suricata
detect-engine-event.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Breno Silva <breno.silva@gmail.com>
22  *
23  * Implements the decode-event keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 #include "decode.h"
29 #include "detect.h"
30 #include "detect-parse.h"
32 #include "detect-engine-uint.h"
33 
34 #include "flow-var.h"
35 #include "decode-events.h"
36 
37 #include "util-debug.h"
38 
39 #include "stream-tcp.h"
40 
41 
42 /* Need to get the DEvents[] array */
43 
44 #include "detect-engine-event.h"
45 #include "util-unittest.h"
46 
47 #define PARSE_REGEX "\\S[0-9A-z_]+[.][A-z0-9_+.]+$"
48 
49 static DetectParseRegex parse_regex;
50 
51 static int DetectEngineEventMatch (DetectEngineThreadCtx *,
52  Packet *, const Signature *, const SigMatchCtx *);
53 static int DetectEngineEventSetup (DetectEngineCtx *, Signature *, const char *);
54 static int DetectDecodeEventSetup (DetectEngineCtx *, Signature *, const char *);
55 static int DetectStreamEventSetup (DetectEngineCtx *, Signature *, const char *);
56 static void DetectEngineEventFree (DetectEngineCtx *, void *);
57 #ifdef UNITTESTS
58 void EngineEventRegisterTests(void);
59 #endif
60 
61 static bool PrefilterEventIsPrefilterable(const Signature *s, int smtype)
62 {
63  const SigMatch *sm;
64  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH]; sm != NULL; sm = sm->next) {
65  if (sm->type == smtype) {
66  return true;
67  }
68  }
69  return false;
70 }
71 static bool PrefilterStreamEventIsPrefilterable(const Signature *s)
72 {
73  return PrefilterEventIsPrefilterable(s, DETECT_STREAM_EVENT);
74 }
75 
76 static bool PrefilterDecodeEventIsPrefilterable(const Signature *s)
77 {
78  return PrefilterEventIsPrefilterable(s, DETECT_DECODE_EVENT);
79 }
80 
81 static void PrefilterPacketEventSet(PrefilterPacketHeaderValue *v, void *smctx)
82 {
83  const DetectEngineEventData *a = smctx;
85  v->u8[1] = a->event; // arg1
86  v->u8[2] = 0; // arg2
87 }
88 
89 static bool PrefilterPacketEventCompare(PrefilterPacketHeaderValue v, void *smctx)
90 {
91  const DetectEngineEventData *a = smctx;
92  DetectUintData_u8 du8;
93  du8.mode = DETECT_UINT_EQ;
94  du8.arg1 = a->event;
95  du8.arg2 = 0;
96  return PrefilterPacketU8Compare(v, &du8);
97 }
98 
99 static void PrefilterPacketEventMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
100 {
101  const PrefilterPacketU8HashCtx *h = pectx;
102  for (uint8_t u = 0; u < p->events.cnt; u++) {
103  const SigsArray *sa = h->array[p->events.events[u]];
104  if (sa) {
105  PrefilterAddSids(&det_ctx->pmq, sa->sigs, sa->cnt);
106  }
107  }
108 }
109 
110 static int PrefilterSetupStreamEvent(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
111 {
113  SIG_MASK_REQUIRE_ENGINE_EVENT, PrefilterPacketEventSet, PrefilterPacketEventCompare,
114  PrefilterPacketEventMatch);
115 }
116 
117 static int PrefilterSetupDecodeEvent(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
118 {
120  SIG_MASK_REQUIRE_ENGINE_EVENT, PrefilterPacketEventSet, PrefilterPacketEventCompare,
121  PrefilterPacketEventMatch);
122 }
123 
124 /**
125  * \brief Registration function for decode-event: keyword
126  */
128 {
129  sigmatch_table[DETECT_ENGINE_EVENT].name = "engine-event";
130  sigmatch_table[DETECT_ENGINE_EVENT].Match = DetectEngineEventMatch;
131  sigmatch_table[DETECT_ENGINE_EVENT].Setup = DetectEngineEventSetup;
132  sigmatch_table[DETECT_ENGINE_EVENT].Free = DetectEngineEventFree;
133 #ifdef UNITTESTS
135 #endif
136 
137  sigmatch_table[DETECT_DECODE_EVENT].name = "decode-event";
138  sigmatch_table[DETECT_DECODE_EVENT].Match = DetectEngineEventMatch;
139  sigmatch_table[DETECT_DECODE_EVENT].Setup = DetectDecodeEventSetup;
140  sigmatch_table[DETECT_DECODE_EVENT].Free = DetectEngineEventFree;
142  "match on events triggered by structural or invalid values during packet decoding";
143  sigmatch_table[DETECT_DECODE_EVENT].url = "/rules/decode-layer.html#decode-event";
145  sigmatch_table[DETECT_DECODE_EVENT].SupportsPrefilter = PrefilterDecodeEventIsPrefilterable;
146  sigmatch_table[DETECT_DECODE_EVENT].SetupPrefilter = PrefilterSetupDecodeEvent;
147 
148  sigmatch_table[DETECT_STREAM_EVENT].name = "stream-event";
149  sigmatch_table[DETECT_STREAM_EVENT].Match = DetectEngineEventMatch;
150  sigmatch_table[DETECT_STREAM_EVENT].Setup = DetectStreamEventSetup;
151  sigmatch_table[DETECT_STREAM_EVENT].Free = DetectEngineEventFree;
153  "match on events triggered by anomalies during TCP streaming";
154  sigmatch_table[DETECT_STREAM_EVENT].SupportsPrefilter = PrefilterStreamEventIsPrefilterable;
155  sigmatch_table[DETECT_STREAM_EVENT].SetupPrefilter = PrefilterSetupStreamEvent;
156 
157  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
158 }
159 
160 /**
161  * \brief This function is used to match decoder event flags set on a packet with those passed via decode-event:
162  *
163  * \param t pointer to thread vars
164  * \param det_ctx pointer to the pattern matcher thread
165  * \param p pointer to the current packet
166  * \param s pointer to the Signature
167  * \param m pointer to the sigmatch
168  *
169  * \retval 0 no match
170  * \retval 1 match
171  */
172 static int DetectEngineEventMatch (DetectEngineThreadCtx *det_ctx,
173  Packet *p, const Signature *s, const SigMatchCtx *ctx)
174 {
175  SCEnter();
176 
177  const DetectEngineEventData *de = (const DetectEngineEventData *)ctx;
178 
179  if (ENGINE_ISSET_EVENT(p, de->event)) {
180  SCLogDebug("de->event matched %u", de->event);
181  SCReturnInt(1);
182  }
183 
184  SCReturnInt(0);
185 }
186 
187 static bool OutdatedEvent(const char *raw)
188 {
189  if (strcmp(raw, "decoder.udp.hlen_invalid") == 0) {
190  return true;
191  }
192  return false;
193 }
194 
195 /**
196  * \brief This function is used to parse decoder events options passed via decode-event: keyword
197  *
198  * \param rawstr Pointer to the user provided decode-event options
199  *
200  * \retval de pointer to DetectFlowData on success
201  * \retval NULL on failure
202  */
203 static DetectEngineEventData *DetectEngineEventParse (const char *rawstr)
204 {
205  int i;
206  DetectEngineEventData *de = NULL;
207  int res = 0, found = 0;
208  size_t pcre2len;
209  pcre2_match_data *match = NULL;
210 
211  int ret = DetectParsePcreExec(&parse_regex, &match, rawstr, 0, 0);
212  if (ret < 1) {
213  SCLogError("pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
214  goto error;
215  }
216 
217  char copy_str[128] = "";
218  pcre2len = sizeof(copy_str);
219  res = pcre2_substring_copy_bynumber(match, 0, (PCRE2_UCHAR8 *)copy_str, &pcre2len);
220 
221  if (res < 0) {
222  SCLogError("pcre2_substring_copy_bynumber failed");
223  goto error;
224  }
225 
226  for (i = 0; DEvents[i].event_name != NULL; i++) {
227  if (strcasecmp(DEvents[i].event_name,copy_str) == 0) {
228  found = 1;
229  break;
230  }
231  }
232 
233  if (found == 0) {
234  SCLogError("unknown decode event \"%s\"", copy_str);
235  goto error;
236  }
237 
238  de = SCMalloc(sizeof(DetectEngineEventData));
239  if (unlikely(de == NULL))
240  goto error;
241 
242  de->event = DEvents[i].code;
243 
246  }
247 
248  if (OutdatedEvent(rawstr)) {
250  SCLogError("decode-event keyword no longer supports event \"%s\"", rawstr);
251  goto error;
252  } else {
253  SCLogWarning("decode-event keyword no longer supports event \"%s\"", rawstr);
254  }
255  }
256 
257  pcre2_match_data_free(match);
258  return de;
259 
260 error:
261  if (de)
262  SCFree(de);
263  if (match) {
264  pcre2_match_data_free(match);
265  }
266  return NULL;
267 }
268 
269 /**
270  * \brief this function is used to add the parsed decode-event into the current signature
271  *
272  * \param de_ctx pointer to the Detection Engine Context
273  * \param s pointer to the Current Signature
274  * \param rawstr pointer to the user provided decode-event options
275  *
276  * \retval 0 on Success
277  * \retval -1 on Failure
278  */
279 static int DetectEngineEventSetupDo(
280  DetectEngineCtx *de_ctx, Signature *s, const char *rawstr, uint16_t smtype)
281 {
282  DetectEngineEventData *de = DetectEngineEventParse(rawstr);
283  if (de == NULL)
284  return -1;
285 
286  SCLogDebug("rawstr %s %u", rawstr, de->event);
287 
289  NULL) {
290  SCFree(de);
291  return -1;
292  }
293  return 0;
294 }
295 
296 
297 static int DetectEngineEventSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
298 {
299  return DetectEngineEventSetupDo (de_ctx, s, rawstr, DETECT_ENGINE_EVENT);
300 }
301 
302 /**
303  * \brief this function will free memory associated with DetectEngineEventData
304  *
305  * \param de pointer to DetectEngineEventData
306  */
307 static void DetectEngineEventFree(DetectEngineCtx *de_ctx, void *ptr)
308 {
310  if (de)
311  SCFree(de);
312 }
313 
314 
315 /**
316  * \brief this function Setup the 'decode-event' keyword by setting the correct
317  * signature type
318 */
319 static int DetectDecodeEventSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
320 {
321  char drawstr[64] = "decoder.";
322 
323  /* decoder:$EVENT alias command develop as decode-event:decoder.$EVENT */
324  strlcat(drawstr, rawstr, sizeof(drawstr));
325 
326  return DetectEngineEventSetupDo(de_ctx, s, drawstr, DETECT_DECODE_EVENT);
327 }
328 
329 /**
330  * \brief this function Setup the 'stream-event' keyword by resolving the alias
331 */
332 static int DetectStreamEventSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
333 {
334  char srawstr[64] = "stream.";
335 
336  if (strcmp(rawstr, "est_synack_resend_with_different_ack") == 0) {
337  rawstr = "est_synack_resend_with_diff_ack";
338  } else if (strcmp(rawstr, "3whs_synack_resend_with_different_ack") == 0) {
339  rawstr = "3whs_synack_resend_with_diff_ack";
340  }
341 
342  /* stream:$EVENT alias command develop as decode-event:stream.$EVENT */
343  strlcat(srawstr, rawstr, sizeof(srawstr));
344 
345  return DetectEngineEventSetupDo(de_ctx, s, srawstr, DETECT_STREAM_EVENT);
346 }
347 
348 /*
349  * ONLY TESTS BELOW THIS COMMENT
350  */
351 #ifdef UNITTESTS
352 
353 /**
354  * \test EngineEventTestParse01 is a test for a valid decode-event value
355  */
356 static int EngineEventTestParse01 (void)
357 {
358  DetectEngineEventData *de = DetectEngineEventParse("decoder.ipv4.pkt_too_small");
359 
360  FAIL_IF_NULL(de);
361 
362  DetectEngineEventFree(NULL, de);
363 
364  PASS;
365 }
366 
367 
368 /**
369  * \test EngineEventTestParse02 is a test for a valid upper + lower case decode-event value
370  */
371 static int EngineEventTestParse02 (void)
372 {
373  DetectEngineEventData *de = DetectEngineEventParse("decoder.PPP.pkt_too_small");
374 
375  FAIL_IF_NULL(de);
376 
377  DetectEngineEventFree(NULL, de);
378 
379  PASS;
380 }
381 
382 /**
383  * \test EngineEventTestParse03 is a test for a valid upper case decode-event value
384  */
385 static int EngineEventTestParse03 (void)
386 {
387  DetectEngineEventData *de = DetectEngineEventParse("decoder.IPV6.PKT_TOO_SMALL");
388 
389  FAIL_IF_NULL(de);
390 
391  DetectEngineEventFree(NULL, de);
392 
393  PASS;
394 }
395 
396 /**
397  * \test EngineEventTestParse04 is a test for an invalid upper case decode-event value
398  */
399 static int EngineEventTestParse04 (void)
400 {
401  DetectEngineEventData *de = DetectEngineEventParse("decoder.IPV6.INVALID_EVENT");
402 
403  FAIL_IF_NOT_NULL(de);
404 
405  DetectEngineEventFree(NULL, de);
406 
407  PASS;
408 }
409 
410 /**
411  * \test EngineEventTestParse05 is a test for an invalid char into the decode-event value
412  */
413 static int EngineEventTestParse05 (void)
414 {
415  DetectEngineEventData *de = DetectEngineEventParse("decoder.IPV-6,INVALID_CHAR");
416 
417  FAIL_IF_NOT_NULL(de);
418 
419  DetectEngineEventFree(NULL, de);
420 
421  PASS;
422 }
423 
424 /**
425  * \test EngineEventTestParse06 is a test for match function with valid decode-event value
426  */
427 static int EngineEventTestParse06 (void)
428 {
429  Packet *p = PacketGetFromAlloc();
430  FAIL_IF_NULL(p);
431 
432  ThreadVars tv;
433 
434  memset(&tv, 0, sizeof(ThreadVars));
435 
437 
438  DetectEngineEventData *de = DetectEngineEventParse("decoder.ppp.pkt_too_small");
439  FAIL_IF_NULL(de);
440 
441  de->event = PPP_PKT_TOO_SMALL;
442 
443  SigMatch *sm = SigMatchAlloc();
444  FAIL_IF_NULL(sm);
445 
447  sm->ctx = (SigMatchCtx *)de;
448 
449  FAIL_IF_NOT(DetectEngineEventMatch(NULL, p, NULL, sm->ctx));
450 
451  SCFree(p);
452  SCFree(de);
453  SCFree(sm);
454 
455  PASS;
456 }
457 
458 /**
459  * \brief this function registers unit tests for EngineEvent
460  */
462 {
463  UtRegisterTest("EngineEventTestParse01", EngineEventTestParse01);
464  UtRegisterTest("EngineEventTestParse02", EngineEventTestParse02);
465  UtRegisterTest("EngineEventTestParse03", EngineEventTestParse03);
466  UtRegisterTest("EngineEventTestParse04", EngineEventTestParse04);
467  UtRegisterTest("EngineEventTestParse05", EngineEventTestParse05);
468  UtRegisterTest("EngineEventTestParse06", EngineEventTestParse06);
469 }
470 #endif /* UNITTESTS */
ENGINE_SET_EVENT
#define ENGINE_SET_EVENT(p, e)
Definition: decode.h:1186
detect-engine-uint.h
EngineEventRegisterTests
void EngineEventRegisterTests(void)
this function registers unit tests for EngineEvent
Definition: detect-engine-event.c:461
SigTableElmt_::url
const char * url
Definition: detect.h:1462
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:642
SigTableElmt_::desc
const char * desc
Definition: detect.h:1461
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1446
DetectParseRegex
Definition: detect-parse.h:93
SigTableElmt_::name
const char * name
Definition: detect.h:1459
stream-tcp.h
detect-engine-event.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1629
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
PacketEngineEvents_::events
uint8_t events[PACKET_ENGINE_EVENT_MAX]
Definition: decode.h:308
ENGINE_ISSET_EVENT
#define ENGINE_ISSET_EVENT(p, e)
Definition: decode.h:1199
PrefilterPacketU8HashCtx_::array
SigsArray * array[256]
Definition: detect-engine-prefilter-common.h:53
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:275
DETECT_DECODE_EVENT
@ DETECT_DECODE_EVENT
Definition: detect-engine-register.h:122
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1349
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1450
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
StreamTcpReassembleConfigEnableOverlapCheck
void StreamTcpReassembleConfigEnableOverlapCheck(void)
Definition: stream-tcp-list.c:40
SIGMATCH_DEONLY_COMPAT
#define SIGMATCH_DEONLY_COMPAT
Definition: detect.h:1655
DETECT_UINT_EQ
#define DETECT_UINT_EQ
Definition: detect-engine-uint.h:35
PrefilterPacketHeaderValue::u8
uint8_t u8[16]
Definition: detect-engine-prefilter-common.h:24
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:3491
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1441
Packet_::events
PacketEngineEvents events
Definition: decode.h:630
util-unittest.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-engine-event.c:47
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1444
PPP_PKT_TOO_SMALL
@ PPP_PKT_TOO_SMALL
Definition: decode-events.h:122
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PrefilterSetupPacketHeaderU8Hash
int PrefilterSetupPacketHeaderU8Hash(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, SignatureMask mask, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:398
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1244
strlcat
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
SIG_MASK_REQUIRE_ENGINE_EVENT
#define SIG_MASK_REQUIRE_ENGINE_EVENT
Definition: detect.h:318
DEvents
const struct DecodeEvents_ DEvents[]
Definition: decode-events.c:29
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:3617
SCEnter
#define SCEnter(...)
Definition: util-debug.h:277
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:388
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:360
DETECT_ENGINE_EVENT
@ DETECT_ENGINE_EVENT
Definition: detect-engine-register.h:226
SigMatchStrictEnabled
bool SigMatchStrictEnabled(const enum DetectKeywordId id)
Definition: detect-parse.c:336
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:117
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:255
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
Packet_
Definition: decode.h:501
DecodeEvents_::code
uint8_t code
Definition: decode-events.h:328
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:747
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1421
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:274
DecodeEvents_::event_name
const char * event_name
Definition: decode-events.h:327
decode-events.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
PREFILTER_U8HASH_MODE_EQ
#define PREFILTER_U8HASH_MODE_EQ
Definition: detect-engine-prefilter-common.h:56
SigsArray_::sigs
SigIntId * sigs
Definition: detect-engine-prefilter-common.h:47
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:357
SigsArray_
Definition: detect-engine-prefilter-common.h:46
SigsArray_::cnt
uint32_t cnt
Definition: detect-engine-prefilter-common.h:48
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:258
DetectEngineEventRegister
void DetectEngineEventRegister(void)
Registration function for decode-event: keyword.
Definition: detect-engine-event.c:127
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DETECT_STREAM_EVENT
@ DETECT_STREAM_EVENT
Definition: detect-engine-register.h:227
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:267
SCFree
#define SCFree(p)
Definition: util-mem.h:61
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1443
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
SigMatch_
a single match condition for a signature
Definition: detect.h:356
DetectEngineEventData_
Definition: detect-engine-event.h:27
PrefilterPacketU8Compare
bool PrefilterPacketU8Compare(PrefilterPacketHeaderValue v, void *smctx)
Definition: detect-engine-uint.c:98
suricata.h
PrefilterPacketU8HashCtx_
Definition: detect-engine-prefilter-common.h:52
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:23
STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA
@ STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA
Definition: decode-events.h:301
detect-engine-prefilter-common.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:281
flow-var.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1448
DetectEngineEventData_::event
uint8_t event
Definition: detect-engine-event.h:28
PacketEngineEvents_::cnt
uint8_t cnt
Definition: decode.h:307