suricata/src/detect-engine-build.h

44 lines, 1.7 KiB, C

```c
/* Copyright (C) 2007-2017 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

#ifndef __DETECT_ENGINE_BUILD_H__
#define __DETECT_ENGINE_BUILD_H__

void PacketCreateMask(Packet *p, SignatureMask *mask, AppProto alproto,
        bool app_decoder_events);

int SignatureIsFilestoring(const Signature *);
int SignatureIsFilemagicInspecting(const Signature *);
int SignatureIsFileMd5Inspecting(const Signature *);
int SignatureIsFileSha1Inspecting(const Signature *s);
int SignatureIsFileSha256Inspecting(const Signature *s);
int SignatureIsFilesizeInspecting(const Signature *);

void SignatureSetType(DetectEngineCtx *de_ctx, Signature *s);

int SigAddressPrepareStage1(DetectEngineCtx *de_ctx);
int SigAddressPrepareStage2(DetectEngineCtx *de_ctx);
int SigAddressPrepareStage3(DetectEngineCtx *de_ctx);
int SigAddressPrepareStage4(DetectEngineCtx *de_ctx);
int SigAddressCleanupStage1(DetectEngineCtx *de_ctx);
void SigCleanSignatures(DetectEngineCtx *);

int SigGroupBuild(DetectEngineCtx *);
int SigGroupCleanup (DetectEngineCtx *de_ctx);

#endif /* __DETECT_ENGINE_BUILD_H__ */
```

Blame annotation shown for the `PacketCreateMask` declaration (commit from 8 years ago):

detect: rewrite of the detect engine

Use per tx detect_flags to track prefilter. Detect flags are used for 2 things: 1. marking tx as fully inspected 2. tracking already run prefilter (incl mpm) engines. This supersedes the MpmIDs API for directionless tracking of the prefilter engines. When we have no SGH we have to flag the txs that are 'complete' as inspected as well.

Special handling for the stream engine: If a rule mixes TX inspection and STREAM inspection, we can encounter the case where the rule is evaluated against multiple transactions during a single inspection run. As the stream data is exactly the same for each of those runs, it's wasteful to rerun inspection of the stream portion of the rule. This patch enables caching of the stream 'inspect engine' result in the local 'RuleMatchCandidateTx' array. This is valid only during the life of a single inspection run.

Remove stateful inspection from 'mask' (SignatureMask). The mask wasn't used in most cases for those rules anyway, as there we rely on the prefilter. Add an alproto check to catch the remaining cases. When building the active non-mpm/non-prefilter list check not just the mask, but also the alproto. This especially helps stateful rules with negated mpm.

Simplify AppLayerParserHasDecoderEvents usage in detection to only return true if protocol detection events are set. Other detection is done in inspect engines.

Move rule group lookup and handling into its own function. Handle 'post lookup' tasks immediately, instead of after the first detect run. The tasks were independent of the initial detection.

Many cleanups and much refactoring.
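The commit message above describes two filters that decide whether a non-prefilter rule is even worth evaluating against a packet: a per-packet bitmask (the `PacketCreateMask` declared in this header fills one) and, added by that commit, an app-layer protocol check on top of the mask. The following is an added, self-contained illustration of that idea; it is not Suricata's code, and every `Toy*` name, the mask bits, the protocol ids and the sample rules and packet are assumptions constructed for this example. It shows why the mask alone is not enough: a TLS-only rule whose required bits all happen to be set on an HTTP packet survives the mask test and is only dropped by the alproto check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of mask-plus-alproto candidate selection. All Toy* names are
 * assumptions made for this example; they are not Suricata's SignatureMask,
 * Packet or AppProto types. */
typedef uint8_t ToyMask;

enum {
    TOY_MASK_TCP      = 1u << 0,  /* IP protocol is TCP */
    TOY_MASK_UDP      = 1u << 1,  /* IP protocol is UDP */
    TOY_MASK_FLOW     = 1u << 2,  /* packet belongs to a tracked flow */
    TOY_MASK_PAYLOAD  = 1u << 3,  /* packet carries payload bytes */
    TOY_MASK_DCEVENTS = 1u << 4,  /* decoder or app-layer decoder events set */
};

enum { TOY_ALPROTO_UNKNOWN = 0, TOY_ALPROTO_HTTP = 1, TOY_ALPROTO_TLS = 2 };

typedef struct {
    bool tcp, udp, has_flow, decoder_events;
    size_t payload_len;
    int alproto;          /* protocol detected on the flow, if any */
} ToyPacket;

typedef struct {
    const char *name;
    ToyMask mask;         /* packet properties the rule requires */
    int alproto;          /* TOY_ALPROTO_UNKNOWN means "any protocol" */
} ToySig;

/* Summarise a packet's properties into one bitmask, computed once per packet. */
ToyMask ToyPacketCreateMask(const ToyPacket *p, bool app_decoder_events)
{
    ToyMask m = 0;
    if (p->tcp) m |= TOY_MASK_TCP;
    if (p->udp) m |= TOY_MASK_UDP;
    if (p->has_flow) m |= TOY_MASK_FLOW;
    if (p->payload_len > 0) m |= TOY_MASK_PAYLOAD;
    if (p->decoder_events || app_decoder_events) m |= TOY_MASK_DCEVENTS;
    return m;
}

/* Build the list of non-prefilter rules worth running against this packet.
 * A rule qualifies only if every bit it requires is set in the packet mask
 * and, when check_alproto is true, its app-layer protocol matches as well. */
size_t ToyBuildCandidates(const ToySig *sigs, size_t nsigs, const ToyPacket *p,
                          bool app_decoder_events, bool check_alproto,
                          const ToySig **out, size_t outcap)
{
    ToyMask pmask = ToyPacketCreateMask(p, app_decoder_events);
    size_t n = 0;
    for (size_t i = 0; i < nsigs && n < outcap; i++) {
        const ToySig *s = &sigs[i];
        if ((pmask & s->mask) != s->mask)
            continue;                         /* cheap bitmask reject */
        if (check_alproto && s->alproto != TOY_ALPROTO_UNKNOWN &&
            s->alproto != p->alproto)
            continue;                         /* wrong app-layer protocol */
        out[n++] = s;
    }
    return n;
}

/* Constructed sample: one HTTP request packet on a TCP flow, four rules. */
static const ToySig kSampleSigs[] = {
    { "http-uri-rule", TOY_MASK_TCP | TOY_MASK_FLOW | TOY_MASK_PAYLOAD, TOY_ALPROTO_HTTP },
    { "tls-sni-rule",  TOY_MASK_TCP | TOY_MASK_FLOW | TOY_MASK_PAYLOAD, TOY_ALPROTO_TLS },
    { "any-tcp-rule",  TOY_MASK_TCP, TOY_ALPROTO_UNKNOWN },
    { "udp-rule",      TOY_MASK_UDP | TOY_MASK_PAYLOAD, TOY_ALPROTO_UNKNOWN },
};
static const ToyPacket kSamplePacket = {
    .tcp = true, .udp = false, .has_flow = true, .decoder_events = false,
    .payload_len = 128, .alproto = TOY_ALPROTO_HTTP,
};
#define SAMPLE_NSIGS (sizeof(kSampleSigs) / sizeof(kSampleSigs[0]))

/* Mask of the sample packet: TCP | FLOW | PAYLOAD. */
ToyMask ToyDemoPacketMask(void)
{
    return ToyPacketCreateMask(&kSamplePacket, false);
}

/* Candidate count for the sample packet; the TLS rule only drops out when
 * the alproto check is enabled, the UDP rule is rejected by the mask alone. */
size_t ToyDemoCandidateCount(bool check_alproto)
{
    const ToySig *out[SAMPLE_NSIGS];
    return ToyBuildCandidates(kSampleSigs, SAMPLE_NSIGS, &kSamplePacket, false,
                              check_alproto, out, SAMPLE_NSIGS);
}

int main(void)
{
    const ToySig *out[SAMPLE_NSIGS];
    size_t n = ToyBuildCandidates(kSampleSigs, SAMPLE_NSIGS, &kSamplePacket,
                                  false, true, out, SAMPLE_NSIGS);
    printf("packet mask 0x%02x, %zu candidate rule(s):\n",
           (unsigned)ToyDemoPacketMask(), n);
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", out[i]->name);
    return 0;
}
```

With the check on, only `http-uri-rule` and `any-tcp-rule` remain; with it off, `tls-sni-rule` would also be evaluated on every HTTP packet, which is exactly the wasted work the commit describes for stateful rules that the mask alone cannot filter.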