aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'fd7927ecd6'
${ noResults }
suricata/src/detect-engine-state.h

162 lines
7.9 KiB
C
Raw Normal View History Unescape Escape

Implement filestore keyword, including a way for the stateful detection engine to conclude that a file will never have to be stored.
14 years ago
/* Copyright (C) 2007-2011 Open Information Security Foundation
GPL and Copyright header updates.
15 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
doc: create doxygen group for state detection.
14 years ago
/**
* \ingroup sigstate
*
* @{
*/
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
/**
* \file
*
* \brief Data structures and function prototypes for keeping
* state for the detection engine.
*
* \author Victor Julien <victor@inliniac.net>
*/
/* On DeState and locking.
*
* The DeState is part of a flow, but it can't be protected by the flow lock.
* Reason is we need to lock the DeState data for an entire detection run,
* as we're looping through on "continued" detection and rely on only a single
* detection instance setting it up on first run. We can't keep the entire flow
* locked during detection for performance reasons, it would slow us down too
* much.
*
* So a new lock was introduced. The only part of the process where we need
* the flow lock is obviously when we're getting/setting the de_state ptr from
* to the flow.
*/
#ifndef __DETECT_ENGINE_STATE_H__
#define __DETECT_ENGINE_STATE_H__
/** number of DeStateStoreItem's in one DeStateStore object */
Implement filestore keyword, including a way for the stateful detection engine to conclude that a file will never have to be stored.
14 years ago
#define DE_STATE_CHUNK_SIZE 15
/* per stored sig flags */
http user agent keyword + mpm + inspection + fast pattern support added
13 years ago
#define DE_STATE_FLAG_PAYLOAD_MATCH 1 /**< payload part of the sig matched */
#define DE_STATE_FLAG_URI_MATCH 1 << 1 /**< uri part of the sig matched */
#define DE_STATE_FLAG_DCE_MATCH 1 << 2 /**< dce payload inspection part matched */
#define DE_STATE_FLAG_HCBD_MATCH 1 << 3 /**< hcbd payload inspection part matched */
#define DE_STATE_FLAG_HSBD_MATCH 1 << 4 /**< hcbd payload inspection part matched */
#define DE_STATE_FLAG_HHD_MATCH 1 << 5 /**< hhd payload inspection part matched */
#define DE_STATE_FLAG_HRHD_MATCH 1 << 6 /**< hrhd payload inspection part matched */
#define DE_STATE_FLAG_HMD_MATCH 1 << 7 /**< hmd payload inspection part matched */
#define DE_STATE_FLAG_HCD_MATCH 1 << 8 /**< hcd payload inspection part matched */
#define DE_STATE_FLAG_HRUD_MATCH 1 << 9 /**< hrud payload inspection part matched */
#define DE_STATE_FLAG_FILE_TC_MATCH 1 << 10
#define DE_STATE_FLAG_FILE_TS_MATCH 1 << 11
#define DE_STATE_FLAG_FULL_MATCH 1 << 12 /**< sig already fully matched */
#define DE_STATE_FLAG_SIG_CANT_MATCH 1 << 13 /**< signature has no chance of matching */
#define DE_STATE_FLAG_HSMD_MATCH 1 << 14 /**< hsmd payload inspection part matched */
#define DE_STATE_FLAG_HSCD_MATCH 1 << 15 /**< hscd payload inspection part matched */
#define DE_STATE_FLAG_HUAD_MATCH 1 << 16 /**< huad payload inspection part matched */
Add support for a new keyword to inspect http_host header. The corresponding content keyword would now be - http_host. The corresponding pcre modifier would be W.
13 years ago
#define DE_STATE_FLAG_HHHD_MATCH 1 << 17 /**< hhhd payload inspection part matched */
Add support for the new keyword - http_raw_host header. The corresponding pcre modifier would be 'Z'.
13 years ago
#define DE_STATE_FLAG_HRHHD_MATCH 1 << 18 /**< hrhhd payload inspection part matched */
file inspect: stateful inspection split Split stateful detection of the files in a HTTP state between toserver and toclient inspection.
14 years ago
#define DE_STATE_FLAG_URI_INSPECT DE_STATE_FLAG_URI_MATCH /**< uri part of the sig inspected */
#define DE_STATE_FLAG_DCE_INSPECT DE_STATE_FLAG_DCE_MATCH /**< dce payload inspection part inspected */
#define DE_STATE_FLAG_HCBD_INSPECT DE_STATE_FLAG_HCBD_MATCH /**< hcbd payload inspection part inspected */
Introduce http_server_body keyword. The http_server_body content modifier modifies the previous content to inspect the normalized (dechunked, unzipped) http_server_body. The workings are similar to http_client_body. Additionally, a new pcre flag was introduced "/S". To facilitate this change the signature flags field was changed to be 64 bit.
14 years ago
#define DE_STATE_FLAG_HSBD_INSPECT DE_STATE_FLAG_HSBD_MATCH /**< hsbd payload inspection part inspected */
file inspect: stateful inspection split Split stateful detection of the files in a HTTP state between toserver and toclient inspection.
14 years ago
#define DE_STATE_FLAG_HHD_INSPECT DE_STATE_FLAG_HHD_MATCH /**< hhd payload inspection part inspected */
#define DE_STATE_FLAG_HRHD_INSPECT DE_STATE_FLAG_HRHD_MATCH /**< hrhd payload inspection part inspected */
#define DE_STATE_FLAG_HMD_INSPECT DE_STATE_FLAG_HMD_MATCH /**< hmd payload inspection part inspected */
#define DE_STATE_FLAG_HCD_INSPECT DE_STATE_FLAG_HCD_MATCH /**< hcd payload inspection part inspected */
#define DE_STATE_FLAG_HRUD_INSPECT DE_STATE_FLAG_HRUD_MATCH /**< hrud payload inspection part inspected */
#define DE_STATE_FLAG_FILE_TC_INSPECT DE_STATE_FLAG_FILE_TC_MATCH
#define DE_STATE_FLAG_FILE_TS_INSPECT DE_STATE_FLAG_FILE_TS_MATCH
Support http stat msg detection engine, fast pattern(mpm engine included). Fix http stat msg setup function. Fix pcre option for stat msg keyword
14 years ago
#define DE_STATE_FLAG_HSMD_INSPECT DE_STATE_FLAG_HSMD_MATCH /**< hsmd payload inspection part inspected */
Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S
14 years ago
#define DE_STATE_FLAG_HSCD_INSPECT DE_STATE_FLAG_HSCD_MATCH /**< hscd payload inspection part inspected */
http user agent keyword + mpm + inspection + fast pattern support added
13 years ago
#define DE_STATE_FLAG_HUAD_INSPECT DE_STATE_FLAG_HUAD_MATCH /**< huad payload inspection part inspected */
Add support for a new keyword to inspect http_host header. The corresponding content keyword would now be - http_host. The corresponding pcre modifier would be W.
13 years ago
#define DE_STATE_FLAG_HHHD_INSPECT DE_STATE_FLAG_HHHD_MATCH /**< hhhd payload inspection part inspected */
Add support for the new keyword - http_raw_host header. The corresponding pcre modifier would be 'Z'.
13 years ago
#define DE_STATE_FLAG_HRHHD_INSPECT DE_STATE_FLAG_HRHHD_MATCH /**< hrhhd payload inspection part inspected */
Clean up stateful detection code.
14 years ago
Implement filestore keyword, including a way for the stateful detection engine to conclude that a file will never have to be stored.
14 years ago
/* state flags */
#define DE_STATE_FILE_STORE_DISABLED 0x0001
file inspect: stateful inspection split Split stateful detection of the files in a HTTP state between toserver and toclient inspection.
14 years ago
#define DE_STATE_FILE_TC_NEW 0x0002
#define DE_STATE_FILE_TS_NEW 0x0004
Clean up stateful detection code.
14 years ago
Change stateful detection engine to be able to start the stateful detection separate from other sigs. Fixes bugs #213, #214, #215.
15 years ago
/** per signature detection engine state */
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
typedef enum {
Change stateful detection engine to be able to start the stateful detection separate from other sigs. Fixes bugs #213, #214, #215.
15 years ago
DE_STATE_MATCH_NOSTATE = 0, /**< no state for this sig*/
DE_STATE_MATCH_FULL, /**< sig already fully matched */
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
DE_STATE_MATCH_PARTIAL, /**< partial state match */
Change stateful detection engine to be able to start the stateful detection separate from other sigs. Fixes bugs #213, #214, #215.
15 years ago
DE_STATE_MATCH_NEW, /**< new (full) match this run */
Implement filestore keyword, including a way for the stateful detection engine to conclude that a file will never have to be stored.
14 years ago
DE_STATE_MATCH_NOMATCH, /**< not a match */
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
} DeStateMatchResult;
/** \brief State storage for a single signature */
typedef struct DeStateStoreItem_ {
SigIntId sid; /**< Signature internal id to store the state for (16 or
* 32 bit depending on how SigIntId is defined). */
http user agent keyword + mpm + inspection + fast pattern support added
13 years ago
uint32_t flags; /**< flags */
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
SigMatch *nm; /**< next sig match to try, or null if done */
} DeStateStoreItem;
/** \brief State store "chunk" for x number of signature */
typedef struct DeStateStore_ {
DeStateStoreItem store[DE_STATE_CHUNK_SIZE]; /**< array of storage objects */
struct DeStateStore_ *next; /**< ptr to the next array */
} DeStateStore;
/** \brief State store main object */
typedef struct DetectEngineState_ {
Implement filestore keyword, including a way for the stateful detection engine to conclude that a file will never have to be stored.
14 years ago
DeStateStore *head; /**< signature state storage */
DeStateStore *tail; /**< tail item of the storage list */
SigIntId cnt; /**< number of sigs in the storage */
uint16_t toclient_version; /**< app layer state "version" inspected
* last in to client direction */
uint16_t toserver_version; /**< app layer state "version" inspected
* last in to server direction */
uint16_t toclient_filestore_cnt;/**< number of sigs with filestore that
* cannot match in to client direction. */
uint16_t toserver_filestore_cnt;/**< number of sigs with filestore that
* cannot match in to server direction. */
uint16_t flags;
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
} DetectEngineState;
void DeStateRegisterTests(void);
DeStateStore *DeStateStoreAlloc(void);
void DeStateStoreFree(DeStateStore *);
void DetectEngineStateReset(DetectEngineState *state);
DetectEngineState *DetectEngineStateAlloc(void);
void DetectEngineStateFree(DetectEngineState *);
Simplify flow resetting on de_ctx update. Detect ctx id starts at 1. So in a flow 0 means uninitialized (thus set) and if we detect flow is not equal to detect id, we reset the sgh storage and de_state.
14 years ago
int DeStateFlowHasState(Flow *, uint8_t, uint16_t);
Convert uricontent scanning to use the detect engine state.
15 years ago
int DeStateDetectStartDetection(ThreadVars *, DetectEngineCtx *,
Add a app layer state and stateful detection engine counter that makes sure the stateful inspection is only done when the state changes.
14 years ago
DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *,
uint16_t, uint16_t);
Convert uricontent scanning to use the detect engine state.
15 years ago
int DeStateDetectContinueDetection(ThreadVars *, DetectEngineCtx *,
Add a app layer state and stateful detection engine counter that makes sure the stateful inspection is only done when the state changes.
14 years ago
DetectEngineThreadCtx *, Flow *, uint8_t, void *, uint16_t,
uint16_t);
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
const char *DeStateMatchResultToString(DeStateMatchResult);
Fix tcp connections that are reset (RST packet) not always inspecting the reassembled stream. Update transaction id code to make sure both directions of a transaction are inspected before incrementing the inspect_id.
15 years ago
int DeStateUpdateInspectTransactionId(Flow *, char);
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124.
15 years ago
#endif /* __DETECT_ENGINE_STATE_H__ */
doc: create doxygen group for state detection.
14 years ago
/**
* @}
*/