
11 years ago
DetectEngineTenantMapping *m = master->tenant_mapping_list;
while (m) {
if (m->traffic_id == traffic_id) {
SCLogInfo("traffic id already registered");
SCMutexUnlock(&master->lock);
return -1;
}
m = m->next;
}
multi-detect: initial selectors for tenants The Detection Thread has the TenantGetId pointer which allows it to select a tenant id based on the packet.
11 years ago
DetectEngineTenantMapping *map = SCCalloc(1, sizeof(*map));
if (map == NULL) {
SCLogInfo("memory fail");
SCMutexUnlock(&master->lock);
return -1;
}
map->traffic_id = traffic_id;
map->tenant_id = tenant_id;
map->next = master->tenant_mapping_list;
master->tenant_mapping_list = map;
master->tenant_selector = selector;
multi-detect: clean up output
10 years ago
SCLogDebug("tenant handler %u %u %u registered", selector, tenant_id, traffic_id);
multi-detect: initial selectors for tenants The Detection Thread has the TenantGetId pointer which allows it to select a tenant id based on the packet.
11 years ago
SCMutexUnlock(&master->lock);
return 0;
}
multi-detect: implement unregister-tenant-handler Remove a tenant handler from the list and apply it.
11 years ago
static int DetectEngineTentantUnregisterSelector(enum DetectEngineTenantSelectors selector,
uint32_t tenant_id, uint32_t traffic_id)
{
DetectEngineMasterCtx *master = &g_master_de_ctx;
SCMutexLock(&master->lock);
if (master->tenant_mapping_list == NULL) {
SCMutexUnlock(&master->lock);
return -1;
}
DetectEngineTenantMapping *prev = NULL;
DetectEngineTenantMapping *map = master->tenant_mapping_list;
while (map) {
if (map->traffic_id == traffic_id &&
map->tenant_id == tenant_id)
{
if (prev != NULL)
prev->next = map->next;
else
master->tenant_mapping_list = map->next;
map->next = NULL;
SCFree(map);
SCLogInfo("tenant handler %u %u %u unregistered", selector, tenant_id, traffic_id);
SCMutexUnlock(&master->lock);
return 0;
}
prev = map;
map = map->next;
}
SCMutexUnlock(&master->lock);
return -1;
}
multi-tenant: introduce device selector Add device to tenant mapping support: mappings: - device: ens5f0 tenant-id: 1 - device: ens5f1 tenant-id: 23 Implemented by assigning the tenant id to the 'livedev', which means it's only supported for capture methods that use the livedev API. It's also currently not supported for IPS. In a case like 'eth0 -> eth1' it's unclear which tenant should be used for the return traffic in a flow, where the incoming device is 'eth1'.
8 years ago
int DetectEngineTentantRegisterLivedev(uint32_t tenant_id, int device_id)
{
return DetectEngineTentantRegisterSelector(TENANT_SELECTOR_LIVEDEV, tenant_id, (uint32_t)device_id);
}
multi-detect: initial selectors for tenants The Detection Thread has the TenantGetId pointer which allows it to select a tenant id based on the packet.
11 years ago
int DetectEngineTentantRegisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
{
return DetectEngineTentantRegisterSelector(TENANT_SELECTOR_VLAN, tenant_id, (uint32_t)vlan_id);
}
multi-detect: implement unregister-tenant-handler Remove a tenant handler from the list and apply it.
11 years ago
int DetectEngineTentantUnregisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
{
return DetectEngineTentantUnregisterSelector(TENANT_SELECTOR_VLAN, tenant_id, (uint32_t)vlan_id);
}
unix-socket: implement register-tenant-handler Register tenant handlers/selectors based on what the unix command "register-tenant-handler" tells. Check traffic id before adding it. No duplicated registrations for a traffic id are allowed.
11 years ago
int DetectEngineTentantRegisterPcapFile(uint32_t tenant_id)
{
SCLogInfo("registering %u %d 0", TENANT_SELECTOR_DIRECT, tenant_id);
return DetectEngineTentantRegisterSelector(TENANT_SELECTOR_DIRECT, tenant_id, 0);
}
multi-detect: implement unregister-tenant-handler Remove a tenant handler from the list and apply it.
11 years ago
int DetectEngineTentantUnregisterPcapFile(uint32_t tenant_id)
{
SCLogInfo("unregistering %u %d 0", TENANT_SELECTOR_DIRECT, tenant_id);
return DetectEngineTentantUnregisterSelector(TENANT_SELECTOR_DIRECT, tenant_id, 0);
}
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
static uint32_t DetectEngineTentantGetIdFromPcap(const void *ctx, const Packet *p)
detect: select detect engine at Detect entry Limited to Pcap only currently.
11 years ago
{
return p->pcap_v.tenant_id;
}
multi-detect: (un)register-tenant unix socket commands Make available to live mode and unix socket mode. register-tenant: Loads a new YAML, does basic validation. Loads a new detection engine Loads rules Add new de_ctx to master store and stores tenant id in the de_ctx so we can look it up by tenant id later. unregister-tenant: Gets the de_ctx, moves it to the freelist Removes config Introduce DetectEngineGetByTenantId, which gets a reference to the detect engine by tenant id.
11 years ago
DetectEngineCtx *DetectEngineGetByTenantId(int tenant_id)
{
DetectEngineMasterCtx *master = &g_master_de_ctx;
SCMutexLock(&master->lock);
if (master->list == NULL) {
SCMutexUnlock(&master->lock);
return NULL;
}
DetectEngineCtx *de_ctx = master->list;
while (de_ctx) {
detect: make detect engine types explicit There are 3 types of detect engine objects: 1. normal The normal detection engine if no multi-tenancy is in use 2. tenant A per tenant detection engine 3. stub A stub (or minimal as it was called before) detect engine that is needed to have something in place when there are only tenants. A stub is also used in case of 'delayed detect', where we need a minimal detect engine to start up which is replaced by a full (normal type) detect engine after startup. This patch adds a new field 'type' to the DetectEngineCtx object to distinguish between the types. This replaces the boolean 'minimal'.
7 years ago
if (de_ctx->type == DETECT_ENGINE_TYPE_TENANT &&
de_ctx->tenant_id == tenant_id)
{
multi-detect: (un)register-tenant unix socket commands Make available to live mode and unix socket mode. register-tenant: Loads a new YAML, does basic validation. Loads a new detection engine Loads rules Add new de_ctx to master store and stores tenant id in the de_ctx so we can look it up by tenant id later. unregister-tenant: Gets the de_ctx, moves it to the freelist Removes config Introduce DetectEngineGetByTenantId, which gets a reference to the detect engine by tenant id.
11 years ago
de_ctx->ref_cnt++;
break;
}
de_ctx = de_ctx->next;
}
SCMutexUnlock(&master->lock);
return de_ctx;
}
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
void DetectEngineDeReference(DetectEngineCtx **de_ctx)
{
BUG_ON((*de_ctx)->ref_cnt == 0);
(*de_ctx)->ref_cnt--;
*de_ctx = NULL;
}
static int DetectEngineAddToList(DetectEngineCtx *instance)
{
DetectEngineMasterCtx *master = &g_master_de_ctx;
if (instance == NULL)
return -1;
if (master->list == NULL) {
master->list = instance;
} else {
instance->next = master->list;
master->list = instance;
}
return 0;
}
int DetectEngineAddToMaster(DetectEngineCtx *de_ctx)
{
int r;
if (de_ctx == NULL)
return -1;
SCLogDebug("adding de_ctx %p to master", de_ctx);
DetectEngineMasterCtx *master = &g_master_de_ctx;
SCMutexLock(&master->lock);
r = DetectEngineAddToList(de_ctx);
SCMutexUnlock(&master->lock);
return r;
}
int DetectEngineMoveToFreeList(DetectEngineCtx *de_ctx)
{
DetectEngineMasterCtx *master = &g_master_de_ctx;
SCMutexLock(&master->lock);
DetectEngineCtx *instance = master->list;
if (instance == NULL) {
SCMutexUnlock(&master->lock);
return -1;
}
/* remove from active list */
if (instance == de_ctx) {
master->list = instance->next;
} else {
DetectEngineCtx *prev = instance;
instance = instance->next; /* already checked first element */
while (instance) {
DetectEngineCtx *next = instance->next;
if (instance == de_ctx) {
prev->next = instance->next;
break;
}
prev = instance;
instance = next;
}
if (instance == NULL) {
SCMutexUnlock(&master->lock);
return -1;
}
}
/* instance is now detached from list */
instance->next = NULL;
/* add to free list */
if (master->free_list == NULL) {
master->free_list = instance;
} else {
instance->next = master->free_list;
master->free_list = instance;
}
SCLogDebug("detect engine %p moved to free list (%u refs)", de_ctx, de_ctx->ref_cnt);
SCMutexUnlock(&master->lock);
return 0;
}
void DetectEnginePruneFreeList(void)
{
DetectEngineMasterCtx *master = &g_master_de_ctx;
SCMutexLock(&master->lock);
DetectEngineCtx *prev = NULL;
DetectEngineCtx *instance = master->free_list;
while (instance) {
DetectEngineCtx *next = instance->next;
SCLogDebug("detect engine %p has %u ref(s)", instance, instance->ref_cnt);
if (instance->ref_cnt == 0) {
if (prev == NULL) {
master->free_list = next;
} else {
prev->next = next;
}
SCLogDebug("freeing detect engine %p", instance);
DetectEngineCtxFree(instance);
instance = NULL;
}
prev = instance;
instance = next;
}
SCMutexUnlock(&master->lock);
}
detect reload: load config Load the YAML into a prefix "detect-engine-reloads.N" where N is the reload counter. This way we can load the updated config w/o overwriting the current one.
11 years ago
static int reloads = 0;
/** \brief Reload the detection engine
*
* \param filename YAML file to load for the detect config
*
* \retval -1 error
* \retval 0 ok
*/
detect: minor cleanup
8 years ago
int DetectEngineReload(const SCInstance *suri)
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
{
DetectEngineCtx *new_de_ctx = NULL;
DetectEngineCtx *old_de_ctx = NULL;
cppcheck: work around snprintf warning Cppcheck 1.72 gives a warning on the following code pattern: char blah[32] = ""; snprintf(blah, sizeof(blah), "something"); The warning is: (error) Buffer is accessed out of bounds. While this appears to be a FP, in most cases the initialization to "" was unnecessary as the snprintf statement immediately follows the variable declaration.
10 years ago
char prefix[128];
memset(prefix, 0, sizeof(prefix));
detect: log earlier that rule reload is happening
9 years ago
SCLogNotice("rule reload starting");
yaml: remove conf_filename global conf_filename was a global pointer to the filename of the yaml. Move into SCInstance. This reduces it's scope and cleans up the code.
9 years ago
if (suri->conf_filename != NULL) {
detect reload: load config Load the YAML into a prefix "detect-engine-reloads.N" where N is the reload counter. This way we can load the updated config w/o overwriting the current one.
11 years ago
snprintf(prefix, sizeof(prefix), "detect-engine-reloads.%d", reloads++);
yaml: remove conf_filename global conf_filename was a global pointer to the filename of the yaml. Move into SCInstance. This reduces it's scope and cleans up the code.
9 years ago
if (ConfYamlLoadFileWithPrefix(suri->conf_filename, prefix) != 0) {
SCLogError(SC_ERR_CONF_YAML_ERROR, "failed to load yaml %s",
suri->conf_filename);
detect reload: load config Load the YAML into a prefix "detect-engine-reloads.N" where N is the reload counter. This way we can load the updated config w/o overwriting the current one.
11 years ago
return -1;
}
detect: fix settings override for reloads
10 years ago
ConfNode *node = ConfGetNode(prefix);
detect reload: load config Load the YAML into a prefix "detect-engine-reloads.N" where N is the reload counter. This way we can load the updated config w/o overwriting the current one.
11 years ago
if (node == NULL) {
yaml: remove conf_filename global conf_filename was a global pointer to the filename of the yaml. Move into SCInstance. This reduces it's scope and cleans up the code.
9 years ago
SCLogError(SC_ERR_CONF_YAML_ERROR, "failed to properly setup yaml %s",
suri->conf_filename);
detect reload: load config Load the YAML into a prefix "detect-engine-reloads.N" where N is the reload counter. This way we can load the updated config w/o overwriting the current one.
11 years ago
return -1;
}
#if 0
ConfDump();
#endif
}
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
/* get a reference to the current de_ctx */
old_de_ctx = DetectEngineGetCurrent();
if (old_de_ctx == NULL)
return -1;
SCLogDebug("get ref to old_de_ctx %p", old_de_ctx);
detect: fix delayed detect Last multi-detect changes broken delayed-detect by refusing to reload a 'stub' detect engine. This patch distinguishes between a stub for multi-tenancy and for delayed detect.
7 years ago
/* only reload a regular 'normal' and 'delayed detect stub' detect engines */
if (!(old_de_ctx->type == DETECT_ENGINE_TYPE_NORMAL ||
old_de_ctx->type == DETECT_ENGINE_TYPE_DD_STUB))
{
detect: reload-rules shouldn't reload a stub
7 years ago
DetectEngineDeReference(&old_de_ctx);
SCLogNotice("rule reload complete");
return -1;
}
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
/* get new detection engine */
detect reload: load config Load the YAML into a prefix "detect-engine-reloads.N" where N is the reload counter. This way we can load the updated config w/o overwriting the current one.
11 years ago
new_de_ctx = DetectEngineCtxInitWithPrefix(prefix);
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
if (new_de_ctx == NULL) {
detect reload: load config Load the YAML into a prefix "detect-engine-reloads.N" where N is the reload counter. This way we can load the updated config w/o overwriting the current one.
11 years ago
SCLogError(SC_ERR_INITIALIZATION, "initializing detection engine "
"context failed.");
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
DetectEngineDeReference(&old_de_ctx);
return -1;
}
rules-reload: fix reload with -s or -S When using the -S or -s option, the reload was causing the specified rules file to be forgotten and the default rules to be loaded at reload time.
10 years ago
if (SigLoadSignatures(new_de_ctx,
suri->sig_file, suri->sig_file_exclusive) != 0) {
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
DetectEngineCtxFree(new_de_ctx);
DetectEngineDeReference(&old_de_ctx);
return -1;
}
SCLogDebug("set up new_de_ctx %p", new_de_ctx);
/* add to master */
DetectEngineAddToMaster(new_de_ctx);
/* move to old free list */
DetectEngineMoveToFreeList(old_de_ctx);
DetectEngineDeReference(&old_de_ctx);
SCLogDebug("going to reload the threads to use new_de_ctx %p", new_de_ctx);
/* update the threads */
DetectEngineReloadThreads(new_de_ctx);
SCLogDebug("threads now run new_de_ctx %p", new_de_ctx);
/* walk free list, freeing the old_de_ctx */
DetectEnginePruneFreeList();
detect: use engine version instead of id Use engine version based on global detect engine master. This is incremented between reloads.
9 years ago
DetectEngineBumpVersion();
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
SCLogDebug("old_de_ctx should have been freed");
detect: log earlier that rule reload is happening
9 years ago
SCLogNotice("rule reload complete");
detect: update detect engine management Update detect engine management to make it easier to reload the detect engine. Core of the new approach is a 'master' ctx, that keeps a list of one or more detect engines. The detect engines will not be passed to any thread directly, but instead will only be accessed through the detect engine thread contexts. As we can replace those atomically, replacing a detect engine becomes easier. Each thread keeps a reference to its detect context. When a detect engine is replaced or removed, it's added to a free list. Once its reference count reaches 0, it is freed.
11 years ago
return 0;
}
multi-detect: hash lookup for tenants Use hash for storing and looking up det_ctxs.
10 years ago
static uint32_t TenantIdHash(HashTable *h, void *data, uint16_t data_len)
{
DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;
return det_ctx->tenant_id % h->array_size;
}
static char TenantIdCompare(void *d1, uint16_t d1_len, void *d2, uint16_t d2_len)
{
DetectEngineThreadCtx *det1 = (DetectEngineThreadCtx *)d1;
DetectEngineThreadCtx *det2 = (DetectEngineThreadCtx *)d2;
return (det1->tenant_id == det2->tenant_id);
}
static void TenantIdFree(void *d)
{
DetectEngineThreadCtxFree(d);
}
detect: initial MT lookup logic In the DetectEngineThreadCtx, store another DetectEngineThreadCtx per tenant. Currently it's just a simple array indexed by the tenant id.
11 years ago
int DetectEngineMTApply(void)
{
DetectEngineMasterCtx *master = &g_master_de_ctx;
SCMutexLock(&master->lock);
multi-detect: initial selectors for tenants The Detection Thread has the TenantGetId pointer which allows it to select a tenant id based on the packet.
11 years ago
if (master->tenant_selector == TENANT_SELECTOR_UNKNOWN) {
SCLogInfo("error, no tenant selector");
SCMutexUnlock(&master->lock);
return -1;
}
detect: make detect engine types explicit There are 3 types of detect engine objects: 1. normal The normal detection engine if no multi-tenancy is in use 2. tenant A per tenant detection engine 3. stub A stub (or minimal as it was called before) detect engine that is needed to have something in place when there are only tenants. A stub is also used in case of 'delayed detect', where we need a minimal detect engine to start up which is replaced by a full (normal type) detect engine after startup. This patch adds a new field 'type' to the DetectEngineCtx object to distinguish between the types. This replaces the boolean 'minimal'.
7 years ago
DetectEngineCtx *stub_de_ctx = NULL;
detect: reload-rules shouldn't reload a stub
7 years ago
DetectEngineCtx *list = master->list;
for ( ; list != NULL; list = list->next) {
SCLogDebug("list %p tenant %u", list, list->tenant_id);
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
detect: fix delayed detect Last multi-detect changes broken delayed-detect by refusing to reload a 'stub' detect engine. This patch distinguishes between a stub for multi-tenancy and for delayed detect.
7 years ago
if (list->type == DETECT_ENGINE_TYPE_NORMAL ||
list->type == DETECT_ENGINE_TYPE_MT_STUB ||
list->type == DETECT_ENGINE_TYPE_DD_STUB)
{
detect: reload-rules shouldn't reload a stub
7 years ago
stub_de_ctx = list;
break;
}
}
if (stub_de_ctx == NULL) {
detect: fix delayed detect Last multi-detect changes broken delayed-detect by refusing to reload a 'stub' detect engine. This patch distinguishes between a stub for multi-tenancy and for delayed detect.
7 years ago
stub_de_ctx = DetectEngineCtxInitStubForMT();
detect: reload-rules shouldn't reload a stub
7 years ago
if (stub_de_ctx == NULL) {
SCMutexUnlock(&master->lock);
return -1;
}
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
detect: reload-rules shouldn't reload a stub
7 years ago
if (master->list == NULL) {
master->list = stub_de_ctx;
} else {
stub_de_ctx->next = master->list;
master->list = stub_de_ctx;
multi-detect: use default tenant The default detect engine can be used as 'default tenant'.
10 years ago
}
detect: initial MT lookup logic In the DetectEngineThreadCtx, store another DetectEngineThreadCtx per tenant. Currently it's just a simple array indexed by the tenant id.
11 years ago
}
/* update the threads */
SCLogDebug("MT reload starting");
detect: make detect engine types explicit There are 3 types of detect engine objects: 1. normal The normal detection engine if no multi-tenancy is in use 2. tenant A per tenant detection engine 3. stub A stub (or minimal as it was called before) detect engine that is needed to have something in place when there are only tenants. A stub is also used in case of 'delayed detect', where we need a minimal detect engine to start up which is replaced by a full (normal type) detect engine after startup. This patch adds a new field 'type' to the DetectEngineCtx object to distinguish between the types. This replaces the boolean 'minimal'.
7 years ago
DetectEngineReloadThreads(stub_de_ctx);
detect: initial MT lookup logic In the DetectEngineThreadCtx, store another DetectEngineThreadCtx per tenant. Currently it's just a simple array indexed by the tenant id.
11 years ago
SCLogDebug("MT reload done");
SCMutexUnlock(&master->lock);
/* walk free list, freeing the old_de_ctx */
DetectEnginePruneFreeList();
SCLogDebug("old_de_ctx should have been freed");
return 0;
}
output-json-alert: conditionaly output metadata Metadata of the signature can now conditionaly put in the alert events. This will allow user to get more context about the events generated by the alert. detect-metadata: conditional parsing Only parses metadata if an output module will use the information. Patch also adds a unittest to check metadata is not parsed if not asked to. output-json-alert: optional output keys as array Update rule metadata configuration to have an option to output value as array. Also adds an option to log only a series of keys as array. This is useful in the case of some ruleset where from instance the `tag` key is used multiple time. (Jason Ish) rule metadata: always log as lists After review of rule metadata, we can't make assumptions on what should be a list or not. So log everything as a list.
8 years ago
static int g_parse_metadata = 0;
void DetectEngineSetParseMetadata(void)
{
g_parse_metadata = 1;
}
void DetectEngineUnsetParseMetadata(void)
{
g_parse_metadata = 0;
}
int DetectEngineMustParseMetadata(void)
{
return g_parse_metadata;
}
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
{
detect: add tostring function for DETECT_SM_LIST_ enum.
12 years ago
switch (type) {
case DETECT_SM_LIST_MATCH:
return "packet";
case DETECT_SM_LIST_PMATCH:
return "packet/stream payload";
case DETECT_SM_LIST_TMATCH:
return "tag";
base64_decode, base64_data: decode and match base64
10 years ago
case DETECT_SM_LIST_BASE64_DATA:
return "base64_data";
detect: add tostring function for DETECT_SM_LIST_ enum.
12 years ago
case DETECT_SM_LIST_POSTMATCH:
return "post-match";
case DETECT_SM_LIST_SUPPRESS:
return "suppress";
case DETECT_SM_LIST_THRESHOLD:
return "threshold";
case DETECT_SM_LIST_MAX:
return "max (internal)";
}
return "error";
}
detect: set events in inspection phase During the inspection phase actually is not possible to catch an error if it occurs. This patch permits to store events in the detection engine such that we can match on events and catch them.
8 years ago
/* events api */
void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e)
{
AppLayerDecoderEventsSetEventRaw(&det_ctx->decoder_events, e);
det_ctx->events++;
}
AppLayerDecoderEvents *DetectEngineGetEvents(DetectEngineThreadCtx *det_ctx)
{
return det_ctx->decoder_events;
}
int DetectEngineGetEventInfo(const char *event_name, int *event_id,
AppLayerEventType *event_type)
{
*event_id = SCMapEnumNameToValue(event_name, det_ctx_event_table);
if (*event_id == -1) {
SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in "
"det_ctx's enum map table.", event_name);
/* this should be treated as fatal */
return -1;
}
*event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
return 0;
}
Thread local ctx for detection keywords Some detection keywords need thread local ctx storage. Example is the filemagic keyword that has a ctx that is modified with each call. That is not thread safe. This functionality allows registration of thread local ctxs so that each detect thread works on it's own copy.
13 years ago
define a new conf paramter detect-engine:inspection-recursion-limit; Defines a recursion limit for content inspection code
15 years ago
/*************************************Unittest*********************************/
#ifdef UNITTESTS
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
static int DetectEngineInitYamlConf(const char *conf)
define a new conf paramter detect-engine:inspection-recursion-limit; Defines a recursion limit for content inspection code
15 years ago
{
ConfCreateContextBackup();
ConfInit();
return ConfYamlLoadString(conf, strlen(conf));
}
static void DetectEngineDeInitYamlConf(void)
{
ConfDeInit();
ConfRestoreContextBackup();
return;
}
static int DetectEngineTest01(void)
{
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
const char *conf =
define a new conf paramter detect-engine:inspection-recursion-limit; Defines a recursion limit for content inspection code
15 years ago
"%YAML 1.1\n"
"---\n"
"detect-engine:\n"
" - profile: medium\n"
" - custom-values:\n"
" toclient_src_groups: 2\n"
" toclient_dst_groups: 2\n"
" toclient_sp_groups: 2\n"
" toclient_dp_groups: 3\n"
" toserver_src_groups: 2\n"
" toserver_dst_groups: 4\n"
" toserver_sp_groups: 2\n"
" toserver_dp_groups: 25\n"
" - inspection-recursion-limit: 0\n";
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if (DetectEngineInitYamlConf(conf) == -1)
return 0;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
result = (de_ctx->inspection_recursion_limit == -1);
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
DetectEngineDeInitYamlConf();
return result;
}
static int DetectEngineTest02(void)
{
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
const char *conf =
define a new conf paramter detect-engine:inspection-recursion-limit; Defines a recursion limit for content inspection code
15 years ago
"%YAML 1.1\n"
"---\n"
"detect-engine:\n"
" - profile: medium\n"
" - custom-values:\n"
" toclient_src_groups: 2\n"
" toclient_dst_groups: 2\n"
" toclient_sp_groups: 2\n"
" toclient_dp_groups: 3\n"
" toserver_src_groups: 2\n"
" toserver_dst_groups: 4\n"
" toserver_sp_groups: 2\n"
" toserver_dp_groups: 25\n"
" - inspection-recursion-limit:\n";
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if (DetectEngineInitYamlConf(conf) == -1)
return 0;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
result = (de_ctx->inspection_recursion_limit == -1);
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
DetectEngineDeInitYamlConf();
return result;
}
static int DetectEngineTest03(void)
{
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
const char *conf =
define a new conf paramter detect-engine:inspection-recursion-limit; Defines a recursion limit for content inspection code
15 years ago
"%YAML 1.1\n"
"---\n"
"detect-engine:\n"
" - profile: medium\n"
" - custom-values:\n"
" toclient_src_groups: 2\n"
" toclient_dst_groups: 2\n"
" toclient_sp_groups: 2\n"
" toclient_dp_groups: 3\n"
" toserver_src_groups: 2\n"
" toserver_dst_groups: 4\n"
" toserver_sp_groups: 2\n"
" toserver_dp_groups: 25\n";
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if (DetectEngineInitYamlConf(conf) == -1)
return 0;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
result = (de_ctx->inspection_recursion_limit ==
DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT);
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
DetectEngineDeInitYamlConf();
return result;
}
static int DetectEngineTest04(void)
{
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
const char *conf =
define a new conf paramter detect-engine:inspection-recursion-limit; Defines a recursion limit for content inspection code
15 years ago
"%YAML 1.1\n"
"---\n"
"detect-engine:\n"
" - profile: medium\n"
" - custom-values:\n"
" toclient_src_groups: 2\n"
" toclient_dst_groups: 2\n"
" toclient_sp_groups: 2\n"
" toclient_dp_groups: 3\n"
" toserver_src_groups: 2\n"
" toserver_dst_groups: 4\n"
" toserver_sp_groups: 2\n"
" toserver_dp_groups: 25\n"
" - inspection-recursion-limit: 10\n";
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if (DetectEngineInitYamlConf(conf) == -1)
return 0;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
result = (de_ctx->inspection_recursion_limit == 10);
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
DetectEngineDeInitYamlConf();
return result;
}
Fix parsing of 'custom' detect grouping values Also, add error checking Bug 892
12 years ago
static int DetectEngineTest08(void)
{
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
const char *conf =
Fix parsing of 'custom' detect grouping values Also, add error checking Bug 892
12 years ago
"%YAML 1.1\n"
"---\n"
"detect-engine:\n"
" - profile: custom\n"
" - custom-values:\n"
detect: rename groupings vars
10 years ago
" toclient-groups: 23\n"
" toserver-groups: 27\n";
Fix parsing of 'custom' detect grouping values Also, add error checking Bug 892
12 years ago
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if (DetectEngineInitYamlConf(conf) == -1)
return 0;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
detect: rename groupings vars
10 years ago
if (de_ctx->max_uniq_toclient_groups == 23 &&
de_ctx->max_uniq_toserver_groups == 27)
Fix parsing of 'custom' detect grouping values Also, add error checking Bug 892
12 years ago
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
DetectEngineDeInitYamlConf();
return result;
}
/** \test bug 892 bad values */
static int DetectEngineTest09(void)
{
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
const char *conf =
Fix parsing of 'custom' detect grouping values Also, add error checking Bug 892
12 years ago
"%YAML 1.1\n"
"---\n"
"detect-engine:\n"
" - profile: custom\n"
" - custom-values:\n"
detect: rename groupings vars
10 years ago
" toclient-groups: BA\n"
" toserver-groups: BA\n"
Fix parsing of 'custom' detect grouping values Also, add error checking Bug 892
12 years ago
" - inspection-recursion-limit: 10\n";
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if (DetectEngineInitYamlConf(conf) == -1)
return 0;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
detect: set new defaults for grouping
10 years ago
if (de_ctx->max_uniq_toclient_groups == 20 &&
de_ctx->max_uniq_toserver_groups == 40)
Fix parsing of 'custom' detect grouping values Also, add error checking Bug 892
12 years ago
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
DetectEngineDeInitYamlConf();
return result;
}
define a new conf paramter detect-engine:inspection-recursion-limit; Defines a recursion limit for content inspection code
15 years ago
#endif
void DetectEngineRegisterTests()
{
#ifdef UNITTESTS
tests: no longer necessary to provide successful return code 1 pass, 0 is fail.
9 years ago
UtRegisterTest("DetectEngineTest01", DetectEngineTest01);
UtRegisterTest("DetectEngineTest02", DetectEngineTest02);
UtRegisterTest("DetectEngineTest03", DetectEngineTest03);
UtRegisterTest("DetectEngineTest04", DetectEngineTest04);
UtRegisterTest("DetectEngineTest08", DetectEngineTest08);
UtRegisterTest("DetectEngineTest09", DetectEngineTest09);
define a new conf paramter detect-engine:inspection-recursion-limit; Defines a recursion limit for content inspection code
15 years ago
#endif
return;
}