suricata
detect-engine-frame.c
Go to the documentation of this file.
1 /* Copyright (C) 2021-2023 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "suricata.h"
27 
28 #include "app-layer-parser.h"
29 #include "app-layer-frames.h"
30 
31 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-engine-frame.h"
36 
37 #include "stream-tcp.h"
38 
39 #include "util-profiling.h"
40 #include "util-validate.h"
41 #include "util-print.h"
42 
44  // shared between prefilter and inspect
47  const Frame *frame;
48  int list_id;
49  uint32_t idx; /**< multi buffer idx, incremented for each stream chunk */
50 
51  // inspection only
53  const Signature *s;
54  int inspect_result; // DETECT_ENGINE_INSPECT_SIG_MATCH / DETECT_ENGINE_INSPECT_SIG_NO_MATCH
56 
57  // prefilter only
58  const MpmCtx *mpm_ctx;
59 
61 };
62 
63 static bool SetupStreamCallbackData(struct FrameStreamData *dst, const TcpSession *ssn,
64  const TcpStream *stream, DetectEngineThreadCtx *det_ctx,
65  const DetectEngineTransforms *transforms, const Frames *_frames, const Frame *frame,
66  const int list_id, const bool eof);
67 
68 static bool BufferSetup(struct FrameStreamData *fsd, InspectionBuffer *buffer, const uint8_t *input,
69  const uint32_t input_len, const uint64_t input_offset);
70 static void BufferSetupUdp(InspectionBuffer *buffer, const Frame *frame, const Packet *p,
71  const DetectEngineTransforms *transforms);
72 
74  const Frames *frames, const Frame *frame, const AppProto alproto)
75 {
76  SCLogDebug("pcap_cnt %" PRIu64, p->pcap_cnt);
77  PrefilterEngine *engine = sgh->frame_engines;
78  do {
79  BUG_ON(engine->alproto == ALPROTO_UNKNOWN);
80  if (engine->alproto == alproto && engine->ctx.frame_type == frame->type) {
81  SCLogDebug("frame %p engine %p", frame, engine);
83  engine->cb.PrefilterFrame(det_ctx, engine->pectx, p, frames, frame);
84  PREFILTER_PROFILING_END(det_ctx, engine->gid);
85  }
86  if (engine->is_last)
87  break;
88  engine++;
89  } while (1);
90 }
91 
92 /* generic mpm for frame engines */
93 
94 // TODO same as Generic?
95 typedef struct PrefilterMpmFrameCtx {
96  int list_id;
97  const MpmCtx *mpm_ctx;
100 
101 static int FrameStreamDataPrefilterFunc(
102  void *cb_data, const uint8_t *input, const uint32_t input_len, const uint64_t input_offset)
103 {
104  struct FrameStreamData *fsd = cb_data;
105  SCLogDebug("prefilter: fsd %p { det_ctx:%p, transforms:%p, frame:%p, list_id:%d, idx:%u, "
106  "data_offset:%" PRIu64 "}, input: %p, input_len:%u, input_offset:%" PRIu64,
107  fsd, fsd->det_ctx, fsd->transforms, fsd->frame, fsd->list_id, fsd->idx,
108  fsd->requested_stream_offset, input, input_len, input_offset);
109  // PrintRawDataFp(stdout, input, input_len);
110 
111  InspectionBuffer *buffer =
113  if (buffer == NULL) {
114  return 0;
115  }
116  SCLogDebug("buffer %p idx %u", buffer, fsd->idx);
117 
118  const int more_chunks = BufferSetup(fsd, buffer, input, input_len, input_offset);
119 
120  const uint32_t data_len = buffer->inspect_len;
121  const uint8_t *data = buffer->inspect;
123  const MpmCtx *mpm_ctx = fsd->mpm_ctx;
124 
125  if (data != NULL && data_len >= mpm_ctx->minlen) {
126  // PrintRawDataFp(stdout, data, data_len);
127 
129  mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, data, data_len);
130  SCLogDebug("det_ctx->pmq.rule_id_array_cnt %u", det_ctx->pmq.rule_id_array_cnt);
132  }
133  return more_chunks;
134 }
135 
136 /** \brief Generic Mpm prefilter callback
137  *
138  * \param det_ctx detection engine thread ctx
139  * \param frames container for the frames
140  * \param frame frame to inspect
141  * \param pectx inspection context
142  */
143 static void PrefilterMpmFrame(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
144  const Frames *frames, const Frame *frame)
145 {
146  SCEnter();
147 
148  const PrefilterMpmFrameCtx *ctx = (const PrefilterMpmFrameCtx *)pectx;
149  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
150 
151  SCLogDebug("packet:%" PRIu64 ", prefilter running on list %d -> frame field type %u",
152  p->pcap_cnt, ctx->list_id, frame->type);
153  if (p->proto == IPPROTO_UDP) {
154  // TODO can we use single here? Could it conflict with TCP?
156  if (buffer == NULL)
157  return;
159  if (frame->offset >= p->payload_len)
160  return;
161 
162  BufferSetupUdp(buffer, frame, p, ctx->transforms);
163  const uint32_t data_len = buffer->inspect_len;
164  const uint8_t *data = buffer->inspect;
165 
166  // PrintRawDataFp(stdout, data, data_len);
167 
168  if (data != NULL && data_len >= mpm_ctx->minlen) {
170  mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, data, data_len);
171  SCLogDebug("det_ctx->pmq.rule_id_array_cnt %u", det_ctx->pmq.rule_id_array_cnt);
173  }
174  } else if (p->proto == IPPROTO_TCP) {
175  BUG_ON(p->flow->protoctx == NULL);
176  TcpSession *ssn = p->flow->protoctx;
177  TcpStream *stream;
178  if (PKT_IS_TOSERVER(p)) {
179  stream = &ssn->client;
180  } else {
181  stream = &ssn->server;
182  }
183  const bool eof = ssn->state == TCP_CLOSED || PKT_IS_PSEUDOPKT(p);
184 
185  struct FrameStreamData fsd;
186  memset(&fsd, 0, sizeof(fsd));
187  fsd.mpm_ctx = mpm_ctx;
188 
189  if (SetupStreamCallbackData(&fsd, ssn, stream, det_ctx, ctx->transforms, frames, frame,
190  ctx->list_id, eof) == true) {
191  StreamReassembleForFrame(ssn, stream, FrameStreamDataPrefilterFunc, &fsd,
192  fsd.requested_stream_offset, eof);
193  }
194  } else {
196  }
197  SCLogDebug("packet:%" PRIu64
198  ", prefilter done running on list %d -> frame field type %u; have %u matches",
200 }
201 
202 static void PrefilterMpmFrameFree(void *ptr)
203 {
204  SCFree(ptr);
205 }
206 
208  const DetectBufferMpmRegistry *mpm_reg, int list_id)
209 {
210  SCEnter();
211  PrefilterMpmFrameCtx *pectx = SCCalloc(1, sizeof(*pectx));
212  if (pectx == NULL)
213  return -1;
214  pectx->list_id = list_id;
215  BUG_ON(mpm_reg->frame_v1.alproto == ALPROTO_UNKNOWN);
216  pectx->mpm_ctx = mpm_ctx;
217  pectx->transforms = &mpm_reg->transforms;
218 
219  int r = PrefilterAppendFrameEngine(de_ctx, sgh, PrefilterMpmFrame, mpm_reg->frame_v1.alproto,
220  mpm_reg->frame_v1.type, pectx, PrefilterMpmFrameFree, mpm_reg->pname);
221  if (r != 0) {
222  SCFree(pectx);
223  }
224  return r;
225 }
226 
228  Flow *f, Packet *p, const Frames *frames, const Frame *frame)
229 {
230  BUG_ON(s->frame_inspect == NULL);
231 
232  SCLogDebug("inspecting rule %u against frame %p/%" PRIi64 "/%s", s->id, frame, frame->id,
234 
235  for (DetectEngineFrameInspectionEngine *e = s->frame_inspect; e != NULL; e = e->next) {
236  if (frame->type == e->type) {
237  // TODO check alproto, direction?
238 
239  // TODO there should be only one inspect engine for this frame, ever?
240 
241  if (e->v1.Callback(det_ctx, e, s, p, frames, frame) == true) {
242  SCLogDebug("sid %u: e %p Callback returned true", s->id, e);
243  return true;
244  }
245  SCLogDebug("sid %u: e %p Callback returned false", s->id, e);
246  } else {
247  SCLogDebug(
248  "sid %u: e %p not for frame type %u (want %u)", s->id, e, frame->type, e->type);
249  }
250  }
251  return false;
252 }
253 
254 static void BufferSetupUdp(InspectionBuffer *buffer, const Frame *frame, const Packet *p,
256 {
257  uint8_t ci_flags = DETECT_CI_FLAGS_START;
258  uint32_t frame_len;
259  if (frame->len == -1) {
260  frame_len = p->payload_len - frame->offset;
261  } else {
262  frame_len = (uint32_t)frame->len;
263  }
264  if (frame->offset + frame_len > p->payload_len) {
265  frame_len = p->payload_len - frame->offset;
266  } else {
267  ci_flags |= DETECT_CI_FLAGS_END;
268  }
269  const uint8_t *data = p->payload + frame->offset;
270  const uint32_t data_len = frame_len;
271 
272  SCLogDebug("packet %" PRIu64 " -> frame %p/%" PRIi64 "/%s offset %" PRIu64
273  " type %u len %" PRIi64,
274  p->pcap_cnt, frame, frame->id,
276  frame->offset, frame->type, frame->len);
277 
278  InspectionBufferSetupMulti(buffer, transforms, data, data_len);
279  buffer->inspect_offset = 0;
280  buffer->flags = ci_flags;
281 }
282 
283 /** \internal
284  * \brief setup buffer based on frame in UDP payload
285  */
286 static int DetectFrameInspectUdp(DetectEngineThreadCtx *det_ctx,
287  const DetectEngineFrameInspectionEngine *engine, const Signature *s,
288  const DetectEngineTransforms *transforms, Packet *p, const Frames *_frames,
289  const Frame *frame, const int list_id)
290 {
291  SCLogDebug("packet:%" PRIu64 ", inspect: s:%p s->id:%u, transforms:%p", p->pcap_cnt, s, s->id,
292  transforms);
293 
294  // TODO can we use single here? Could it conflict with TCP?
296  if (buffer == NULL)
298 
300  if (frame->offset >= p->payload_len)
302 
303  if (!buffer->initialized)
304  BufferSetupUdp(buffer, frame, p, transforms);
306  if (buffer->inspect == NULL)
308 
309  const bool match = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx, s, engine->smd, p,
310  p->flow, buffer->inspect, buffer->inspect_len, 0, buffer->flags,
312  if (match) {
313  SCLogDebug("match!");
315  } else {
317  }
318 }
319 
320 /**
321  * \retval bool true if callback should run again */
322 static bool BufferSetup(struct FrameStreamData *fsd, InspectionBuffer *buffer, const uint8_t *input,
323  const uint32_t input_len, const uint64_t input_offset)
324 {
325  const Frame *frame = fsd->frame;
326  /* so: relative to start of stream */
327  const uint64_t so_input_re = input_offset + input_len;
328  const uint64_t so_frame_re =
329  frame->offset + (uint64_t)frame->len; // TODO if eof, set to available data?
330  SCLogDebug("frame offset:%" PRIu64, frame->offset);
331  const uint8_t *data = input;
332  uint8_t ci_flags = 0;
333  uint32_t data_len;
334 
335  /* fo: frame offset; offset relative to start of the frame */
336  uint64_t fo_inspect_offset = 0;
337 
338  if (frame->offset == 0 && input_offset == 0) {
339  ci_flags |= DETECT_CI_FLAGS_START;
340  SCLogDebug("have frame data start");
341 
342  if (frame->len >= 0) {
343  data_len = MIN(input_len, frame->len);
344  if (data_len == frame->len) {
345  ci_flags |= DETECT_CI_FLAGS_END;
346  SCLogDebug("have frame data end");
347  }
348  } else {
349  data_len = input_len;
350  }
351  } else {
352  const uint64_t so_frame_inspect_offset = frame->inspect_progress + frame->offset;
353  const uint64_t so_inspect_offset = MAX(input_offset, so_frame_inspect_offset);
354  fo_inspect_offset = so_inspect_offset - frame->offset;
355 
356  if (frame->offset >= input_offset) {
357  ci_flags |= DETECT_CI_FLAGS_START;
358  SCLogDebug("have frame data start");
359  }
360  if (frame->len >= 0) {
361  if (fo_inspect_offset >= (uint64_t)frame->len) {
362  SCLogDebug("data entirely past frame (%" PRIu64 " > %" PRIi64 ")",
363  fo_inspect_offset, frame->len);
365  return false;
366  }
367 
368  /* in: relative to start of input data */
369  BUG_ON(so_inspect_offset < input_offset);
370  const uint32_t in_data_offset = so_inspect_offset - input_offset;
371  data += in_data_offset;
372 
373  uint32_t in_data_excess = 0;
374  if (so_input_re >= so_frame_re) {
375  ci_flags |= DETECT_CI_FLAGS_END;
376  SCLogDebug("have frame data end");
377  in_data_excess = so_input_re - so_frame_re;
378  }
379  data_len = input_len - in_data_offset - in_data_excess;
380  } else {
381  /* in: relative to start of input data */
382  BUG_ON(so_inspect_offset < input_offset);
383  const uint32_t in_data_offset = so_inspect_offset - input_offset;
384  data += in_data_offset;
385  data_len = input_len - in_data_offset;
386  }
387  }
388  // PrintRawDataFp(stdout, data, data_len);
389  SCLogDebug("fsd->transforms %p", fsd->transforms);
390  InspectionBufferSetupMulti(buffer, fsd->transforms, data, data_len);
391  SCLogDebug("inspect_offset %" PRIu64, fo_inspect_offset);
392  buffer->inspect_offset = fo_inspect_offset;
393  buffer->flags = ci_flags;
394 
395  if (frame->len >= 0 && so_input_re >= so_frame_re) {
396  SCLogDebug("have the full frame, we can set progress accordingly (%" PRIu64 " > %" PRIu64
397  ")",
398  so_input_re, so_frame_re);
400  MAX(fo_inspect_offset + data_len, fsd->det_ctx->frame_inspect_progress);
401  } else {
403  MAX(fo_inspect_offset + data_len, fsd->det_ctx->frame_inspect_progress);
404  /* in IPS mode keep a sliding window */
405  const bool ips = StreamTcpInlineMode();
406  if (ips) {
407  if (fsd->det_ctx->frame_inspect_progress < 2500)
409  else
410  fsd->det_ctx->frame_inspect_progress -= 2500;
411  }
412  SCLogDebug("ips %s inspect_progress %" PRIu64, BOOL2STR(ips),
414  }
415 
416  /* keep going as long as there is possibly still data for this frame */
417  const bool ret = (frame->len >= 0 && so_input_re >= so_frame_re);
418  SCLogDebug("buffer set up, more to do: %s", BOOL2STR(ret));
419  return ret;
420 }
421 
422 static int FrameStreamDataInspectFunc(
423  void *cb_data, const uint8_t *input, const uint32_t input_len, const uint64_t input_offset)
424 {
425  struct FrameStreamData *fsd = cb_data;
426  SCLogDebug("inspect: fsd %p { det_ctx:%p, transforms:%p, s:%p, s->id:%u, frame:%p, list_id:%d, "
427  "idx:%u, "
428  "requested_stream_offset:%" PRIu64
429  "}, input: %p, input_len:%u, input_offset:%" PRIu64,
430  fsd, fsd->det_ctx, fsd->transforms, fsd->s, fsd->s->id, fsd->frame, fsd->list_id,
431  fsd->idx, fsd->requested_stream_offset, input, input_len, input_offset);
432  // PrintRawDataFp(stdout, input, input_len);
433 
434  InspectionBuffer *buffer =
436  if (buffer == NULL) {
437  return 0;
438  }
439  SCLogDebug("buffer %p idx %u", buffer, fsd->idx);
440 
441  /* if we've not done so already, set up the buffer */
442  int more_chunks = 1;
443  if (!buffer->initialized) {
444  more_chunks = BufferSetup(fsd, buffer, input, input_len, input_offset);
445  }
447  if (buffer->inspect == NULL) {
448  return more_chunks;
449  }
450 
451  const uint32_t data_len = buffer->inspect_len;
452  const uint8_t *data = buffer->inspect;
453  const uint64_t data_offset = buffer->inspect_offset;
455 
457  const Signature *s = fsd->s;
458  Packet *p = fsd->p;
459 
460 #ifdef DEBUG
461  const uint8_t ci_flags = buffer->flags;
462  SCLogDebug("frame %p offset %" PRIu64 " type %u len %" PRIi64
463  " ci_flags %02x (start:%s, end:%s)",
464  fsd->frame, fsd->frame->offset, fsd->frame->type, fsd->frame->len, ci_flags,
465  (ci_flags & DETECT_CI_FLAGS_START) ? "true" : "false",
466  (ci_flags & DETECT_CI_FLAGS_END) ? "true" : "false");
467  SCLogDebug("buffer %p offset %" PRIu64 " len %u ci_flags %02x (start:%s, end:%s)", buffer,
468  buffer->inspect_offset, buffer->inspect_len, ci_flags,
469  (ci_flags & DETECT_CI_FLAGS_START) ? "true" : "false",
470  (ci_flags & DETECT_CI_FLAGS_END) ? "true" : "false");
471  // PrintRawDataFp(stdout, data, data_len);
472  // PrintRawDataFp(stdout, data, MIN(64, data_len));
473 #endif
474  BUG_ON(fsd->frame->len > 0 && (int64_t)data_len > fsd->frame->len);
475 
476  const bool match = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx, s, engine->smd, p,
477  p->flow, data, data_len, data_offset, buffer->flags,
479  if (match) {
480  SCLogDebug("DETECT_ENGINE_INSPECT_SIG_MATCH");
482  } else {
483  SCLogDebug("DETECT_ENGINE_INSPECT_SIG_NO_MATCH");
484  }
485  return more_chunks;
486 }
487 
488 static bool SetupStreamCallbackData(struct FrameStreamData *dst, const TcpSession *ssn,
489  const TcpStream *stream, DetectEngineThreadCtx *det_ctx,
490  const DetectEngineTransforms *transforms, const Frames *_frames, const Frame *frame,
491  const int list_id, const bool eof)
492 {
493  SCLogDebug("frame %" PRIi64 ", len %" PRIi64 ", offset %" PRIu64 ", inspect_progress %" PRIu64,
495 
496  const uint64_t frame_offset = frame->offset;
497  const uint64_t usable = StreamDataRightEdge(stream, eof);
498  if (usable <= frame_offset)
499  return false;
500 
501  uint64_t want = frame->inspect_progress;
502  if (frame->len == -1) {
503  if (eof) {
504  want = usable;
505  } else {
506  want += 2500;
507  }
508  } else {
509  /* don't have the full frame yet */
510  if (frame->offset + frame->len > usable) {
511  want += 2500;
512  } else {
513  want = frame->offset + frame->len;
514  }
515  }
516 
517  const bool ips = StreamTcpInlineMode();
518 
519  const uint64_t have = usable;
520  if (!ips && have < want) {
521  SCLogDebug("wanted %" PRIu64 " bytes, got %" PRIu64, want, have);
522  return false;
523  }
524 
525  const uint64_t available_data = usable - STREAM_BASE_OFFSET(stream);
526  SCLogDebug("check inspection for having 2500 bytes: %" PRIu64, available_data);
527  if (!ips && !eof && available_data < 2500 &&
528  (frame->len < 0 || frame->len > (int64_t)available_data)) {
529  SCLogDebug("skip inspection until we have 2500 bytes (have %" PRIu64 ")", available_data);
530  return false;
531  }
532 
533  const uint64_t offset =
535 
536  dst->det_ctx = det_ctx;
537  dst->transforms = transforms;
538  dst->frame = frame;
539  dst->list_id = list_id;
540  dst->requested_stream_offset = offset;
541  return true;
542 }
543 
544 /**
545  * \brief Do the content inspection & validation for a signature
546  *
547  * \param de_ctx Detection engine context
548  * \param det_ctx Detection engine thread context
549  * \param s Signature to inspect
550  * \param p Packet
551  * \param frame stream frame to inspect
552  *
553  * \retval 0 no match.
554  * \retval 1 match.
555  */
557  const DetectEngineFrameInspectionEngine *engine, const Signature *s, Packet *p,
558  const Frames *frames, const Frame *frame)
559 {
560  /* if prefilter didn't already run, we need to consider transformations */
561  const DetectEngineTransforms *transforms = NULL;
562  if (!engine->mpm) {
563  transforms = engine->v1.transforms;
564  }
565  const int list_id = engine->sm_list;
566  SCLogDebug("running inspect on %d", list_id);
567 
568  if (p->proto == IPPROTO_UDP) {
569  return DetectFrameInspectUdp(det_ctx, engine, s, transforms, p, frames, frame, list_id);
570  }
571  DEBUG_VALIDATE_BUG_ON(p->proto != IPPROTO_TCP);
572 
573  SCLogDebug("packet:%" PRIu64 ", frame->id:%" PRIu64
574  ", list:%d, transforms:%p, s:%p, s->id:%u, engine:%p",
575  p->pcap_cnt, frame->id, engine->sm_list, engine->v1.transforms, s, s->id, engine);
576 
577  BUG_ON(p->flow->protoctx == NULL);
578  TcpSession *ssn = p->flow->protoctx;
579  TcpStream *stream;
580  if (PKT_IS_TOSERVER(p)) {
581  stream = &ssn->client;
582  } else {
583  stream = &ssn->server;
584  }
585  const bool eof = ssn->state == TCP_CLOSED || PKT_IS_PSEUDOPKT(p);
586 
587  struct FrameStreamData fsd;
588  memset(&fsd, 0, sizeof(fsd));
589  fsd.inspect_engine = engine;
590  fsd.s = s;
592  fsd.p = p;
593 
594  if (SetupStreamCallbackData(
595  &fsd, ssn, stream, det_ctx, transforms, frames, frame, list_id, eof) == false) {
597  }
599  ssn, stream, FrameStreamDataInspectFunc, &fsd, fsd.requested_stream_offset, eof);
600 
601  return fsd.inspect_result;
602 }
PrefilterMpmFrameCtx
struct PrefilterMpmFrameCtx PrefilterMpmFrameCtx
PrefilterMpmFrameCtx::list_id
int list_id
Definition: detect-engine-frame.c:96
Packet_::proto
uint8_t proto
Definition: decode.h:459
TcpStream_
Definition: stream-tcp-private.h:106
Frame::inspect_progress
uint64_t inspect_progress
Definition: app-layer-frames.h:55
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
detect-engine.h
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
DETECT_CI_FLAGS_START
#define DETECT_CI_FLAGS_START
Definition: detect-engine-content-inspection.h:40
PrefilterEngine_::ctx
union PrefilterEngine_::@101 ctx
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1074
PREFILTER_PROFILING_END
#define PREFILTER_PROFILING_END(ctx, profile_id)
Definition: util-profiling.h:277
InspectionBuffer::initialized
bool initialized
Definition: detect.h:375
stream-tcp.h
PrefilterRuleStore_::rule_id_array_cnt
uint32_t rule_id_array_cnt
Definition: util-prefilter.h:40
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1445
StreamTcpInlineMode
bool StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:7029
DetectEngineTransforms
Definition: detect.h:406
FrameStreamData::requested_stream_offset
uint64_t requested_stream_offset
Definition: detect-engine-frame.c:60
FrameStreamData::frame
const Frame * frame
Definition: detect-engine-frame.c:47
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:608
DetectBufferMpmRegistry_::frame_v1
struct DetectBufferMpmRegistry_::@88::@92 frame_v1
Flow_::proto
uint8_t proto
Definition: flow.h:373
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:80
Packet_::payload
uint8_t * payload
Definition: decode.h:587
InspectionBuffer
Definition: detect.h:371
Frame::offset
uint64_t offset
Definition: app-layer-frames.h:51
FrameStreamData::list_id
int list_id
Definition: detect-engine-frame.c:48
Frame
Definition: app-layer-frames.h:45
Flow_
Flow data structure.
Definition: flow.h:351
PREFILTER_PROFILING_START
#define PREFILTER_PROFILING_START(det_ctx)
Definition: util-profiling.h:261
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1201
DetectEngineFrameInspectionEngine::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:513
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:836
DetectEngineFrameInspectionEngine::mpm
bool mpm
Definition: detect.h:507
Frame::id
int64_t id
Definition: app-layer-frames.h:53
FrameStreamData::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-engine-frame.c:58
FrameStreamData::det_ctx
DetectEngineThreadCtx * det_ctx
Definition: detect-engine-frame.c:45
PrefilterMpmFrameCtx::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-engine-frame.c:97
MIN
#define MIN(x, y)
Definition: suricata-common.h:391
Frames
Definition: app-layer-frames.h:60
DetectBufferMpmRegistry_
one time registration of keywords at start up
Definition: detect.h:677
InspectionBuffer::flags
uint8_t flags
Definition: detect.h:376
detect-engine-frame.h
FrameStreamData::inspect_engine
const DetectEngineFrameInspectionEngine * inspect_engine
Definition: detect-engine-frame.c:52
PrefilterGenericMpmFrameRegister
int PrefilterGenericMpmFrameRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-frame.c:207
MAX
#define MAX(x, y)
Definition: suricata-common.h:395
DetectRunFrameInspectRule
bool DetectRunFrameInspectRule(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, const Frames *frames, const Frame *frame)
Definition: detect-engine-frame.c:227
Flow_::protoctx
void * protoctx
Definition: flow.h:441
PrefilterAppendFrameEngine
int PrefilterAppendFrameEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterFrameFn PrefilterFrameFunc, AppProto alproto, uint8_t frame_type, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:307
DetectBufferMpmRegistry_::transforms
DetectEngineTransforms transforms
Definition: detect.h:690
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:588
detect-engine-prefilter.h
DetectRunPrefilterFrame
void DetectRunPrefilterFrame(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const Frames *frames, const Frame *frame, const AppProto alproto)
Definition: detect-engine-frame.c:73
Signature_::frame_inspect
DetectEngineFrameInspectionEngine * frame_inspect
Definition: detect.h:642
PrefilterMpmFrameCtx::transforms
const DetectEngineTransforms * transforms
Definition: detect-engine-frame.c:98
PrefilterEngine_::cb
union PrefilterEngine_::@102 cb
InspectionBufferSetupMultiEmpty
void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer)
setup the buffer empty
Definition: detect-engine.c:1593
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:252
AppLayerParserGetFrameNameById
const char * AppLayerParserGetFrameNameById(uint8_t ipproto, AppProto alproto, const uint8_t id)
Definition: app-layer-parser.c:1623
FrameStreamData::idx
uint32_t idx
Definition: detect-engine-frame.c:49
DetectEngineThreadCtx_
Definition: detect.h:1092
PrefilterEngine_
Definition: detect.h:1388
STREAM_BASE_OFFSET
#define STREAM_BASE_OFFSET(stream)
Definition: stream-tcp-private.h:144
BOOL2STR
#define BOOL2STR(b)
Definition: util-debug.h:527
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineFrameInspectionEngine::sm_list
uint16_t sm_list
Definition: detect.h:508
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:38
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:285
FrameStreamData::transforms
const DetectEngineTransforms * transforms
Definition: detect-engine-frame.c:46
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:373
app-layer-parser.h
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
util-profiling.h
PrefilterEngine_::alproto
AppProto alproto
Definition: detect.h:1392
Packet_
Definition: decode.h:437
DETECT_CI_FLAGS_END
#define DETECT_CI_FLAGS_END
Definition: detect-engine-content-inspection.h:42
DetectEngineFrameInspectionEngine
Definition: detect.h:503
Frame::len
int64_t len
Definition: app-layer-frames.h:52
PrefilterEngine_::PrefilterFrame
PrefilterFrameFn PrefilterFrame
Definition: detect.h:1408
PrefilterEngine_::frame_type
uint8_t frame_type
Definition: detect.h:1398
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:168
SigGroupHead_::frame_engines
PrefilterEngine * frame_engines
Definition: detect.h:1465
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition: detect.h:1200
detect-engine-content-inspection.h
TCP_CLOSED
@ TCP_CLOSED
Definition: stream-tcp-private.h:162
PrefilterMpmFrameCtx
Definition: detect-engine-frame.c:95
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition: util-profiling.h:287
app-layer-frames.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:476
Frame::type
uint8_t type
Definition: app-layer-frames.h:46
suricata-common.h
DETECT_ENGINE_CONTENT_INSPECTION_MODE_FRAME
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_FRAME
Definition: detect-engine-content-inspection.h:35
DetectEngineFrameInspectionEngine::next
struct DetectEngineFrameInspectionEngine * next
Definition: detect.h:516
DetectEngineInspectFrameBufferGeneric
int DetectEngineInspectFrameBufferGeneric(DetectEngineThreadCtx *det_ctx, const DetectEngineFrameInspectionEngine *engine, const Signature *s, Packet *p, const Frames *frames, const Frame *frame)
Do the content inspection & validation for a signature.
Definition: detect-engine-frame.c:556
DetectEngineThreadCtx_::frame_inspect_progress
uint64_t frame_inspect_progress
Definition: detect.h:1177
FrameStreamData::inspect_result
int inspect_result
Definition: detect-engine-frame.c:54
PrefilterEngine_::gid
uint32_t gid
Definition: detect.h:1412
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1606
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:295
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:37
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
util-validate.h
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:374
PrefilterEngine_::pectx
void * pectx
Definition: detect.h:1403
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:294
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:372
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Signature_::id
uint32_t id
Definition: detect.h:628
Signature_
Signature container.
Definition: detect.h:593
FrameStreamData::s
const Signature * s
Definition: detect-engine-frame.c:53
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:47
StreamDataRightEdge
uint64_t StreamDataRightEdge(const TcpStream *stream, const bool eof)
Definition: stream-tcp-reassemble.c:421
PrefilterEngine_::is_last
bool is_last
Definition: detect.h:1413
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1216
suricata.h
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine.c:1546
dst
uint16_t dst
Definition: app-layer-dnp3.h:4
MpmCtx_
Definition: util-mpm.h:88
TcpSession_
Definition: stream-tcp-private.h:283
DetectEngineContentInspection
bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, const uint32_t buffer_len, const uint32_t stream_start_offset, const uint8_t flags, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
Definition: detect-engine-content-inspection.c:723
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
DetectEngineFrameInspectionEngine::v1
struct DetectEngineFrameInspectionEngine::@87 v1
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
FrameStreamData::p
Packet * p
Definition: detect-engine-frame.c:55
StreamReassembleForFrame
int StreamReassembleForFrame(TcpSession *ssn, TcpStream *stream, StreamReassembleRawFunc Callback, void *cb_data, const uint64_t offset, const bool eof)
Definition: stream-tcp-reassemble.c:1844
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:103
DetectBufferMpmRegistry_::pname
char pname[32]
Definition: detect.h:679
DetectEngineFrameInspectionEngine::smd
SigMatchData * smd
Definition: detect.h:515
FrameStreamData
Definition: detect-engine-frame.c:43