suricata  5.0.3
About: Suricata is a high performance Network Intrusion Detection (IDS) and Prevention (IPS) and Network Security Monitoring engine.
  Fossies Dox: suricata-5.0.3.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

State support

State is stored in the DetectEngineState structure. This is basically a container for storage items of type DeStateStore. These contain an array of DeStateStoreItem, each of which stores the match state for an individual signature identified by DeStateStoreItem::sid. More...

Files

file  detect-engine-state.c
 State based signature handling.
 
file  detect-engine-state.h
 Data structures and function prototypes for keeping state for the detection engine.
 

Macros

#define CASE_CODE(E)   case E: return #E
 

Functions

static int StateIsValid (uint16_t alproto, void *alstate)
 
static DeStateStore * DeStateStoreAlloc (void)
 
static void DeStateSignatureAppend (DetectEngineState *state, const Signature *s, uint32_t inspect_flags, uint8_t direction)
 
DetectEngineState * DetectEngineStateAlloc (void)
 Alloc a DetectEngineState object. More...
 
void DetectEngineStateFree (DetectEngineState *state)
 Frees a DetectEngineState object. More...
 
static void StoreFileNoMatchCnt (DetectEngineState *de_state, uint16_t file_no_match, uint8_t direction)
 
static bool StoreFilestoreSigsCantMatch (const SigGroupHead *sgh, const DetectEngineState *de_state, uint8_t direction)
 
static void StoreStateTxHandleFiles (const SigGroupHead *sgh, Flow *f, DetectEngineState *destate, const uint8_t flow_flags, const uint64_t tx_id, const uint16_t file_no_match)
 
void DetectRunStoreStateTx (const SigGroupHead *sgh, Flow *f, void *tx, uint64_t tx_id, const Signature *s, uint32_t inspect_flags, uint8_t flow_flags, const uint16_t file_no_match)
 
void DeStateUpdateInspectTransactionId (Flow *f, const uint8_t flags, const bool tag_txs_as_inspected)
 Update the flow's inspection ids. More...
 
void DetectEngineStateResetTxs (Flow *f)
 Reset the de_state for active txs. To be used on detect engine reload. More...
 
void DeStateRegisterTests (void)
 

Detailed Description

State is stored in the DetectEngineState structure. This is basically a container for storage items of type DeStateStore. These contain an array of DeStateStoreItem, each of which stores the match state for an individual signature identified by DeStateStoreItem::sid.

Macro Definition Documentation

◆ CASE_CODE

#define CASE_CODE(E)   case E: return #E

Convert an enum value to its name as a string.

Definition at line 71 of file detect-engine-state.c.

Function Documentation

◆ DeStateRegisterTests()

void DeStateRegisterTests ( void  )

Definition at line 1370 of file detect-engine-state.c.

◆ DeStateSignatureAppend()

◆ DeStateStoreAlloc()

static DeStateStore* DeStateStoreAlloc ( void  )
static

Definition at line 87 of file detect-engine-state.c.

References SCMalloc, and unlikely.

Referenced by DeStateSignatureAppend().

◆ DeStateUpdateInspectTransactionId()

void DeStateUpdateInspectTransactionId ( Flow *  f,
const uint8_t  flags,
const bool  tag_txs_as_inspected 
)

Update the flow's inspection ids.

Update the inspect id.

Parameters
f	unlocked flow
flags	direction and disruption flags
tag_txs_as_inspected	if true all 'complete' txs will be marked 'inspected'
Note
It is possible that f->alstate and f->alparser are NULL.

Definition at line 253 of file detect-engine-state.c.

References AppLayerParserSetTransactionInspectId(), sock_to_gzip_file::f, and flags.

Referenced by DetectFlow(), and DetectRunPostRules().

◆ DetectEngineStateAlloc()

DetectEngineState* DetectEngineStateAlloc ( void  )

Alloc a DetectEngineState object.

Return values
Alloc'd	instance of DetectEngineState.

Definition at line 166 of file detect-engine-state.c.

References SCMalloc, and unlikely.

Referenced by DetectRunStoreStateTx().

◆ DetectEngineStateFree()

◆ DetectEngineStateResetTxs()

◆ DetectRunStoreStateTx()

void DetectRunStoreStateTx ( const SigGroupHead *  sgh,
Flow *  f,
void *  tx,
uint64_t  tx_id,
const Signature *  s,
uint32_t  inspect_flags,
uint8_t  flow_flags,
const uint16_t  file_no_match 
)

◆ StateIsValid()

static int StateIsValid ( uint16_t  alproto,
void *  alstate 
)
inline static

Definition at line 72 of file detect-engine-state.c.

References ALPROTO_HTTP, and HtpState_::conn.

Referenced by DetectEngineStateResetTxs().

◆ StoreFileNoMatchCnt()

static void StoreFileNoMatchCnt ( DetectEngineState *  de_state,
uint16_t  file_no_match,
uint8_t  direction 
)
static

◆ StoreFilestoreSigsCantMatch()

static bool StoreFilestoreSigsCantMatch ( const SigGroupHead *  sgh,
const DetectEngineState *  de_state,
uint8_t  direction 
)
static

◆ StoreStateTxHandleFiles()

static void StoreStateTxHandleFiles ( const SigGroupHead *  sgh,
Flow *  f,
DetectEngineState *  destate,
const uint8_t  flow_flags,
const uint64_t  tx_id,
const uint16_t  file_no_match 
)
static