[Oisf-users] Version 4.1.0-beta1, DetectRunTx(): Why traverse through the tx list in f->alstate? It's difficult to understand the mechanism.

Ma Allen mazhh at outlook.com
Wed Sep 18 09:16:39 UTC 2019


Packets in Suricata are defragmented, finally becoming a stream. So it's impossible to relate a specific packet to a tx.
And I wonder why DetectRunTx() traverses the tx list in f->alstate. Any suggestion is appreciated. Thanks in advance.

packet -> flow -> alstate -> tx
      n      :      1     :      1      :    m


static void DetectRunTx(ThreadVars *tv,
                    DetectEngineCtx *de_ctx,
                    DetectEngineThreadCtx *det_ctx,
                    Packet *p,
                    Flow *f,
                    DetectRunScratchpad *scratch)
{
    const uint8_t flow_flags = scratch->flow_flags;
    const SigGroupHead * const sgh = scratch->sgh;
    void * const alstate = f->alstate;
    const uint8_t ipproto = f->proto;
    const AppProto alproto = f->alproto;

    const uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate);
    uint64_t tx_id_min = AppLayerParserGetTransactionInspectId(f->alparser, flow_flags);
    const int tx_end_state = AppLayerParserGetStateProgressCompletionStatus(alproto, flow_flags);

    AppLayerGetTxIteratorFunc IterFunc = AppLayerGetTxIterator(ipproto, alproto);
    AppLayerGetTxIterState state;
    memset(&state, 0, sizeof(state));

    while (1) {
        AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, tx_id_min, total_txs, &state);
        if (ires.tx_ptr == NULL)
            break;

        DetectTransaction tx = GetDetectTx(ipproto, alproto,
                alstate, ires.tx_id, ires.tx_ptr, tx_end_state, flow_flags);
        if (tx.tx_ptr == NULL) {
            SCLogDebug("%p/%"PRIu64" no transaction to inspect",
                    tx.tx_ptr, tx_id_min);
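Added example, not code from the post or from Suricata: a small C model of the packet : flow : alstate : tx = n : 1 : 1 : m chain the post draws. The names FlowState, feed_packet, detect_run_tx and TX_END_STATE are constructed; the inspect_id field stands in for what AppLayerParserGetTransactionInspectId() returns and total_txs for AppLayerParserGetTxCnt(). It shows why the detection loop walks the flow's transaction list from the inspect id instead of mapping the current packet to one tx: a packet may complete zero or several pipelined transactions, and the inspect id lets the loop skip transactions already inspected on earlier packets.

```c
#include <stdint.h>
#include <string.h>

#define MAX_TX 8
#define TX_END_STATE 2   /* constructed: progress value meaning "fully parsed" */

typedef struct {
    int progress;    /* 0 = started, TX_END_STATE = complete */
    int inspected;   /* set once detection has looked at it */
} Tx;

/* One per flow (f->alstate in the post): n packets feed it, it owns m txs. */
typedef struct {
    Tx txs[MAX_TX];
    uint64_t total_txs;    /* what AppLayerParserGetTxCnt() would report */
    uint64_t inspect_id;   /* first tx detection has not finished with */
} FlowState;

/* Parser side: one packet may open new txs and complete zero, one or
 * several of them, so the packet itself never maps to a single tx. */
static void feed_packet(FlowState *f, int new_txs, int complete_txs)
{
    for (int i = 0; i < new_txs && f->total_txs < MAX_TX; i++)
        f->total_txs++;
    for (uint64_t i = f->inspect_id; i < f->total_txs && complete_txs > 0; i++) {
        if (f->txs[i].progress < TX_END_STATE) {
            f->txs[i].progress = TX_END_STATE;
            complete_txs--;
        }
    }
}

/* Detection side, mirroring the while(1) loop in DetectRunTx: start at the
 * inspect id, inspect every tx that reached end state, then move the inspect
 * id past the leading run of inspected txs so the next packet skips them.
 * Returns how many txs were inspected on this call. */
static int detect_run_tx(FlowState *f)
{
    int inspected = 0;
    for (uint64_t id = f->inspect_id; id < f->total_txs; id++) {
        Tx *tx = &f->txs[id];
        if (tx->progress < TX_END_STATE || tx->inspected)
            continue;   /* not parsed far enough yet, or already handled */
        tx->inspected = 1;
        inspected++;
    }
    while (f->inspect_id < f->total_txs && f->txs[f->inspect_id].inspected)
        f->inspect_id++;
    return inspected;
}
```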