suricata
detect-engine-build.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 #include "detect.h"
20 #include "detect-engine.h"
21 #include "detect-parse.h"
22 #include "detect-content.h"
23 
24 #include "detect-engine-build.h"
25 #include "detect-engine-address.h"
26 #include "detect-engine-analyzer.h"
27 #include "detect-engine-iponly.h"
28 #include "detect-engine-mpm.h"
29 #include "detect-engine-siggroup.h"
30 #include "detect-engine-port.h"
31 #include "detect-engine-prefilter.h"
32 #include "detect-engine-proto.h"
33 #include "detect-engine-threshold.h"
34 
35 #include "detect-dsize.h"
36 #include "detect-tcp-flags.h"
37 #include "detect-flow.h"
38 #include "detect-config.h"
39 #include "detect-flowbits.h"
40 
41 #include "app-layer-events.h"
42 
43 #include "util-port-interval-tree.h"
44 #include "util-profiling.h"
45 #include "util-validate.h"
46 #include "util-var-name.h"
47 #include "util-conf.h"
48 
49 /* Magic numbers to make the rules of a certain order fall in the same group */
50 #define DETECT_PGSCORE_RULE_PORT_PRIORITIZED 111 /* Rule port group contains a priority port */
51 #define DETECT_PGSCORE_RULE_MPM_FAST_PATTERN 99 /* Rule contains an MPM fast pattern */
52 #define DETECT_PGSCORE_RULE_MPM_NEGATED 77 /* Rule contains a negated MPM */
53 #define DETECT_PGSCORE_RULE_NO_MPM 55 /* Rule does not contain MPM */
54 #define DETECT_PGSCORE_RULE_SYN_ONLY 33 /* Rule needs SYN check */
55 
56 void SigCleanSignatures(DetectEngineCtx *de_ctx)
57 {
58  if (de_ctx == NULL)
59  return;
60 
61  for (Signature *s = de_ctx->sig_list; s != NULL;) {
62  Signature *ns = s->next;
63  SigFree(de_ctx, s);
64  s = ns;
65  }
66  de_ctx->sig_list = NULL;
67 
68  DetectEngineResetMaxSigId(de_ctx);
69  de_ctx->sig_list = NULL;
70 }
71 
72 /** \brief Find a specific signature by sid and gid
73  * \param de_ctx detection engine ctx
74  * \param sid the signature id
75  * \param gid the signature group id
76  *
77  * \retval s sig found
78  * \retval NULL sig not found
79  */
80 Signature *SigFindSignatureBySidGid(DetectEngineCtx *de_ctx, uint32_t sid, uint32_t gid)
81 {
82  if (de_ctx == NULL)
83  return NULL;
84 
85  for (Signature *s = de_ctx->sig_list; s != NULL; s = s->next) {
86  if (s->id == sid && s->gid == gid)
87  return s;
88  }
89 
90  return NULL;
91 }
92 
93 /**
94  * \brief Check if a signature contains the filestore keyword.
95  *
96  * \param s signature
97  *
98  * \retval 0 no
99  * \retval 1 yes
100  */
101 int SignatureIsFilestoring(const Signature *s)
102 {
103  if (s == NULL)
104  return 0;
105 
106  if (s->flags & SIG_FLAG_FILESTORE)
107  return 1;
108 
109  return 0;
110 }
111 
112 /**
113  * \brief Check if a signature contains the filemagic keyword.
114  *
115  * \param s signature
116  *
117  * \retval 0 no
118  * \retval 1 yes
119  */
120 int SignatureIsFilemagicInspecting(const Signature *s)
121 {
122  if (s == NULL)
123  return 0;
124 
125  if (s->file_flags & FILE_SIG_NEED_MAGIC)
126  return 1;
127 
128  return 0;
129 }
130 
131 /**
132  * \brief Check if a signature contains the filemd5 keyword.
133  *
134  * \param s signature
135  *
136  * \retval 0 no
137  * \retval 1 yes
138  */
139 int SignatureIsFileMd5Inspecting(const Signature *s)
140 {
141  if ((s != NULL) && (s->file_flags & FILE_SIG_NEED_MD5))
142  return 1;
143 
144  return 0;
145 }
146 
147 /**
148  * \brief Check if a signature contains the filesha1 keyword.
149  *
150  * \param s signature
151  *
152  * \retval 0 no
153  * \retval 1 yes
154  */
155 int SignatureIsFileSha1Inspecting(const Signature *s)
156 {
157  if ((s != NULL) && (s->file_flags & FILE_SIG_NEED_SHA1))
158  return 1;
159 
160  return 0;
161 }
162 
163 /**
164  * \brief Check if a signature contains the filesha256 keyword.
165  *
166  * \param s signature
167  *
168  * \retval 0 no
169  * \retval 1 yes
170  */
171 int SignatureIsFileSha256Inspecting(const Signature *s)
172 {
173  if ((s != NULL) && (s->file_flags & FILE_SIG_NEED_SHA256))
174  return 1;
175 
176  return 0;
177 }
178 
179 static bool SignatureInspectsBuffers(const Signature *s)
180 {
181  return (s->init_data->buffer_index > 0);
182 }
183 
184 /** \brief Test is a initialized signature is IP only
185  * \param de_ctx detection engine ctx
186  * \param s the signature
187  * \retval 1 sig is ip only
188  * \retval 2 sig is like ip only
189  * \retval 0 sig is not ip only
190  */
191 int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
192 {
193  /* explicit hook means no IP-only */
194  if (s->init_data->hook.type != SIGNATURE_HOOK_TYPE_NOT_SET)
195  return 0;
196 
197  if (s->alproto != ALPROTO_UNKNOWN)
198  return 0;
199 
200  if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL)
201  return 0;
202 
203  // may happen for 'config' keyword, postmatch
204  if (s->flags & SIG_FLAG_APPLAYER)
205  return 0;
206 
207  /* if flow dir is set we can't process it in ip-only */
208  if (!(((s->flags & (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) == 0) ||
209  (s->flags & (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) ==
210  (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)))
211  return 0;
212 
213  /* for now assume that all registered buffer types are incompatible */
214  if (SignatureInspectsBuffers(s)) {
215  SCReturnInt(0);
216  }
217 
218  /* TMATCH list can be ignored, it contains TAGs and
219  * tags are compatible to IP-only. */
220 
221  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
222  for (; sm != NULL; sm = sm->next) {
223  if (!(sigmatch_table[sm->type].flags & SIGMATCH_IPONLY_COMPAT))
224  return 0;
225  /* we have enabled flowbits to be compatible with ip only sigs, as long
226  * as the sig only has a "set" flowbits */
227  if (sm->type == DETECT_FLOWBITS &&
228  (((DetectFlowbitsData *)sm->ctx)->cmd != DETECT_FLOWBITS_CMD_SET)) {
229  return 0;
230  }
231  }
232  sm = s->init_data->smlists[DETECT_SM_LIST_POSTMATCH];
233  for ( ; sm != NULL; sm = sm->next) {
234  if ( !(sigmatch_table[sm->type].flags & SIGMATCH_IPONLY_COMPAT))
235  return 0;
236  /* we have enabled flowbits to be compatible with ip only sigs, as long
237  * as the sig only has a "set" flowbits */
238  if (sm->type == DETECT_FLOWBITS &&
239  (((DetectFlowbitsData *)sm->ctx)->cmd != DETECT_FLOWBITS_CMD_SET) ) {
240  return 0;
241  }
242  }
243 
244  if (s->init_data->src_contains_negation || s->init_data->dst_contains_negation) {
245  /* Rule is IP only, but contains negated addresses. */
246  return 2;
247  }
248  if (!(de_ctx->flags & DE_QUIET)) {
249  SCLogDebug("IP-ONLY (%" PRIu32 "): source %s, dest %s", s->id,
250  s->flags & SIG_FLAG_SRC_ANY ? "ANY" : "SET",
251  s->flags & SIG_FLAG_DST_ANY ? "ANY" : "SET");
252  }
253  return 1;
254 }
255 
256 /** \internal
257  * \brief Test is a initialized signature is inspecting protocol detection only
258  * \param de_ctx detection engine ctx
259  * \param s the signature
260  * \retval 1 sig is dp only
261  * \retval 0 sig is not dp only
262  */
263 static int SignatureIsPDOnly(const DetectEngineCtx *de_ctx, const Signature *s)
264 {
265  /* explicit hook means no PD-only */
266  if (s->init_data->hook.type != SIGNATURE_HOOK_TYPE_NOT_SET)
267  return 0;
268 
269  if (s->alproto != ALPROTO_UNKNOWN)
270  return 0;
271 
272  if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL)
273  return 0;
274 
275  /* for now assume that all registered buffer types are incompatible */
276  if (SignatureInspectsBuffers(s)) {
277  SCReturnInt(0);
278  }
279 
280  /* TMATCH list can be ignored, it contains TAGs and
281  * tags are compatible to DP-only. */
282 
283  /* match list matches may be compatible to DP only. We follow the same
284  * logic as IP-only so we can use that flag */
285 
286  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
287  if (sm == NULL)
288  return 0;
289 
290  int pd = 0;
291  for ( ; sm != NULL; sm = sm->next) {
292  if (sm->type == DETECT_APP_LAYER_PROTOCOL) {
293  pd = 1;
294  } else {
295  /* flowbits are supported for dp only sigs, as long
296  * as the sig only has a "set" flowbits */
297  if (sm->type == DETECT_FLOWBITS) {
298  if ((((DetectFlowbitsData *)sm->ctx)->cmd != DETECT_FLOWBITS_CMD_SET) ) {
299  SCLogDebug("%u: not PD-only: flowbit settings other than 'set'", s->id);
300  return 0;
301  }
302  } else if (sm->type == DETECT_FLOW) {
303  if (((DetectFlowData *)sm->ctx)->flags & ~(DETECT_FLOW_FLAG_TOSERVER|DETECT_FLOW_FLAG_TOCLIENT)) {
304  SCLogDebug("%u: not PD-only: flow settings other than toserver/toclient", s->id);
305  return 0;
306  }
307  } else if ( !(sigmatch_table[sm->type].flags & SIGMATCH_IPONLY_COMPAT)) {
308  SCLogDebug("%u: not PD-only: %s not PD/IP-only compat", s->id, sigmatch_table[sm->type].name);
309  return 0;
310  }
311  }
312  }
313 
314  if (pd) {
315  SCLogDebug("PD-ONLY (%" PRIu32 ")", s->id);
316  }
317  return pd;
318 }
319 
320 /**
321  * \internal
322  * \brief Check if the initialized signature is inspecting the packet payload
323  * \param de_ctx detection engine ctx
324  * \param s the signature
325  * \retval 1 sig is inspecting the payload
326  * \retval 0 sig is not inspecting the payload
327  */
328 static int SignatureIsInspectingPayload(DetectEngineCtx *de_ctx, const Signature *s)
329 {
330 
331  if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL) {
332  return 1;
333  }
334  return 0;
335 }
336 
337 /**
338  * \internal
339  * \brief check if a signature is decoder event matching only
340  * \param de_ctx detection engine
341  * \param s the signature to test
342  * \retval 0 not a DEOnly sig
343  * \retval 1 DEOnly sig
344  */
345 static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, const Signature *s)
346 {
347  /* explicit hook means no DE-only */
348  if (s->init_data->hook.type != SIGNATURE_HOOK_TYPE_NOT_SET)
349  SCReturnInt(0);
350 
351  if (s->alproto != ALPROTO_UNKNOWN) {
352  SCReturnInt(0);
353  }
354 
355  if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL)
356  {
357  SCReturnInt(0);
358  }
359 
360  /* for now assume that all registered buffer types are incompatible */
361  if (SignatureInspectsBuffers(s)) {
362  SCReturnInt(0);
363  }
364 
365  /* check for conflicting keywords */
366  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
367  for ( ;sm != NULL; sm = sm->next) {
368  if ( !(sigmatch_table[sm->type].flags & SIGMATCH_DEONLY_COMPAT))
369  SCReturnInt(0);
370  }
371 
372  /* need at least one decode event keyword to be considered decode event. */
373  sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
374  for ( ;sm != NULL; sm = sm->next) {
375  if (sm->type == DETECT_DECODE_EVENT)
376  goto deonly;
377  if (sm->type == DETECT_ENGINE_EVENT)
378  goto deonly;
379  if (sm->type == DETECT_STREAM_EVENT)
380  goto deonly;
381  }
382 
383  SCReturnInt(0);
384 
385 deonly:
386  if (!(de_ctx->flags & DE_QUIET)) {
387  SCLogDebug("DE-ONLY (%" PRIu32 "): source %s, dest %s", s->id,
388  s->flags & SIG_FLAG_SRC_ANY ? "ANY" : "SET",
389  s->flags & SIG_FLAG_DST_ANY ? "ANY" : "SET");
390  }
391 
392  SCReturnInt(1);
393 }
394 
395 #define MASK_TCP_INITDEINIT_FLAGS (TH_SYN|TH_RST|TH_FIN)
396 #define MASK_TCP_UNUSUAL_FLAGS (TH_URG|TH_ECN|TH_CWR)
397 
398 /* Create mask for this packet + it's flow if it has one
399  */
400 void
401 PacketCreateMask(Packet *p, SignatureMask *mask, AppProto alproto,
402  bool app_decoder_events)
403 {
404  if (!(PKT_IS_PSEUDOPKT(p))) {
405  (*mask) |= SIG_MASK_REQUIRE_REAL_PKT;
406  }
407  if (!(p->flags & PKT_NOPAYLOAD_INSPECTION) && p->payload_len > 0) {
408  SCLogDebug("packet has payload");
409  (*mask) |= SIG_MASK_REQUIRE_PAYLOAD;
410  } else if (p->flags & PKT_DETECT_HAS_STREAMDATA) {
411  SCLogDebug("stream data available");
412  (*mask) |= SIG_MASK_REQUIRE_PAYLOAD;
413  } else {
414  SCLogDebug("packet has no payload");
415  (*mask) |= SIG_MASK_REQUIRE_NO_PAYLOAD;
416  }
417 
418  if (p->events.cnt > 0 || app_decoder_events != 0 ||
419  (p->app_layer_events != NULL && p->app_layer_events->cnt)) {
420  SCLogDebug("packet/flow has events set");
421  (*mask) |= SIG_MASK_REQUIRE_ENGINE_EVENT;
422  }
423 
424  if (!(PKT_IS_PSEUDOPKT(p)) && PacketIsTCP(p)) {
425  const TCPHdr *tcph = PacketGetTCP(p);
426  if ((tcph->th_flags & MASK_TCP_INITDEINIT_FLAGS) != 0) {
427  (*mask) |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
428  }
429  if ((tcph->th_flags & MASK_TCP_UNUSUAL_FLAGS) != 0) {
430  (*mask) |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
431  }
432  }
433 
434  if (p->flags & PKT_HAS_FLOW) {
435  SCLogDebug("packet has flow");
436  (*mask) |= SIG_MASK_REQUIRE_FLOW;
437  }
438 }
439 
440 static int SignatureCreateMask(Signature *s)
441 {
442  SCEnter();
443 
444  if ((s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM)) ==
445  SIG_FLAG_REQUIRE_PACKET) {
446  s->mask |= SIG_MASK_REQUIRE_REAL_PKT;
447  }
448  if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL) {
449  s->mask |= SIG_MASK_REQUIRE_PAYLOAD;
450  SCLogDebug("sig requires payload");
451  }
452 
453  SigMatch *sm;
454  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
455  switch(sm->type) {
456  case DETECT_FLOWBITS:
457  {
458  /* figure out what flowbit action */
459  DetectFlowbitsData *fb = (DetectFlowbitsData *)sm->ctx;
460  if (fb->cmd == DETECT_FLOWBITS_CMD_ISSET) {
461  /* not a mask flag, but still set it here */
462  s->flags |= SIG_FLAG_REQUIRE_FLOWVAR;
463 
464  SCLogDebug("SIG_FLAG_REQUIRE_FLOWVAR set as sig has "
465  "flowbit isset option.");
466  }
467 
468  /* flow is required for any flowbit manipulation */
469  s->mask |= SIG_MASK_REQUIRE_FLOW;
470  SCLogDebug("sig requires flow to be able to manipulate "
471  "flowbit(s)");
472  break;
473  }
474  case DETECT_FLOWINT:
475  /* flow is required for any flowint manipulation */
476  s->mask |= SIG_MASK_REQUIRE_FLOW;
477  SCLogDebug("sig requires flow to be able to manipulate "
478  "flowint(s)");
479  break;
480  case DETECT_FLAGS:
481  {
482  DetectU8Data *fl = (DetectU8Data *)sm->ctx;
483 
484  uint8_t arg = 0;
485  if (fl->mode == DetectUintModeBitmask) {
486  arg = fl->arg2;
487  } else if (fl->mode == DetectUintModeNegBitmask && fl->arg2 == 0) {
488  arg = fl->arg1;
489  } else if (fl->mode == DetectUintModeEqual) {
490  arg = fl->arg1;
491  }
492  if (arg & MASK_TCP_INITDEINIT_FLAGS) {
493  s->mask |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
494  SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT");
495  }
496  if (arg & MASK_TCP_UNUSUAL_FLAGS) {
497  s->mask |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
498  SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL");
499  }
500 
501  break;
502  }
503  case DETECT_DSIZE:
504  {
505  DetectU16Data *ds = (DetectU16Data *)sm->ctx;
506  /* LT will include 0, so no payload.
507  * if GT is used in the same rule the
508  * flag will be set anyway. */
509  if (ds->mode == DETECT_UINT_RA || ds->mode == DETECT_UINT_GT ||
510  ds->mode == DETECT_UINT_NE || ds->mode == DETECT_UINT_GTE) {
511 
512  s->mask |= SIG_MASK_REQUIRE_PAYLOAD;
513  SCLogDebug("sig requires payload");
514 
515  } else if (ds->mode == DETECT_UINT_EQ) {
516  if (ds->arg1 > 0) {
517  s->mask |= SIG_MASK_REQUIRE_PAYLOAD;
518  SCLogDebug("sig requires payload");
519  } else {
520  s->mask |= SIG_MASK_REQUIRE_NO_PAYLOAD;
521  SCLogDebug("sig requires no payload");
522  }
523  }
524  break;
525  }
526  case DETECT_DECODE_EVENT:
527  // fallthrough
528  case DETECT_STREAM_EVENT:
529  // fallthrough
530  case DETECT_APP_LAYER_EVENT:
531  // fallthrough
532  case DETECT_ENGINE_EVENT:
533  s->mask |= SIG_MASK_REQUIRE_ENGINE_EVENT;
534  break;
535  }
536  }
537 
538  for (sm = s->init_data->smlists[DETECT_SM_LIST_POSTMATCH]; sm != NULL; sm = sm->next) {
539  switch (sm->type) {
540  case DETECT_CONFIG: {
541  DetectConfigData *fd = (DetectConfigData *)sm->ctx;
542  if (fd->scope == CONFIG_SCOPE_FLOW) {
543  s->mask |= SIG_MASK_REQUIRE_FLOW;
544  }
545  break;
546  }
547  }
548  }
549 
550  if (s->init_data->init_flags & SIG_FLAG_INIT_FLOW) {
551  s->mask |= SIG_MASK_REQUIRE_FLOW;
552  SCLogDebug("sig requires flow");
553  }
554 
555  if (s->flags & SIG_FLAG_APPLAYER) {
556  s->mask |= SIG_MASK_REQUIRE_FLOW;
557  SCLogDebug("sig requires flow");
558  }
559 
560  SCLogDebug("mask %02X", s->mask);
561  SCReturnInt(0);
562 }
563 
564 static void SigInitStandardMpmFactoryContexts(DetectEngineCtx *de_ctx)
565 {
566  DetectMpmInitializeBuiltinMpms(de_ctx);
567 }
568 
569 /** \brief Pure-PCRE or bytetest rule */
570 static bool RuleInspectsPayloadHasNoMpm(const Signature *s)
571 {
572  return s->init_data->mpm_sm == NULL && s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL;
573 }
574 
575 static int RuleGetMpmPatternSize(const Signature *s)
576 {
577  if (s->init_data->mpm_sm == NULL)
578  return -1;
579  int mpm_list = s->init_data->mpm_sm_list;
580  if (mpm_list < 0)
581  return -1;
582  const DetectContentData *cd = (const DetectContentData *)s->init_data->mpm_sm->ctx;
583  if (cd == NULL)
584  return -1;
585  return (int)cd->content_len;
586 }
587 
588 static bool RuleMpmIsNegated(const Signature *s)
589 {
590  if (s->flags & SIG_FLAG_MPM_NEG)
591  return true;
592  if (s->init_data->mpm_sm == NULL)
593  return false;
594  int mpm_list = s->init_data->mpm_sm_list;
595  if (mpm_list < 0)
596  return false;
597  const DetectContentData *cd = (const DetectContentData *)s->init_data->mpm_sm->ctx;
598  if (cd == NULL)
599  return false;
600  return (cd->flags & DETECT_CONTENT_NEGATED) != 0;
601 }
602 
603 typedef struct MpmStat {
604  uint32_t total;
605  uint32_t cnt;
606  uint32_t min;
607  uint32_t max;
608 } MpmStat;
609 
610 static SCJsonBuilder *RulesGroupPrintSghStats(const DetectEngineCtx *de_ctx,
611  const SigGroupHead *sgh, const int add_rules, const int add_mpm_stats)
612 {
613  uint32_t prefilter_cnt = 0;
614  uint32_t mpm_cnt = 0;
615  uint32_t nonmpm_cnt = 0;
616  uint32_t mpm_depth_cnt = 0;
617  uint32_t mpm_endswith_cnt = 0;
618  uint32_t negmpm_cnt = 0;
619  uint32_t any5_cnt = 0;
620  uint32_t payload_no_mpm_cnt = 0;
621  uint32_t syn_cnt = 0;
622 
623  uint32_t mpms_min = 0;
624  uint32_t mpms_max = 0;
625 
626  int max_buffer_type_id = de_ctx->buffer_type_id;
627 
628  MpmStat *mpm_stats = NULL;
629  if (add_mpm_stats) {
630  mpm_stats = SCCalloc(max_buffer_type_id, sizeof(MpmStat));
631  if (mpm_stats == NULL)
632  return NULL;
633  }
634 
635  uint32_t alstats[g_alproto_max];
636  memset(alstats, 0, g_alproto_max * sizeof(uint32_t));
637  uint32_t mpm_sizes[max_buffer_type_id][256];
638  memset(mpm_sizes, 0, sizeof(mpm_sizes));
639  uint32_t alproto_mpm_bufs[g_alproto_max][max_buffer_type_id];
640  memset(alproto_mpm_bufs, 0, sizeof(alproto_mpm_bufs));
641 
642  DEBUG_VALIDATE_BUG_ON(sgh->init == NULL);
643  if (sgh->init == NULL) {
644  SCFree(mpm_stats);
645  return NULL;
646  }
647 
648  SCJsonBuilder *js = SCJbNewObject();
649  if (unlikely(js == NULL)) {
650  SCFree(mpm_stats);
651  return NULL;
652  }
653 
654  SCJbSetUint(js, "id", sgh->id);
655 
656  SCJbOpenArray(js, "rules");
657  for (uint32_t x = 0; x < sgh->init->sig_cnt; x++) {
658  const Signature *s = sgh->init->match_array[x];
659  if (s == NULL)
660  continue;
661 
662  int any = 0;
663  if (s->proto == NULL || s->proto->flags & DETECT_PROTO_ANY) {
664  any++;
665  }
666  if (s->flags & SIG_FLAG_DST_ANY) {
667  any++;
668  }
669  if (s->flags & SIG_FLAG_SRC_ANY) {
670  any++;
671  }
672  if (s->flags & SIG_FLAG_DP_ANY) {
673  any++;
674  }
675  if (s->flags & SIG_FLAG_SP_ANY) {
676  any++;
677  }
678  if (any == 5) {
679  any5_cnt++;
680  }
681 
682  prefilter_cnt += (s->init_data->prefilter_sm != NULL);
683  if (s->init_data->mpm_sm == NULL) {
684  nonmpm_cnt++;
685 
686  if (s->sm_arrays[DETECT_SM_LIST_MATCH] != NULL) {
687  SCLogDebug("SGH %p Non-MPM inspecting only packets. Rule %u", sgh, s->id);
688  }
689 
690  DetectPort *sp = s->sp;
691  DetectPort *dp = s->dp;
692 
693  if (s->flags & SIG_FLAG_TOSERVER && (dp->port == 0 && dp->port2 == 65535)) {
694  SCLogDebug("SGH %p Non-MPM toserver and to 'any'. Rule %u", sgh, s->id);
695  }
696  if (s->flags & SIG_FLAG_TOCLIENT && (sp->port == 0 && sp->port2 == 65535)) {
697  SCLogDebug("SGH %p Non-MPM toclient and to 'any'. Rule %u", sgh, s->id);
698  }
699 
700  if (DetectFlagsSignatureNeedsSynPackets(s)) {
701  syn_cnt++;
702  }
703 
704  } else {
705  int mpm_list = s->init_data->mpm_sm_list;
706  BUG_ON(mpm_list < 0);
707  const DetectContentData *cd = (const DetectContentData *)s->init_data->mpm_sm->ctx;
708  uint32_t size = cd->content_len < 256 ? cd->content_len : 255;
709 
710  mpm_sizes[mpm_list][size]++;
711  alproto_mpm_bufs[s->alproto][mpm_list]++;
712 
713  if (mpm_list == DETECT_SM_LIST_PMATCH) {
714  if (size == 1) {
715  DetectPort *sp = s->sp;
716  DetectPort *dp = s->dp;
717  if (s->flags & SIG_FLAG_TOSERVER) {
718  if (dp->port == 0 && dp->port2 == 65535) {
719  SCLogDebug("SGH %p toserver 1byte fast_pattern to ANY. Rule %u", sgh, s->id);
720  } else {
721  SCLogDebug("SGH %p toserver 1byte fast_pattern to port(s) %u-%u. Rule %u", sgh, dp->port, dp->port2, s->id);
722  }
723  }
724  if (s->flags & SIG_FLAG_TOCLIENT) {
725  if (sp->port == 0 && sp->port2 == 65535) {
726  SCLogDebug("SGH %p toclient 1byte fast_pattern to ANY. Rule %u", sgh, s->id);
727  } else {
728  SCLogDebug("SGH %p toclient 1byte fast_pattern to port(s) %u-%u. Rule %u", sgh, sp->port, sp->port2, s->id);
729  }
730  }
731  }
732  }
733 
734  uint32_t w = PatternStrength(cd->content, cd->content_len);
735  if (mpms_min == 0)
736  mpms_min = w;
737  if (w < mpms_min)
738  mpms_min = w;
739  if (w > mpms_max)
740  mpms_max = w;
741 
742  BUG_ON(mpm_list >= max_buffer_type_id);
743  if (mpm_stats != NULL) {
744  mpm_stats[mpm_list].total += w;
745  mpm_stats[mpm_list].cnt++;
746  if (mpm_stats[mpm_list].min == 0 || w < mpm_stats[mpm_list].min)
747  mpm_stats[mpm_list].min = w;
748  if (w > mpm_stats[mpm_list].max)
749  mpm_stats[mpm_list].max = w;
750  }
751  mpm_cnt++;
752 
753  if (w < 10) {
754  SCLogDebug("SGH %p Weak MPM Pattern on %s. Rule %u", sgh, DetectListToString(mpm_list), s->id);
755  }
756  if (w < 10 && any == 5) {
757  SCLogDebug("SGH %p Weak MPM Pattern on %s, rule is 5xAny. Rule %u", sgh, DetectListToString(mpm_list), s->id);
758  }
759 
760  if (cd->flags & DETECT_CONTENT_NEGATED) {
761  SCLogDebug("SGH %p MPM Pattern on %s, is negated. Rule %u", sgh, DetectListToString(mpm_list), s->id);
762  negmpm_cnt++;
763  }
764  if (cd->flags & DETECT_CONTENT_ENDS_WITH) {
765  mpm_endswith_cnt++;
766  }
767  if (cd->flags & DETECT_CONTENT_DEPTH) {
768  mpm_depth_cnt++;
769  }
770  }
771 
772  if (RuleInspectsPayloadHasNoMpm(s)) {
773  SCLogDebug("SGH %p No MPM. Payload inspecting. Rule %u", sgh, s->id);
774  payload_no_mpm_cnt++;
775  }
776 
777  alstats[s->alproto]++;
778 
779  if (add_rules) {
780  SCJsonBuilder *e = SCJbNewObject();
781  if (e != NULL) {
782  SCJbSetUint(e, "sig_id", s->id);
783  SCJbClose(e);
784  SCJbAppendObject(js, e);
785  SCJbFree(e);
786  }
787  }
788  }
789  SCJbClose(js);
790 
791  SCJbOpenObject(js, "stats");
792  SCJbSetUint(js, "total", sgh->init->sig_cnt);
793 
794  SCJbOpenObject(js, "types");
795  SCJbSetUint(js, "mpm", mpm_cnt);
796  SCJbSetUint(js, "non_mpm", nonmpm_cnt);
797  SCJbSetUint(js, "mpm_depth", mpm_depth_cnt);
798  SCJbSetUint(js, "mpm_endswith", mpm_endswith_cnt);
799  SCJbSetUint(js, "negated_mpm", negmpm_cnt);
800  SCJbSetUint(js, "payload_but_no_mpm", payload_no_mpm_cnt);
801  SCJbSetUint(js, "prefilter", prefilter_cnt);
802  SCJbSetUint(js, "syn", syn_cnt);
803  SCJbSetUint(js, "any5", any5_cnt);
804  SCJbClose(js);
805 
806  for (AppProto i = 0; i < g_alproto_max; i++) {
807  if (alstats[i] > 0) {
808  const char *proto_name = (i == ALPROTO_UNKNOWN) ? "payload" : AppProtoToString(i);
809  SCJbOpenObject(js, proto_name);
810  SCJbSetUint(js, "total", alstats[i]);
811 
812  for (int y = 0; y < max_buffer_type_id; y++) {
813  if (alproto_mpm_bufs[i][y] == 0)
814  continue;
815 
816  const char *name;
817  if (y < DETECT_SM_LIST_DYNAMIC_START)
818  name = DetectListToHumanString(y);
819  else
820  name = DetectEngineBufferTypeGetNameById(de_ctx, y);
821 
822  SCJbSetUint(js, name, alproto_mpm_bufs[i][y]);
823  }
824  SCJbClose(js);
825  }
826  }
827 
828  if (add_mpm_stats) {
829  SCJbOpenObject(js, "mpm");
830 
831  for (int i = 0; i < max_buffer_type_id; i++) {
832  if (mpm_stats[i].cnt > 0) {
833  const char *name;
834  if (i < DETECT_SM_LIST_DYNAMIC_START)
835  name = DetectListToHumanString(i);
836  else
837  name = DetectEngineBufferTypeGetNameById(de_ctx, i);
838 
839  SCJbOpenArray(js, name);
840 
841  for (int y = 0; y < 256; y++) {
842  if (mpm_sizes[i][y] == 0)
843  continue;
844 
845  SCJsonBuilder *e = SCJbNewObject();
846  if (e != NULL) {
847  SCJbSetUint(e, "size", y);
848  SCJbSetUint(e, "count", mpm_sizes[i][y]);
849  SCJbClose(e);
850  SCJbAppendObject(js, e);
851  SCJbFree(e);
852  }
853  }
854 
855  SCJsonBuilder *e = SCJbNewObject();
856  if (e != NULL) {
857  SCJbSetUint(e, "total", mpm_stats[i].cnt);
858  SCJbSetUint(e, "avg_strength", mpm_stats[i].total / mpm_stats[i].cnt);
859  SCJbSetUint(e, "min_strength", mpm_stats[i].min);
860  SCJbSetUint(e, "max_strength", mpm_stats[i].max);
861  SCJbClose(e);
862  SCJbAppendObject(js, e);
863  SCJbFree(e);
864  }
865 
866  SCJbClose(js);
867  }
868  }
869  SCJbClose(js);
870  }
871  SCJbClose(js);
872 
873  SCJbSetUint(js, "score", sgh->init->score);
874  SCJbClose(js);
875  SCFree(mpm_stats);
876 
877  return js;
878 }
879 
880 static void RulesDumpGrouping(const DetectEngineCtx *de_ctx,
881  const int add_rules, const int add_mpm_stats)
882 {
883  SCJsonBuilder *js = SCJbNewObject();
884  if (unlikely(js == NULL))
885  return;
886 
887  for (int p = 0; p < 256; p++) {
888  if (p == IPPROTO_TCP || p == IPPROTO_UDP) {
889  const char *name = (p == IPPROTO_TCP) ? "tcp" : "udp";
890 
891  SCJbOpenObject(js, name);
892  SCJbOpenArray(js, "toserver");
893  const DetectPort *list =
894  (p == IPPROTO_TCP) ? de_ctx->flow_gh[1].tcp : de_ctx->flow_gh[1].udp;
895  while (list != NULL) {
896  SCJsonBuilder *port = SCJbNewObject();
897  SCJbSetUint(port, "port", list->port);
898  SCJbSetUint(port, "port2", list->port2);
899 
900  SCJsonBuilder *stats =
901  RulesGroupPrintSghStats(de_ctx, list->sh, add_rules, add_mpm_stats);
902  SCJbSetObject(port, "rulegroup", stats);
903  SCJbFree(stats);
904  SCJbClose(port);
905  SCJbAppendObject(js, port);
906  SCJbFree(port);
907 
908  list = list->next;
909  }
910  SCJbClose(js); // toserver array
911 
912  SCJbOpenArray(js, "toclient");
913  list = (p == IPPROTO_TCP) ? de_ctx->flow_gh[0].tcp :
914  de_ctx->flow_gh[0].udp;
915  while (list != NULL) {
916  SCJsonBuilder *port = SCJbNewObject();
917  SCJbSetUint(port, "port", list->port);
918  SCJbSetUint(port, "port2", list->port2);
919 
920  SCJsonBuilder *stats =
921  RulesGroupPrintSghStats(de_ctx, list->sh, add_rules, add_mpm_stats);
922  SCJbSetObject(port, "rulegroup", stats);
923  SCJbFree(stats);
924  SCJbClose(port);
925  SCJbAppendObject(js, port);
926  SCJbFree(port);
927 
928  list = list->next;
929  }
930  SCJbClose(js); // toclient array
931  SCJbClose(js);
932  } else if (p == IPPROTO_ICMP || p == IPPROTO_ICMPV6) {
933  const char *name = (p == IPPROTO_ICMP) ? "icmpv4" : "icmpv6";
934  SCJbOpenObject(js, name);
935  if (de_ctx->flow_gh[1].sgh[p]) {
936  SCJbOpenObject(js, "toserver");
937  SCJsonBuilder *stats = RulesGroupPrintSghStats(
938  de_ctx, de_ctx->flow_gh[1].sgh[p], add_rules, add_mpm_stats);
939  SCJbSetObject(js, "rulegroup", stats);
940  SCJbFree(stats);
941  SCJbClose(js);
942  }
943  if (de_ctx->flow_gh[0].sgh[p]) {
944  SCJbOpenObject(js, "toclient");
945  SCJsonBuilder *stats = RulesGroupPrintSghStats(
946  de_ctx, de_ctx->flow_gh[0].sgh[p], add_rules, add_mpm_stats);
947  SCJbSetObject(js, "rulegroup", stats);
948  SCJbFree(stats);
949  SCJbClose(js);
950  }
951  SCJbClose(js);
952  }
953  }
954  SCJbClose(js);
955 
956  const char *filename = "rule_group.json";
957  const char *log_dir = SCConfigGetLogDirectory();
958  char log_path[PATH_MAX] = "";
959  snprintf(log_path, sizeof(log_path), "%s/%s", log_dir, filename);
960 
961  FILE *fp = fopen(log_path, "w");
962  if (fp != NULL) {
963  fwrite(SCJbPtr(js), SCJbLen(js), 1, fp);
964  (void)fclose(fp);
965  }
966  SCJbFree(js);
967 }
968 
969 static int RulesGroupByIPProto(DetectEngineCtx *de_ctx)
970 {
971  Signature *s = de_ctx->sig_list;
972 
973  SigGroupHead *sgh_ts[256] = {NULL};
974  SigGroupHead *sgh_tc[256] = {NULL};
975 
976  for ( ; s != NULL; s = s->next) {
977  if (s->type == SIG_TYPE_IPONLY)
978  continue;
979 
980  /* traverse over IP protocol list from libc */
981  for (int p = 0; p < 256; p++) {
982  if (p == IPPROTO_TCP || p == IPPROTO_UDP) {
983  continue;
984  }
985 
986  if (!DetectProtoContainsProto(&s->init_data->proto, p)) {
987  continue;
988  }
989 
990  /* Signatures that are ICMP, SCTP, not IP only are handled here */
991  if (s->flags & SIG_FLAG_TOCLIENT) {
992  SigGroupHeadAppendSig(de_ctx, &sgh_tc[p], s);
993  }
994  if (s->flags & SIG_FLAG_TOSERVER) {
995  SigGroupHeadAppendSig(de_ctx, &sgh_ts[p], s);
996  }
997  }
998  }
999 
1000  /* lets look at deduplicating this list */
1001  SigGroupHeadHashFree(de_ctx);
1002  SigGroupHeadHashInit(de_ctx);
1003 
1004  uint32_t cnt = 0;
1005  uint32_t own = 0;
1006  uint32_t ref = 0;
1007  int p;
1008  for (p = 0; p < 256; p++) {
1009  if (p == IPPROTO_TCP || p == IPPROTO_UDP)
1010  continue;
1011  if (sgh_ts[p] == NULL)
1012  continue;
1013 
1014  cnt++;
1015 
1016  SigGroupHead *lookup_sgh = SigGroupHeadHashLookup(de_ctx, sgh_ts[p]);
1017  if (lookup_sgh == NULL) {
1018  SCLogDebug("proto group %d sgh %p is the original", p, sgh_ts[p]);
1019 
1020  SigGroupHeadSetSigCnt(sgh_ts[p], 0);
1021  SigGroupHeadBuildMatchArray(de_ctx, sgh_ts[p], 0);
1022 
1023  SigGroupHeadHashAdd(de_ctx, sgh_ts[p]);
1024  SigGroupHeadStore(de_ctx, sgh_ts[p]);
1025  own++;
1026  } else {
1027  SCLogDebug("proto group %d sgh %p is a copy", p, sgh_ts[p]);
1028 
1029  SigGroupHeadFree(de_ctx, sgh_ts[p]);
1030  sgh_ts[p] = lookup_sgh;
1031  ref++;
1032  }
1033  }
1034  SCLogPerf("OTHER %s: %u proto groups, %u unique SGH's, %u copies",
1035  "toserver", cnt, own, ref);
1036 
1037  cnt = 0;
1038  own = 0;
1039  ref = 0;
1040  for (p = 0; p < 256; p++) {
1041  if (p == IPPROTO_TCP || p == IPPROTO_UDP)
1042  continue;
1043  if (sgh_tc[p] == NULL)
1044  continue;
1045 
1046  cnt++;
1047 
1048  SigGroupHead *lookup_sgh = SigGroupHeadHashLookup(de_ctx, sgh_tc[p]);
1049  if (lookup_sgh == NULL) {
1050  SCLogDebug("proto group %d sgh %p is the original", p, sgh_tc[p]);
1051 
1052  SigGroupHeadSetSigCnt(sgh_tc[p], 0);
1053  SigGroupHeadBuildMatchArray(de_ctx, sgh_tc[p], 0);
1054 
1055  SigGroupHeadHashAdd(de_ctx, sgh_tc[p]);
1056  SigGroupHeadStore(de_ctx, sgh_tc[p]);
1057  own++;
1058 
1059  } else {
1060  SCLogDebug("proto group %d sgh %p is a copy", p, sgh_tc[p]);
1061 
1062  SigGroupHeadFree(de_ctx, sgh_tc[p]);
1063  sgh_tc[p] = lookup_sgh;
1064  ref++;
1065  }
1066  }
1067  SCLogPerf("OTHER %s: %u proto groups, %u unique SGH's, %u copies",
1068  "toclient", cnt, own, ref);
1069 
1070  for (p = 0; p < 256; p++) {
1071  if (p == IPPROTO_TCP || p == IPPROTO_UDP)
1072  continue;
1073 
1074  de_ctx->flow_gh[0].sgh[p] = sgh_tc[p];
1075  de_ctx->flow_gh[1].sgh[p] = sgh_ts[p];
1076  }
1077 
1078  return 0;
1079 }
1080 
1081 static int PortIsPriority(const DetectEngineCtx *de_ctx, const DetectPort *a, int ipproto)
1082 {
1083  DetectPort *w = de_ctx->tcp_priorityports;
1084  if (ipproto == IPPROTO_UDP)
1085  w = de_ctx->udp_priorityports;
1086 
1087  while (w) {
1088  /* Make sure the priority port falls in the port range of a */
1089  DEBUG_VALIDATE_BUG_ON(a->port > a->port2);
1090  if (a->port == w->port && w->port2 == a->port2) {
1091  return 1;
1092  }
1093  w = w->next;
1094  }
1095 
1096  return 0;
1097 }
1098 
1099 static int RuleSetScore(Signature *s)
1100 {
1101  DetectPort *p = NULL;
1102  if (s->flags & SIG_FLAG_TOSERVER)
1103  p = s->dp;
1104  else if (s->flags & SIG_FLAG_TOCLIENT)
1105  p = s->sp;
1106  else
1107  return 0;
1108 
1109  /* for sigs that don't use 'any' as port, see if we want to
1110  * prioritize poor sigs */
1111  int wl = 0;
1112  if (!(p->port == 0 && p->port2 == 65535)) {
1113  /* pure pcre, bytetest, etc rules */
1114  if (RuleInspectsPayloadHasNoMpm(s)) {
1115  SCLogDebug("Rule %u MPM has 1 byte fast_pattern. Prioritizing SGH's.", s->id);
1116  wl = DETECT_PGSCORE_RULE_MPM_FAST_PATTERN;
1117 
1118  } else if (RuleMpmIsNegated(s)) {
1119  SCLogDebug("Rule %u MPM is negated. Prioritizing SGH's.", s->id);
1120  wl = DETECT_PGSCORE_RULE_MPM_NEGATED;
1121 
1122  /* one byte pattern in packet/stream payloads */
1123  } else if (s->init_data->mpm_sm != NULL &&
1124  s->init_data->mpm_sm_list == DETECT_SM_LIST_PMATCH &&
1125  RuleGetMpmPatternSize(s) == 1) {
1126  SCLogDebug("Rule %u No MPM. Payload inspecting. Prioritizing SGH's.", s->id);
1127  wl = DETECT_PGSCORE_RULE_NO_MPM;
1128 
1129  } else if (DetectFlagsSignatureNeedsSynOnlyPackets(s)) {
1130  SCLogDebug("Rule %u Needs SYN, so inspected often. Prioritizing SGH's.", s->id);
1131  wl = DETECT_PGSCORE_RULE_SYN_ONLY;
1132  }
1133  }
1134 
1135  s->init_data->score = wl;
1136  return wl;
1137 }
1138 
1139 static int SortCompare(const void *a, const void *b)
1140 {
1141  const DetectPort *pa = *(const DetectPort **)a;
1142  const DetectPort *pb = *(const DetectPort **)b;
1143 
1144  if (pa->sh->init->score < pb->sh->init->score) {
1145  return 1;
1146  } else if (pa->sh->init->score > pb->sh->init->score) {
1147  return -1;
1148  }
1149 
1150  if (pa->sh->init->sig_cnt < pb->sh->init->sig_cnt) {
1151  return 1;
1152  } else if (pa->sh->init->sig_cnt > pb->sh->init->sig_cnt) {
1153  return -1;
1154  }
1155 
1156  /* Hack to make the qsort output deterministic across platforms.
1157  * This had to be done because the order of equal elements sorted
1158  * by qsort is undeterministic and showed different output on BSD,
1159  * MacOS and Windows. Sorting based on id makes it deterministic. */
1160  if (pa->sh->id < pb->sh->id)
1161  return -1;
1162 
1163  return 1;
1164 }
1165 
1166 static inline void SortGroupList(
1167  uint32_t *groups, DetectPort **list, int (*CompareFunc)(const void *, const void *))
1168 {
1169  int cnt = 0;
1170  for (DetectPort *x = *list; x != NULL; x = x->next) {
1171  DEBUG_VALIDATE_BUG_ON(x->port > x->port2);
1172  cnt++;
1173  }
1174  if (cnt <= 1)
1175  return;
1176 
1177  /* build temporary array to sort with qsort */
1178  DetectPort **array = (DetectPort **)SCCalloc(cnt, sizeof(DetectPort *));
1179  if (array == NULL)
1180  return;
1181 
1182  int idx = 0;
1183  for (DetectPort *x = *list; x != NULL;) {
1184  /* assign a temporary id to resolve otherwise equal groups */
1185  x->sh->id = idx + 1;
1186  SigGroupHeadSetSigCnt(x->sh, 0);
1187  DetectPort *next = x->next;
1188  x->next = x->prev = x->last = NULL;
1189  DEBUG_VALIDATE_BUG_ON(x->port > x->port2);
1190  array[idx++] = x;
1191  x = next;
1192  }
1193  DEBUG_VALIDATE_BUG_ON(cnt != idx);
1194 
1195  qsort(array, idx, sizeof(DetectPort *), SortCompare);
1196 
1197  /* rebuild the list based on the qsort-ed array */
1198  DetectPort *new_list = NULL, *tail = NULL;
1199  for (int i = 0; i < idx; i++) {
1200  DetectPort *p = array[i];
1201  /* unset temporary group id */
1202  p->sh->id = 0;
1203 
1204  if (new_list == NULL) {
1205  new_list = p;
1206  }
1207  if (tail != NULL) {
1208  tail->next = p;
1209  }
1210  p->prev = tail;
1211  tail = p;
1212  }
1213 
1214  *list = new_list;
1215  *groups = idx;
1216 
1217 #if DEBUG
1218  int dbgcnt = 0;
1219  SCLogDebug("SORTED LIST:");
1220  for (DetectPort *tmp = *list; tmp != NULL; tmp = tmp->next) {
1221  SCLogDebug("item:= [%u:%u]; score: %d; sig_cnt: %d", tmp->port, tmp->port2,
1222  tmp->sh->init->score, tmp->sh->init->sig_cnt);
1223  dbgcnt++;
1224  BUG_ON(dbgcnt > cnt);
1225  }
1226 #endif
1227  SCFree(array);
1228 }
1229 /** \internal
1230  * \brief Create a list of DetectPort objects sorted based on CompareFunc's
1231  * logic.
1232  *
1233  * List can limit the number of groups. In this case an extra "join" group
1234  * is created that contains the sigs belonging to that. It's *appended* to
1235  * the list, meaning that if the list is walked linearly it's found last.
1236  * The joingr is meant to be a catch all.
1237  *
1238  */
1239 static int CreateGroupedPortList(DetectEngineCtx *de_ctx, DetectPort *port_list,
1240  DetectPort **newhead, uint32_t unique_groups,
1241  int (*CompareFunc)(const void *, const void *))
1242 {
1243  DetectPort *tmplist = NULL, *joingr = NULL;
1244  uint32_t groups = 0;
1245 
1246  /* insert the ports into the tmplist, where it will
1247  * be sorted descending on 'cnt' and on whether a group
1248  * is prioritized. */
1249  tmplist = port_list;
1250  SortGroupList(&groups, &tmplist, SortCompare);
1251  uint32_t left = unique_groups;
1252  if (left == 0)
1253  left = groups;
1254 
1255  /* create another list: take the port groups from above
1256  * and add them to the 2nd list until we have met our
1257  * count. The rest is added to the 'join' group. */
1258  DetectPort *tmplist2 = NULL, *tmplist2_tail = NULL;
1259  DetectPort *gr, *next_gr;
1260  for (gr = tmplist; gr != NULL;) {
1261  next_gr = gr->next;
1262 
1263  SCLogDebug("temp list gr %p %u:%u", gr, gr->port, gr->port2);
1264  DetectPortPrint(gr);
1265 
1266  /* if we've set up all the unique groups, add the rest to the
1267  * catch-all joingr */
1268  if (left == 0) {
1269  if (joingr == NULL) {
1270  DetectPortParse(de_ctx, &joingr, "0:65535");
1271  if (joingr == NULL) {
1272  goto error;
1273  }
1274  SCLogDebug("joingr => %u-%u", joingr->port, joingr->port2);
1275  joingr->next = NULL;
1276  }
1277  SigGroupHeadCopySigs(de_ctx, gr->sh, &joingr->sh);
1278 
1279  /* when a group's sigs are added to the joingr, we can free it */
1280  gr->next = NULL;
1281  DetectPortFree(de_ctx, gr);
1282  /* append */
1283  } else {
1284  gr->next = NULL;
1285 
1286  if (tmplist2 == NULL) {
1287  tmplist2 = gr;
1288  tmplist2_tail = gr;
1289  } else {
1290  tmplist2_tail->next = gr;
1291  tmplist2_tail = gr;
1292  }
1293  }
1294 
1295  if (left > 0)
1296  left--;
1297 
1298  gr = next_gr;
1299  }
1300 
1301  /* if present, append the joingr that covers the rest */
1302  if (joingr != NULL) {
1303  SCLogDebug("appending joingr %p %u:%u", joingr, joingr->port, joingr->port2);
1304 
1305  if (tmplist2 == NULL) {
1306  tmplist2 = joingr;
1307  // tmplist2_tail = joingr;
1308  } else {
1309  tmplist2_tail->next = joingr;
1310  // tmplist2_tail = joingr;
1311  }
1312  } else {
1313  SCLogDebug("no joingr");
1314  }
1315 
1316  /* pass back our new list to the caller */
1317  *newhead = tmplist2;
1318  DetectPortPrintList(*newhead);
1319 
1320  return 0;
1321 error:
1322  return -1;
1323 }
1324 
1325 #define UNDEFINED_PORT 0
1326 #define RANGE_PORT 1
1327 #define SINGLE_PORT 2
1328 
1329 typedef struct UniquePortPoint_ {
1330  uint16_t port; /* value of the port */
1331  bool single; /* is the port single or part of a range */
1332 } UniquePortPoint;
1333 
1334 /**
1335  * \brief Function to set unique port points. Consider all the ports
1336  * flattened out on one line, set the points that correspond
1337  * to a valid port. Also store whether the port point stored
1338  * was a single port or part of a range.
1339  *
1340  * \param p Port object to be set
1341  * \param unique_list List of unique port points to be updated
1342  * \param size_list Current size of the list
1343  *
1344  * \return Updated size of the list
1345  */
1346 static inline uint32_t SetUniquePortPoints(
1347  const DetectPort *p, uint8_t *unique_list, uint32_t size_list)
1348 {
1349  if (unique_list[p->port] == UNDEFINED_PORT) {
1350  if (p->port == p->port2) {
1351  unique_list[p->port] = SINGLE_PORT;
1352  } else {
1353  unique_list[p->port] = RANGE_PORT;
1354  }
1355  size_list++;
1356  } else if (((unique_list[p->port] == SINGLE_PORT) && (p->port != p->port2)) ||
1357  ((unique_list[p->port] == RANGE_PORT) && (p->port == p->port2))) {
1358  if ((p->port != UINT16_MAX) && (unique_list[p->port + 1] == UNDEFINED_PORT)) {
1359  unique_list[p->port + 1] = RANGE_PORT;
1360  size_list++;
1361  }
1362  }
1363 
1364  /* Treat right boundary as single point to avoid creating unneeded
1365  * ranges later on */
1366  if (unique_list[p->port2] == UNDEFINED_PORT) {
1367  size_list++;
1368  }
1369  unique_list[p->port2] = SINGLE_PORT;
1370  return size_list;
1371 }
1372 
1373 /**
1374  * \brief Function to set the *final* unique port points and save them
1375  * for later use. The points are already sorted because of the way
1376  * they have been retrieved and saved earlier for use at this point.
1377  *
1378  * \param unique_list List of the unique port points to be used
1379  * \param size_unique_arr Number of unique port points
1380  * \param final_arr List of the final unique port points to be created
1381  */
1382 static inline void SetFinalUniquePortPoints(
1383  const uint8_t *unique_list, const uint32_t size_unique_arr, UniquePortPoint *final_arr)
1384 {
1385  for (uint32_t i = 0, j = 0; i < (UINT16_MAX + 1); i++) {
1386  DEBUG_VALIDATE_BUG_ON(j > size_unique_arr);
1387  if (unique_list[i] == RANGE_PORT) {
1388  final_arr[j].port = (uint16_t)i;
1389  final_arr[j++].single = false;
1390  } else if (unique_list[i] == SINGLE_PORT) {
1391  final_arr[j].port = (uint16_t)i;
1392  final_arr[j++].single = true;
1393  }
1394  }
1395 }
1396 
1397 /**
1398  * \brief Function to create the list of ports with the smallest ranges
1399  * by resolving overlaps and end point conditions. These contain the
1400  * correct SGHs as well after going over the interval tree to find
1401  * any range overlaps.
1402  *
1403  * \param de_ctx Detection Engine Context
1404  * \param unique_list Final list of unique port points
1405  * \param size_list Size of the unique_list
1406  * \param it Pointer to the interval tree
1407  * \param list Pointer to the list where final ports will be stored
1408  *
1409  * \return 0 on success, -1 otherwise
1410  */
1411 static inline int CreatePortList(DetectEngineCtx *de_ctx, const uint8_t *unique_list,
1412  const uint32_t size_list, SCPortIntervalTree *it, DetectPort **list)
1413 {
1414  /* Only do the operations if there is at least one unique port */
1415  if (size_list == 0)
1416  return 0;
1417  UniquePortPoint *final_unique_points =
1418  (UniquePortPoint *)SCCalloc(size_list, sizeof(UniquePortPoint));
1419  if (final_unique_points == NULL)
1420  return -1;
1421  SetFinalUniquePortPoints(unique_list, size_list, final_unique_points);
1422  /* Handle edge case when there is just one unique port */
1423  if (size_list == 1) {
1424  SCPortIntervalFindOverlappingRanges(
1425  de_ctx, final_unique_points[0].port, final_unique_points[0].port, &it->tree, list);
1426  } else {
1427  UniquePortPoint *p1 = &final_unique_points[0];
1428  UniquePortPoint *p2 = &final_unique_points[1];
1429  uint16_t port = p1 ? p1->port : 0; // just for cppcheck
1430  uint16_t port2 = p2->port;
1431  for (uint32_t i = 1; i < size_list; i++) {
1432  DEBUG_VALIDATE_BUG_ON(port > port2);
1433  if ((p1 && p1->single) && p2->single) {
1434  SCPortIntervalFindOverlappingRanges(de_ctx, port, port, &it->tree, list);
1435  SCPortIntervalFindOverlappingRanges(de_ctx, port2, port2, &it->tree, list);
1436  port = port2 + 1;
1437  } else if (p1 && p1->single) {
1438  SCPortIntervalFindOverlappingRanges(de_ctx, port, port, &it->tree, list);
1439  if ((port2 > port + 1)) {
1440  SCPortIntervalFindOverlappingRanges(
1441  de_ctx, port + 1, port2 - 1, &it->tree, list);
1442  port = port2;
1443  } else {
1444  port = port + 1;
1445  }
1446  } else if (p2->single) {
1447  /* If port2 is boundary and less or equal to port + 1, create a range
1448  * keeping the boundary away as it is single port */
1449  if ((port2 >= port + 1)) {
1450  SCPortIntervalFindOverlappingRanges(de_ctx, port, port2 - 1, &it->tree, list);
1451  }
1452  /* Deal with port2 as it is a single port */
1453  SCPortIntervalFindOverlappingRanges(de_ctx, port2, port2, &it->tree, list);
1454  port = port2 + 1;
1455  } else {
1456  if ((port2 > port + 1)) {
1457  SCPortIntervalFindOverlappingRanges(de_ctx, port, port2 - 1, &it->tree, list);
1458  port = port2;
1459  } else {
1460  SCPortIntervalFindOverlappingRanges(de_ctx, port, port2, &it->tree, list);
1461  port = port2 + 1;
1462  }
1463  }
1464  /* if the current port matches the p2->port, assign it to p1 so that
1465  * there is a UniquePortPoint object to check other info like whether
1466  * the port with this value is single */
1467  if (port == p2->port) {
1468  p1 = p2;
1469  } else {
1470  p1 = NULL;
1471  }
1472  if (i + 1 < size_list) {
1473  p2 = &final_unique_points[i + 1];
1474  port2 = p2->port;
1475  }
1476  }
1477  }
1478  /* final_unique_points array is no longer needed */
1479  SCFree(final_unique_points);
1480  return 0;
1481 }
1482 
1483 static bool SigIsEthernet(const Signature *s)
1484 {
1485  return ((s->init_data->proto.flags & DETECT_PROTO_ETHERNET));
1486 }
1487 
1488 static bool SigIsEthernetAddToIP(const Signature *s)
1489 {
1490  /* ARP and IP are mutually exclusive, so don't add an ARP rule
1491  * to IP groups. */
1492  if (s->init_data->proto.flags & DETECT_PROTO_ARP) {
1493  SCLogDebug("rule %u: ARP is not for IP", s->id);
1494  return false;
1495  }
1496 
1497  /* all other Ethernet may be IP as well, so add to these groups. */
1498  return true;
1499 }
1500 
1501 static bool SigIsEthernetAddToNonIP(const Signature *s)
1502 {
1503  /* add all Ethernet sigs to the Non IP group as there isn't enough
1504  * info to know for sure if they are looking for IP traffic or not. */
1505  return (SigIsEthernet(s));
1506 }
1507 
1508 static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, uint8_t ipproto, uint32_t direction)
1509 {
1510  /* step 1: create a hash of 'DetectPort' objects based on all the
1511  * rules. Each object will have a SGH with the sigs added
1512  * that belong to the SGH. */
1513  DetectPortHashInit(de_ctx);
1514 
1515  uint32_t size_unique_port_arr = 0;
1516  const Signature *s = de_ctx->sig_list;
1517  DetectPort *list = NULL;
1518 
1519  uint8_t *unique_port_points = (uint8_t *)SCCalloc(UINT16_MAX + 1, sizeof(uint8_t));
1520  if (unique_port_points == NULL)
1521  return NULL;
1522 
1523  while (s) {
1524  /* IP Only rules are handled separately */
1525  if (s->type == SIG_TYPE_IPONLY)
1526  goto next;
1527 
1528  if (SigIsEthernet(s)) {
1529  if (!SigIsEthernetAddToIP(s)) {
1530  SCLogDebug("rule %u: not for IP", s->id);
1531  goto next;
1532  }
1533  SCLogDebug("rule %u: add ethernet rule to IP group", s->id);
1534  } else {
1535  /* Protocol does not match the Signature protocol and is non of IP, pkthdr */
1536  if (!DetectProtoContainsProto(&s->init_data->proto, ipproto)) {
1537  SCLogDebug("skip");
1538  goto next;
1539  }
1540  /* Direction does not match Signature direction */
1541  if (direction == SIG_FLAG_TOSERVER) {
1542  if (!(s->flags & SIG_FLAG_TOSERVER))
1543  goto next;
1544  } else if (direction == SIG_FLAG_TOCLIENT) {
1545  if (!(s->flags & SIG_FLAG_TOCLIENT))
1546  goto next;
1547  }
1548 
1549  /* see if we want to exclude directionless sigs that really care only for
1550  * to_server syn scans/floods */
1551  if ((direction == SIG_FLAG_TOCLIENT) && DetectFlagsSignatureNeedsSynOnlyPackets(s) &&
1552  ((s->flags & (SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT)) ==
1553  (SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT)) &&
1554  (!(s->dp->port == 0 && s->dp->port2 == 65535))) {
1555  SCLogWarning("rule %u: SYN-only to port(s) %u:%u "
1556  "w/o direction specified, disabling for toclient direction",
1557  s->id, s->dp->port, s->dp->port2);
1558  goto next;
1559  }
1560  }
1561 
1562  DetectPort *p = NULL;
1563  if (direction == SIG_FLAG_TOSERVER)
1564  p = s->dp;
1565  else if (direction == SIG_FLAG_TOCLIENT)
1566  p = s->sp;
1567  else
1568  BUG_ON(1);
1569 
1570  int wl = s->init_data->score;
1571  while (p) {
1572  int pwl = PortIsPriority(de_ctx, p, ipproto) ? DETECT_PGSCORE_RULE_PORT_PRIORITIZED : 0;
1573  pwl = MAX(wl,pwl);
1574 
1575  DetectPort *lookup = DetectPortHashLookup(de_ctx, p);
1576  if (lookup) {
1577  SigGroupHeadAppendSig(de_ctx, &lookup->sh, s);
1578  lookup->sh->init->score = MAX(lookup->sh->init->score, pwl);
1579  } else {
1580  DetectPort *tmp2 = DetectPortCopySingle(de_ctx, p);
1581  BUG_ON(tmp2 == NULL);
1582  SigGroupHeadAppendSig(de_ctx, &tmp2->sh, s);
1583  tmp2->sh->init->score = pwl;
1584  DetectPortHashAdd(de_ctx, tmp2);
1585  size_unique_port_arr =
1586  SetUniquePortPoints(tmp2, unique_port_points, size_unique_port_arr);
1587  }
1588 
1589  p = p->next;
1590  }
1591  next:
1592  s = s->next;
1593  }
1594 
1595  /* step 2: create a list of the smallest port ranges with
1596  * appropriate SGHs */
1597 
1598  /* Create an interval tree of all the given ports to make the search
1599  * for overlaps later on easier */
1600  SCPortIntervalTree *it = SCPortIntervalTreeInit();
1601  if (it == NULL)
1602  goto error;
1603 
1604  HashListTableBucket *htb = NULL;
1605  for (htb = HashListTableGetListHead(de_ctx->dport_hash_table); htb != NULL;
1606  htb = HashListTableGetListNext(htb)) {
1607  DetectPort *p = HashListTableGetListData(htb);
1608  if (SCPortIntervalInsert(de_ctx, it, p) != SC_OK) {
1609  SCLogDebug("Port was not inserted in the tree");
1610  goto error;
1611  }
1612  }
1613 
1614  /* Create a sorted list of ports in ascending order after resolving overlaps
1615  * and corresponding SGHs */
1616  if (CreatePortList(de_ctx, unique_port_points, size_unique_port_arr, it, &list) < 0)
1617  goto error;
1618 
1619  /* unique_port_points array is no longer needed */
1620  SCFree(unique_port_points);
1621 
1622  /* Port hashes are no longer needed */
1623  DetectPortHashFree(de_ctx);
1624 
1625  SCLogDebug("rules analyzed");
1626 
1627  /* step 3: group the list and shrink it if necessary */
1628  DetectPort *newlist = NULL;
1629  uint16_t groupmax = (direction == SIG_FLAG_TOCLIENT) ? de_ctx->max_uniq_toclient_groups :
1630  de_ctx->max_uniq_toserver_groups;
1631  CreateGroupedPortList(de_ctx, list, &newlist, groupmax, SortCompare);
1632  list = newlist;
1633 
1634  /* step 4: deduplicate the SGH's */
1635  SigGroupHeadHashFree(de_ctx);
1636  SigGroupHeadHashInit(de_ctx);
1637 
1638  uint32_t cnt = 0;
1639  uint32_t own = 0;
1640  uint32_t ref = 0;
1641  DetectPort *iter;
1642  for (iter = list ; iter != NULL; iter = iter->next) {
1643  BUG_ON (iter->sh == NULL);
1644  DEBUG_VALIDATE_BUG_ON(own + ref != cnt);
1645  cnt++;
1646 
1647  SigGroupHead *lookup_sgh = SigGroupHeadHashLookup(de_ctx, iter->sh);
1648  if (lookup_sgh == NULL) {
1649  SCLogDebug("port group %p sgh %p is the original", iter, iter->sh);
1650 
1651  SigGroupHeadSetSigCnt(iter->sh, 0);
1652  SigGroupHeadBuildMatchArray(de_ctx, iter->sh, 0);
1653  SigGroupHeadSetProtoAndDirection(iter->sh, ipproto, direction);
1654  SigGroupHeadHashAdd(de_ctx, iter->sh);
1655  SigGroupHeadStore(de_ctx, iter->sh);
1656  iter->flags |= PORT_SIGGROUPHEAD_COPY;
1657  own++;
1658  } else {
1659  SCLogDebug("port group %p sgh %p is a copy", iter, iter->sh);
1660 
1661  SigGroupHeadFree(de_ctx, iter->sh);
1662  iter->sh = lookup_sgh;
1663  iter->flags |= PORT_SIGGROUPHEAD_COPY;
1664  ref++;
1665  }
1666  }
1667 #if 0
1668  for (iter = list ; iter != NULL; iter = iter->next) {
1669  SCLogInfo("PORT %u-%u %p (sgh=%s, prioritized=%s/%d)",
1670  iter->port, iter->port2, iter->sh,
1671  iter->flags & PORT_SIGGROUPHEAD_COPY ? "ref" : "own",
1672  iter->sh->init->score ? "true" : "false",
1673  iter->sh->init->score);
1674  }
1675 #endif
1676  SCLogPerf("%s %s: %u port groups, %u unique SGH's, %u copies",
1677  ipproto == 6 ? "TCP" : "UDP",
1678  direction == SIG_FLAG_TOSERVER ? "toserver" : "toclient",
1679  cnt, own, ref);
1680  SCPortIntervalTreeFree(de_ctx, it);
1681  return list;
1682 
1683 error:
1684  if (unique_port_points != NULL)
1685  SCFree(unique_port_points);
1686  if (it != NULL)
1687  SCPortIntervalTreeFree(de_ctx, it);
1688 
1689  return NULL;
1690 }
1691 
1692 void SignatureSetType(DetectEngineCtx *de_ctx, Signature *s)
1693 {
1694  BUG_ON(s->type != SIG_TYPE_NOT_SET);
1695  int iponly = 0;
1696 
1697  if (s->init_data->hook.type == SIGNATURE_HOOK_TYPE_APP) {
1698  s->type = SIG_TYPE_APP_TX;
1699  SCLogDebug("%u: set to app_tx due to hook type app", s->id);
1700  SCReturn;
1701  }
1702 
1703  if (s->init_data->proto.flags & DETECT_PROTO_ETHERNET) {
1704  s->type = SIG_TYPE_PKT;
1705 
1706  /* see if the sig is dp only */
1707  } else if (SignatureIsPDOnly(de_ctx, s) == 1) {
1708  s->type = SIG_TYPE_PDONLY;
1709 
1710  /* see if the sig is ip only */
1711  } else if ((iponly = SignatureIsIPOnly(de_ctx, s)) > 0) {
1712  if (iponly == 1) {
1713  s->type = SIG_TYPE_IPONLY;
1714  } else if (iponly == 2) {
1715  s->type = SIG_TYPE_LIKE_IPONLY;
1716  }
1717  } else if (SignatureIsDEOnly(de_ctx, s) == 1) {
1718  s->type = SIG_TYPE_DEONLY;
1719 
1720  } else {
1721  const bool has_match = s->init_data->smlists[DETECT_SM_LIST_MATCH] != NULL;
1722  const bool has_pmatch = s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL;
1723  bool has_buffer_frame_engine = false;
1724  bool has_buffer_packet_engine = false;
1725  bool has_buffer_app_engine = false;
1726 
1727  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
1728  const uint32_t id = s->init_data->buffers[x].id;
1729 
1730  if (DetectEngineBufferTypeSupportsPacketGetById(de_ctx, id)) {
1731  has_buffer_packet_engine = true;
1732  } else if (DetectEngineBufferTypeSupportsFramesGetById(de_ctx, id)) {
1733  has_buffer_frame_engine = true;
1734  } else {
1735  has_buffer_app_engine = true;
1736  }
1737  }
1738 
1739  if (has_buffer_packet_engine) {
1740  s->type = SIG_TYPE_PKT;
1741  } else if (has_buffer_frame_engine || has_buffer_app_engine) {
1742  s->type = SIG_TYPE_APP_TX;
1743  } else if (has_pmatch) {
1744  if ((s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM)) ==
1745  SIG_FLAG_REQUIRE_PACKET) {
1746  s->type = SIG_TYPE_PKT;
1747  } else if ((s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM)) ==
1748  SIG_FLAG_REQUIRE_STREAM) {
1749  s->type = SIG_TYPE_STREAM;
1750  } else {
1751  s->type = SIG_TYPE_PKT_STREAM;
1752  }
1753  } else if (has_match) {
1754  s->type = SIG_TYPE_PKT;
1755 
1756  /* app-layer but no inspect engines */
1757  } else if (s->flags & SIG_FLAG_APPLAYER) {
1758  s->type = SIG_TYPE_APPLAYER;
1759  } else {
1760  s->type = SIG_TYPE_PKT;
1761  }
1762  }
1763 }
1764 
1765 /**
1766  * \brief Preprocess signature, classify ip-only, etc, build sig array
1767  *
1768  * \param de_ctx Pointer to the Detection Engine Context
1769  *
1770  * \retval 0 on success
1771  * \retval -1 on failure
1772  */
1773 int SigPrepareStage1(DetectEngineCtx *de_ctx)
1774 {
1775  uint32_t cnt_iponly = 0;
1776  uint32_t cnt_payload = 0;
1777  uint32_t cnt_packet = 0;
1778  uint32_t cnt_packet_stream = 0;
1779  uint32_t cnt_applayer = 0;
1780  uint32_t cnt_deonly = 0;
1781 
1782  if (!(de_ctx->flags & DE_QUIET)) {
1783  SCLogDebug("building signature grouping structure, stage 1: "
1784  "preprocessing rules...");
1785  }
1786 
1787  de_ctx->sig_array_len = DetectEngineGetMaxSigId(de_ctx);
1788  de_ctx->sig_array = (Signature **)SCCalloc(de_ctx->sig_array_len, sizeof(Signature *));
1789  if (de_ctx->sig_array == NULL)
1790  goto error;
1791 
1792  /* now for every rule add the source group */
1793  for (Signature *s = de_ctx->sig_list; s != NULL; s = s->next) {
1794  de_ctx->sig_array[s->iid] = s;
1795 
1796  SCLogDebug("Signature %" PRIu32 ", internal id %" PRIu32 ", ptrs %p %p ", s->id, s->iid, s,
1797  de_ctx->sig_array[s->iid]);
1798 
1799  if (s->type == SIG_TYPE_PDONLY) {
1800  SCLogDebug("Signature %"PRIu32" is considered \"PD only\"", s->id);
1801  } else if (s->type == SIG_TYPE_IPONLY) {
1802  SCLogDebug("Signature %"PRIu32" is considered \"IP only\"", s->id);
1803  cnt_iponly++;
1804  } else if (SignatureIsInspectingPayload(de_ctx, s) == 1) {
1805  SCLogDebug("Signature %"PRIu32" is considered \"Payload inspecting\"", s->id);
1806  cnt_payload++;
1807  } else if (s->type == SIG_TYPE_PKT) {
1808  SCLogDebug("Signature %" PRIu32 " is considered \"Packet inspecting\"", s->id);
1809  cnt_packet++;
1810  } else if (s->type == SIG_TYPE_PKT_STREAM) {
1811  SCLogDebug("Signature %" PRIu32 " is considered \"Packet-stream inspecting\"", s->id);
1812  cnt_packet_stream++;
1813  } else if (s->type == SIG_TYPE_DEONLY) {
1814  SCLogDebug("Signature %"PRIu32" is considered \"Decoder Event only\"", s->id);
1815  cnt_deonly++;
1816  } else if (s->flags & SIG_FLAG_APPLAYER) {
1817  SCLogDebug("Signature %"PRIu32" is considered \"Applayer inspecting\"", s->id);
1818  cnt_applayer++;
1819  }
1820 
1821 #ifdef DEBUG
1822  if (SCLogDebugEnabled()) {
1823  uint16_t colen = 0;
1824  char copresent = 0;
1825  SigMatch *sm;
1826  DetectContentData *co;
1827  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH]; sm != NULL; sm = sm->next) {
1828  if (sm->type != DETECT_CONTENT)
1829  continue;
1830 
1831  copresent = 1;
1832  co = (DetectContentData *)sm->ctx;
1833  if (co->content_len > colen)
1834  colen = co->content_len;
1835  }
1836 
1837  if (copresent && colen == 1) {
1838  SCLogDebug("signature %8u content maxlen 1", s->id);
1839  for (int proto = 0; proto < 256; proto++) {
1840  if (s->init_data->proto.proto[(proto / 8)] & (1 << (proto % 8)))
1841  SCLogDebug("=> proto %" PRId32 "", proto);
1842  }
1843  }
1844  }
1845 #endif /* DEBUG */
1846 
1847  if (RuleMpmIsNegated(s)) {
1848  s->flags |= SIG_FLAG_MPM_NEG;
1849  }
1850 
1851  SignatureCreateMask(s);
1852  DetectContentPropagateLimits(s);
1853  SigParseApplyDsizeToContent(s);
1854 
1855  RuleSetScore(s);
1856 
1857  /* run buffer type callbacks if any */
1858  for (int x = 0; x < DETECT_SM_LIST_MAX; x++) {
1859  if (s->init_data->smlists[x])
1860  DetectEngineBufferRunSetupCallback(de_ctx, x, s);
1861  }
1862  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
1863  DetectEngineBufferRunSetupCallback(de_ctx, s->init_data->buffers[x].id, s);
1864  }
1865 
1866  de_ctx->sig_cnt++;
1867  }
1868 
1869  if (!(de_ctx->flags & DE_QUIET)) {
1870  if (strlen(de_ctx->config_prefix) > 0)
1871  SCLogInfo("tenant id %d: %" PRIu32 " signatures processed. %" PRIu32 " are IP-only "
1872  "rules, %" PRIu32 " are inspecting packet payload, %" PRIu32
1873  " inspect application layer, %" PRIu32 " are decoder event only, %" PRIu32
1874  " are packet inspecting,"
1875  " %" PRIu32 " are packet-stream inspecting",
1876  de_ctx->tenant_id, de_ctx->sig_cnt, cnt_iponly, cnt_payload, cnt_applayer,
1877  cnt_deonly, cnt_packet, cnt_packet_stream);
1878  else
1879  SCLogInfo("%" PRIu32 " signatures processed. %" PRIu32 " are IP-only "
1880  "rules, %" PRIu32 " are inspecting packet payload, %" PRIu32
1881  " inspect application layer, %" PRIu32 " are decoder event only %" PRIu32
1882  " are packet inspecting,"
1883  " %" PRIu32 " are packet-stream inspecting",
1884  de_ctx->sig_cnt, cnt_iponly, cnt_payload, cnt_applayer, cnt_deonly, cnt_packet,
1885  cnt_packet_stream);
1886 
1887  SCLogConfig("building signature grouping structure, stage 1: "
1888  "preprocessing rules... complete");
1889  }
1890 
1891  if (DetectFlowbitsAnalyze(de_ctx) != 0)
1892  goto error;
1893 
1894  return 0;
1895 
1896 error:
1897  return -1;
1898 }
1899 
1900 /**
1901  * \internal
1902  * \brief add a decoder event signature to the detection engine ctx
1903  */
1904 static void DetectEngineAddDecoderEventSig(DetectEngineCtx *de_ctx, Signature *s)
1905 {
1906  SCLogDebug("adding signature %"PRIu32" to the decoder event sgh", s->id);
1907  SigGroupHeadAppendSig(de_ctx, &de_ctx->decoder_event_sgh, s);
1908 }
1909 
1910 static void DetectEngineAddEthernetSig(DetectEngineCtx *de_ctx, Signature *s)
1911 {
1912  SCLogDebug("adding signature %" PRIu32 " to the eth non ip sgh", s->id);
1913  SigGroupHeadAppendSig(de_ctx, &de_ctx->eth_non_ip_sgh, s);
1914 }
1915 
1916 static void DetectEngineAddSigToPreStreamHook(DetectEngineCtx *de_ctx, Signature *s)
1917 {
1918  SCLogDebug("adding signature %" PRIu32 " to the pre_stream hook sgh", s->id);
1919 
1920  if ((s->flags & (SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT)) ==
1921  (SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT)) {
1922  SigGroupHeadAppendSig(de_ctx, &de_ctx->pre_stream_sgh[0], s);
1923  SigGroupHeadAppendSig(de_ctx, &de_ctx->pre_stream_sgh[1], s);
1924  } else if (s->flags & SIG_FLAG_TOSERVER) {
1925  SigGroupHeadAppendSig(de_ctx, &de_ctx->pre_stream_sgh[0], s);
1926  } else if (s->flags & SIG_FLAG_TOCLIENT) {
1927  SigGroupHeadAppendSig(de_ctx, &de_ctx->pre_stream_sgh[1], s);
1928  }
1929 }
1930 
1931 static void DetectEngineAddSigToPreFlowHook(DetectEngineCtx *de_ctx, Signature *s)
1932 {
1933  SCLogDebug("adding signature %" PRIu32 " to the pre_flow hook sgh", s->id);
1934  SigGroupHeadAppendSig(de_ctx, &de_ctx->pre_flow_sgh, s);
1935 }
1936 
1937 /**
1938  * \brief Fill the global src group head, with the sigs included
1939  *
1940  * \param de_ctx Pointer to the Detection Engine Context whose Signatures have
1941  * to be processed
1942  *
1943  * \retval 0 On success
1944  * \retval -1 On failure
1945  */
1946 int SigPrepareStage2(DetectEngineCtx *de_ctx)
1947 {
1948  SCLogDebug("building signature grouping structure, stage 2: "
1949  "building source address lists...");
1950 
1951  IPOnlyInit(de_ctx, &de_ctx->io_ctx);
1952 
1953  de_ctx->flow_gh[1].tcp = RulesGroupByPorts(de_ctx, IPPROTO_TCP, SIG_FLAG_TOSERVER);
1954  de_ctx->flow_gh[0].tcp = RulesGroupByPorts(de_ctx, IPPROTO_TCP, SIG_FLAG_TOCLIENT);
1955  de_ctx->flow_gh[1].udp = RulesGroupByPorts(de_ctx, IPPROTO_UDP, SIG_FLAG_TOSERVER);
1956  de_ctx->flow_gh[0].udp = RulesGroupByPorts(de_ctx, IPPROTO_UDP, SIG_FLAG_TOCLIENT);
1957 
1958  /* Setup the other IP Protocols (so not TCP/UDP) */
1959  RulesGroupByIPProto(de_ctx);
1960 
1961  /* now for every rule add the source group to our temp lists */
1962  for (Signature *s = de_ctx->sig_list; s != NULL; s = s->next) {
1963  SCLogDebug("s->id %"PRIu32, s->id);
1964  if (s->type == SIG_TYPE_IPONLY) {
1965  IPOnlyAddSignature(de_ctx, &de_ctx->io_ctx, s);
1966  } else if (s->type == SIG_TYPE_DEONLY) {
1967  DetectEngineAddDecoderEventSig(de_ctx, s);
1968  } else if (s->type == SIG_TYPE_PKT && s->init_data->hook.type == SIGNATURE_HOOK_TYPE_PKT &&
1969  s->init_data->hook.t.pkt.ph == SIGNATURE_HOOK_PKT_PRE_STREAM) {
1970  DetectEngineAddSigToPreStreamHook(de_ctx, s);
1971  } else if (s->type == SIG_TYPE_PKT && s->init_data->hook.type == SIGNATURE_HOOK_TYPE_PKT &&
1972  s->init_data->hook.t.pkt.ph == SIGNATURE_HOOK_PKT_PRE_FLOW) {
1973  DetectEngineAddSigToPreFlowHook(de_ctx, s);
1974  }
1975 
1976  /* add ethernet sigs and decoder events to the ethernet sgh */
1977  if ((s->type == SIG_TYPE_PKT && SigIsEthernetAddToNonIP(s)) || s->type == SIG_TYPE_DEONLY ||
1978  (s->init_data->proto.flags & DETECT_PROTO_L2_ANY)) {
1979  // ethernet
1980  SCLogDebug("rule: %u: add to non-IP", s->id);
1981  DetectEngineAddEthernetSig(de_ctx, s);
1982  }
1983  }
1984 
1985  IPOnlyPrepare(de_ctx);
1986  IPOnlyPrint(de_ctx, &de_ctx->io_ctx);
1987  return 0;
1988 }
1989 
1990 static void DetectEngineBuildDecoderEventSgh(DetectEngineCtx *de_ctx)
1991 {
1992  if (de_ctx->decoder_event_sgh == NULL)
1993  return;
1994 
1995  uint32_t max_idx = DetectEngineGetMaxSigId(de_ctx);
1996  SigGroupHeadSetSigCnt(de_ctx->decoder_event_sgh, max_idx);
1997  SigGroupHeadBuildMatchArray(de_ctx, de_ctx->decoder_event_sgh, max_idx);
1998 }
1999 
2000 static void DetectEngineBuildPreStreamHookSghs(DetectEngineCtx *de_ctx)
2001 {
2002  uint32_t max_idx = DetectEngineGetMaxSigId(de_ctx);
2003  if (de_ctx->pre_stream_sgh[0] != NULL) {
2004  SigGroupHeadSetSigCnt(de_ctx->pre_stream_sgh[0], max_idx);
2005  SigGroupHeadBuildMatchArray(de_ctx, de_ctx->pre_stream_sgh[0], max_idx);
2006  PrefilterSetupRuleGroup(de_ctx, de_ctx->pre_stream_sgh[0]);
2007  }
2008  if (de_ctx->pre_stream_sgh[1] != NULL) {
2009  SigGroupHeadSetSigCnt(de_ctx->pre_stream_sgh[1], max_idx);
2010  SigGroupHeadBuildMatchArray(de_ctx, de_ctx->pre_stream_sgh[1], max_idx);
2011  PrefilterSetupRuleGroup(de_ctx, de_ctx->pre_stream_sgh[1]);
2012  }
2013 
2014  if (de_ctx->pre_stream_sgh[0] != NULL || de_ctx->pre_stream_sgh[1] != NULL) {
2015  de_ctx->PreStreamHook = DetectPreStream;
2016  }
2017 }
2018 
2019 static void DetectEngineBuildPreFlowHookSghs(DetectEngineCtx *de_ctx)
2020 {
2021  if (de_ctx->pre_flow_sgh != NULL) {
2022  uint32_t max_idx = DetectEngineGetMaxSigId(de_ctx);
2023  SigGroupHeadSetSigCnt(de_ctx->pre_flow_sgh, max_idx);
2024  SigGroupHeadBuildMatchArray(de_ctx, de_ctx->pre_flow_sgh, max_idx);
2025  PrefilterSetupRuleGroup(de_ctx, de_ctx->pre_flow_sgh);
2026  de_ctx->PreFlowHook = DetectPreFlow;
2027  }
2028 }
2029 
2030 static void DetectEngineBuildEthernetNonIPSgh(DetectEngineCtx *de_ctx)
2031 {
2032  if (de_ctx->eth_non_ip_sgh != NULL) {
2033  const uint32_t max_idx = DetectEngineGetMaxSigId(de_ctx);
2034  SigGroupHeadSetSigCnt(de_ctx->eth_non_ip_sgh, max_idx);
2035  SigGroupHeadBuildMatchArray(de_ctx, de_ctx->eth_non_ip_sgh, max_idx);
2036  PrefilterSetupRuleGroup(de_ctx, de_ctx->eth_non_ip_sgh);
2037  }
2038 }
2039 
2040 int SigPrepareStage3(DetectEngineCtx *de_ctx)
2041 {
2042  /* prepare the decoder event sgh */
2043  DetectEngineBuildDecoderEventSgh(de_ctx);
2044 
2045  /* pre_flow hook sgh */
2046  DetectEngineBuildPreFlowHookSghs(de_ctx);
2047 
2048  /* pre_stream hook sghs */
2049  DetectEngineBuildPreStreamHookSghs(de_ctx);
2050 
2051  /* Ethernet Non IP */
2052  DetectEngineBuildEthernetNonIPSgh(de_ctx);
2053 
2054  return 0;
2055 }
2056 
2057 int SigAddressCleanupStage1(DetectEngineCtx *de_ctx)
2058 {
2059  BUG_ON(de_ctx == NULL);
2060 
2061  SCLogDebug("cleaning up signature grouping structure...");
2062 
2063  if (de_ctx->eth_non_ip_sgh)
2064  SigGroupHeadFree(de_ctx, de_ctx->eth_non_ip_sgh);
2065  if (de_ctx->decoder_event_sgh)
2066  SigGroupHeadFree(de_ctx, de_ctx->decoder_event_sgh);
2067  de_ctx->decoder_event_sgh = NULL;
2068  if (de_ctx->pre_flow_sgh)
2069  SigGroupHeadFree(de_ctx, de_ctx->pre_flow_sgh);
2070  de_ctx->pre_flow_sgh = NULL;
2071  if (de_ctx->pre_stream_sgh[0])
2072  SigGroupHeadFree(de_ctx, de_ctx->pre_stream_sgh[0]);
2073  de_ctx->pre_stream_sgh[0] = NULL;
2074  if (de_ctx->pre_stream_sgh[1])
2075  SigGroupHeadFree(de_ctx, de_ctx->pre_stream_sgh[1]);
2076  de_ctx->pre_stream_sgh[1] = NULL;
2077 
2078  for (int f = 0; f < FLOW_STATES; f++) {
2079  for (int p = 0; p < 256; p++) {
2080  de_ctx->flow_gh[f].sgh[p] = NULL;
2081  }
2082 
2083  /* free lookup lists */
2084  DetectPortCleanupList(de_ctx, de_ctx->flow_gh[f].tcp);
2085  de_ctx->flow_gh[f].tcp = NULL;
2086  DetectPortCleanupList(de_ctx, de_ctx->flow_gh[f].udp);
2087  de_ctx->flow_gh[f].udp = NULL;
2088  }
2089 
2090  for (uint32_t idx = 0; idx < de_ctx->sgh_array_cnt; idx++) {
2091  SigGroupHead *sgh = de_ctx->sgh_array[idx];
2092  if (sgh == NULL)
2093  continue;
2094 
2095  SCLogDebug("sgh %p", sgh);
2096  SigGroupHeadFree(de_ctx, sgh);
2097  }
2098  SCFree(de_ctx->sgh_array);
2099  de_ctx->sgh_array = NULL;
2100  de_ctx->sgh_array_cnt = 0;
2101  de_ctx->sgh_array_size = 0;
2102 
2103  IPOnlyDeinit(de_ctx, &de_ctx->io_ctx);
2104 
2105  SCLogDebug("cleaning up signature grouping structure... complete");
2106  return 0;
2107 }
2108 
2109 #if 0
2110 static void DbgPrintSigs(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
2111 {
2112  if (sgh == NULL) {
2113  printf("\n");
2114  return;
2115  }
2116 
2117  uint32_t sig;
2118  for (sig = 0; sig < sgh->sig_cnt; sig++) {
2119  printf("%" PRIu32 " ", sgh->match_array[sig]->id);
2120  }
2121  printf("\n");
2122 }
2123 
2124 static void DbgPrintSigs2(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
2125 {
2126  if (sgh == NULL || sgh->init == NULL) {
2127  printf("\n");
2128  return;
2129  }
2130 
2131  uint32_t sig;
2132  for (sig = 0; sig < DetectEngineGetMaxSigId(de_ctx); sig++) {
2133  if (sgh->init->sig_array[(sig/8)] & (1<<(sig%8))) {
2134  printf("%" PRIu32 " ", de_ctx->sig_array[sig]->id);
2135  }
2136  }
2137  printf("\n");
2138 }
2139 #endif
2140 
2141 /** \brief finalize preparing sgh's */
2142 int SigPrepareStage4(DetectEngineCtx *de_ctx)
2143 {
2144  SCEnter();
2145 
2146  //SCLogInfo("sgh's %"PRIu32, de_ctx->sgh_array_cnt);
2147 
2148  uint32_t cnt = 0;
2149  for (uint32_t idx = 0; idx < de_ctx->sgh_array_cnt; idx++) {
2150  SigGroupHead *sgh = de_ctx->sgh_array[idx];
2151  if (sgh == NULL)
2152  continue;
2153 
2154  SCLogDebug("sgh %p", sgh);
2155 
2156  SigGroupHeadSetupFiles(de_ctx, sgh);
2157  SCLogDebug("filestore count %u", sgh->filestore_cnt);
2158 
2159  PrefilterSetupRuleGroup(de_ctx, sgh);
2160 
2161  sgh->id = idx;
2162  cnt++;
2163  }
2164  SCLogPerf("Unique rule groups: %u", cnt);
2165 
2166  MpmStoreReportStats(de_ctx);
2167 
2168  if (de_ctx->decoder_event_sgh != NULL) {
2169  /* no need to set filestore count here as that would make a
2170  * signature not decode event only. */
2171  PrefilterSetupRuleGroup(de_ctx, de_ctx->decoder_event_sgh);
2172  }
2173 
2174  int dump_grouping = 0;
2175  (void)SCConfGetBool("detect.profiling.grouping.dump-to-disk", &dump_grouping);
2176 
2177  if (dump_grouping) {
2178  int add_rules = 0;
2179  (void)SCConfGetBool("detect.profiling.grouping.include-rules", &add_rules);
2180  int add_mpm_stats = 0;
2181  (void)SCConfGetBool("detect.profiling.grouping.include-mpm-stats", &add_mpm_stats);
2182 
2183  RulesDumpGrouping(de_ctx, add_rules, add_mpm_stats);
2184  }
2185 
2186  for (uint32_t idx = 0; idx < de_ctx->sgh_array_cnt; idx++) {
2187  SigGroupHead *sgh = de_ctx->sgh_array[idx];
2188  if (sgh == NULL)
2189  continue;
2190  SigGroupHeadInitDataFree(sgh->init);
2191  sgh->init = NULL;
2192  }
2193  /* cleanup the hashes now since we won't need them
2194  * after the initialization phase. */
2195  SigGroupHeadHashFree(de_ctx);
2196 
2197 #ifdef PROFILING
2198  SCProfilingSghInitCounters(de_ctx);
2199 #endif
2200  SCReturnInt(0);
2201 }
2202 
2203 extern bool rule_engine_analysis_set;
2204 /** \internal
2205  * \brief perform final per signature setup tasks
2206  *
2207  * - Create SigMatchData arrays from the init only SigMatch lists
2208  * - Setup per signature inspect engines
2209  * - remove signature init data.
2210  */
2211 static int SigMatchPrepare(DetectEngineCtx *de_ctx)
2212 {
2213  SCEnter();
2214 
2215  Signature *s = de_ctx->sig_list;
2216  for (; s != NULL; s = s->next) {
2217  /* set up inspect engines */
2218  DetectEngineAppInspectionEngine2Signature(de_ctx, s);
2219 
2220  /* built-ins */
2221  for (int type = 0; type < DETECT_SM_LIST_MAX; type++) {
2222  /* skip PMATCH if it is used in a stream 'app engine' instead */
2223  if (type == DETECT_SM_LIST_PMATCH && (s->init_data->init_flags & SIG_FLAG_INIT_STATE_MATCH))
2224  continue;
2225  SigMatch *sm = s->init_data->smlists[type];
2226  s->sm_arrays[type] = SigMatchList2DataArray(sm);
2227  }
2228  /* set up the pkt inspection engines */
2229  DetectEnginePktInspectionSetup(s);
2230 
2231  if (rule_engine_analysis_set) {
2232  EngineAnalysisAddAllRulePatterns(de_ctx, s);
2233  EngineAnalysisRules2(de_ctx, s);
2234  }
2235  /* free lists. Ctx' are xferred to sm_arrays so won't get freed */
2236  for (uint32_t i = 0; i < DETECT_SM_LIST_MAX; i++) {
2237  SigMatch *sm = s->init_data->smlists[i];
2238  while (sm != NULL) {
2239  SigMatch *nsm = sm->next;
2240  SigMatchFree(de_ctx, sm);
2241  sm = nsm;
2242  }
2243  }
2244  for (uint32_t i = 0; i < (uint32_t)s->init_data->transforms.cnt; i++) {
2245  if (s->init_data->transforms.transforms[i].options) {
2246  int transform = s->init_data->transforms.transforms[i].transform;
2247  sigmatch_table[transform].Free(
2248  de_ctx, s->init_data->transforms.transforms[i].options);
2249  s->init_data->transforms.transforms[i].options = NULL;
2250  }
2251  }
2252  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
2253  SigMatch *sm = s->init_data->buffers[x].head;
2254  while (sm != NULL) {
2255  SigMatch *nsm = sm->next;
2256  SigMatchFree(de_ctx, sm);
2257  sm = nsm;
2258  }
2259  }
2260  if (s->init_data->cidr_dst != NULL)
2261  IPOnlyCIDRListFree(s->init_data->cidr_dst);
2262 
2263  if (s->init_data->cidr_src != NULL)
2264  IPOnlyCIDRListFree(s->init_data->cidr_src);
2265 
2266  SCFree(s->init_data->buffers);
2267  SCFree(s->init_data->rule_state_dependant_sids_array);
2268  SCFree(s->init_data->rule_state_flowbits_ids_array);
2269  SCFree(s->init_data);
2270  s->init_data = NULL;
2271  }
2272 
2273  DumpPatterns(de_ctx);
2274  SCReturnInt(0);
2275 }
2276 
2277 /**
2278  * \brief Convert the signature list into the runtime match structure.
2279  *
2280  * \param de_ctx Pointer to the Detection Engine Context whose Signatures have
2281  * to be processed
2282  *
2283  * \retval 0 On Success.
2284  * \retval -1 On failure.
2285  */
2286 int SigGroupBuild(DetectEngineCtx *de_ctx)
2287 {
2288  Signature *s = de_ctx->sig_list;
2289 
2290  /* Assign the unique order id of signatures after sorting,
2291  * so the IP Only engine process them in order too. Also
2292  * reset the old signums and assign new signums. We would
2293  * have experienced Sig reordering by now, hence the new
2294  * signums. */
2295  de_ctx->signum = 0;
2296  while (s != NULL) {
2297  s->iid = de_ctx->signum++;
2298 
2299  s = s->next;
2300  }
2301 
2302  if (DetectSetFastPatternAndItsId(de_ctx) < 0)
2303  return -1;
2304 
2305  SigInitStandardMpmFactoryContexts(de_ctx);
2306 
2307  if (SigPrepareStage1(de_ctx) != 0) {
2308  FatalError("initializing the detection engine failed");
2309  }
2310 
2311  if (SigPrepareStage2(de_ctx) != 0) {
2312  FatalError("initializing the detection engine failed");
2313  }
2314 
2315  if (SigPrepareStage3(de_ctx) != 0) {
2316  FatalError("initializing the detection engine failed");
2317  }
2318  if (SigPrepareStage4(de_ctx) != 0) {
2319  FatalError("initializing the detection engine failed");
2320  }
2321 
2322  int r = DetectMpmPrepareBuiltinMpms(de_ctx);
2323  r |= DetectMpmPrepareAppMpms(de_ctx);
2324  r |= DetectMpmPreparePktMpms(de_ctx);
2325  r |= DetectMpmPrepareFrameMpms(de_ctx);
2326  if (r != 0) {
2327  FatalError("initializing the detection engine failed");
2328  }
2329 
2330  if (SigMatchPrepare(de_ctx) != 0) {
2331  FatalError("initializing the detection engine failed");
2332  }
2333 
2334 #ifdef PROFILING
2335  SCProfilingKeywordInitCounters(de_ctx);
2336  SCProfilingPrefilterInitCounters(de_ctx);
2337  de_ctx->profile_match_logging_threshold = UINT_MAX; // disabled
2338 
2339  intmax_t v = 0;
2340  if (SCConfGetInt("detect.profiling.inspect-logging-threshold", &v) == 1)
2341  de_ctx->profile_match_logging_threshold = (uint32_t)v;
2342 #endif
2343 #ifdef PROFILE_RULES
2344  SCProfilingRuleInitCounters(de_ctx);
2345 #endif
2346 
2347  if (!DetectEngineMultiTenantEnabled()) {
2348  VarNameStoreActivate();
2349  }
2350 
2351  if (EngineModeIsFirewall()) {
2352  FirewallAnalyzer(de_ctx);
2353  }
2354  return 0;
2355 }
2356 
2357 int SigGroupCleanup (DetectEngineCtx *de_ctx)
2358 {
2359  SigAddressCleanupStage1(de_ctx);
2360 
2361  return 0;
2362 }
detect-tcp-flags.h
HashListTableGetListData
#define HashListTableGetListData(hb)
Definition: util-hashlist.h:56
SIG_TYPE_STREAM
@ SIG_TYPE_STREAM
Definition: detect.h:74
DETECT_FLOW_FLAG_TOCLIENT
#define DETECT_FLOW_FLAG_TOCLIENT
Definition: detect-flow.h:28
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:535
detect-content.h
DETECT_APP_LAYER_EVENT
@ DETECT_APP_LAYER_EVENT
Definition: detect-engine-register.h:199
util-port-interval-tree.h
MpmStat::max
uint32_t max
Definition: detect-engine-build.c:607
detect-engine.h
DetectEngineResetMaxSigId
void DetectEngineResetMaxSigId(DetectEngineCtx *de_ctx)
Definition: detect-engine.c:3137
DetectEngineBufferTypeSupportsPacketGetById
bool DetectEngineBufferTypeSupportsPacketGetById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1497
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:119
SIG_MASK_REQUIRE_REAL_PKT
#define SIG_MASK_REQUIRE_REAL_PKT
Definition: detect.h:316
MASK_TCP_UNUSUAL_FLAGS
#define MASK_TCP_UNUSUAL_FLAGS
Definition: detect-engine-build.c:396
DetectFlagsSignatureNeedsSynOnlyPackets
int DetectFlagsSignatureNeedsSynOnlyPackets(const Signature *s)
Definition: detect-tcp-flags.c:170
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:649
detect-engine-proto.h
detect-dsize.h
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1304
UniquePortPoint_
Definition: detect-engine-build.c:1329
SIG_TYPE_APP_TX
@ SIG_TYPE_APP_TX
Definition: detect.h:77
SigMatchFree
void SigMatchFree(DetectEngineCtx *de_ctx, SigMatch *sm)
free a SigMatch
Definition: detect-parse.c:288
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1496
DetectEngineCtx_::decoder_event_sgh
struct SigGroupHead_ * decoder_event_sgh
Definition: detect.h:1061
DetectPortHashInit
int DetectPortHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table in the detection engine context to hold the DetectPort hash.
Definition: detect-engine-port.c:1320
DetectEngineCtx_::flow_gh
DetectEngineLookupFlow flow_gh[FLOW_STATES]
Definition: detect.h:1000
FILE_SIG_NEED_SHA1
#define FILE_SIG_NEED_SHA1
Definition: detect.h:325
SigPrepareStage4
int SigPrepareStage4(DetectEngineCtx *de_ctx)
finalize preparing sgh's
Definition: detect-engine-build.c:2142
detect-engine-siggroup.h
DetectFlowData_
Definition: detect-flow.h:37
SigTableElmt_::name
const char * name
Definition: detect.h:1509
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1357
DetectEngineBufferRunSetupCallback
void DetectEngineBufferRunSetupCallback(const DetectEngineCtx *de_ctx, const int id, Signature *s)
Definition: detect-engine.c:1534
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1679
DetectListToHumanString
const char * DetectListToHumanString(int list)
Definition: detect-parse.c:112
SIG_FLAG_INIT_FLOW
#define SIG_FLAG_INIT_FLOW
Definition: detect.h:291
SigFree
void SigFree(DetectEngineCtx *, Signature *)
Definition: detect-parse.c:2126
DumpPatterns
void DumpPatterns(DetectEngineCtx *de_ctx)
Definition: detect-engine-analyzer.c:1556
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SigGroupHeadInitData_::sig_array
uint8_t * sig_array
Definition: detect.h:1653
DetectPortFree
void DetectPortFree(const DetectEngineCtx *de_ctx, DetectPort *dp)
Free a DetectPort and its members.
Definition: detect-engine-port.c:80
DetectEngineCtx_::PreFlowHook
DetectPacketHookFunc PreFlowHook
Definition: detect.h:1205
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:71
SigTableElmt_::flags
uint32_t flags
Definition: detect.h:1500
DetectEngineCtx_::max_uniq_toclient_groups
uint16_t max_uniq_toclient_groups
Definition: detect.h:1034
MpmStoreReportStats
void MpmStoreReportStats(const DetectEngineCtx *de_ctx)
Definition: detect-engine-mpm.c:1536
SignatureInitData_::prefilter_sm
SigMatch * prefilter_sm
Definition: detect.h:629
SignatureInitData_::src_contains_negation
bool src_contains_negation
Definition: detect.h:605
DETECT_FLOW
@ DETECT_FLOW
Definition: detect-engine-register.h:56
Signature_::alproto
AppProto alproto
Definition: detect.h:680
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
DETECT_UINT_NE
#define DETECT_UINT_NE
Definition: detect-engine-uint.h:36
IPOnlyDeinit
void IPOnlyDeinit(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx)
Deinitialize the IP Only detection engine context.
Definition: detect-engine-iponly.c:954
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
DetectPort_::port
uint16_t port
Definition: detect.h:220
name
const char * name
Definition: detect-engine-proto.c:48
SCPortIntervalFindOverlappingRanges
void SCPortIntervalFindOverlappingRanges(DetectEngineCtx *de_ctx, const uint16_t port, const uint16_t port2, const struct PI *head, DetectPort **list)
Callee function to find all overlapping port ranges as asked by the detection engine during Stage 2 o...
Definition: util-port-interval-tree.c:317
PORT_SIGGROUPHEAD_COPY
#define PORT_SIGGROUPHEAD_COPY
Definition: detect.h:216
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:87
DETECT_DECODE_EVENT
@ DETECT_DECODE_EVENT
Definition: detect-engine-register.h:125
DETECT_SM_LIST_DYNAMIC_START
@ DETECT_SM_LIST_DYNAMIC_START
Definition: detect.h:138
SignatureHook_::t
union SignatureHook_::@87 t
Packet_::flags
uint32_t flags
Definition: decode.h:560
DetectEngineCtx_::PreStreamHook
DetectPacketHookFunc PreStreamHook
Definition: detect.h:1200
UNDEFINED_PORT
#define UNDEFINED_PORT
Definition: detect-engine-build.c:1325
PatternStrength
uint32_t PatternStrength(uint8_t *pat, uint16_t patlen)
Predict a strength value for patterns.
Definition: detect-engine-mpm.c:1000
MpmStat::cnt
uint32_t cnt
Definition: detect-engine-build.c:605
DetectFlowbitsAnalyze
int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
Definition: detect-flowbits.c:639
DetectSetFastPatternAndItsId
int DetectSetFastPatternAndItsId(DetectEngineCtx *de_ctx)
Figure out the FP and their respective content ids for all the sigs in the engine.
Definition: detect-engine-mpm.c:2544
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:41
SCProfilingSghInitCounters
void SCProfilingSghInitCounters(DetectEngineCtx *de_ctx)
Register the keyword profiling counters.
Definition: util-profiling-rulegroups.c:349
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:973
DETECT_PROTO_ANY
#define DETECT_PROTO_ANY
Definition: detect-engine-proto.h:28
SIG_TYPE_PKT_STREAM
@ SIG_TYPE_PKT_STREAM
Definition: detect.h:73
DetectEngineCtx_::pre_stream_sgh
struct SigGroupHead_ * pre_stream_sgh[2]
Definition: detect.h:1202
DETECT_PROTO_ETHERNET
#define DETECT_PROTO_ETHERNET
Definition: detect-engine-proto.h:33
MpmStat
Definition: detect-engine-build.c:603
DetectFlagsSignatureNeedsSynPackets
int DetectFlagsSignatureNeedsSynPackets(const Signature *s)
Definition: detect-tcp-flags.c:151
TransformData_::options
void * options
Definition: detect.h:388
DetectFlowbitsData_::cmd
uint8_t cmd
Definition: detect-flowbits.h:36
HashListTableGetListHead
HashListTableBucket * HashListTableGetListHead(HashListTable *ht)
Definition: util-hashlist.c:287
SigGroupHeadSetProtoAndDirection
void SigGroupHeadSetProtoAndDirection(SigGroupHead *sgh, uint8_t ipproto, int dir)
Definition: detect-engine-siggroup.c:483
DETECT_UINT_EQ
#define DETECT_UINT_EQ
Definition: detect-engine-uint.h:35
DetectEngineBufferTypeGetNameById
const char * DetectEngineBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1369
DetectMpmInitializeBuiltinMpms
void DetectMpmInitializeBuiltinMpms(DetectEngineCtx *de_ctx)
Definition: detect-engine-mpm.c:783
SIG_FLAG_DST_ANY
#define SIG_FLAG_DST_ANY
Definition: detect.h:241
util-var-name.h
SIG_FLAG_REQUIRE_STREAM
#define SIG_FLAG_REQUIRE_STREAM
Definition: detect.h:254
rule_engine_analysis_set
bool rule_engine_analysis_set
Definition: detect-engine-loader.c:58
SCConfGetBool
int SCConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
Definition: conf.c:498
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
DetectPort_::next
struct DetectPort_ * next
Definition: detect.h:233
DetectEngineCtx_::tcp_priorityports
DetectPort * tcp_priorityports
Definition: detect.h:1115
DetectEngineCtx_::dport_hash_table
HashListTable * dport_hash_table
Definition: detect.h:1113
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:738
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:612
proto
uint8_t proto
Definition: decode-template.h:0
DetectPort_::sh
struct SigGroupHead_ * sh
Definition: detect.h:230
DetectEngineCtx_::udp_priorityports
DetectPort * udp_priorityports
Definition: detect.h:1116
DetectContentData_
Definition: detect-content.h:93
DETECT_FLOWBITS_CMD_ISSET
#define DETECT_FLOWBITS_CMD_ISSET
Definition: detect-flowbits.h:31
p
Packet * p
Definition: fuzz_iprep.c:21
PKT_NOPAYLOAD_INSPECTION
#define PKT_NOPAYLOAD_INSPECTION
Definition: decode.h:1290
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:56
DetectPortPrintList
void DetectPortPrintList(DetectPort *head)
Helper function used to print the list of ports present in this DetectPort list.
Definition: detect-engine-port.c:100
DETECT_UINT_GT
#define DETECT_UINT_GT
Definition: detect-engine-uint.h:32
SigPrepareStage1
int SigPrepareStage1(DetectEngineCtx *de_ctx)
Preprocess signature, classify ip-only, etc, build sig array.
Definition: detect-engine-build.c:1773
DETECT_PGSCORE_RULE_SYN_ONLY
#define DETECT_PGSCORE_RULE_SYN_ONLY
Definition: detect-engine-build.c:54
EngineModeIsFirewall
bool EngineModeIsFirewall(void)
Definition: suricata.c:239
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:271
MAX
#define MAX(x, y)
Definition: suricata-common.h:420
SIG_FLAG_SRC_ANY
#define SIG_FLAG_SRC_ANY
Definition: detect.h:240
SigGroupHeadSetupFiles
void SigGroupHeadSetupFiles(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Set the need hash flag in the sgh.
Definition: detect-engine-siggroup.c:570
SIG_TYPE_APPLAYER
@ SIG_TYPE_APPLAYER
Definition: detect.h:76
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:619
MpmStat
struct MpmStat MpmStat
DetectPort_::port2
uint16_t port2
Definition: detect.h:221
detect-engine-prefilter.h
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:643
Packet_::events
PacketEngineEvents events
Definition: decode.h:641
FLOW_STATES
#define FLOW_STATES
Definition: detect.h:953
EngineAnalysisAddAllRulePatterns
void EngineAnalysisAddAllRulePatterns(DetectEngineCtx *de_ctx, const Signature *s)
add all patterns on our stats hash Used to fill the hash later used by DumpPatterns()
Definition: detect-engine-mpm.c:2601
DetectPort_::flags
uint8_t flags
Definition: detect.h:223
DetectPortPrint
void DetectPortPrint(DetectPort *dp)
Helper function that print the DetectPort info.
Definition: detect-engine-port.c:568
FirewallAnalyzer
int FirewallAnalyzer(const DetectEngineCtx *de_ctx)
Definition: detect-engine-analyzer.c:2191
PacketCreateMask
void PacketCreateMask(Packet *p, SignatureMask *mask, AppProto alproto, bool app_decoder_events)
Definition: detect-engine-build.c:401
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:248
SigGroupHeadHashInit
int SigGroupHeadHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table in the detection engine context to hold the SigGroupHeads.
Definition: detect-engine-siggroup.c:244
FILE_SIG_NEED_MD5
#define FILE_SIG_NEED_MD5
Definition: detect.h:324
DetectEngineCtx_::sgh_array_size
uint32_t sgh_array_size
Definition: detect.h:1046
SIGNATURE_HOOK_TYPE_APP
@ SIGNATURE_HOOK_TYPE_APP
Definition: detect.h:550
SignatureIsFileSha256Inspecting
int SignatureIsFileSha256Inspecting(const Signature *s)
Check if a signature contains the filesha256 keyword.
Definition: detect-engine-build.c:171
Signature_::next
struct Signature_ * next
Definition: detect.h:757
DetectFlowbitsData_
Definition: detect-flowbits.h:34
HashListTableGetListNext
#define HashListTableGetListNext(hb)
Definition: util-hashlist.h:55
DETECT_APP_LAYER_PROTOCOL
@ DETECT_APP_LAYER_PROTOCOL
Definition: detect-engine-register.h:35
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:127
SigGroupHeadInitData_::score
int score
Definition: detect.h:1658
DetectPortCopySingle
DetectPort * DetectPortCopySingle(DetectEngineCtx *de_ctx, DetectPort *src)
Function that return a copy of DetectPort src sigs.
Definition: detect-engine-port.c:528
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:270
DetectPortParse
int DetectPortParse(const DetectEngineCtx *de_ctx, DetectPort **head, const char *str)
Function for parsing port strings.
Definition: detect-engine-port.c:1135
SigAddressCleanupStage1
int SigAddressCleanupStage1(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2057
SCPortIntervalInsert
int SCPortIntervalInsert(DetectEngineCtx *de_ctx, SCPortIntervalTree *it, const DetectPort *p)
Function to insert a node in the interval tree.
Definition: util-port-interval-tree.c:111
DetectEngineCtx_::pre_flow_sgh
struct SigGroupHead_ * pre_flow_sgh
Definition: detect.h:1207
SIG_TYPE_PKT
@ SIG_TYPE_PKT
Definition: detect.h:72
TCPHdr_::th_flags
uint8_t th_flags
Definition: decode-tcp.h:155
SigGroupHeadBuildMatchArray
int SigGroupHeadBuildMatchArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t max_idx)
Create an array with all the internal ids of the sigs that this sig group head will check for.
Definition: detect-engine-siggroup.c:532
DETECT_PROTO_ARP
#define DETECT_PROTO_ARP
Definition: detect-engine-proto.h:34
SigGroupHeadInitData_::sig_cnt
SigIntId sig_cnt
Definition: detect.h:1672
DETECT_CONTENT_ENDS_WITH
#define DETECT_CONTENT_ENDS_WITH
Definition: detect-content.h:42
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:22
g_alproto_max
AppProto g_alproto_max
Definition: app-layer-protos.c:30
DETECT_FLOWINT
@ DETECT_FLOWINT
Definition: detect-engine-register.h:64
IPOnlyInit
void IPOnlyInit(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx)
Setup the IP Only detection engine context.
Definition: detect-engine-iponly.c:915
SIG_MASK_REQUIRE_ENGINE_EVENT
#define SIG_MASK_REQUIRE_ENGINE_EVENT
Definition: detect.h:318
SIG_TYPE_IPONLY
@ SIG_TYPE_IPONLY
Definition: detect.h:66
SignatureInitData_::mpm_sm
SigMatch * mpm_sm
Definition: detect.h:627
SigFindSignatureBySidGid
Signature * SigFindSignatureBySidGid(DetectEngineCtx *de_ctx, uint32_t sid, uint32_t gid)
Find a specific signature by sid and gid.
Definition: detect-engine-build.c:80
DetectConfigData_::scope
enum ConfigScope scope
Definition: detect-config.h:32
DetectEngineGetMaxSigId
#define DetectEngineGetMaxSigId(de_ctx)
Definition: detect-engine.h:93
DETECT_FLOW_FLAG_TOSERVER
#define DETECT_FLOW_FLAG_TOSERVER
Definition: detect-flow.h:27
FILE_SIG_NEED_MAGIC
#define FILE_SIG_NEED_MAGIC
Definition: detect.h:322
SignatureInitData_::mpm_sm_list
int mpm_sm_list
Definition: detect.h:625
SIG_MASK_REQUIRE_FLOW
#define SIG_MASK_REQUIRE_FLOW
Definition: detect.h:312
SCConfGetInt
int SCConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
Definition: conf.c:415
SignatureInitData_::cidr_dst
IPOnlyCIDRItem * cidr_dst
Definition: detect.h:622
Packet_::prev
struct Packet_ * prev
Definition: decode.h:647
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SCEnter
#define SCEnter(...)
Definition: util-debug.h:284
MpmStat::total
uint32_t total
Definition: detect-engine-build.c:604
detect-engine-mpm.h
DetectEngineLookupFlow_::sgh
struct SigGroupHead_ * sgh[256]
Definition: detect.h:872
detect.h
SIG_MASK_REQUIRE_FLAGS_INITDEINIT
#define SIG_MASK_REQUIRE_FLAGS_INITDEINIT
Definition: detect.h:313
SCProfilingPrefilterInitCounters
void SCProfilingPrefilterInitCounters(DetectEngineCtx *de_ctx)
Register the prefilter profiling counters.
Definition: util-profiling-prefilter.c:300
SigMatchList2DataArray
SigMatchData * SigMatchList2DataArray(SigMatch *head)
convert SigMatch list to SigMatchData array
Definition: detect-parse.c:2437
PKT_DETECT_HAS_STREAMDATA
#define PKT_DETECT_HAS_STREAMDATA
Definition: decode.h:1343
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:360
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
detect-engine-port.h
SignatureInitData_::proto
DetectProto proto
Definition: detect.h:638
DETECT_ENGINE_EVENT
@ DETECT_ENGINE_EVENT
Definition: detect-engine-register.h:212
DetectU8Data
DetectUintData_u8 DetectU8Data
Definition: detect-engine-uint.h:43
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:117
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:262
DetectContentPropagateLimits
void DetectContentPropagateLimits(Signature *s)
Definition: detect-content.c:715
DetectPort_
Port structure for detection engine.
Definition: detect.h:219
SigGroupHead_::init
SigGroupHeadInitData * init
Definition: detect.h:1696
DetectEngineCtx_::sig_cnt
uint32_t sig_cnt
Definition: detect.h:983
SignatureHook_::pkt
struct SignatureHook_::@87::@89 pkt
DETECT_PGSCORE_RULE_NO_MPM
#define DETECT_PGSCORE_RULE_NO_MPM
Definition: detect-engine-build.c:53
UniquePortPoint_::single
bool single
Definition: detect-engine-build.c:1331
SignatureInitData_::cidr_src
IPOnlyCIDRItem * cidr_src
Definition: detect.h:622
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
SignatureInitData_::hook
SignatureHook hook
Definition: detect.h:594
SIGNATURE_HOOK_TYPE_NOT_SET
@ SIGNATURE_HOOK_TYPE_NOT_SET
Definition: detect.h:548
DetectProto_::proto
uint8_t proto[256/8]
Definition: detect-engine-proto.h:39
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:325
AppLayerDecoderEvents_::cnt
uint8_t cnt
Definition: app-layer-events.h:37
IPOnlyPrepare
void IPOnlyPrepare(DetectEngineCtx *de_ctx)
Build the radix trees from the lists of parsed addresses in CIDR format the result should be 4 radix ...
Definition: detect-engine-iponly.c:1142
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2357
DETECT_PGSCORE_RULE_MPM_FAST_PATTERN
#define DETECT_PGSCORE_RULE_MPM_FAST_PATTERN
Definition: detect-engine-build.c:51
SIG_FLAG_REQUIRE_FLOWVAR
#define SIG_FLAG_REQUIRE_FLOWVAR
Definition: detect.h:266
util-profiling.h
FILE_SIG_NEED_SHA256
#define FILE_SIG_NEED_SHA256
Definition: detect.h:326
DetectEngineLookupFlow_::udp
DetectPort * udp
Definition: detect.h:871
SCReturn
#define SCReturn
Definition: util-debug.h:286
Signature_::flags
uint32_t flags
Definition: detect.h:676
Packet_
Definition: decode.h:514
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect-engine-register.h:308
detect-engine-build.h
type
uint16_t type
Definition: decode-vlan.c:106
DETECT_UINT_GTE
#define DETECT_UINT_GTE
Definition: detect-engine-uint.h:33
SCConfigGetLogDirectory
const char * SCConfigGetLogDirectory(void)
Definition: util-conf.c:38
IPOnlyPrint
void IPOnlyPrint(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx)
Print stats of the IP Only engine.
Definition: detect-engine-iponly.c:943
DetectConfigData_
Definition: detect-config.h:29
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
DetectEngineCtx_::max_uniq_toserver_groups
uint16_t max_uniq_toserver_groups
Definition: detect.h:1035
IPOnlyAddSignature
void IPOnlyAddSignature(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx, Signature *s)
Add a signature to the lists of Addresses in CIDR format (sorted) this step is necessary to build the...
Definition: detect-engine-iponly.c:1414
SC_OK
@ SC_OK
Definition: util-error.h:27
DETECT_CONFIG
@ DETECT_CONFIG
Definition: detect-engine-register.h:215
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:754
DetectPreFlow
uint8_t DetectPreFlow(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p)
Definition: detect.c:2863
SignatureInitData_::rule_state_dependant_sids_array
uint32_t * rule_state_dependant_sids_array
Definition: detect.h:664
DetectEngineCtx_::sgh_array_cnt
uint32_t sgh_array_cnt
Definition: detect.h:1045
SigGroupHeadAppendSig
int SigGroupHeadAppendSig(const DetectEngineCtx *de_ctx, SigGroupHead **sgh, const Signature *s)
Add a Signature to a SigGroupHead.
Definition: detect-engine-siggroup.c:319
DetectEngineCtx_::sgh_array
struct SigGroupHead_ ** sgh_array
Definition: detect.h:1044
UniquePortPoint_::port
uint16_t port
Definition: detect-engine-build.c:1330
SignatureInitData_::dst_contains_negation
bool dst_contains_negation
Definition: detect.h:606
SigGroupHeadFree
void SigGroupHeadFree(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Free a SigGroupHead and its members.
Definition: detect-engine-siggroup.c:163
DetectEngineTransforms::transforms
TransformData transforms[DETECT_TRANSFORMS_MAX]
Definition: detect.h:392
SIG_TYPE_DEONLY
@ SIG_TYPE_DEONLY
Definition: detect.h:71
SIGNATURE_HOOK_PKT_PRE_STREAM
@ SIGNATURE_HOOK_PKT_PRE_STREAM
Definition: detect.h:543
DetectEngineMultiTenantEnabled
bool DetectEngineMultiTenantEnabled(void)
Definition: detect-engine.c:3980
detect-flowbits.h
SIG_MASK_REQUIRE_PAYLOAD
#define SIG_MASK_REQUIRE_PAYLOAD
Definition: detect.h:311
SIGMATCH_DEONLY_COMPAT
#define SIGMATCH_DEONLY_COMPAT
Definition: detect-engine-register.h:310
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:232
DETECT_DSIZE
@ DETECT_DSIZE
Definition: detect-engine-register.h:54
Signature_::sp
DetectPort * sp
Definition: detect.h:726
SIG_TYPE_NOT_SET
@ SIG_TYPE_NOT_SET
Definition: detect.h:65
SignatureIsFileSha1Inspecting
int SignatureIsFileSha1Inspecting(const Signature *s)
Check if a signature contains the filesha1 keyword.
Definition: detect-engine-build.c:155
SCPortIntervalTreeInit
SCPortIntervalTree * SCPortIntervalTreeInit(void)
Function to initialize the interval tree.
Definition: util-port-interval-tree.c:60
IPOnlyCIDRListFree
void IPOnlyCIDRListFree(IPOnlyCIDRItem *tmphead)
This function free a IPOnlyCIDRItem list.
Definition: detect-engine-iponly.c:482
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2286
DetectEngineCtx_::config_prefix
char config_prefix[64]
Definition: detect.h:1098
SIG_FLAG_MPM_NEG
#define SIG_FLAG_MPM_NEG
Definition: detect.h:256
SCPortIntervalTree_::tree
struct PI tree
Definition: util-port-interval-tree.h:30
detect-engine-analyzer.h
SIG_FLAG_INIT_STATE_MATCH
#define SIG_FLAG_INIT_STATE_MATCH
Definition: detect.h:296
DetectEngineBufferTypeSupportsFramesGetById
bool DetectEngineBufferTypeSupportsFramesGetById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1515
EngineAnalysisRules2
void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s)
Definition: detect-engine-analyzer.c:1108
SigGroupHeadSetSigCnt
void SigGroupHeadSetSigCnt(SigGroupHead *sgh, uint32_t max_idx)
Updates the SigGroupHead->sig_cnt with the total count of all the Signatures present in this SigGroup...
Definition: detect-engine-siggroup.c:446
DetectEngineCtx_::eth_non_ip_sgh
struct SigGroupHead_ * eth_non_ip_sgh
Definition: detect.h:1064
DetectProto_::flags
uint8_t flags
Definition: detect-engine-proto.h:40
cnt
uint32_t cnt
Definition: tmqh-packetpool.h:7
util-conf.h
DetectMpmPrepareFrameMpms
int DetectMpmPrepareFrameMpms(DetectEngineCtx *de_ctx)
initialize mpm contexts for applayer buffers that are in "single or "shared" mode.
Definition: detect-engine-mpm.c:570
SINGLE_PORT
#define SINGLE_PORT
Definition: detect-engine-build.c:1327
DetectEnginePktInspectionSetup
int DetectEnginePktInspectionSetup(Signature *s)
Definition: detect-engine.c:1913
tail
Host * tail
Definition: host.h:2
suricata-common.h
SIG_MASK_REQUIRE_NO_PAYLOAD
#define SIG_MASK_REQUIRE_NO_PAYLOAD
Definition: detect.h:315
SIG_FLAG_SP_ANY
#define SIG_FLAG_SP_ANY
Definition: detect.h:242
SigGroupHeadStore
void SigGroupHeadStore(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Definition: detect-engine-siggroup.c:109
SigMatch_::type
uint16_t type
Definition: detect.h:357
SigGroupHeadInitData_::match_array
Signature ** match_array
Definition: detect.h:1675
Signature_::file_flags
uint8_t file_flags
Definition: detect.h:691
SigPrepareStage3
int SigPrepareStage3(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2040
SignatureHook_::type
enum SignatureHookType type
Definition: detect.h:576
SCLogPerf
#define SCLogPerf(...)
Definition: util-debug.h:241
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:94
MASK_TCP_INITDEINIT_FLAGS
#define MASK_TCP_INITDEINIT_FLAGS
Definition: detect-engine-build.c:395
DetectListToString
const char * DetectListToString(int list)
Definition: detect-parse.c:130
SIGNATURE_HOOK_PKT_PRE_FLOW
@ SIGNATURE_HOOK_PKT_PRE_FLOW
Definition: detect.h:542
DetectEngineCtx_::profile_match_logging_threshold
uint32_t profile_match_logging_threshold
Definition: detect.h:1096
Signature_::proto
DetectProto * proto
Definition: detect.h:694
FatalError
#define FatalError(...)
Definition: util-debug.h:517
SIGNATURE_HOOK_TYPE_PKT
@ SIGNATURE_HOOK_TYPE_PKT
Definition: detect.h:549
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:982
DetectMpmPreparePktMpms
int DetectMpmPreparePktMpms(DetectEngineCtx *de_ctx)
initialize mpm contexts for applayer buffers that are in "single or "shared" mode.
Definition: detect-engine-mpm.c:737
SigGroupHeadHashFree
void SigGroupHeadHashFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function.
Definition: detect-engine-siggroup.c:299
SIG_MASK_REQUIRE_FLAGS_UNUSUAL
#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL
Definition: detect.h:314
TransformData_::transform
int transform
Definition: detect.h:387
DETECT_FLOWBITS
@ DETECT_FLOWBITS
Definition: detect-engine-register.h:61
app-layer-events.h
SigGroupHeadHashAdd
int SigGroupHeadHashAdd(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Adds a SigGroupHead to the detection engine context SigGroupHead hash table.
Definition: detect-engine-siggroup.c:266
util-validate.h
detect-flow.h
SCPortIntervalTree_
Definition: util-port-interval-tree.h:29
SigPrepareStage2
int SigPrepareStage2(DetectEngineCtx *de_ctx)
Fill the global src group head, with the sigs included.
Definition: detect-engine-build.c:1946
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
Packet_::next
struct Packet_ * next
Definition: decode.h:646
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:654
HtpBodyChunk_::next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:124
SigGroupHeadHashLookup
SigGroupHead * SigGroupHeadHashLookup(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Used to lookup a SigGroupHead hash from the detection engine context SigGroupHead hash table.
Definition: detect-engine-siggroup.c:283
Signature_::dp
DetectPort * dp
Definition: detect.h:726
DETECT_STREAM_EVENT
@ DETECT_STREAM_EVENT
Definition: detect-engine-register.h:213
Signature_::iid
SigIntId iid
Definition: detect.h:687
DETECT_PGSCORE_RULE_PORT_PRIORITIZED
#define DETECT_PGSCORE_RULE_PORT_PRIORITIZED
Definition: detect-engine-build.c:50
SignatureIsFilestoring
int SignatureIsFilestoring(const Signature *s)
Check if a signature contains the filestore keyword.
Definition: detect-engine-build.c:101
SCFree
#define SCFree(p)
Definition: util-mem.h:61
SignatureIsIPOnly
int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
Test is a initialized signature is IP only.
Definition: detect-engine-build.c:191
DetectMpmPrepareBuiltinMpms
int DetectMpmPrepareBuiltinMpms(DetectEngineCtx *de_ctx)
initialize mpm contexts for builtin buffers that are in "single or "shared" mode.
Definition: detect-engine-mpm.c:796
Signature_::id
uint32_t id
Definition: detect.h:720
HashListTableBucket_
Definition: util-hashlist.h:28
detect-engine-iponly.h
SignatureInitData_::score
int score
Definition: detect.h:643
detect-parse.h
SignatureInitDataBuffer_::id
uint32_t id
Definition: detect.h:526
Signature_
Signature container.
Definition: detect.h:675
SigMatch_
a single match condition for a signature
Definition: detect.h:356
DETECT_SM_LIST_MAX
@ DETECT_SM_LIST_MAX
Definition: detect.h:135
SigGroupHeadInitDataFree
void SigGroupHeadInitDataFree(SigGroupHeadInitData *sghid)
Definition: detect-engine-siggroup.c:60
SignatureIsFileMd5Inspecting
int SignatureIsFileMd5Inspecting(const Signature *s)
Check if a signature contains the filemd5 keyword.
Definition: detect-engine-build.c:139
DETECT_PGSCORE_RULE_MPM_NEGATED
#define DETECT_PGSCORE_RULE_MPM_NEGATED
Definition: detect-engine-build.c:52
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
SignatureSetType
void SignatureSetType(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-engine-build.c:1692
RANGE_PORT
#define RANGE_PORT
Definition: detect-engine-build.c:1326
PrefilterSetupRuleGroup
int PrefilterSetupRuleGroup(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Definition: detect-engine-prefilter.c:1201
DETECT_PROTO_L2_ANY
#define DETECT_PROTO_L2_ANY
Definition: detect-engine-proto.h:35
SCProfilingKeywordInitCounters
void SCProfilingKeywordInitCounters(DetectEngineCtx *de_ctx)
Register the keyword profiling counters.
Definition: util-profiling-keywords.c:365
DetectEngineTransforms::cnt
int cnt
Definition: detect.h:393
DetectPortHashAdd
int DetectPortHashAdd(DetectEngineCtx *de_ctx, DetectPort *dp)
Adds a DetectPort to the detection engine context DetectPort hash table.
Definition: detect-engine-port.c:1340
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:991
CONFIG_SCOPE_FLOW
@ CONFIG_SCOPE_FLOW
Definition: util-config.h:51
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
DetectEngineCtx_::buffer_type_id
uint32_t buffer_type_id
Definition: detect.h:1128
DetectPreStream
uint8_t DetectPreStream(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p)
Definition: detect.c:2873
SigParseApplyDsizeToContent
void SigParseApplyDsizeToContent(Signature *s)
Apply dsize as depth to content matches in the rule.
Definition: detect-dsize.c:320
SignatureInitData_::rule_state_flowbits_ids_array
uint32_t * rule_state_flowbits_ids_array
Definition: detect.h:667
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:975
UniquePortPoint
struct UniquePortPoint_ UniquePortPoint
SignatureInitData_::transforms
DetectEngineTransforms transforms
Definition: detect.h:635
DetectEngineCtx_::io_ctx
DetectEngineIPOnlyCtx io_ctx
Definition: detect.h:1014
DetectU16Data
DetectUintData_u16 DetectU16Data
Definition: detect-engine-uint.h:42
DetectPortHashFree
void DetectPortHashFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by DetectPortInit() function.
Definition: detect-engine-port.c:1371
DetectPortHashLookup
DetectPort * DetectPortHashLookup(DetectEngineCtx *de_ctx, DetectPort *dp)
Used to lookup a DetectPort hash from the detection engine context DetectPort hash table.
Definition: detect-engine-port.c:1356
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DetectEngineCtx_::sig_array_len
uint32_t sig_array_len
Definition: detect.h:992
detect-config.h
DETECT_FLAGS
@ DETECT_FLAGS
Definition: detect-engine-register.h:42
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:288
Signature_::type
enum SignatureType type
Definition: detect.h:678
SignatureIsFilemagicInspecting
int SignatureIsFilemagicInspecting(const Signature *s)
Check if a signature contains the filemagic keyword.
Definition: detect-engine-build.c:120
DetectEngineCtx_::signum
uint32_t signum
Definition: detect.h:994
DetectEngineCtx_::tenant_id
uint32_t tenant_id
Definition: detect.h:980
SigGroupHead_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1685
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:655
DetectMpmPrepareAppMpms
int DetectMpmPrepareAppMpms(DetectEngineCtx *de_ctx)
initialize mpm contexts for applayer buffers that are in "single or "shared" mode.
Definition: detect-engine-mpm.c:341
DetectEngineLookupFlow_::tcp
DetectPort * tcp
Definition: detect.h:870
DetectPortCleanupList
void DetectPortCleanupList(const DetectEngineCtx *de_ctx, DetectPort *head)
Free a DetectPort list and each of its members.
Definition: detect-engine-port.c:124
SIG_TYPE_PDONLY
@ SIG_TYPE_PDONLY
Definition: detect.h:70
SCLogDebugEnabled
int SCLogDebugEnabled(void)
Returns whether debug messages are enabled to be logged or not.
Definition: util-debug.c:768
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:109
DetectEngineAppInspectionEngine2Signature
int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-engine.c:827
SCPortIntervalTreeFree
void SCPortIntervalTreeFree(DetectEngineCtx *de_ctx, SCPortIntervalTree *it)
Function to free an entire interval tree.
Definition: util-port-interval-tree.c:94
TCPHdr_
Definition: decode-tcp.h:149
detect-engine-address.h
SigGroupHead_::id
uint32_t id
Definition: detect.h:1687
VarNameStoreActivate
int VarNameStoreActivate(void)
Definition: util-var-name.c:221
SIG_FLAG_FILESTORE
#define SIG_FLAG_FILESTORE
Definition: detect.h:268
DETECT_UINT_RA
#define DETECT_UINT_RA
Definition: detect-engine-uint.h:34
SIG_FLAG_DP_ANY
#define SIG_FLAG_DP_ANY
Definition: detect.h:243
MpmStat::min
uint32_t min
Definition: detect-engine-build.c:606
DETECT_FLOWBITS_CMD_SET
#define DETECT_FLOWBITS_CMD_SET
Definition: detect-flowbits.h:28
detect-engine-threshold.h
SignatureMask
#define SignatureMask
Definition: decode.h:100
SigGroupHeadCopySigs
int SigGroupHeadCopySigs(DetectEngineCtx *de_ctx, SigGroupHead *src, SigGroupHead **dst)
Copies the bitarray holding the sids from the source SigGroupHead to the destination SigGroupHead.
Definition: detect-engine-siggroup.c:390
Signature_::mask
SignatureMask mask
Definition: detect.h:686
SIG_TYPE_LIKE_IPONLY
@ SIG_TYPE_LIKE_IPONLY
Definition: detect.h:67
PacketEngineEvents_::cnt
uint8_t cnt
Definition: decode.h:309
DetectProtoContainsProto
int DetectProtoContainsProto(const DetectProto *dp, int proto)
see if a DetectProto contains a certain proto
Definition: detect-engine-proto.c:115
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:253