detect/alert: remove unused functions

Since we now only copy the PacketAlerts to the Packet's queue after
processing them, we no longer do packet alert appending from
detect-engine-alert, nor do we remove PacketAlerts from the queue (if
they're discarded by overflow or thresholding, they're not copied to the
final alert queue).

Task #4943
pull/7349/head
Juliana Fajardini 4 years ago committed by Victor Julien
parent 185b43edff
commit e4e688a9b0

@ -151,84 +151,6 @@ int PacketAlertCheck(Packet *p, uint32_t sid)
return match;
}
/**
* \brief Remove alert from the p->alerts.alerts array at pos
* \param p Pointer to the Packet
* \param pos Position in the array
* \retval 0 if the number of alerts is less than pos
* 1 if all goes well
*/
int PacketAlertRemove(Packet *p, uint16_t pos)
{
uint16_t i = 0;
int match = 0;
if (pos > p->alerts.cnt) {
SCLogDebug("removing %u failed, pos > cnt %u", pos, p->alerts.cnt);
return 0;
}
for (i = pos; i <= p->alerts.cnt - 1; i++) {
memcpy(&p->alerts.alerts[i], &p->alerts.alerts[i + 1], sizeof(PacketAlert));
}
// Update it, since we removed 1
p->alerts.cnt--;
return match;
}
/** \brief append a signature match to a packet
*
* \param det_ctx thread detection engine ctx
* \param s the signature that matched
* \param p packet
* \param flags alert flags
*/
int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, const Signature *s,
Packet *p, uint64_t tx_id, uint8_t flags)
{
int i = 0;
if (p->alerts.cnt == PACKET_ALERT_MAX)
return 0;
SCLogDebug("sid %"PRIu32"", s->id);
/* It should be usually the last, so check it before iterating */
if (p->alerts.cnt == 0 || (p->alerts.cnt > 0 &&
p->alerts.alerts[p->alerts.cnt - 1].num < s->num)) {
/* We just add it */
p->alerts.alerts[p->alerts.cnt].num = s->num;
p->alerts.alerts[p->alerts.cnt].action = s->action;
p->alerts.alerts[p->alerts.cnt].flags = flags;
p->alerts.alerts[p->alerts.cnt].s = s;
p->alerts.alerts[p->alerts.cnt].tx_id = tx_id;
p->alerts.alerts[p->alerts.cnt].frame_id =
(flags & PACKET_ALERT_FLAG_FRAME) ? det_ctx->frame_id : 0;
} else {
/* We need to make room for this s->num
(a bit ugly with memcpy but we are planning changes here)*/
for (i = p->alerts.cnt - 1; i >= 0 && p->alerts.alerts[i].num > s->num; i--) {
memcpy(&p->alerts.alerts[i + 1], &p->alerts.alerts[i], sizeof(PacketAlert));
}
i++; /* The right place to store the alert */
p->alerts.alerts[i].num = s->num;
p->alerts.alerts[i].action = s->action;
p->alerts.alerts[i].flags = flags;
p->alerts.alerts[i].s = s;
p->alerts.alerts[i].tx_id = tx_id;
p->alerts.alerts[i].frame_id = (flags & PACKET_ALERT_FLAG_FRAME) ? det_ctx->frame_id : 0;
}
/* Update the count */
p->alerts.cnt++;
return 0;
}
static inline void RuleActionToFlow(const uint8_t action, Flow *f)
{
if (action & (ACTION_DROP | ACTION_REJECT_ANY | ACTION_PASS)) {

@ -33,10 +33,7 @@ void AlertQueueFree(DetectEngineThreadCtx *det_ctx);
void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id,
uint8_t alert_flags);
void PacketAlertFinalize(DetectEngineCtx *, DetectEngineThreadCtx *, Packet *);
int PacketAlertAppend(DetectEngineThreadCtx *, const Signature *,
Packet *, uint64_t tx_id, uint8_t);
int PacketAlertCheck(Packet *, uint32_t);
int PacketAlertRemove(Packet *, uint16_t);
void PacketAlertTagInit(void);
PacketAlert *PacketAlertGetTag(void);
