suricata的InspectEngine

1.结构

//报文检测引擎，有检测指针，检测模式等等信息，是链表节点
typedef struct DetectEnginePktInspectionEngine {
    SigMatchData *smd;
    bool mpm;
    uint16_t sm_list;
    uint16_t sm_list_base;
    struct {
        InspectionBufferGetPktDataPtr GetData;
        InspectionBufferPktInspectFunc Callback;
        /** pointer to the transforms in the 'DetectBuffer entry for this list */
        const DetectEngineTransforms *transforms;
    } v1;
    struct DetectEnginePktInspectionEngine *next;
} DetectEnginePktInspectionEngine;

// 存放着检测该流的应用层一切的信息，包括该报文的检测回调函数
// 检测模式，是什么协议等等，是一个链表节点
typedef struct DetectEngineAppInspectionEngine_ {
    AppProto alproto;
    uint8_t dir; // 方向
    uint8_t id;     /**< per sig id used in state keeping */
    bool mpm;
    bool stream;
    uint16_t sm_list;
    uint16_t sm_list_base; /**< base buffer being transformed */
    int16_t progress;
 
    /* \retval 0 No match.  Don't discontinue matching yet.  We need more data.
     *         1 Match.
     *         2 Sig can't match.
     *         3 Special value used by filestore sigs to indicate disabling
     *           filestore for the tx.
     */
    InspectEngineFuncPtr Callback;
 
    struct {
        InspectionBufferGetDataPtr GetData;
        InspectEngineFuncPtr2 Callback;
        /** pointer to the transforms in the 'DetectBuffer entry for this list */
        const DetectEngineTransforms *transforms;
    } v2;
    SigMatchData *smd;
    struct DetectEngineAppInspectionEngine_ *next;
} DetectEngineAppInspectionEngine;

// 里面放着检测函数指针，要检测的id，要检测的内容等等，是一个节点
typedef struct DetectBufferType_ {
    const char *string;
    const char *description;
    int id;
    int parent_id;
    bool mpm;
    bool packet; /**< compat to packet matches */
    bool supports_transforms;
    void (*SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *);
    bool (*ValidateCallback)(const struct Signature_ *, const char **sigerror);
    DetectEngineTransforms transforms;
} DetectBufferType;

这个检测节点作为data放在HashListTable *g_buffer_type_hash，这个hash链表中。

2.操作函数

// 增加一个名字为name新DetectEnginePktInspectionEngine节点,放在老的

// DetectEnginePktInspectionEngine链表末尾

// 这个节点的回调函数Callback，就要包的检测函数

DetectPktInspectEngineRegister

DetectAppLayerInspectEngineRegister

DetectAppLayerInspectEngineRegister2

DetectAppLayerInspectEngineCopy

DetectAppLayerInspectEngineCopyListToDetectCtx

DetectPktInspectEngineCopyListToDetectCtx        

AppendStreamInspectEngine

DetectEngineAppInspectionEngine2Signature

DetectEngineAppInspectionEngineSignatureFree

3.解释

InspectEngine的功能及作用？

这是检测引擎，一些注册之类的操作。。。。