suricata
detect-engine-frame.c
1 /* Copyright (C) 2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "suricata.h"
27 
28 #include "app-layer-parser.h"
29 #include "app-layer-frames.h"
30 
31 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-engine-frame.h"
36 
37 #include "stream-tcp.h"
38 
39 #include "util-profiling.h"
40 #include "util-validate.h"
41 #include "util-print.h"
42 
44  const Frames *frames, const Frame *frame, const AppProto alproto, const uint32_t idx)
45 {
/* Runs every frame prefilter engine in sgh->frame_engines whose app protocol
 * and frame type both match this frame. The first line of the signature is
 * not part of this listing.
 * NOTE(review): engine is dereferenced before any NULL check and the walk
 * stops only on is_last, so this relies on sgh->frame_engines being a
 * non-empty, is_last-terminated array -- presumably guaranteed by the caller
 * and the engine setup code; confirm. */
46  SCLogDebug("pcap_cnt %" PRIu64, p->pcap_cnt);
47  PrefilterEngine *engine = sgh->frame_engines;
48  do {
49  BUG_ON(engine->alproto == ALPROTO_UNKNOWN);
/* both the app protocol and the frame type have to match before the
 * engine's callback is invoked */
50  if (engine->alproto == alproto && engine->ctx.frame_type == frame->type) {
51  SCLogDebug("frame %p engine %p", frame, engine);
53  engine->cb.PrefilterFrame(det_ctx, engine->pectx, p, frames, frame, idx);
54  PREFILTER_PROFILING_END(det_ctx, engine->gid);
55  }
/* is_last marks the final array element; without it the loop would run
 * past the end of the array */
56  if (engine->is_last)
57  break;
58  engine++;
59  } while (1);
60 }
61 
62 /* generic mpm for frame engines */
63 
64 // TODO same as Generic?
/* Per-engine context for PrefilterMpmFrame, which receives it through its
 * pectx pointer. The closing lines of the struct are not part of this
 * listing. */
65 typedef struct PrefilterMpmFrameCtx {
/* buffer list id, passed on when the inspection buffer is requested */
66  int list_id;
/* pattern matcher context the search is run against */
67  const MpmCtx *mpm_ctx;
70 
71 /** \brief Generic Mpm prefilter callback
72  *
73  * \param det_ctx detection engine thread ctx
74  * \param frames container for the frames
75  * \param frame frame to inspect
76  * \param pectx inspection context
77  */
78 static void PrefilterMpmFrame(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
79  const Frames *frames, const Frame *frame, const uint32_t idx)
80 {
/* Prefilter callback: obtains the inspection buffer for this frame and runs
 * the multi-pattern matcher over it. Matches are collected in det_ctx->pmq;
 * the function itself returns nothing. */
81  SCEnter();
82 
/* pectx is the PrefilterMpmFrameCtx that was registered with this callback */
83  const PrefilterMpmFrameCtx *ctx = (const PrefilterMpmFrameCtx *)pectx;
84  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
85  SCLogDebug("running on list %d -> frame field type %u", ctx->list_id, frame->type);
86  // BUG_ON(frame->type != ctx->type);
87 
/* The start of this statement (original line 88) is not part of this listing;
 * the arguments match DetectFrame2InspectBuffer(), with first == true so an
 * already filled buffer is not reused. */
89  det_ctx, ctx->transforms, p, frames, frame, ctx->list_id, idx, true);
/* no buffer means no data to search for this frame */
90  if (buffer == NULL)
91  return;
/* NOTE(review): frame->len is int64_t and other code in this file treats a
 * negative value as "length not known" (frame->len != -1, frame->len >= 0).
 * For such a frame this comparison is true for every orig_len, so a
 * validation build would trip here; DetectEngineInspectFrameBufferGeneric
 * guards the same kind of check with frame->len > 0 -- confirm whether that
 * guard is wanted here as well. */
92  DEBUG_VALIDATE_BUG_ON(buffer->orig_len > frame->len);
93 
94  const uint32_t data_len = buffer->inspect_len;
95  const uint8_t *data = buffer->inspect;
96 
97  SCLogDebug("mpm'ing buffer:");
98  // SCLogDebug("frame: %p", frame);
99  // PrintRawDataFp(stdout, data, MIN(32, data_len));
100 
/* skip the search when there is no data or it is shorter than minlen; the
 * Search() return value is deliberately discarded */
101  if (data != NULL && data_len >= mpm_ctx->minlen) {
102  (void)mpm_table[mpm_ctx->mpm_type].Search(
103  mpm_ctx, &det_ctx->mtcu, &det_ctx->pmq, data, data_len);
104  SCLogDebug("det_ctx->pmq.rule_id_array_cnt %u", det_ctx->pmq.rule_id_array_cnt);
105  }
106 }
107 
/* Free callback for the PrefilterMpmFrameCtx allocated in
 * PrefilterGenericMpmFrameRegister; it is handed to
 * PrefilterAppendFrameEngine together with the context. Only the context
 * itself is freed, not the mpm_ctx or transforms it points to. */
108 static void PrefilterMpmFrameFree(void *ptr)
109 {
110  SCFree(ptr);
111 }
112 
114  const DetectBufferMpmRegistery *mpm_reg, int list_id)
115 {
/* Allocates a PrefilterMpmFrameCtx and appends PrefilterMpmFrame as a frame
 * prefilter engine for mpm_reg's alproto and frame type. Returns -1 when the
 * allocation fails, otherwise the result of PrefilterAppendFrameEngine. The
 * first line of the signature is not part of this listing. */
116  SCEnter();
117  PrefilterMpmFrameCtx *pectx = SCCalloc(1, sizeof(*pectx));
118  if (pectx == NULL)
119  return -1;
120  pectx->list_id = list_id;
121  BUG_ON(mpm_reg->frame_v1.alproto == ALPROTO_UNKNOWN);
122  pectx->mpm_ctx = mpm_ctx;
/* NOTE(review): this stores a pointer into mpm_reg rather than a copy, so
 * mpm_reg has to outlive the registered engine -- presumably registration
 * data lives as long as the detection engine; confirm. */
123  pectx->transforms = &mpm_reg->transforms;
124 
125  int r = PrefilterAppendFrameEngine(de_ctx, sgh, PrefilterMpmFrame, mpm_reg->frame_v1.alproto,
126  mpm_reg->frame_v1.type, pectx, PrefilterMpmFrameFree, mpm_reg->pname);
/* on failure the context is still ours and is freed here; on success it is
 * presumably released later through PrefilterMpmFrameFree */
127  if (r != 0) {
128  SCFree(pectx);
129  }
130  return r;
131 }
132 
134  Flow *f, Packet *p, const Frames *frames, const Frame *frame, const uint32_t idx)
135 {
/* Walks the rule's frame inspection engines and calls the callback of each
 * engine whose type equals frame->type. Returns true on the first callback
 * that reports a match and false when none does. The first line of the
 * signature and the end of the SCLogDebug call below (original line 139) are
 * not part of this listing. */
136  BUG_ON(s->frame_inspect == NULL);
137 
138  SCLogDebug("inspecting rule %u against frame %p/%" PRIi64 "/%s", s->id, frame, frame->id,
140 
141  for (DetectEngineFrameInspectionEngine *e = s->frame_inspect; e != NULL; e = e->next) {
/* NOTE(review): engines are selected on frame->type alone. As the TODO
 * below says, app protocol and direction are not compared here, so this
 * relies on the caller passing only frames of the rule's protocol --
 * confirm. */
142  if (frame->type == e->type) {
143  // TODO check alproto, direction?
144 
145  // TODO there should be only one inspect engine for this frame, ever?
146 
147  if (e->v1.Callback(det_ctx, e, s, p, frames, frame, idx) == true) {
148  SCLogDebug("sid %u: e %p Callback returned true", s->id, e);
149  return true;
150  }
151  SCLogDebug("sid %u: e %p Callback returned false", s->id, e);
152  } else {
153  SCLogDebug(
154  "sid %u: e %p not for frame type %u (want %u)", s->id, e, frame->type, e->type);
155  }
156  }
157  return false;
158 }
159 
160 /** \internal
161  * \brief setup buffer based on frame in UDP payload
162  */
163 static InspectionBuffer *DetectFrame2InspectBufferUdp(DetectEngineThreadCtx *det_ctx,
164  const DetectEngineTransforms *transforms, Packet *p, InspectionBuffer *buffer,
165  const Frames *frames, const Frame *frame, const int list_id, const uint32_t idx,
166  const bool first)
167 {
/* Builds the inspection buffer straight from the UDP payload: the data starts
 * at p->payload + frame->rel_offset and is clipped to what the packet holds.
 * Returns NULL when the frame starts at or past the end of the payload,
 * otherwise the buffer that was passed in. det_ctx, frames, list_id, idx and
 * first are not used in the lines shown.
 * NOTE(review): frame->rel_offset is int64_t and p->payload_len is uint16_t,
 * so the comparison below is signed and does not reject a negative
 * rel_offset; the data pointer would then start before p->payload. Original
 * line 168 is not part of this listing and may hold a check for that --
 * confirm a negative rel_offset cannot reach this point in a release build. */
169  if (frame->rel_offset >= p->payload_len)
170  return NULL;
171 
/* len == -1 is handled as "runs to the end of the payload".
 * NOTE(review): frame->len is int64_t but is narrowed to int here, and
 * frame_len is converted to uint32_t for data_len further down. A len that
 * is negative (other than -1) or above INT_MAX could get past the clamp
 * below -- presumably the parser that registered the frame bounds len;
 * confirm, or keep the arithmetic in int64_t and clamp before narrowing. */
172  int frame_len = frame->len != -1 ? frame->len : p->payload_len - frame->rel_offset;
173  uint8_t ci_flags = DETECT_CI_FLAGS_START;
174 
/* a frame that extends past the payload is cut at the payload end and does
 * not get the END flag; a frame that fits gets START and END */
175  if (frame->rel_offset + frame_len > p->payload_len) {
176  frame_len = p->payload_len - frame->rel_offset;
177  } else {
178  ci_flags |= DETECT_CI_FLAGS_END;
179  }
180  const uint8_t *data = p->payload + frame->rel_offset;
181  const uint32_t data_len = frame_len;
182 
/* one argument line of this log call (original line 186, the value for
 * the %s conversion) is not part of this listing */
183  SCLogDebug("packet %" PRIu64 " -> frame %p/%" PRIi64 "/%s rel_offset %" PRIi64
184  " type %u len %" PRIi64,
185  p->pcap_cnt, frame, frame->id,
187  frame->rel_offset, frame->type, frame->len);
188  // PrintRawDataFp(stdout, data, MIN(64,data_len));
189 
190  InspectionBufferSetupMulti(buffer, transforms, data, data_len);
191  buffer->inspect_offset = 0;
192  buffer->flags = ci_flags;
193  return buffer;
194 }
195 
/* Fields of struct FrameStreamData, the state FrameStreamDataFunc receives
 * through its cb_data pointer. The struct header and several members
 * (original lines 196-198 and 202-203) are not part of this listing. */
/* frame whose data is being collected */
199  const Frame *frame;
200  int list_id;
201  uint32_t idx;
204 };
205 
/* Stream data callback handed to StreamReassembleForFrame. It receives one
 * chunk of stream data (input/input_len at absolute stream offset `offset`),
 * limits it to the part that belongs to the frame in cb_data, and sets up the
 * inspection buffer with it. Returns 1 on every path shown. */
206 static int FrameStreamDataFunc(
207  void *cb_data, const uint8_t *input, const uint32_t input_len, const uint64_t offset)
208 {
209  struct FrameStreamData *fsd = cb_data;
210  SCLogDebug("fsd %p { det_ct:%p, transforms:%p, frame:%p, list_id:%d, idx:%u, "
211  "frame_data_offset_abs:%" PRIu64 ", frame_start_offset_abs:%" PRIu64
212  " }, input: %p, input_len:%u, offset:%" PRIu64,
213  fsd, fsd->det_ctx, fsd->transforms, fsd->frame, fsd->list_id, fsd->idx,
214  fsd->frame_data_offset_abs, fsd->frame_start_offset_abs, input, input_len, offset);
215 
/* the right-hand side of this assignment (original line 217) is not part of
 * this listing */
216  InspectionBuffer *buffer =
218  BUG_ON(buffer == NULL);
219  SCLogDebug("buffer %p", buffer);
220 
221  const Frame *frame = fsd->frame;
222  SCLogDebug("frame rel_offset:%" PRIi64, frame->rel_offset);
223  const uint8_t *data = input;
224  uint8_t ci_flags = 0;
225  uint32_t data_len;
/* case 1: the chunk begins exactly at the frame start */
226  if (fsd->frame_start_offset_abs == offset) {
227  ci_flags |= DETECT_CI_FLAGS_START;
228  SCLogDebug("have frame data start");
229 
/* known length: take no more than the frame holds; a negative len
 * means the length is not known, so the whole chunk is used */
230  if (frame->len >= 0) {
231  data_len = MIN(input_len, frame->len);
232  } else {
233  data_len = input_len;
234  }
235 
/* frame->len is int64_t, so this is never true for a negative len
 * and END is only set when the complete frame is in this chunk */
236  if (data_len == frame->len) {
237  ci_flags |= DETECT_CI_FLAGS_END;
238  SCLogDebug("have frame data end");
239  }
240  } else {
/* case 2: the chunk begins somewhere other than the frame start.
 * NOTE(review): both BUG_ON checks in this branch depend on stream
 * offsets that come from traffic; BUG_ON is defined in
 * suricata-common.h (not shown) -- if it aborts the process, confirm
 * these conditions are unreachable for any reassembly state. */
241  BUG_ON(offset < fsd->frame_data_offset_abs);
242 
/* unsigned subtraction: frame_delta wraps if offset is below
 * frame_start_offset_abs; the check on line 247 only holds without a
 * wrap when frame_start_offset_abs <= frame_data_offset_abs */
243  uint64_t frame_delta = offset - fsd->frame_start_offset_abs;
244  uint64_t request_delta =
245  offset -
246  fsd->frame_data_offset_abs; // diff between what we requested and what we got
247  BUG_ON(request_delta > frame_delta);
248 
249  if (frame->len >= 0) {
250  if (frame_delta >= (uint64_t)frame->len) {
251  SCLogDebug("data entirely past frame");
252  return 1;
253  }
/* NOTE(review): the remaining frame length is narrowed to uint32_t.
 * data_len stays bounded by input_len, so this cannot read past
 * input, but if more than UINT32_MAX bytes remain the high bits are
 * dropped and less data than available may be inspected -- consider
 * taking the minimum in 64 bits before narrowing. */
254  uint32_t adjusted_frame_len = (uint32_t)((uint64_t)frame->len - frame_delta);
255  SCLogDebug("frame len after applying offset %" PRIu64 ": %u", frame_delta,
256  adjusted_frame_len);
257 
258  data_len = MIN(adjusted_frame_len, input_len);
259  SCLogDebug("usable data len for frame: %u", data_len);
260 
/* END is set when this chunk reaches the last byte of the frame */
261  if ((uint64_t)data_len + frame_delta == (uint64_t)frame->len) {
262  ci_flags |= DETECT_CI_FLAGS_END;
263  SCLogDebug("have frame data end");
264  }
265  } else {
266  data_len = input_len;
267  }
268  }
269  // PrintRawDataFp(stdout, data, data_len);
270  InspectionBufferSetupMulti(buffer, fsd->transforms, data, data_len);
/* a negative rel_offset is stored as a positive inspect_offset --
 * presumably the number of frame bytes that precede the available data */
271  buffer->inspect_offset = frame->rel_offset < 0 ? -1 * frame->rel_offset : 0; // TODO review/test
272  buffer->flags = ci_flags;
/* per the author's remark only the first chunk is used, so frame data in
 * later chunks is not part of the buffer set up by this call */
273  return 1; // for now only the first chunk
274 }
275 
277  const DetectEngineTransforms *transforms, Packet *p, const Frames *frames,
278  const Frame *frame, const int list_id, const uint32_t idx, const bool first)
279 {
/* Returns the inspection buffer holding this frame's data, or NULL when no
 * buffer or no usable data is available. UDP packets are served from the
 * packet payload, everything else from the reassembled TCP stream of the
 * packet's direction. The first signature line and original lines 281, 344
 * and 349 are not part of this listing. */
280  // TODO do we really need multiple buffer support here?
282  if (buffer == NULL)
283  return NULL;
/* unless the caller asked for a fresh setup (first), reuse a buffer that
 * already holds data */
284  if (!first && buffer->inspect != NULL)
285  return buffer;
286 
287  BUG_ON(p->flow == NULL);
288 
289  if (p->proto == IPPROTO_UDP) {
290  return DetectFrame2InspectBufferUdp(
291  det_ctx, transforms, p, buffer, frames, frame, list_id, idx, first);
292  }
293 
294  BUG_ON(p->flow->protoctx == NULL);
295  TcpSession *ssn = p->flow->protoctx;
296  TcpStream *stream;
/* a to-server packet is inspected against the client stream, anything else
 * against the server stream */
297  if (PKT_IS_TOSERVER(p)) {
298  stream = &ssn->client;
299  } else {
300  stream = &ssn->server;
301  }
302 
303  /*
304  stream: [s ]
305  frame: [r ]
306  progress: |>p
307  rel_offset: 10, len 100
308  progress: 20
309  avail: 90 (complete)
310 
311  stream: [s ]
312  frame: [r ]
313  progress: |>p
314  stream: 0, len 59
315  rel_offset: 10, len 100
316  progress: 20
317  avail: 30 (incomplete)
318 
319  stream: [s ]
320  frame: [r ]
321  progress: |>p
322  stream: 0, len 200
323  rel_offset: -30, len 100
324  progress: 20
325  avail: 50 (complete)
326  */
327 
328  SCLogDebug("frame %" PRIi64 ", len %" PRIi64 ", rel_offset %" PRIi64, frame->id, frame->len,
329  frame->rel_offset);
330 
/* offset is where data is requested from: the stream base, moved forward by
 * rel_offset only when rel_offset is positive. A frame that starts before
 * the stream base is read from the base. */
331  uint64_t offset = STREAM_BASE_OFFSET(stream);
332  if (frame->rel_offset > 0) {
333  offset += (uint64_t)frame->rel_offset;
334  }
/* absolute frame start, computed signed so a negative rel_offset is kept.
 * NOTE(review): rel_offset comes from frame state built from traffic; if
 * BUG_ON (suricata-common.h, not shown) aborts the process, confirm that a
 * rel_offset more negative than the stream base cannot occur. */
335  const int64_t frame_start_abs_offset = frame->rel_offset + (int64_t)STREAM_BASE_OFFSET(stream);
336  BUG_ON(frame_start_abs_offset < 0);
337 
338  const bool eof = ssn->state == TCP_CLOSED || PKT_IS_PSEUDOPKT(p);
339 
/* nothing to inspect when the usable stream data ends at or before offset */
340  const uint64_t usable = StreamTcpGetUsable(stream, eof);
341  if (usable <= offset)
342  return NULL;
343 
/* tail of the struct FrameStreamData initializer; its first line (original
 * line 344) is not part of this listing */
345  (uint64_t)frame_start_abs_offset };
/* FrameStreamDataFunc fills the buffer; the int result of
 * StreamReassembleForFrame is not checked */
346  StreamReassembleForFrame(ssn, stream, FrameStreamDataFunc, &fsd, offset, eof);
347  SCLogDebug("offset %" PRIu64, offset);
348 
350  SCLogDebug("ret %p", ret);
351  return ret;
352 }
353 
354 /**
355  * \brief Do the content inspection & validation for a signature
356  *
357  * \param de_ctx Detection engine context
358  * \param det_ctx Detection engine thread context
359  * \param s Signature to inspect
360  * \param p Packet
361  * \param frame stream frame to inspect
362  *
363  * \retval 0 no match.
364  * \retval 1 match.
365  */
367  const DetectEngineFrameInspectionEngine *engine, const Signature *s, Packet *p,
368  const Frames *frames, const Frame *frame, const uint32_t idx)
369 {
/* Fetches the inspection buffer for the frame and runs the rule's content
 * inspection over it. The first signature line and original lines 382, 384,
 * 391, 393, 414, 416 and 418 (including every return statement) are not part
 * of this listing; the return values are presumably
 * DETECT_ENGINE_INSPECT_SIG_MATCH / DETECT_ENGINE_INSPECT_SIG_NO_MATCH --
 * confirm against the full file. */
370  const int list_id = engine->sm_list;
371  SCLogDebug("running inspect on %d", list_id);
372 
373  SCLogDebug("list %d transforms %p", engine->sm_list, engine->v1.transforms);
374 
375  /* if prefilter didn't already run, we need to consider transformations */
376  const DetectEngineTransforms *transforms = NULL;
377  if (!engine->mpm) {
378  transforms = engine->v1.transforms;
379  }
380 
381  const InspectionBuffer *buffer =
383  if (unlikely(buffer == NULL)) {
385  }
386 
387  const uint32_t data_len = buffer->inspect_len;
388  const uint8_t *data = buffer->inspect;
389  const uint64_t offset = buffer->inspect_offset;
390 
392  det_ctx->buffer_offset = 0;
394 #ifdef DEBUG
395  const uint8_t ci_flags = buffer->flags;
396  SCLogDebug("frame %p rel_offset %" PRIi64 " type %u len %" PRIi64
397  " ci_flags %02x (start:%s, end:%s)",
398  frame, frame->rel_offset, frame->type, frame->len, ci_flags,
399  (ci_flags & DETECT_CI_FLAGS_START) ? "true" : "false",
400  (ci_flags & DETECT_CI_FLAGS_END) ? "true" : "false");
401  SCLogDebug("buffer %p offset %" PRIu64 " len %u ci_flags %02x (start:%s, end:%s)", buffer,
402  buffer->inspect_offset, buffer->inspect_len, ci_flags,
403  (ci_flags & DETECT_CI_FLAGS_START) ? "true" : "false",
404  (ci_flags & DETECT_CI_FLAGS_END) ? "true" : "false");
405  // PrintRawDataFp(stdout, data, data_len);
406  // PrintRawDataFp(stdout, data, MIN(64, data_len));
407 #endif
/* for a frame of known positive length the buffer must not hold more data
 * than the frame; frames with len <= 0 are not checked */
408  BUG_ON(frame->len > 0 && (int64_t)data_len > frame->len);
409 
410  // TODO don't call if matching needs frame end and DETECT_CI_FLAGS_END not set
411  // TODO same for start
/* NOTE(review): offset is uint64_t here, while the declaration of
 * DetectEngineContentInspection takes a uint32_t stream_start_offset, so the
 * value is narrowed at the call -- confirm inspect_offset always fits in 32
 * bits. The (uint8_t *) cast drops const although the callee's buffer
 * parameter is const uint8_t *. */
412  int r = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx, s, engine->smd, p, p->flow,
413  (uint8_t *)data, data_len, offset, buffer->flags,
415  if (r == 1) {
417  } else {
419  }
420 }
PrefilterMpmFrameCtx
struct PrefilterMpmFrameCtx PrefilterMpmFrameCtx
DetectEngineInspectFrameBufferGeneric
int DetectEngineInspectFrameBufferGeneric(DetectEngineThreadCtx *det_ctx, const DetectEngineFrameInspectionEngine *engine, const Signature *s, Packet *p, const Frames *frames, const Frame *frame, const uint32_t idx)
Do the content inspection & validation for a signature.
Definition: detect-engine-frame.c:366
PrefilterMpmFrameCtx::list_id
int list_id
Definition: detect-engine-frame.c:66
Packet_::proto
uint8_t proto
Definition: decode.h:464
TcpStream_
Definition: stream-tcp-private.h:109
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1071
detect-engine.h
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
DETECT_CI_FLAGS_START
#define DETECT_CI_FLAGS_START
Definition: detect-engine-content-inspection.h:39
DETECT_ENGINE_CONTENT_INSPECTION_MODE_FRAME
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_FRAME
Definition: detect-engine-content-inspection.h:35
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1238
PREFILTER_PROFILING_END
#define PREFILTER_PROFILING_END(ctx, profile_id)
Definition: util-profiling.h:294
stream-tcp.h
PrefilterRuleStore_::rule_id_array_cnt
uint32_t rule_id_array_cnt
Definition: util-prefilter.h:38
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1408
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectEngineTransforms
Definition: detect.h:381
Frame::rel_offset
int64_t rel_offset
Definition: app-layer-frames.h:51
PrefilterGenericMpmFrameRegister
int PrefilterGenericMpmFrameRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
Definition: detect-engine-frame.c:113
FrameStreamData::frame
const Frame * frame
Definition: detect-engine-frame.c:199
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:603
PREFILTER_PROFILING_START
#define PREFILTER_PROFILING_START
Definition: util-profiling.h:280
Flow_::proto
uint8_t proto
Definition: flow.h:378
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:80
Packet_::payload
uint8_t * payload
Definition: decode.h:582
DetectBufferMpmRegistery_::transforms
DetectEngineTransforms transforms
Definition: detect.h:649
InspectionBuffer
Definition: detect.h:347
FrameStreamData::list_id
int list_id
Definition: detect-engine-frame.c:200
Frame
Definition: app-layer-frames.h:45
Flow_
Flow data structure.
Definition: flow.h:356
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1150
DetectRunPrefilterFrame
void DetectRunPrefilterFrame(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const Frames *frames, const Frame *frame, const AppProto alproto, const uint32_t idx)
Definition: detect-engine-frame.c:43
DetectEngineFrameInspectionEngine::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:487
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:794
DetectEngineFrameInspectionEngine::mpm
bool mpm
Definition: detect.h:481
Frame::id
int64_t id
Definition: app-layer-frames.h:54
FrameStreamData::det_ctx
DetectEngineThreadCtx * det_ctx
Definition: detect-engine-frame.c:197
PrefilterMpmFrameCtx::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-engine-frame.c:67
MIN
#define MIN(x, y)
Definition: suricata-common.h:372
Frames
Definition: app-layer-frames.h:61
DetectBufferMpmRegistery_
one time registration of keywords at start up
Definition: detect.h:635
InspectionBuffer::flags
uint8_t flags
Definition: detect.h:351
detect-engine-frame.h
Flow_::protoctx
void * protoctx
Definition: flow.h:454
PrefilterAppendFrameEngine
int PrefilterAppendFrameEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterFrameFn PrefilterFrameFunc, AppProto alproto, uint8_t frame_type, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:311
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:583
InspectionBuffer::orig_len
uint32_t orig_len
Definition: detect.h:359
detect-engine-prefilter.h
DetectEngineThreadCtx_::mtcu
MpmThreadCtx mtcu
Definition: detect.h:1148
Signature_::frame_inspect
DetectEngineFrameInspectionEngine * frame_inspect
Definition: detect.h:600
DetectBufferMpmRegistery_::frame_v1
struct DetectBufferMpmRegistery_::@87::@91 frame_v1
StreamTcpGetUsable
uint64_t StreamTcpGetUsable(const TcpStream *stream, const bool eof)
Definition: stream-tcp-reassemble.c:410
PrefilterMpmFrameCtx::transforms
const DetectEngineTransforms * transforms
Definition: detect-engine-frame.c:68
DetectFrame2InspectBuffer
InspectionBuffer * DetectFrame2InspectBuffer(DetectEngineThreadCtx *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const Frames *frames, const Frame *frame, const int list_id, const uint32_t idx, const bool first)
Definition: detect-engine-frame.c:276
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:268
AppLayerParserGetFrameNameById
const char * AppLayerParserGetFrameNameById(uint8_t ipproto, AppProto alproto, const uint8_t id)
Definition: app-layer-parser.c:1549
FrameStreamData::idx
uint32_t idx
Definition: detect-engine-frame.c:201
DetectEngineThreadCtx_
Definition: detect.h:1043
PrefilterEngine_
Definition: detect.h:1347
STREAM_BASE_OFFSET
#define STREAM_BASE_OFFSET(stream)
Definition: stream-tcp-private.h:146
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineFrameInspectionEngine::sm_list
uint16_t sm_list
Definition: detect.h:482
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:276
FrameStreamData::transforms
const DetectEngineTransforms * transforms
Definition: detect-engine-frame.c:198
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:349
app-layer-parser.h
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:281
util-profiling.h
PrefilterEngine_::alproto
AppProto alproto
Definition: detect.h:1351
DetectEngineFrameInspectionEngine::v1
struct DetectEngineFrameInspectionEngine::@86 v1
Packet_
Definition: decode.h:442
DetectRunFrameInspectRule
int DetectRunFrameInspectRule(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, const Frames *frames, const Frame *frame, const uint32_t idx)
Definition: detect-engine-frame.c:133
DETECT_CI_FLAGS_END
#define DETECT_CI_FLAGS_END
Definition: detect-engine-content-inspection.h:40
FrameStreamData::frame_start_offset_abs
uint64_t frame_start_offset_abs
Definition: detect-engine-frame.c:203
PrefilterEngine_::cb
union PrefilterEngine_::@101 cb
DetectEngineFrameInspectionEngine
Definition: detect.h:477
Frame::len
int64_t len
Definition: app-layer-frames.h:53
PrefilterEngine_::PrefilterFrame
PrefilterFrameFn PrefilterFrame
Definition: detect.h:1369
PrefilterEngine_::frame_type
uint8_t frame_type
Definition: detect.h:1357
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:165
SigGroupHead_::frame_engines
PrefilterEngine * frame_engines
Definition: detect.h:1428
detect-engine-content-inspection.h
DetectEngineThreadCtx_::discontinue_matching
uint16_t discontinue_matching
Definition: detect.h:1110
DetectEngineContentInspection
uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
Definition: detect-engine-content-inspection.c:103
TCP_CLOSED
@ TCP_CLOSED
Definition: stream-tcp-private.h:164
PrefilterMpmFrameCtx
Definition: detect-engine-frame.c:65
app-layer-frames.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:479
DetectBufferMpmRegistery_::pname
char pname[32]
Definition: detect.h:637
Frame::type
uint8_t type
Definition: app-layer-frames.h:46
suricata-common.h
DetectEngineFrameInspectionEngine::next
struct DetectEngineFrameInspectionEngine * next
Definition: detect.h:490
DetectEngineThreadCtx_::inspection_recursion_counter
int inspection_recursion_counter
Definition: detect.h:1127
PrefilterEngine_::gid
uint32_t gid
Definition: detect.h:1373
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1434
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:287
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
util-validate.h
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:350
PrefilterEngine_::pectx
void * pectx
Definition: detect.h:1362
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:286
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:348
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Signature_::id
uint32_t id
Definition: detect.h:583
Signature_
Signature container.
Definition: detect.h:549
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:48
PrefilterEngine_::ctx
union PrefilterEngine_::@100 ctx
PrefilterEngine_::is_last
bool is_last
Definition: detect.h:1374
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1175
suricata.h
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine.c:1387
MpmCtx_
Definition: util-mpm.h:88
TcpSession_
Definition: stream-tcp-private.h:274
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:463
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
StreamReassembleForFrame
int StreamReassembleForFrame(TcpSession *ssn, TcpStream *stream, StreamReassembleRawFunc Callback, void *cb_data, const uint64_t offset, const bool eof)
Definition: stream-tcp-reassemble.c:1812
FrameStreamData::frame_data_offset_abs
uint64_t frame_data_offset_abs
Definition: detect-engine-frame.c:202
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
DetectEngineFrameInspectionEngine::smd
SigMatchData * smd
Definition: detect.h:489
FrameStreamData
Definition: detect-engine-frame.c:196