suricata
detect-engine-mpm.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Multi pattern matcher
25  */
26 
27 #include "suricata.h"
28 #include "suricata-common.h"
29 
30 #include "app-layer-protos.h"
31 
32 #include "decode.h"
33 #include "detect.h"
34 #include "detect-engine.h"
35 #include "detect-engine-siggroup.h"
36 #include "detect-engine-mpm.h"
37 #include "detect-engine-iponly.h"
38 #include "detect-parse.h"
39 #include "detect-engine-prefilter.h"
40 #include "util-mpm.h"
41 #include "util-memcmp.h"
42 #include "util-memcpy.h"
43 #include "conf.h"
44 #include "detect-fast-pattern.h"
45 
46 #include "detect-tcphdr.h"
47 #include "detect-udphdr.h"
48 
49 #include "flow.h"
50 #include "flow-var.h"
51 #include "detect-flow.h"
52 
53 #include "detect-content.h"
54 
55 #include "detect-engine-payload.h"
56 
57 #include "stream.h"
58 
59 #include "util-misc.h"
60 #include "util-enum.h"
61 #include "util-debug.h"
62 #include "util-print.h"
63 #include "util-validate.h"
64 #include "util-hash-string.h"
65 
66 const char *builtin_mpms[] = {
67  "toserver TCP packet",
68  "toclient TCP packet",
69  "toserver TCP stream",
70  "toclient TCP stream",
71  "toserver UDP packet",
72  "toclient UDP packet",
73  "other IP packet",
74 
75  NULL };
76 
77 /* Registry for mpm keywords
78  *
79  * Keywords are registered at engine start up
80  */
81 
82 static DetectBufferMpmRegistry *g_mpm_list[DETECT_BUFFER_MPM_TYPE_SIZE] = { NULL, NULL, NULL };
83 static int g_mpm_list_cnt[DETECT_BUFFER_MPM_TYPE_SIZE] = { 0, 0, 0 };
84 
85 /** \brief register a MPM engine
86  *
87  * \note to be used at start up / registration only. Errors are fatal.
88  */
89 void DetectAppLayerMpmRegister(const char *name, int direction, int priority,
90  PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData,
91  AppProto alproto, int tx_min_progress)
92 {
93  SCLogDebug("registering %s/%d/%d/%p/%p/%u/%d", name, direction, priority,
94  PrefilterRegister, GetData, alproto, tx_min_progress);
95 
96  BUG_ON(tx_min_progress >= 48);
97 
98  if (PrefilterRegister == PrefilterGenericMpmRegister && GetData == NULL) {
99  // must register GetData with PrefilterGenericMpmRegister
100  abort();
101  }
102 
103  DetectBufferTypeSupportsMpm(name);
104  DetectBufferTypeSupportsTransformations(name);
105  int sm_list = DetectBufferTypeGetByName(name);
106  if (sm_list == -1) {
107  FatalError("MPM engine registration for %s failed", name);
108  }
109 
110  DetectBufferMpmRegistry *am = SCCalloc(1, sizeof(*am));
111  BUG_ON(am == NULL);
112  am->name = name;
113  snprintf(am->pname, sizeof(am->pname), "%s", am->name);
114  am->direction = direction;
115  DEBUG_VALIDATE_BUG_ON(sm_list < 0 || sm_list > INT16_MAX);
116  am->sm_list = (int16_t)sm_list;
117  am->sm_list_base = (int16_t)sm_list;
118  am->priority = priority;
119  am->type = DETECT_BUFFER_MPM_TYPE_APP;
120 
121  am->PrefilterRegisterWithListId = PrefilterRegister;
122  am->app_v2.GetData = GetData;
123  am->app_v2.alproto = alproto;
124  am->app_v2.tx_min_progress = tx_min_progress;
125 
126  if (g_mpm_list[DETECT_BUFFER_MPM_TYPE_APP] == NULL) {
127  g_mpm_list[DETECT_BUFFER_MPM_TYPE_APP] = am;
128  } else {
129  DetectBufferMpmRegistry *t = g_mpm_list[DETECT_BUFFER_MPM_TYPE_APP];
130  while (t->next != NULL) {
131  t = t->next;
132  }
133 
134  t->next = am;
135  am->id = t->id + 1;
136  }
137  g_mpm_list_cnt[DETECT_BUFFER_MPM_TYPE_APP]++;
138 
139  SupportFastPatternForSigMatchList(sm_list, priority);
140 }
141 
142 /** \brief copy a mpm engine from parent_id, add in transforms */
143 void DetectAppLayerMpmRegisterByParentId(DetectEngineCtx *de_ctx,
144  const int id, const int parent_id,
145  DetectEngineTransforms *transforms)
146 {
147  SCLogDebug("registering %d/%d", id, parent_id);
148 
149  DetectBufferMpmRegistry *t = de_ctx->app_mpms_list;
150  while (t) {
151  if (t->sm_list == parent_id) {
152  DetectBufferMpmRegistry *am = SCCalloc(1, sizeof(*am));
153  BUG_ON(am == NULL);
154  am->name = t->name;
155  am->direction = t->direction;
156  DEBUG_VALIDATE_BUG_ON(id < 0 || id > INT16_MAX);
157  am->sm_list = (uint16_t)id; // use new id
158  am->sm_list_base = t->sm_list;
159  am->type = DETECT_BUFFER_MPM_TYPE_APP;
160  am->PrefilterRegisterWithListId = t->PrefilterRegisterWithListId;
161  am->app_v2.GetData = t->app_v2.GetData;
162  am->app_v2.alproto = t->app_v2.alproto;
163  am->app_v2.tx_min_progress = t->app_v2.tx_min_progress;
164  am->priority = t->priority;
165  am->sgh_mpm_context = t->sgh_mpm_context;
166  am->sgh_mpm_context = MpmFactoryRegisterMpmCtxProfile(
167  de_ctx, am->name, am->sm_list, am->app_v2.alproto);
168  am->next = t->next;
169  if (transforms) {
170  memcpy(&am->transforms, transforms, sizeof(*transforms));
171 
172  /* create comma separated string of the names of the
173  * transforms and then shorten it if necessary. Finally
174  * use it to construct the 'profile' name for the engine */
175  char xforms[1024] = "";
176  for (int i = 0; i < transforms->cnt; i++) {
177  char ttstr[64];
178  (void)snprintf(ttstr,sizeof(ttstr), "%s,",
179  sigmatch_table[transforms->transforms[i].transform].name);
180  strlcat(xforms, ttstr, sizeof(xforms));
181  }
182  xforms[strlen(xforms)-1] = '\0';
183 
184  size_t space = sizeof(am->pname) - strlen(am->name) - 3;
185  char toprint[space + 1];
186  memset(toprint, 0x00, space + 1);
187  if (space < strlen(xforms)) {
188  ShortenString(xforms, toprint, space, '~');
189  } else {
190  strlcpy(toprint, xforms,sizeof(toprint));
191  }
192  (void)snprintf(am->pname, sizeof(am->pname), "%s#%d (%s)",
193  am->name, id, toprint);
194  } else {
195  (void)snprintf(am->pname, sizeof(am->pname), "%s#%d",
196  am->name, id);
197  }
198  am->id = de_ctx->app_mpms_list_cnt++;
199 
200  DetectEngineRegisterFastPatternForId(de_ctx, am->sm_list, am->priority);
201  t->next = am;
202  SCLogDebug("copied mpm registration for %s id %u "
203  "with parent %u and GetData %p",
204  t->name, id, parent_id, am->app_v2.GetData);
205  t = am;
206  }
207  t = t->next;
208  }
209 }
210 
211 void DetectMpmInitializeAppMpms(DetectEngineCtx *de_ctx)
212 {
213  const DetectBufferMpmRegistry *list = g_mpm_list[DETECT_BUFFER_MPM_TYPE_APP];
214  DetectBufferMpmRegistry *toadd = de_ctx->app_mpms_list;
215  while (list != NULL) {
216  DetectBufferMpmRegistry *n = SCCalloc(1, sizeof(*n));
217  BUG_ON(n == NULL);
218 
219  *n = *list;
220  n->next = NULL;
221 
222  if (toadd == NULL) {
223  toadd = n;
224  de_ctx->app_mpms_list = n;
225  } else {
226  toadd->next = n;
227  toadd = toadd->next;
228  }
229 
230  /* default to whatever the global setting is */
231  int shared = (de_ctx->sgh_mpm_ctx_cnf == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE);
232 
233  /* see if we use a unique or shared mpm ctx for this type */
234  int confshared = 0;
235  char confstring[256] = "detect.mpm.";
236  strlcat(confstring, n->name, sizeof(confstring));
237  strlcat(confstring, ".shared", sizeof(confstring));
238  if (ConfGetBool(confstring, &confshared) == 1)
239  shared = confshared;
240 
241  if (shared == 0) {
242  SCLogDebug("using unique mpm ctx' for %s", n->name);
243  n->sgh_mpm_context = MPM_CTX_FACTORY_UNIQUE_CONTEXT;
244  } else {
245  SCLogDebug("using shared mpm ctx' for %s", n->name);
246  n->sgh_mpm_context =
247  MpmFactoryRegisterMpmCtxProfile(de_ctx, n->name, n->sm_list, n->app_v2.alproto);
248  }
249 
250  list = list->next;
251  }
252  de_ctx->app_mpms_list_cnt = g_mpm_list_cnt[DETECT_BUFFER_MPM_TYPE_APP];
253  SCLogDebug("mpm: de_ctx app_mpms_list %p %u",
254  de_ctx->app_mpms_list, de_ctx->app_mpms_list_cnt);
255 }
256 
257 /**
258  * \brief initialize mpm contexts for applayer buffers that are in
259  * "single or "shared" mode.
260  */
261 int DetectMpmPrepareAppMpms(DetectEngineCtx *de_ctx)
262 {
263  int r = 0;
264  const DetectBufferMpmRegistry *am = de_ctx->app_mpms_list;
265  while (am != NULL) {
266  int dir = (am->direction == SIG_FLAG_TOSERVER) ? 1 : 0;
267 
268  if (am->sgh_mpm_context != MPM_CTX_FACTORY_UNIQUE_CONTEXT)
269  {
270  MpmCtx *mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx, am->sgh_mpm_context, dir);
271  if (mpm_ctx != NULL) {
272  if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
273  r |= mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
274  }
275  }
276  }
277  am = am->next;
278  }
279  return r;
280 }
281 
282 /** \brief register a MPM engine
283  *
284  * \note to be used at start up / registration only. Errors are fatal.
285  */
286 void DetectFrameMpmRegister(const char *name, int direction, int priority,
287  int (*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx,
288  const DetectBufferMpmRegistry *mpm_reg, int list_id),
289  AppProto alproto, uint8_t type)
290 {
291  SCLogDebug("registering %s/%d/%p/%s/%u", name, priority, PrefilterRegister,
292  AppProtoToString(alproto), type);
293 
294  DetectBufferTypeSupportsMpm(name);
295  DetectBufferTypeSupportsFrames(name);
296  DetectBufferTypeSupportsTransformations(name);
297  int sm_list = DetectBufferTypeGetByName(name);
298  if (sm_list < 0 || sm_list > UINT16_MAX) {
299  FatalError("MPM engine registration for %s failed", name);
300  }
301 
302  DetectBufferMpmRegistry *am = SCCalloc(1, sizeof(*am));
303  BUG_ON(am == NULL);
304  am->name = name;
305  snprintf(am->pname, sizeof(am->pname), "%s", am->name);
306  am->sm_list = (uint16_t)sm_list;
307  am->direction = direction;
308  am->priority = priority;
309  am->type = DETECT_BUFFER_MPM_TYPE_FRAME;
310 
311  am->PrefilterRegisterWithListId = PrefilterRegister;
312  am->frame_v1.alproto = alproto;
313  am->frame_v1.type = type;
314  SCLogDebug("type %u", type);
315  SCLogDebug("am type %u", am->frame_v1.type);
316 
317  if (g_mpm_list[DETECT_BUFFER_MPM_TYPE_FRAME] == NULL) {
318  g_mpm_list[DETECT_BUFFER_MPM_TYPE_FRAME] = am;
319  } else {
320  DetectBufferMpmRegistry *t = g_mpm_list[DETECT_BUFFER_MPM_TYPE_FRAME];
321  while (t->next != NULL) {
322  t = t->next;
323  }
324  t->next = am;
325  am->id = t->id + 1;
326  }
327  g_mpm_list_cnt[DETECT_BUFFER_MPM_TYPE_FRAME]++;
328 
329  SupportFastPatternForSigMatchList(sm_list, priority);
330  SCLogDebug("%s/%d done", name, sm_list);
331 }
332 
333 /** \brief copy a mpm engine from parent_id, add in transforms */
334 void DetectFrameMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id,
335  DetectEngineTransforms *transforms)
336 {
337  SCLogDebug("registering %d/%d", id, parent_id);
338 
339  DetectBufferMpmRegistry *t = de_ctx->frame_mpms_list;
340  while (t) {
341  if (t->sm_list == parent_id) {
342  DetectBufferMpmRegistry *am = SCCalloc(1, sizeof(*am));
343  BUG_ON(am == NULL);
344  am->name = t->name;
345  snprintf(am->pname, sizeof(am->pname), "%s#%d", am->name, id);
346  DEBUG_VALIDATE_BUG_ON(id < 0 || id > UINT16_MAX);
347  am->sm_list = (uint16_t)id; // use new id
348  am->sm_list_base = t->sm_list;
349  am->type = DETECT_BUFFER_MPM_TYPE_FRAME;
350  am->PrefilterRegisterWithListId = t->PrefilterRegisterWithListId;
351  am->frame_v1 = t->frame_v1;
352  SCLogDebug("am type %u", am->frame_v1.type);
353  am->priority = t->priority;
354  am->direction = t->direction;
355  am->sgh_mpm_context = t->sgh_mpm_context;
356  am->next = t->next;
357  if (transforms) {
358  memcpy(&am->transforms, transforms, sizeof(*transforms));
359  }
360  am->id = de_ctx->frame_mpms_list_cnt++;
361 
362  DetectEngineRegisterFastPatternForId(de_ctx, am->sm_list, am->priority);
363  t->next = am;
364  SCLogDebug("copied mpm registration for %s id %u "
365  "with parent %u",
366  t->name, id, parent_id);
367  t = am;
368  }
369  t = t->next;
370  }
371 }
372 
373 void DetectEngineFrameMpmRegister(DetectEngineCtx *de_ctx, const char *name, int direction,
374  int priority,
375  int (*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx,
376  const DetectBufferMpmRegistry *mpm_reg, int list_id),
377  AppProto alproto, uint8_t type)
378 {
379  SCLogDebug("registering %s/%d/%p/%s/%u", name, priority, PrefilterRegister,
380  AppProtoToString(alproto), type);
381 
382  const int sm_list = DetectEngineBufferTypeRegister(de_ctx, name);
383  if (sm_list < 0 || sm_list > UINT16_MAX) {
384  FatalError("MPM engine registration for %s failed", name);
385  }
386 
387  DetectEngineBufferTypeSupportsMpm(de_ctx, name);
388  DetectEngineBufferTypeSupportsFrames(de_ctx, name);
389  DetectEngineBufferTypeSupportsTransformations(de_ctx, name);
390 
391  DetectBufferMpmRegistry *am = SCCalloc(1, sizeof(*am));
392  BUG_ON(am == NULL);
393  am->name = name;
394  snprintf(am->pname, sizeof(am->pname), "%s", am->name);
395  am->sm_list = (uint16_t)sm_list;
396  am->direction = direction;
397  am->priority = priority;
398  am->type = DETECT_BUFFER_MPM_TYPE_FRAME;
399 
400  am->PrefilterRegisterWithListId = PrefilterRegister;
401  am->frame_v1.alproto = alproto;
402  am->frame_v1.type = type;
403 
404  // TODO is it ok to do this here?
405 
406  /* default to whatever the global setting is */
407  int shared = (de_ctx->sgh_mpm_ctx_cnf == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE);
408  /* see if we use a unique or shared mpm ctx for this type */
409  int confshared = 0;
410  if (ConfGetBool("detect.mpm.frame.shared", &confshared) == 1)
411  shared = confshared;
412 
413  if (shared == 0) {
414  am->sgh_mpm_context = MPM_CTX_FACTORY_UNIQUE_CONTEXT;
415  } else {
416  am->sgh_mpm_context =
417  MpmFactoryRegisterMpmCtxProfile(de_ctx, am->name, am->sm_list, alproto);
418  }
419 
420  if (de_ctx->frame_mpms_list == NULL) {
421  de_ctx->frame_mpms_list = am;
422  } else {
423  DetectBufferMpmRegistry *t = de_ctx->frame_mpms_list;
424  while (t->next != NULL) {
425  t = t->next;
426  }
427 
428  t->next = am;
429  }
430  de_ctx->frame_mpms_list_cnt++;
431 
432  DetectEngineRegisterFastPatternForId(de_ctx, sm_list, priority);
433  SCLogDebug("%s/%d done", name, sm_list);
434 }
435 
436 void DetectMpmInitializeFrameMpms(DetectEngineCtx *de_ctx)
437 {
438  const DetectBufferMpmRegistry *list = g_mpm_list[DETECT_BUFFER_MPM_TYPE_FRAME];
439  while (list != NULL) {
440  DetectBufferMpmRegistry *n = SCCalloc(1, sizeof(*n));
441  BUG_ON(n == NULL);
442 
443  *n = *list;
444  n->next = NULL;
445 
446  if (de_ctx->frame_mpms_list == NULL) {
447  de_ctx->frame_mpms_list = n;
448  } else {
449  DetectBufferMpmRegistry *t = de_ctx->frame_mpms_list;
450  while (t->next != NULL) {
451  t = t->next;
452  }
453 
454  t->next = n;
455  }
456 
457  /* default to whatever the global setting is */
458  int shared = (de_ctx->sgh_mpm_ctx_cnf == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE);
459 
460  /* see if we use a unique or shared mpm ctx for this type */
461  int confshared = 0;
462  char confstring[256] = "detect.mpm.";
463  strlcat(confstring, n->name, sizeof(confstring));
464  strlcat(confstring, ".shared", sizeof(confstring));
465  if (ConfGetBool(confstring, &confshared) == 1)
466  shared = confshared;
467 
468  if (shared == 0) {
469  SCLogDebug("using unique mpm ctx' for %s", n->name);
470  n->sgh_mpm_context = MPM_CTX_FACTORY_UNIQUE_CONTEXT;
471  } else {
472  SCLogDebug("using shared mpm ctx' for %s", n->name);
473  n->sgh_mpm_context = MpmFactoryRegisterMpmCtxProfile(
474  de_ctx, n->name, n->sm_list, n->frame_v1.alproto);
475  }
476 
477  list = list->next;
478  }
479  de_ctx->frame_mpms_list_cnt = g_mpm_list_cnt[DETECT_BUFFER_MPM_TYPE_FRAME];
480  SCLogDebug("mpm: de_ctx frame_mpms_list %p %u", de_ctx->frame_mpms_list,
481  de_ctx->frame_mpms_list_cnt);
482 }
483 
484 /**
485  * \brief initialize mpm contexts for applayer buffers that are in
486  * "single or "shared" mode.
487  */
488 int DetectMpmPrepareFrameMpms(DetectEngineCtx *de_ctx)
489 {
490  SCLogDebug("preparing frame mpm");
491  int r = 0;
492  const DetectBufferMpmRegistry *am = de_ctx->frame_mpms_list;
493  while (am != NULL) {
494  SCLogDebug("am %p %s sgh_mpm_context %d", am, am->name, am->sgh_mpm_context);
495  SCLogDebug("%s", am->name);
496  if (am->sgh_mpm_context != MPM_CTX_FACTORY_UNIQUE_CONTEXT) {
497  int dir = (am->direction == SIG_FLAG_TOSERVER) ? 1 : 0;
498  MpmCtx *mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx, am->sgh_mpm_context, dir);
499  SCLogDebug("%s: %d mpm_Ctx %p", am->name, r, mpm_ctx);
500  if (mpm_ctx != NULL) {
501  if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
502  r |= mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
503  SCLogDebug("%s: %d", am->name, r);
504  }
505  }
506  }
507  am = am->next;
508  }
509  return r;
510 }
511 
512 /** \brief register a MPM engine
513  *
514  * \note to be used at start up / registration only. Errors are fatal.
515  */
516 void DetectPktMpmRegister(const char *name, int priority,
517  int (*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx,
518  const DetectBufferMpmRegistry *mpm_reg, int list_id),
519  InspectionBufferGetPktDataPtr GetData)
520 {
521  SCLogDebug("registering %s/%d/%p/%p", name, priority,
522  PrefilterRegister, GetData);
523 
524  if (PrefilterRegister == PrefilterGenericMpmPktRegister && GetData == NULL) {
525  // must register GetData with PrefilterGenericMpmRegister
526  abort();
527  }
528 
529  DetectBufferTypeSupportsMpm(name);
530  DetectBufferTypeSupportsTransformations(name);
531  int sm_list = DetectBufferTypeGetByName(name);
532  if (sm_list == -1) {
533  FatalError("MPM engine registration for %s failed", name);
534  }
535 
536  DetectBufferMpmRegistry *am = SCCalloc(1, sizeof(*am));
537  BUG_ON(am == NULL);
538  am->name = name;
539  snprintf(am->pname, sizeof(am->pname), "%s", am->name);
540  DEBUG_VALIDATE_BUG_ON(sm_list < 0 || sm_list > INT16_MAX);
541  am->sm_list = (uint16_t)sm_list;
542  am->priority = priority;
543  am->type = DETECT_BUFFER_MPM_TYPE_PKT;
544 
545  am->PrefilterRegisterWithListId = PrefilterRegister;
546  am->pkt_v1.GetData = GetData;
547 
548  if (g_mpm_list[DETECT_BUFFER_MPM_TYPE_PKT] == NULL) {
549  g_mpm_list[DETECT_BUFFER_MPM_TYPE_PKT] = am;
550  } else {
551  DetectBufferMpmRegistry *t = g_mpm_list[DETECT_BUFFER_MPM_TYPE_PKT];
552  while (t->next != NULL) {
553  t = t->next;
554  }
555  t->next = am;
556  am->id = t->id + 1;
557  }
558  g_mpm_list_cnt[DETECT_BUFFER_MPM_TYPE_PKT]++;
559 
560  SupportFastPatternForSigMatchList(sm_list, priority);
561  SCLogDebug("%s/%d done", name, sm_list);
562 }
563 
564 /** \brief copy a mpm engine from parent_id, add in transforms */
565 void DetectPktMpmRegisterByParentId(DetectEngineCtx *de_ctx,
566  const int id, const int parent_id,
567  DetectEngineTransforms *transforms)
568 {
569  SCLogDebug("registering %d/%d", id, parent_id);
570 
571  DetectBufferMpmRegistry *t = de_ctx->pkt_mpms_list;
572  while (t) {
573  if (t->sm_list == parent_id) {
574  DetectBufferMpmRegistry *am = SCCalloc(1, sizeof(*am));
575  BUG_ON(am == NULL);
576  am->name = t->name;
577  snprintf(am->pname, sizeof(am->pname), "%s#%d", am->name, id);
578  DEBUG_VALIDATE_BUG_ON(id < 0 || id > INT16_MAX);
579  am->sm_list = (uint16_t)id; // use new id
580  am->sm_list_base = t->sm_list;
581  am->type = DETECT_BUFFER_MPM_TYPE_PKT;
582  am->PrefilterRegisterWithListId = t->PrefilterRegisterWithListId;
583  am->pkt_v1.GetData = t->pkt_v1.GetData;
584  am->priority = t->priority;
585  am->sgh_mpm_context = t->sgh_mpm_context;
586  am->next = t->next;
587  if (transforms) {
588  memcpy(&am->transforms, transforms, sizeof(*transforms));
589  }
590  am->id = de_ctx->pkt_mpms_list_cnt++;
591 
592  DetectEngineRegisterFastPatternForId(de_ctx, am->sm_list, am->priority);
593  t->next = am;
594  SCLogDebug("copied mpm registration for %s id %u "
595  "with parent %u and GetData %p",
596  t->name, id, parent_id, am->pkt_v1.GetData);
597  t = am;
598  }
599  t = t->next;
600  }
601 }
602 
603 void DetectMpmInitializePktMpms(DetectEngineCtx *de_ctx)
604 {
605  const DetectBufferMpmRegistry *list = g_mpm_list[DETECT_BUFFER_MPM_TYPE_PKT];
606  while (list != NULL) {
607  DetectBufferMpmRegistry *n = SCCalloc(1, sizeof(*n));
608  BUG_ON(n == NULL);
609 
610  *n = *list;
611  n->next = NULL;
612 
613  if (de_ctx->pkt_mpms_list == NULL) {
614  de_ctx->pkt_mpms_list = n;
615  } else {
616  DetectBufferMpmRegistry *t = de_ctx->pkt_mpms_list;
617  while (t->next != NULL) {
618  t = t->next;
619  }
620 
621  t->next = n;
622  }
623 
624  /* default to whatever the global setting is */
625  int shared = (de_ctx->sgh_mpm_ctx_cnf == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE);
626 
627  /* see if we use a unique or shared mpm ctx for this type */
628  int confshared = 0;
629  char confstring[256] = "detect.mpm.";
630  strlcat(confstring, n->name, sizeof(confstring));
631  strlcat(confstring, ".shared", sizeof(confstring));
632  if (ConfGetBool(confstring, &confshared) == 1)
633  shared = confshared;
634 
635  if (shared == 0) {
636  SCLogDebug("using unique mpm ctx' for %s", n->name);
637  n->sgh_mpm_context = MPM_CTX_FACTORY_UNIQUE_CONTEXT;
638  } else {
639  SCLogDebug("using shared mpm ctx' for %s", n->name);
640  n->sgh_mpm_context =
641  MpmFactoryRegisterMpmCtxProfile(de_ctx, n->name, n->sm_list, ALPROTO_UNKNOWN);
642  }
643 
644  list = list->next;
645  }
646  de_ctx->pkt_mpms_list_cnt = g_mpm_list_cnt[DETECT_BUFFER_MPM_TYPE_PKT];
647  SCLogDebug("mpm: de_ctx pkt_mpms_list %p %u",
648  de_ctx->pkt_mpms_list, de_ctx->pkt_mpms_list_cnt);
649 }
650 
651 /**
652  * \brief initialize mpm contexts for applayer buffers that are in
653  * "single or "shared" mode.
654  */
655 int DetectMpmPreparePktMpms(DetectEngineCtx *de_ctx)
656 {
657  SCLogDebug("preparing pkt mpm");
658  int r = 0;
659  const DetectBufferMpmRegistry *am = de_ctx->pkt_mpms_list;
660  while (am != NULL) {
661  SCLogDebug("%s", am->name);
662  if (am->sgh_mpm_context != MPM_CTX_FACTORY_UNIQUE_CONTEXT)
663  {
664  MpmCtx *mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx, am->sgh_mpm_context, 0);
665  if (mpm_ctx != NULL) {
666  if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
667  r |= mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
668  SCLogDebug("%s: %d", am->name, r);
669  }
670  }
671  }
672  am = am->next;
673  }
674  return r;
675 }
676 
677 static int32_t SetupBuiltinMpm(DetectEngineCtx *de_ctx, const char *name)
678 {
679  /* default to whatever the global setting is */
680  int shared = (de_ctx->sgh_mpm_ctx_cnf == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE);
681 
682  /* see if we use a unique or shared mpm ctx for this type */
683  int confshared = 0;
684  char confstring[256] = "detect.mpm.";
685  strlcat(confstring, name, sizeof(confstring));
686  strlcat(confstring, ".shared", sizeof(confstring));
687  if (ConfGetBool(confstring, &confshared) == 1)
688  shared = confshared;
689 
690  int32_t ctx;
691  if (shared == 0) {
692  ctx = MPM_CTX_FACTORY_UNIQUE_CONTEXT;
693  SCLogDebug("using unique mpm ctx' for %s", name);
694  } else {
695  ctx = MpmFactoryRegisterMpmCtxProfile(de_ctx, name, DETECT_SM_LIST_PMATCH, ALPROTO_UNKNOWN);
696  SCLogDebug("using shared mpm ctx' for %s", name);
697  }
698  return ctx;
699 }
700 
701 void DetectMpmInitializeBuiltinMpms(DetectEngineCtx *de_ctx)
702 {
703  de_ctx->sgh_mpm_context_proto_tcp_packet = SetupBuiltinMpm(de_ctx, "tcp-packet");
704  de_ctx->sgh_mpm_context_stream = SetupBuiltinMpm(de_ctx, "tcp-stream");
705 
706  de_ctx->sgh_mpm_context_proto_udp_packet = SetupBuiltinMpm(de_ctx, "udp-packet");
707  de_ctx->sgh_mpm_context_proto_other_packet = SetupBuiltinMpm(de_ctx, "other-ip");
708 }
709 
710 /**
711  * \brief initialize mpm contexts for builtin buffers that are in
712  * "single or "shared" mode.
713  */
714 int DetectMpmPrepareBuiltinMpms(DetectEngineCtx *de_ctx)
715 {
716  int r = 0;
717  MpmCtx *mpm_ctx = NULL;
718 
719  if (de_ctx->sgh_mpm_context_proto_tcp_packet != MPM_CTX_FACTORY_UNIQUE_CONTEXT) {
720  mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_proto_tcp_packet, 0);
721  if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
722  r |= mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
723  }
724  mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_proto_tcp_packet, 1);
725  if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
726  r |= mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
727  }
728  }
729 
730  if (de_ctx->sgh_mpm_context_proto_udp_packet != MPM_CTX_FACTORY_UNIQUE_CONTEXT) {
731  mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_proto_udp_packet, 0);
732  if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
733  r |= mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
734  }
735  mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_proto_udp_packet, 1);
736  if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
737  r |= mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
738  }
739  }
740 
741  if (de_ctx->sgh_mpm_context_proto_other_packet != MPM_CTX_FACTORY_UNIQUE_CONTEXT) {
742  mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_proto_other_packet, 0);
743  if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
744  r |= mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
745  }
746  }
747 
748  if (de_ctx->sgh_mpm_context_stream != MPM_CTX_FACTORY_UNIQUE_CONTEXT) {
749  mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_stream, 0);
750  if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
751  r |= mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
752  }
753  mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx, de_ctx->sgh_mpm_context_stream, 1);
754  if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
755  r |= mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
756  }
757  }
758 
759  return r;
760 }
761 
762 /**
763  * \brief check if a signature has patterns that are to be inspected
764  * against a packets payload (as opposed to the stream payload)
765  *
766  * \param s signature
767  *
768  * \retval 1 true
769  * \retval 0 false
770  */
771 int SignatureHasPacketContent(const Signature *s)
772 {
773  SCEnter();
774 
775  if (!(s->proto.proto[IPPROTO_TCP / 8] & 1 << (IPPROTO_TCP % 8))) {
776  SCReturnInt(1);
777  }
778 
779  if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] == NULL) {
780  SCLogDebug("no PMATCH");
781  SCReturnInt(0);
782  }
783 
784  if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
785  SCReturnInt(0);
786  }
787 
788  SCReturnInt(1);
789 }
790 
791 /**
792  * \brief check if a signature has patterns that are to be inspected
793  * against the stream payload (as opposed to the individual packets
794  * payload(s))
795  *
796  * \param s signature
797  *
798  * \retval 1 true
799  * \retval 0 false
800  */
801 int SignatureHasStreamContent(const Signature *s)
802 {
803  SCEnter();
804 
805  if (!(s->proto.proto[IPPROTO_TCP / 8] & 1 << (IPPROTO_TCP % 8))) {
806  SCReturnInt(0);
807  }
808 
809  if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] == NULL) {
810  SCLogDebug("no PMATCH");
811  SCReturnInt(0);
812  }
813 
814  if (!(s->flags & SIG_FLAG_REQUIRE_STREAM)) {
815  SCReturnInt(0);
816  }
817 
818  SCReturnInt(1);
819 }
820 
821 
822 /**
823  * \brief Function to return the multi pattern matcher algorithm to be
824  * used by the engine, based on the mpm-algo setting in yaml
825  * Use the default mpm if none is specified in the yaml file.
826  *
827  * \retval mpm algo value
828  */
829 uint8_t PatternMatchDefaultMatcher(void)
830 {
831  const char *mpm_algo;
832  uint8_t mpm_algo_val = mpm_default_matcher;
833 
834  /* Get the mpm algo defined in config file by the user */
835  if ((ConfGet("mpm-algo", &mpm_algo)) == 1) {
836  if (mpm_algo != NULL) {
837 #if __BYTE_ORDER == __BIG_ENDIAN
838  if (strcmp(mpm_algo, "ac-ks") == 0) {
839  FatalError("ac-ks does "
840  "not work on big endian systems at this time.");
841  }
842 #endif
843  if (strcmp("auto", mpm_algo) == 0) {
844  goto done;
845  } else if (strcmp("ac-bs", mpm_algo) == 0) {
846  SCLogWarning("mpm-algo \"ac-bs\" has been removed. See ticket #6586.");
847  goto done;
848  }
849  for (uint8_t u = 0; u < MPM_TABLE_SIZE; u++) {
850  if (mpm_table[u].name == NULL)
851  continue;
852 
853  if (strcmp(mpm_table[u].name, mpm_algo) == 0) {
854  mpm_algo_val = u;
855  goto done;
856  }
857  }
858 
859 #ifndef BUILD_HYPERSCAN
860  if ((strcmp(mpm_algo, "hs") == 0)) {
861  FatalError("Hyperscan (hs) support for mpm-algo is "
862  "not compiled into Suricata.");
863  }
864 #endif
865  }
866  FatalError("Invalid mpm algo supplied "
867  "in the yaml conf file: \"%s\"",
868  mpm_algo);
869  }
870 
871  done:
872  return mpm_algo_val;
873 }
874 
875 void PatternMatchDestroy(MpmCtx *mpm_ctx, uint16_t mpm_matcher)
876 {
877  SCLogDebug("mpm_ctx %p, mpm_matcher %"PRIu16"", mpm_ctx, mpm_matcher);
878  mpm_table[mpm_matcher].DestroyCtx(mpm_ctx);
879 }
880 
881 void PatternMatchThreadDestroy(MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher)
882 {
883  SCLogDebug("mpm_thread_ctx %p, mpm_matcher %"PRIu16"", mpm_thread_ctx, mpm_matcher);
884  MpmDestroyThreadCtx(mpm_thread_ctx, mpm_matcher);
885 }
886 void PatternMatchThreadPrepare(MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher)
887 {
888  SCLogDebug("mpm_thread_ctx %p, type %"PRIu16, mpm_thread_ctx, mpm_matcher);
889  MpmInitThreadCtx(mpm_thread_ctx, mpm_matcher);
890 }
891 
892 /** \brief Predict a strength value for patterns
893  *
894  * Patterns with high character diversity score higher.
895  * Alpha chars score not so high
896  * Other printable + a few common codes a little higher
897  * Everything else highest.
898  * Longer patterns score better than short patters.
899  *
900  * \param pat pattern
901  * \param patlen length of the pattern
902  *
903  * \retval s pattern score
904  */
905 uint32_t PatternStrength(uint8_t *pat, uint16_t patlen)
906 {
907  uint8_t a[256];
908  memset(&a, 0 ,sizeof(a));
909 
910  uint32_t s = 0;
911  uint16_t u = 0;
912  for (u = 0; u < patlen; u++) {
913  if (a[pat[u]] == 0) {
914  if (isalpha(pat[u]))
915  s += 3;
916  else if (isprint(pat[u]) || pat[u] == 0x00 || pat[u] == 0x01 || pat[u] == 0xFF)
917  s += 4;
918  else
919  s += 6;
920 
921  a[pat[u]] = 1;
922  } else {
923  s++;
924  }
925  }
926 
927  return s;
928 }
929 
930 static void PopulateMpmHelperAddPattern(MpmCtx *mpm_ctx, const DetectContentData *cd,
931  const Signature *s, const uint8_t flags, const int chop)
932 {
933  uint16_t pat_offset = cd->offset;
934  uint16_t pat_depth = cd->depth;
935 
936  /* recompute offset/depth to cope with chop */
937  if (chop && (pat_depth || pat_offset)) {
938  pat_offset += cd->fp_chop_offset;
939  if (pat_depth) {
940  pat_depth -= cd->content_len;
941  pat_depth += cd->fp_chop_offset + cd->fp_chop_len;
942  }
943  }
944 
945  /* We have to effectively "wild card" values that will be coming from
946  * byte_extract variables
947  */
948  if (cd->flags & (DETECT_CONTENT_DEPTH_VAR | DETECT_CONTENT_OFFSET_VAR)) {
949  pat_depth = pat_offset = 0;
950  }
951 
952  if (cd->flags & DETECT_CONTENT_NOCASE) {
953  if (chop) {
954  MpmAddPatternCI(mpm_ctx,
955  cd->content + cd->fp_chop_offset, cd->fp_chop_len,
956  pat_offset, pat_depth,
957  cd->id, s->num, flags|MPM_PATTERN_CTX_OWNS_ID);
958  } else {
959  MpmAddPatternCI(mpm_ctx,
960  cd->content, cd->content_len,
961  pat_offset, pat_depth,
962  cd->id, s->num, flags|MPM_PATTERN_CTX_OWNS_ID);
963  }
964  } else {
965  if (chop) {
966  MpmAddPatternCS(mpm_ctx,
967  cd->content + cd->fp_chop_offset, cd->fp_chop_len,
968  pat_offset, pat_depth,
969  cd->id, s->num, flags|MPM_PATTERN_CTX_OWNS_ID);
970  } else {
971  MpmAddPatternCS(mpm_ctx,
972  cd->content, cd->content_len,
973  pat_offset, pat_depth,
974  cd->id, s->num, flags|MPM_PATTERN_CTX_OWNS_ID);
975  }
976  }
977 
978  return;
979 }
980 
981 #define SGH_PROTO(sgh, p) ((sgh)->init->protos[(p)] == 1)
982 #define SGH_DIRECTION_TS(sgh) ((sgh)->init->direction & SIG_FLAG_TOSERVER)
983 #define SGH_DIRECTION_TC(sgh) ((sgh)->init->direction & SIG_FLAG_TOCLIENT)
984 
985 static void SetMpm(Signature *s, SigMatch *mpm_sm, const int mpm_sm_list)
986 {
987  if (s == NULL || mpm_sm == NULL)
988  return;
989 
990  DetectContentData *cd = (DetectContentData *)mpm_sm->ctx;
991  if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
992  if (DETECT_CONTENT_IS_SINGLE(cd) &&
993  !(cd->flags & DETECT_CONTENT_NEGATED) &&
994  !(cd->flags & DETECT_CONTENT_REPLACE) &&
995  cd->content_len == cd->fp_chop_len)
996  {
997  cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
998  }
999  } else {
1000  if (DETECT_CONTENT_IS_SINGLE(cd) &&
1001  !(cd->flags & DETECT_CONTENT_NEGATED) &&
1002  !(cd->flags & DETECT_CONTENT_REPLACE))
1003  {
1004  cd->flags |= DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED;
1005  }
1006  }
1007  cd->flags |= DETECT_CONTENT_MPM;
1008  s->init_data->mpm_sm_list = mpm_sm_list;
1009  s->init_data->mpm_sm = mpm_sm;
1010  return;
1011 }
1012 
1013 static SigMatch *GetMpmForList(const Signature *s, SigMatch *list, SigMatch *mpm_sm,
1014  uint16_t max_len, bool skip_negated_content)
1015 {
1016  for (SigMatch *sm = list; sm != NULL; sm = sm->next) {
1017  if (sm->type != DETECT_CONTENT)
1018  continue;
1019 
1020  const DetectContentData *cd = (DetectContentData *)sm->ctx;
1021  /* skip_negated_content is only set if there's absolutely no
1022  * non-negated content present in the sig */
1023  if ((cd->flags & DETECT_CONTENT_NEGATED) && skip_negated_content)
1024  continue;
1025  if (cd->content_len != max_len) {
1026  SCLogDebug("content_len %u != max_len %u", cd->content_len, max_len);
1027  continue;
1028  }
1029  if (mpm_sm == NULL) {
1030  mpm_sm = sm;
1031  } else {
1032  DetectContentData *data1 = (DetectContentData *)sm->ctx;
1033  DetectContentData *data2 = (DetectContentData *)mpm_sm->ctx;
1034  uint32_t ls = PatternStrength(data1->content, data1->content_len);
1035  uint32_t ss = PatternStrength(data2->content, data2->content_len);
1036  if (ls > ss) {
1037  mpm_sm = sm;
1038  } else if (ls == ss) {
1039  /* if 2 patterns are of equal strength, we pick the longest */
1040  if (data1->content_len > data2->content_len)
1041  mpm_sm = sm;
1042  } else {
1043  SCLogDebug("sticking with mpm_sm");
1044  }
1045  }
1046  }
1047  return mpm_sm;
1048 }
1049 
1050 int g_skip_prefilter = 0;
1051 
1052 void RetrieveFPForSig(const DetectEngineCtx *de_ctx, Signature *s)
1053 {
1054  if (g_skip_prefilter)
1055  return;
1056 
1057  if (s->init_data->mpm_sm != NULL)
1058  return;
1059 
1060  const int nlists = s->init_data->max_content_list_id + 1;
1061  int pos_sm_list[nlists];
1062  int neg_sm_list[nlists];
1063  memset(pos_sm_list, 0, nlists * sizeof(int));
1064  memset(neg_sm_list, 0, nlists * sizeof(int));
1065  int pos_sm_list_cnt = 0;
1066  int neg_sm_list_cnt = 0;
1067 
1068  /* inspect rule to see if we have the fast_pattern reg to
1069  * force using a sig, otherwise keep stats about the patterns */
1070  if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL) {
1071  if (FastPatternSupportEnabledForSigMatchList(de_ctx, DETECT_SM_LIST_PMATCH)) {
1072  for (SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH]; sm != NULL;
1073  sm = sm->next) {
1074  if (sm->type != DETECT_CONTENT)
1075  continue;
1076 
1077  const DetectContentData *cd = (DetectContentData *)sm->ctx;
1078  /* fast_pattern set in rule, so using this pattern */
1079  if ((cd->flags & DETECT_CONTENT_FAST_PATTERN)) {
1080  SetMpm(s, sm, DETECT_SM_LIST_PMATCH);
1081  return;
1082  }
1083 
1084  if (cd->flags & DETECT_CONTENT_NEGATED) {
1085  neg_sm_list[DETECT_SM_LIST_PMATCH] = 1;
1086  neg_sm_list_cnt++;
1087  } else {
1088  pos_sm_list[DETECT_SM_LIST_PMATCH] = 1;
1089  pos_sm_list_cnt++;
1090  }
1091  }
1092  }
1093  }
1094  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
1095  const int list_id = s->init_data->buffers[x].id;
1096 
1097  SCLogDebug("%u: list_id %d: %s", s->id, list_id,
1098  DetectEngineBufferTypeGetNameById(de_ctx, list_id));
1099 
1100  if (!FastPatternSupportEnabledForSigMatchList(de_ctx, list_id)) {
1101  SCLogDebug("skip");
1102  continue;
1103  }
1104 
1105  for (SigMatch *sm = s->init_data->buffers[x].head; sm != NULL; sm = sm->next) {
1106  if (sm->type != DETECT_CONTENT)
1107  continue;
1108 
1109  const DetectContentData *cd = (DetectContentData *)sm->ctx;
1110  /* fast_pattern set in rule, so using this pattern */
1111  if ((cd->flags & DETECT_CONTENT_FAST_PATTERN)) {
1112  SetMpm(s, sm, list_id);
1113  return;
1114  }
1115 
1116  if (cd->flags & DETECT_CONTENT_NEGATED) {
1117  neg_sm_list[list_id] = 1;
1118  neg_sm_list_cnt++;
1119  } else {
1120  pos_sm_list[list_id] = 1;
1121  pos_sm_list_cnt++;
1122  SCLogDebug("pos added for %d", list_id);
1123  }
1124  }
1125  SCLogDebug("ok");
1126  }
1127 
1128  SCLogDebug("neg_sm_list_cnt %d pos_sm_list_cnt %d", neg_sm_list_cnt, pos_sm_list_cnt);
1129 
1130  /* prefer normal not-negated over negated */
1131  int *curr_sm_list = NULL;
1132  int skip_negated_content = 1;
1133  if (pos_sm_list_cnt > 0) {
1134  curr_sm_list = pos_sm_list;
1135  } else if (neg_sm_list_cnt > 0) {
1136  curr_sm_list = neg_sm_list;
1137  skip_negated_content = 0;
1138  } else {
1139  return;
1140  }
1141 
1142  int final_sm_list[nlists];
1143  memset(&final_sm_list, 0, (nlists * sizeof(int)));
1144 
1145  int count_final_sm_list = 0;
1146  int priority;
1147 
1148  const SCFPSupportSMList *tmp = de_ctx->fp_support_smlist_list;
1149  while (tmp != NULL) {
1150  for (priority = tmp->priority;
1151  tmp != NULL && priority == tmp->priority;
1152  tmp = tmp->next)
1153  {
1154  SCLogDebug("tmp->list_id %d tmp->priority %d", tmp->list_id, tmp->priority);
1155  if (tmp->list_id >= nlists)
1156  continue;
1157  if (curr_sm_list[tmp->list_id] == 0)
1158  continue;
1159  final_sm_list[count_final_sm_list++] = tmp->list_id;
1160  SCLogDebug("tmp->list_id %d", tmp->list_id);
1161  }
1162  if (count_final_sm_list != 0)
1163  break;
1164  }
1165 
1166  BUG_ON(count_final_sm_list == 0);
1167  SCLogDebug("count_final_sm_list %d skip_negated_content %d", count_final_sm_list,
1168  skip_negated_content);
1169 
1170  uint16_t max_len = 0;
1171  for (int i = 0; i < count_final_sm_list; i++) {
1172  SCLogDebug("i %d final_sm_list[i] %d", i, final_sm_list[i]);
1173 
1174  if (final_sm_list[i] == DETECT_SM_LIST_PMATCH) {
1175  for (SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH]; sm != NULL;
1176  sm = sm->next) {
1177  if (sm->type != DETECT_CONTENT)
1178  continue;
1179 
1180  const DetectContentData *cd = (DetectContentData *)sm->ctx;
1181  /* skip_negated_content is only set if there's absolutely no
1182  * non-negated content present in the sig */
1183  if ((cd->flags & DETECT_CONTENT_NEGATED) && skip_negated_content)
1184  continue;
1185  max_len = MAX(max_len, cd->content_len);
1186  }
1187  } else {
1188  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
1189  const int list_id = s->init_data->buffers[x].id;
1190  if (final_sm_list[i] == list_id) {
1191  SCLogDebug("%u: list_id %d: %s", s->id, list_id,
1192  DetectEngineBufferTypeGetNameById(de_ctx, list_id));
1193 
1194  for (SigMatch *sm = s->init_data->buffers[x].head; sm != NULL; sm = sm->next) {
1195  if (sm->type != DETECT_CONTENT)
1196  continue;
1197 
1198  const DetectContentData *cd = (DetectContentData *)sm->ctx;
1199  /* skip_negated_content is only set if there's absolutely no
1200  * non-negated content present in the sig */
1201  if ((cd->flags & DETECT_CONTENT_NEGATED) && skip_negated_content)
1202  continue;
1203  max_len = MAX(max_len, cd->content_len);
1204  }
1205  }
1206  }
1207  }
1208  }
1209 
1210  SigMatch *mpm_sm = NULL;
1211  int mpm_sm_list = -1;
1212  for (int i = 0; i < count_final_sm_list; i++) {
1213  SCLogDebug("i %d", i);
1214  if (final_sm_list[i] == DETECT_SM_LIST_PMATCH) {
1215  /* GetMpmForList may keep `mpm_sm` the same, so track if it changed */
1216  SigMatch *prev_mpm_sm = mpm_sm;
1217  mpm_sm = GetMpmForList(s, s->init_data->smlists[DETECT_SM_LIST_PMATCH], mpm_sm, max_len,
1218  skip_negated_content);
1219  if (mpm_sm != prev_mpm_sm) {
1220  mpm_sm_list = final_sm_list[i];
1221  }
1222  } else {
1223  SCLogDebug(
1224  "%u: %s", s->id, DetectEngineBufferTypeGetNameById(de_ctx, final_sm_list[i]));
1225  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
1226  const int list_id = s->init_data->buffers[x].id;
1227  if (final_sm_list[i] == list_id) {
1228  SCLogDebug("%u: list_id %d: %s", s->id, list_id,
1229  DetectEngineBufferTypeGetNameById(de_ctx, list_id));
1230  /* GetMpmForList may keep `mpm_sm` the same, so track if it changed */
1231  SigMatch *prev_mpm_sm = mpm_sm;
1232  mpm_sm = GetMpmForList(s, s->init_data->buffers[x].head, mpm_sm, max_len,
1233  skip_negated_content);
1234  SCLogDebug("mpm_sm %p from %p", mpm_sm, s->init_data->buffers[x].head);
1235  if (mpm_sm != prev_mpm_sm) {
1236  mpm_sm_list = list_id;
1237  }
1238  }
1239  }
1240  }
1241  }
1242 
1243 #ifdef DEBUG
1244  if (mpm_sm != NULL) {
1245  BUG_ON(mpm_sm_list == -1);
1246  int check_list = SigMatchListSMBelongsTo(s, mpm_sm);
1247  BUG_ON(check_list != mpm_sm_list);
1248  }
1249 #endif
1250  /* assign to signature */
1251  SetMpm(s, mpm_sm, mpm_sm_list);
1252  return;
1253 }
1254 
1255 /** \internal
1256  * \brief The hash function for MpmStore
1257  *
1258  * \param ht Pointer to the hash table.
1259  * \param data Pointer to the MpmStore.
1260  * \param datalen Not used in our case.
1261  *
1262  * \retval hash The generated hash value.
1263  */
1264 static uint32_t MpmStoreHashFunc(HashListTable *ht, void *data, uint16_t datalen)
1265 {
1266  const MpmStore *ms = (MpmStore *)data;
1267  uint32_t hash = ms->alproto;
1268 
1269  for (uint32_t b = 0; b < ms->sid_array_size; b++)
1270  hash += ms->sid_array[b];
1271 
1272  return hash % ht->array_size;
1273 }
1274 
1275 /**
1276  * \brief The Compare function for MpmStore
1277  *
1278  * \param data1 Pointer to the first MpmStore.
1279  * \param len1 Not used.
1280  * \param data2 Pointer to the second MpmStore.
1281  * \param len2 Not used.
1282  *
1283  * \retval 1 If the 2 MpmStores sent as args match.
1284  * \retval 0 If the 2 MpmStores sent as args do not match.
1285  */
1286 static char MpmStoreCompareFunc(void *data1, uint16_t len1, void *data2,
1287  uint16_t len2)
1288 {
1289  const MpmStore *ms1 = (MpmStore *)data1;
1290  const MpmStore *ms2 = (MpmStore *)data2;
1291 
1292  if (ms1->alproto != ms2->alproto)
1293  return 0;
1294 
1295  if (ms1->sid_array_size != ms2->sid_array_size)
1296  return 0;
1297 
1298  if (ms1->buffer != ms2->buffer)
1299  return 0;
1300 
1301  if (ms1->direction != ms2->direction)
1302  return 0;
1303 
1304  if (ms1->sm_list != ms2->sm_list)
1305  return 0;
1306 
1307  if (SCMemcmp(ms1->sid_array, ms2->sid_array,
1308  ms1->sid_array_size) != 0)
1309  {
1310  return 0;
1311  }
1312 
1313  return 1;
1314 }
1315 
1316 static void MpmStoreFreeFunc(void *ptr)
1317 {
1318  MpmStore *ms = ptr;
1319  if (ms != NULL) {
1320  if (ms->mpm_ctx != NULL && !(ms->mpm_ctx->flags & MPMCTX_FLAGS_GLOBAL))
1321  {
1322  SCLogDebug("destroying mpm_ctx %p", ms->mpm_ctx);
1323  mpm_table[ms->mpm_ctx->mpm_type].DestroyCtx(ms->mpm_ctx);
1324  SCFree(ms->mpm_ctx);
1325  }
1326  ms->mpm_ctx = NULL;
1327 
1328  SCFree(ms->sid_array);
1329  SCFree(ms);
1330  }
1331 }
1332 
1333 /**
1334  * \brief Initializes the MpmStore mpm hash table to be used by the detection
1335  * engine context.
1336  *
1337  * \param de_ctx Pointer to the detection engine context.
1338  *
1339  * \retval 0 On success.
1340  * \retval -1 On failure.
1341  */
1342 int MpmStoreInit(DetectEngineCtx *de_ctx)
1343 {
1344  de_ctx->mpm_hash_table = HashListTableInit(4096,
1345  MpmStoreHashFunc,
1346  MpmStoreCompareFunc,
1347  MpmStoreFreeFunc);
1348  if (de_ctx->mpm_hash_table == NULL)
1349  goto error;
1350 
1351  return 0;
1352 
1353 error:
1354  return -1;
1355 }
1356 
1357 /**
1358  * \brief Adds a MpmStore to the detection engine context MpmStore
1359  *
1360  * \param de_ctx Pointer to the detection engine context.
1361  * \param sgh Pointer to the MpmStore.
1362  *
1363  * \retval ret 0 on Successfully adding the argument sgh; -1 on failure.
1364  */
1365 static int MpmStoreAdd(DetectEngineCtx *de_ctx, MpmStore *s)
1366 {
1367  int ret = HashListTableAdd(de_ctx->mpm_hash_table, (void *)s, 0);
1368  return ret;
1369 }
1370 
1371 /**
1372  * \brief Used to lookup a MpmStore from the MpmStore
1373  *
1374  * \param de_ctx Pointer to the detection engine context.
1375  * \param sgh Pointer to the MpmStore.
1376  *
1377  * \retval rsgh On success a pointer to the MpmStore if the MpmStore is
1378  * found in the hash table; NULL on failure.
1379  */
1380 static MpmStore *MpmStoreLookup(DetectEngineCtx *de_ctx, MpmStore *s)
1381 {
1382  MpmStore *rs = HashListTableLookup(de_ctx->mpm_hash_table,
1383  (void *)s, 0);
1384  return rs;
1385 }
1386 
1387 static const DetectBufferMpmRegistry *GetByMpmStore(
1388  const DetectEngineCtx *de_ctx, const MpmStore *ms)
1389 {
1390  const DetectBufferMpmRegistry *am = de_ctx->app_mpms_list;
1391  while (am != NULL) {
1392  if (ms->sm_list == am->sm_list &&
1393  ms->direction == am->direction) {
1394  return am;
1395  }
1396  am = am->next;
1397  }
1398  am = de_ctx->pkt_mpms_list;
1399  while (am != NULL) {
1400  if (ms->sm_list == am->sm_list) {
1401  return am;
1402  }
1403  am = am->next;
1404  }
1405  return NULL;
1406 }
1407 
1408 void MpmStoreReportStats(const DetectEngineCtx *de_ctx)
1409 {
1410  HashListTableBucket *htb = NULL;
1411 
1412  uint32_t stats[MPMB_MAX] = {0};
1413  int app_mpms_cnt = de_ctx->buffer_type_id;
1414  uint32_t appstats[app_mpms_cnt + 1]; // +1 to silence scan-build
1415  memset(&appstats, 0x00, sizeof(appstats));
1416  int pkt_mpms_cnt = de_ctx->buffer_type_id;
1417  uint32_t pktstats[pkt_mpms_cnt + 1]; // +1 to silence scan-build
1418  memset(&pktstats, 0x00, sizeof(pktstats));
1419  int frame_mpms_cnt = de_ctx->buffer_type_id;
1420  uint32_t framestats[frame_mpms_cnt + 1]; // +1 to silence scan-build
1421  memset(&framestats, 0x00, sizeof(framestats));
1422 
1423  for (htb = HashListTableGetListHead(de_ctx->mpm_hash_table);
1424  htb != NULL;
1425  htb = HashListTableGetListNext(htb))
1426  {
1427  const MpmStore *ms = (MpmStore *)HashListTableGetListData(htb);
1428  if (ms == NULL || ms->mpm_ctx == NULL) {
1429  continue;
1430  }
1431  if (ms->buffer < MPMB_MAX)
1432  stats[ms->buffer]++;
1433  else if (ms->sm_list != DETECT_SM_LIST_PMATCH) {
1434  const DetectBufferMpmRegistry *am = GetByMpmStore(de_ctx, ms);
1435  if (am != NULL) {
1436  switch (am->type) {
1437  case DETECT_BUFFER_MPM_TYPE_PKT:
1438  SCLogDebug("%s: %u patterns. Min %u, Max %u. Ctx %p",
1439  am->name,
1440  ms->mpm_ctx->pattern_cnt,
1441  ms->mpm_ctx->minlen, ms->mpm_ctx->maxlen,
1442  ms->mpm_ctx);
1443  pktstats[am->sm_list]++;
1444  break;
1445  case DETECT_BUFFER_MPM_TYPE_APP:
1446  SCLogDebug("%s %s %s: %u patterns. Min %u, Max %u. Ctx %p",
1447  AppProtoToString(ms->alproto), am->name,
1448  am->direction == SIG_FLAG_TOSERVER ? "toserver" : "toclient",
1449  ms->mpm_ctx->pattern_cnt, ms->mpm_ctx->minlen, ms->mpm_ctx->maxlen,
1450  ms->mpm_ctx);
1451  appstats[am->sm_list]++;
1452  break;
1453  case DETECT_BUFFER_MPM_TYPE_FRAME:
1454  SCLogDebug("%s: %u patterns. Min %u, Max %u. Ctx %p", am->name,
1455  ms->mpm_ctx->pattern_cnt, ms->mpm_ctx->minlen, ms->mpm_ctx->maxlen,
1456  ms->mpm_ctx);
1457  framestats[am->sm_list]++;
1458  break;
1459  case DETECT_BUFFER_MPM_TYPE_SIZE:
1460  break;
1461  }
1462  }
1463  }
1464  }
1465 
1466  if (!(de_ctx->flags & DE_QUIET)) {
1467  for (int x = 0; x < MPMB_MAX; x++) {
1468  SCLogPerf("Builtin MPM \"%s\": %u", builtin_mpms[x], stats[x]);
1469  }
1470  const DetectBufferMpmRegistry *am = de_ctx->app_mpms_list;
1471  while (am != NULL) {
1472  if (appstats[am->sm_list] > 0) {
1473  const char *name = am->name;
1474  const char *direction = am->direction == SIG_FLAG_TOSERVER ? "toserver" : "toclient";
1475  SCLogPerf("AppLayer MPM \"%s %s (%s)\": %u", direction, name,
1476  AppProtoToString(am->app_v2.alproto), appstats[am->sm_list]);
1477  }
1478  am = am->next;
1479  }
1480  const DetectBufferMpmRegistry *pm = de_ctx->pkt_mpms_list;
1481  while (pm != NULL) {
1482  if (pktstats[pm->sm_list] > 0) {
1483  const char *name = pm->name;
1484  SCLogPerf("Pkt MPM \"%s\": %u", name, pktstats[pm->sm_list]);
1485  }
1486  pm = pm->next;
1487  }
1488  const DetectBufferMpmRegistry *um = de_ctx->frame_mpms_list;
1489  while (um != NULL) {
1490  if (framestats[um->sm_list] > 0) {
1491  const char *name = um->name;
1492  SCLogPerf("Frame MPM \"%s\": %u", name, framestats[um->sm_list]);
1493  }
1494  um = um->next;
1495  }
1496  }
1497 }
1498 
1499 /**
1500  * \brief Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by
1501  * MpmStoreInit() function.
1502  *
1503  * \param de_ctx Pointer to the detection engine context.
1504  */
1505 void MpmStoreFree(DetectEngineCtx *de_ctx)
1506 {
1507  if (de_ctx->mpm_hash_table == NULL)
1508  return;
1509 
1510  HashListTableFree(de_ctx->mpm_hash_table);
1511  de_ctx->mpm_hash_table = NULL;
1512  return;
1513 }
1514 
1515 static void MpmStoreSetup(const DetectEngineCtx *de_ctx, MpmStore *ms)
1516 {
1517  const Signature *s = NULL;
1518  uint32_t sig;
1519  int dir = 0;
1520 
1521  if (ms->buffer != MPMB_MAX) {
1522  BUG_ON(ms->sm_list != DETECT_SM_LIST_PMATCH);
1523 
1524  switch (ms->buffer) {
1525  /* TS is 1 */
1526  case MPMB_TCP_PKT_TS:
1527  case MPMB_TCP_STREAM_TS:
1528  case MPMB_UDP_TS:
1529  dir = 1;
1530  break;
1531 
1532  /* TC is 0 */
1533  default:
1534  case MPMB_UDP_TC:
1535  case MPMB_TCP_STREAM_TC:
1536  case MPMB_TCP_PKT_TC:
1537  case MPMB_OTHERIP: /**< use 0 for other */
1538  dir = 0;
1539  break;
1540  }
1541  } else {
1542  BUG_ON(ms->sm_list == DETECT_SM_LIST_PMATCH);
1543 
1544  if (ms->direction == SIG_FLAG_TOSERVER)
1545  dir = 1;
1546  else
1547  dir = 0;
1548  }
1549 
1550  ms->mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx, ms->sgh_mpm_context, dir);
1551  if (ms->mpm_ctx == NULL) {
1552  return;
1553  }
1554 
1555  MpmInitCtx(ms->mpm_ctx, de_ctx->mpm_matcher);
1556 
1557  const bool mpm_supports_endswith =
1558  (mpm_table[de_ctx->mpm_matcher].feature_flags & MPM_FEATURE_FLAG_ENDSWITH) != 0;
1559 
1560  /* add the patterns */
1561  for (sig = 0; sig < (ms->sid_array_size * 8); sig++) {
1562  if (ms->sid_array[sig / 8] & (1 << (sig % 8))) {
1563  s = de_ctx->sig_array[sig];
1564  DEBUG_VALIDATE_BUG_ON(s == NULL);
1565  if (s == NULL)
1566  continue;
1567 
1568  SCLogDebug("%p: direction %d adding %u", ms, ms->direction, s->id);
1569 
1570  const DetectContentData *cd = (DetectContentData *)s->init_data->mpm_sm->ctx;
1571 
1572  int skip = 0;
1573  /* negated logic: if mpm match can't be used to be sure about this
1574  * pattern, we have to inspect the rule fully regardless of mpm
1575  * match. So in this case there is no point of adding it at all.
1576  * The non-mpm list entry for the sig will make sure the sig is
1577  * inspected. */
1578  if ((cd->flags & DETECT_CONTENT_NEGATED) &&
1579  !(DETECT_CONTENT_MPM_IS_CONCLUSIVE(cd)))
1580  {
1581  skip = 1;
1582  SCLogDebug("not adding negated mpm as it's not 'single'");
1583  }
1584 
1585  if (!skip) {
1586  uint8_t flags = 0;
1587  if ((cd->flags & DETECT_CONTENT_ENDS_WITH) && mpm_supports_endswith)
1588  flags = MPM_PATTERN_FLAG_ENDSWITH;
1589  PopulateMpmHelperAddPattern(
1590  ms->mpm_ctx, cd, s, flags, (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP));
1591  }
1592  }
1593  }
1594 
1595  if (ms->mpm_ctx->pattern_cnt == 0) {
1596  MpmFactoryReClaimMpmCtx(de_ctx, ms->mpm_ctx);
1597  ms->mpm_ctx = NULL;
1598  } else {
1599  if (ms->sgh_mpm_context == MPM_CTX_FACTORY_UNIQUE_CONTEXT) {
1600  if (mpm_table[ms->mpm_ctx->mpm_type].Prepare != NULL) {
1601  mpm_table[ms->mpm_ctx->mpm_type].Prepare(ms->mpm_ctx);
1602  }
1603  }
1604  }
1605 }
1606 
1607 
1608 /** \brief Get MpmStore for a built-in buffer type
1609  *
1610  */
1611 MpmStore *MpmStorePrepareBuffer(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
1612  enum MpmBuiltinBuffers buf)
1613 {
1614  const Signature *s = NULL;
1615  uint32_t sig;
1616  uint32_t cnt = 0;
1617  int direction = 0;
1618  uint32_t max_sid = DetectEngineGetMaxSigId(de_ctx) / 8 + 1;
1619  uint8_t sids_array[max_sid];
1620  memset(sids_array, 0x00, max_sid);
1621  int sgh_mpm_context = 0;
1622  int sm_list = DETECT_SM_LIST_PMATCH;
1623 
1624  switch (buf) {
1625  case MPMB_TCP_PKT_TS:
1626  case MPMB_TCP_PKT_TC:
1627  sgh_mpm_context = de_ctx->sgh_mpm_context_proto_tcp_packet;
1628  break;
1629  case MPMB_TCP_STREAM_TS:
1630  case MPMB_TCP_STREAM_TC:
1631  sgh_mpm_context = de_ctx->sgh_mpm_context_stream;
1632  break;
1633  case MPMB_UDP_TS:
1634  case MPMB_UDP_TC:
1635  sgh_mpm_context = de_ctx->sgh_mpm_context_proto_udp_packet;
1636  break;
1637  case MPMB_OTHERIP:
1638  sgh_mpm_context = de_ctx->sgh_mpm_context_proto_other_packet;
1639  break;
1640  default:
1641  break;
1642  }
1643 
1644  switch(buf) {
1645  case MPMB_TCP_PKT_TS:
1646  case MPMB_TCP_STREAM_TS:
1647  case MPMB_UDP_TS:
1648  direction = SIG_FLAG_TOSERVER;
1649  break;
1650 
1651  case MPMB_TCP_PKT_TC:
1652  case MPMB_TCP_STREAM_TC:
1653  case MPMB_UDP_TC:
1654  direction = SIG_FLAG_TOCLIENT;
1655  break;
1656 
1657  case MPMB_OTHERIP:
1658  direction = (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER);
1659  break;
1660 
1661  case MPMB_MAX:
1662  BUG_ON(1);
1663  break;
1664  }
1665 
1666  for (sig = 0; sig < sgh->init->sig_cnt; sig++) {
1667  s = sgh->init->match_array[sig];
1668  if (s == NULL)
1669  continue;
1670 
1671  if (s->init_data->mpm_sm == NULL)
1672  continue;
1673 
1674  int list = s->init_data->mpm_sm_list;
1675  if (list < 0)
1676  continue;
1677 
1678  if (list != DETECT_SM_LIST_PMATCH)
1679  continue;
1680 
1681  switch (buf) {
1682  case MPMB_TCP_PKT_TS:
1683  case MPMB_TCP_PKT_TC:
1684  if (SignatureHasPacketContent(s) == 1)
1685  {
1686  sids_array[s->num / 8] |= 1 << (s->num % 8);
1687  cnt++;
1688  }
1689  break;
1690  case MPMB_TCP_STREAM_TS:
1691  case MPMB_TCP_STREAM_TC:
1692  if (SignatureHasStreamContent(s) == 1)
1693  {
1694  sids_array[s->num / 8] |= 1 << (s->num % 8);
1695  cnt++;
1696  }
1697  break;
1698  case MPMB_UDP_TS:
1699  case MPMB_UDP_TC:
1700  sids_array[s->num / 8] |= 1 << (s->num % 8);
1701  cnt++;
1702  break;
1703  case MPMB_OTHERIP:
1704  sids_array[s->num / 8] |= 1 << (s->num % 8);
1705  cnt++;
1706  break;
1707  default:
1708  break;
1709  }
1710  }
1711 
1712  if (cnt == 0)
1713  return NULL;
1714 
1715  MpmStore lookup = { sids_array, max_sid, direction, buf, sm_list, 0, 0, NULL };
1716 
1717  MpmStore *result = MpmStoreLookup(de_ctx, &lookup);
1718  if (result == NULL) {
1719  MpmStore *copy = SCCalloc(1, sizeof(MpmStore));
1720  if (copy == NULL)
1721  return NULL;
1722  uint8_t *sids = SCCalloc(1, max_sid);
1723  if (sids == NULL) {
1724  SCFree(copy);
1725  return NULL;
1726  }
1727 
1728  memcpy(sids, sids_array, max_sid);
1729  copy->sid_array = sids;
1730  copy->sid_array_size = max_sid;
1731  copy->buffer = buf;
1732  copy->direction = direction;
1733  copy->sm_list = sm_list;
1734  copy->sgh_mpm_context = sgh_mpm_context;
1735 
1736  MpmStoreSetup(de_ctx, copy);
1737  MpmStoreAdd(de_ctx, copy);
1738  return copy;
1739  } else {
1740  return result;
1741  }
1742 }
1743 
1744 struct SidsArray {
1745  uint8_t *sids_array;
1746  uint32_t sids_array_size;
1747  /* indicates this has an active engine */
1748  bool active;
1749 
1750  enum DetectBufferMpmType type;
1751 };
1752 
1753 static MpmStore *MpmStorePrepareBufferAppLayer(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
1754  const DetectBufferMpmRegistry *am, const struct SidsArray *sa)
1755 {
1756  if (sa->sids_array_size == 0 || sa->sids_array == NULL)
1757  return NULL;
1758 
1759  SCLogDebug("handling %s direction %s for list %d", am->name,
1760  am->direction == SIG_FLAG_TOSERVER ? "toserver" : "toclient",
1761  am->sm_list);
1762 
1763  MpmStore lookup = { sa->sids_array, sa->sids_array_size, am->direction, MPMB_MAX, am->sm_list,
1764  0, am->app_v2.alproto, NULL };
1765  SCLogDebug("am->direction %d am->sm_list %d sgh_mpm_context %d", am->direction, am->sm_list,
1766  am->sgh_mpm_context);
1767 
1768  MpmStore *result = MpmStoreLookup(de_ctx, &lookup);
1769  if (result == NULL) {
1770  SCLogDebug("new unique mpm for %s %s", am->name,
1771  am->direction == SIG_FLAG_TOSERVER ? "toserver" : "toclient");
1772 
1773  MpmStore *copy = SCCalloc(1, sizeof(MpmStore));
1774  if (copy == NULL)
1775  return NULL;
1776  uint8_t *sids = SCCalloc(1, sa->sids_array_size);
1777  if (sids == NULL) {
1778  SCFree(copy);
1779  return NULL;
1780  }
1781 
1782  memcpy(sids, sa->sids_array, sa->sids_array_size);
1783  copy->sid_array = sids;
1784  copy->sid_array_size = sa->sids_array_size;
1785  copy->buffer = MPMB_MAX;
1786  copy->direction = am->direction;
1787  copy->sm_list = am->sm_list;
1788  copy->sgh_mpm_context = am->sgh_mpm_context;
1789  copy->alproto = am->app_v2.alproto;
1790 
1791  MpmStoreSetup(de_ctx, copy);
1792  MpmStoreAdd(de_ctx, copy);
1793  return copy;
1794  } else {
1795  SCLogDebug("using existing mpm %p", result);
1796  return result;
1797  }
1798  return NULL;
1799 }
1800 
1801 static MpmStore *MpmStorePrepareBufferPkt(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
1802  const DetectBufferMpmRegistry *am, const struct SidsArray *sa)
1803 {
1804  SCLogDebug("handling %s for list %d", am->name,
1805  am->sm_list);
1806 
1807  if (sa->sids_array_size == 0 || sa->sids_array == NULL)
1808  return NULL;
1809 
1810  MpmStore lookup = { sa->sids_array, sa->sids_array_size, SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT,
1811  MPMB_MAX, am->sm_list, 0, 0, NULL };
1812  SCLogDebug("am->sm_list %d", am->sm_list);
1813 
1814  MpmStore *result = MpmStoreLookup(de_ctx, &lookup);
1815  if (result == NULL) {
1816  SCLogDebug("new unique mpm for %s", am->name);
1817 
1818  MpmStore *copy = SCCalloc(1, sizeof(MpmStore));
1819  if (copy == NULL)
1820  return NULL;
1821  uint8_t *sids = SCCalloc(1, sa->sids_array_size);
1822  if (sids == NULL) {
1823  SCFree(copy);
1824  return NULL;
1825  }
1826 
1827  memcpy(sids, sa->sids_array, sa->sids_array_size);
1828  copy->sid_array = sids;
1829  copy->sid_array_size = sa->sids_array_size;
1830  copy->buffer = MPMB_MAX;
1831  copy->direction = SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT;
1832  copy->sm_list = am->sm_list;
1833  copy->sgh_mpm_context = am->sgh_mpm_context;
1834 
1835  MpmStoreSetup(de_ctx, copy);
1836  MpmStoreAdd(de_ctx, copy);
1837  return copy;
1838  } else {
1839  SCLogDebug("using existing mpm %p", result);
1840  return result;
1841  }
1842  return NULL;
1843 }
1844 
1845 static MpmStore *MpmStorePrepareBufferFrame(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
1846  const DetectBufferMpmRegistry *am, const struct SidsArray *sa)
1847 {
1848  SCLogDebug("handling %s for list %d", am->name, am->sm_list);
1849 
1850  if (sa->sids_array_size == 0 || sa->sids_array == NULL)
1851  return NULL;
1852 
1853  MpmStore lookup = { sa->sids_array, sa->sids_array_size, am->direction, MPMB_MAX, am->sm_list,
1854  0, am->frame_v1.alproto, NULL };
1855  SCLogDebug("am->sm_list %d", am->sm_list);
1856 
1857  MpmStore *result = MpmStoreLookup(de_ctx, &lookup);
1858  if (result == NULL) {
1859  SCLogDebug("new unique mpm for %s", am->name);
1860 
1861  MpmStore *copy = SCCalloc(1, sizeof(MpmStore));
1862  if (copy == NULL)
1863  return NULL;
1864  uint8_t *sids = SCCalloc(1, sa->sids_array_size);
1865  if (sids == NULL) {
1866  SCFree(copy);
1867  return NULL;
1868  }
1869 
1870  memcpy(sids, sa->sids_array, sa->sids_array_size);
1871  copy->sid_array = sids;
1872  copy->sid_array_size = sa->sids_array_size;
1873  copy->buffer = MPMB_MAX;
1874  copy->direction = am->direction;
1875  copy->sm_list = am->sm_list;
1876  copy->sgh_mpm_context = am->sgh_mpm_context;
1877  copy->alproto = am->frame_v1.alproto;
1878 
1879  MpmStoreSetup(de_ctx, copy);
1880  MpmStoreAdd(de_ctx, copy);
1881  return copy;
1882  } else {
1883  SCLogDebug("using existing mpm %p", result);
1884  return result;
1885  }
1886  return NULL;
1887 }
1888 
1889 static void SetRawReassemblyFlag(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
1890 {
1891  const Signature *s = NULL;
1892  uint32_t sig;
1893 
1894  for (sig = 0; sig < sgh->init->sig_cnt; sig++) {
1895  s = sgh->init->match_array[sig];
1896  if (s == NULL)
1897  continue;
1898 
1899  if (SignatureHasStreamContent(s) == 1) {
1900  sgh->flags |= SIG_GROUP_HEAD_HAVERAWSTREAM;
1901  SCLogDebug("rule group %p has SIG_GROUP_HEAD_HAVERAWSTREAM set", sgh);
1902  return;
1903  }
1904  }
1905  SCLogDebug("rule group %p does NOT have SIG_GROUP_HEAD_HAVERAWSTREAM set", sgh);
1906 }
1907 
1908 typedef struct DetectBufferInstance {
1909  // key
1910  int list;
1911  AppProto alproto;
1912 
1913  struct SidsArray ts;
1914  struct SidsArray tc;
1915 } DetectBufferInstance;
1916 
1917 static uint32_t DetectBufferInstanceHashFunc(HashListTable *ht, void *data, uint16_t datalen)
1918 {
1919  const DetectBufferInstance *ms = (const DetectBufferInstance *)data;
1920  uint32_t hash = ms->list + ms->alproto;
1921  return hash % ht->array_size;
1922 }
1923 
1924 static char DetectBufferInstanceCompareFunc(void *data1, uint16_t len1, void *data2, uint16_t len2)
1925 {
1926  const DetectBufferInstance *ms1 = (DetectBufferInstance *)data1;
1927  const DetectBufferInstance *ms2 = (DetectBufferInstance *)data2;
1928  return (ms1->list == ms2->list && ms1->alproto == ms2->alproto);
1929 }
1930 
1931 static void DetectBufferInstanceFreeFunc(void *ptr)
1932 {
1933  DetectBufferInstance *ms = ptr;
1934  if (ms->ts.sids_array != NULL)
1935  SCFree(ms->ts.sids_array);
1936  if (ms->tc.sids_array != NULL)
1937  SCFree(ms->tc.sids_array);
1938  SCFree(ms);
1939 }
1940 
1941 static HashListTable *DetectBufferInstanceInit(void)
1942 {
1943  return HashListTableInit(4096, DetectBufferInstanceHashFunc, DetectBufferInstanceCompareFunc,
1944  DetectBufferInstanceFreeFunc);
1945 }
1946 
1947 static void PrepareMpms(DetectEngineCtx *de_ctx, SigGroupHead *sh)
1948 {
1949  HashListTable *bufs = DetectBufferInstanceInit();
1950  BUG_ON(bufs == NULL);
1951 
1952  const int max_buffer_id = de_ctx->buffer_type_id + 1;
1953  const uint32_t max_sid = DetectEngineGetMaxSigId(de_ctx) / 8 + 1;
1954 
1955  AppProto engines[max_buffer_id][ALPROTO_MAX];
1956  memset(engines, 0, sizeof(engines));
1957  int engines_idx[max_buffer_id];
1958  memset(engines_idx, 0, sizeof(engines_idx));
1959  int types[max_buffer_id];
1960  memset(types, 0, sizeof(types));
1961 
1962  /* flag the list+directions we have engines for as active */
1963  for (DetectBufferMpmRegistry *a = de_ctx->pkt_mpms_list; a != NULL; a = a->next) {
1964  types[a->sm_list] = a->type;
1965 
1966  DetectBufferInstance lookup = { .list = a->sm_list, .alproto = ALPROTO_UNKNOWN };
1967  DetectBufferInstance *instance = HashListTableLookup(bufs, &lookup, 0);
1968  if (instance == NULL) {
1969  instance = SCCalloc(1, sizeof(*instance));
1970  BUG_ON(instance == NULL);
1971  instance->list = a->sm_list;
1972  instance->alproto = ALPROTO_UNKNOWN;
1973  HashListTableAdd(bufs, instance, 0);
1974  }
1975  instance->ts.active = true;
1976  instance->tc.active = true;
1977  }
1978  for (DetectBufferMpmRegistry *a = de_ctx->frame_mpms_list; a != NULL; a = a->next) {
1979  const bool add_ts = ((a->direction == SIG_FLAG_TOSERVER) && SGH_DIRECTION_TS(sh));
1980  const bool add_tc = ((a->direction == SIG_FLAG_TOCLIENT) && SGH_DIRECTION_TC(sh));
1981  if (add_ts || add_tc) {
1982  types[a->sm_list] = a->type;
1983  engines[a->sm_list][engines_idx[a->sm_list]++] = a->frame_v1.alproto;
1984 
1985  DetectBufferInstance lookup = { .list = a->sm_list, .alproto = a->frame_v1.alproto };
1986  DetectBufferInstance *instance = HashListTableLookup(bufs, &lookup, 0);
1987  if (instance == NULL) {
1988  instance = SCCalloc(1, sizeof(*instance));
1989  BUG_ON(instance == NULL);
1990  instance->list = a->sm_list;
1991  instance->alproto = a->frame_v1.alproto;
1992  HashListTableAdd(bufs, instance, 0);
1993  }
1994  instance->ts.active |= add_ts;
1995  instance->tc.active |= add_tc;
1996  }
1997  }
1998  for (DetectBufferMpmRegistry *a = de_ctx->app_mpms_list; a != NULL; a = a->next) {
1999  const bool add_ts = ((a->direction == SIG_FLAG_TOSERVER) && SGH_DIRECTION_TS(sh));
2000  const bool add_tc = ((a->direction == SIG_FLAG_TOCLIENT) && SGH_DIRECTION_TC(sh));
2001  if (add_ts || add_tc) {
2002  types[a->sm_list] = a->type;
2003  engines[a->sm_list][engines_idx[a->sm_list]++] = a->app_v2.alproto;
2004 
2005  DetectBufferInstance lookup = { .list = a->sm_list, .alproto = a->app_v2.alproto };
2006  DetectBufferInstance *instance = HashListTableLookup(bufs, &lookup, 0);
2007  if (instance == NULL) {
2008  instance = SCCalloc(1, sizeof(*instance));
2009  BUG_ON(instance == NULL);
2010  instance->list = a->sm_list;
2011  instance->alproto = a->app_v2.alproto;
2012  HashListTableAdd(bufs, instance, 0);
2013  }
2014  instance->ts.active |= add_ts;
2015  instance->tc.active |= add_tc;
2016  }
2017  }
2018 
2019  for (uint32_t sig = 0; sig < sh->init->sig_cnt; sig++) {
2020  const Signature *s = sh->init->match_array[sig];
2021  if (s == NULL)
2022  continue;
2023  if (s->init_data->mpm_sm == NULL)
2024  continue;
2025  const int list = s->init_data->mpm_sm_list;
2026  if (list < 0)
2027  continue;
2028  if (list == DETECT_SM_LIST_PMATCH)
2029  continue;
2030 
2031  switch (types[list]) {
2032  /* app engines are direction aware */
2033  case DETECT_BUFFER_MPM_TYPE_FRAME:
2034  case DETECT_BUFFER_MPM_TYPE_APP: {
2035  for (int e = 0; e < engines_idx[list]; e++) {
2036  const AppProto alproto = engines[list][e];
2037  if (!(AppProtoEquals(s->alproto, alproto) || s->alproto == 0))
2038  continue;
2039 
2040  DetectBufferInstance lookup = { .list = list, .alproto = alproto };
2041  DetectBufferInstance *instance = HashListTableLookup(bufs, &lookup, 0);
2042  if (instance == NULL)
2043  continue;
2044  if (s->flags & SIG_FLAG_TOSERVER) {
2045  struct SidsArray *sa = &instance->ts;
2046  if (sa->active) {
2047  if (sa->sids_array == NULL) {
2048  sa->sids_array = SCCalloc(1, max_sid);
2049  sa->sids_array_size = max_sid;
2050  BUG_ON(sa->sids_array == NULL); // TODO
2051  }
2052  sa->sids_array[s->num / 8] |= 1 << (s->num % 8);
2053  SCLogDebug("instance %p: stored %u/%u ts", instance, s->id, s->num);
2054  }
2055  }
2056  if (s->flags & SIG_FLAG_TOCLIENT) {
2057  struct SidsArray *sa = &instance->tc;
2058  if (sa->active) {
2059  if (sa->sids_array == NULL) {
2060  sa->sids_array = SCCalloc(1, max_sid);
2061  sa->sids_array_size = max_sid;
2062  BUG_ON(sa->sids_array == NULL); // TODO
2063  }
2064  sa->sids_array[s->num / 8] |= 1 << (s->num % 8);
2065  SCLogDebug("instance %p: stored %u/%u tc", instance, s->id, s->num);
2066  }
2067  }
2068  }
2069  break;
2070  }
2071  /* pkt engines are directionless, so only use ts */
2072  case DETECT_BUFFER_MPM_TYPE_PKT: {
2073  DetectBufferInstance lookup = { .list = list, .alproto = ALPROTO_UNKNOWN };
2074  DetectBufferInstance *instance = HashListTableLookup(bufs, &lookup, 0);
2075  if (instance == NULL)
2076  continue;
2077  struct SidsArray *sa = &instance->ts;
2078  if (sa->active) {
2079  if (sa->sids_array == NULL) {
2080  sa->sids_array = SCCalloc(1, max_sid);
2081  sa->sids_array_size = max_sid;
2082  BUG_ON(sa->sids_array == NULL); // TODO
2083  }
2084  sa->sids_array[s->num / 8] |= 1 << (s->num % 8);
2085  }
2086  break;
2087  }
2088  default:
2089  abort();
2090  break;
2091  }
2092  }
2093 
2094  sh->init->app_mpms = SCCalloc(de_ctx->app_mpms_list_cnt, sizeof(MpmCtx *));
2095  BUG_ON(sh->init->app_mpms == NULL);
2096 
2097  sh->init->pkt_mpms = SCCalloc(de_ctx->pkt_mpms_list_cnt, sizeof(MpmCtx *));
2098  BUG_ON(sh->init->pkt_mpms == NULL);
2099 
2100  sh->init->frame_mpms = SCCalloc(de_ctx->frame_mpms_list_cnt, sizeof(MpmCtx *));
2101  BUG_ON(sh->init->frame_mpms == NULL);
2102 
2103  for (DetectBufferMpmRegistry *a = de_ctx->pkt_mpms_list; a != NULL; a = a->next) {
2104  DetectBufferInstance lookup = { .list = a->sm_list, .alproto = ALPROTO_UNKNOWN };
2105  DetectBufferInstance *instance = HashListTableLookup(bufs, &lookup, 0);
2106  if (instance == NULL) {
2107  continue;
2108  }
2109  struct SidsArray *sa = &instance->ts;
2110  if (!sa->active)
2111  continue;
2112 
2113  MpmStore *mpm_store = MpmStorePrepareBufferPkt(de_ctx, sh, a, sa);
2114  if (mpm_store != NULL) {
2115  sh->init->pkt_mpms[a->id] = mpm_store->mpm_ctx;
2116 
2117  SCLogDebug("a %p a->name %s a->reg->PrefilterRegisterWithListId %p "
2118  "mpm_store->mpm_ctx %p", a, a->name,
2119  a->PrefilterRegisterWithListId, mpm_store->mpm_ctx);
2120 
2121  /* if we have just certain types of negated patterns,
2122  * mpm_ctx can be NULL */
2123  if (a->PrefilterRegisterWithListId && mpm_store->mpm_ctx) {
2124  BUG_ON(a->PrefilterRegisterWithListId(de_ctx,
2125  sh, mpm_store->mpm_ctx,
2126  a, a->sm_list) != 0);
2127  SCLogDebug("mpm %s %d set up", a->name, a->sm_list);
2128  }
2129  }
2130  }
2131  for (DetectBufferMpmRegistry *a = de_ctx->frame_mpms_list; a != NULL; a = a->next) {
2132  if ((a->direction == SIG_FLAG_TOSERVER && SGH_DIRECTION_TS(sh)) ||
2133  (a->direction == SIG_FLAG_TOCLIENT && SGH_DIRECTION_TC(sh))) {
2134  DetectBufferInstance lookup = { .list = a->sm_list, .alproto = a->frame_v1.alproto };
2135  DetectBufferInstance *instance = HashListTableLookup(bufs, &lookup, 0);
2136  if (instance == NULL) {
2137  continue;
2138  }
2139  struct SidsArray *sa =
2140  (a->direction == SIG_FLAG_TOSERVER) ? &instance->ts : &instance->tc;
2141  if (!sa->active)
2142  continue;
2143 
2144  SCLogDebug("a %s direction %d PrefilterRegisterWithListId %p", a->name, a->direction,
2145  a->PrefilterRegisterWithListId);
2146  MpmStore *mpm_store = MpmStorePrepareBufferFrame(de_ctx, sh, a, sa);
2147  if (mpm_store != NULL) {
2148  sh->init->frame_mpms[a->id] = mpm_store->mpm_ctx;
2149 
2150  SCLogDebug("a %p a->name %s a->reg->PrefilterRegisterWithListId %p "
2151  "mpm_store->mpm_ctx %p",
2152  a, a->name, a->PrefilterRegisterWithListId, mpm_store->mpm_ctx);
2153 
2154  /* if we have just certain types of negated patterns,
2155  * mpm_ctx can be NULL */
2156  SCLogDebug("mpm_store %p mpm_ctx %p", mpm_store, mpm_store->mpm_ctx);
2157  if (a->PrefilterRegisterWithListId && mpm_store->mpm_ctx) {
2158  BUG_ON(a->PrefilterRegisterWithListId(
2159  de_ctx, sh, mpm_store->mpm_ctx, a, a->sm_list) != 0);
2160  SCLogDebug("mpm %s %d set up", a->name, a->sm_list);
2161  }
2162  }
2163  }
2164  }
2165  for (DetectBufferMpmRegistry *a = de_ctx->app_mpms_list; a != NULL; a = a->next) {
2166  if ((a->direction == SIG_FLAG_TOSERVER && SGH_DIRECTION_TS(sh)) ||
2167  (a->direction == SIG_FLAG_TOCLIENT && SGH_DIRECTION_TC(sh))) {
2168 
2169  DetectBufferInstance lookup = { .list = a->sm_list, .alproto = a->app_v2.alproto };
2170  DetectBufferInstance *instance = HashListTableLookup(bufs, &lookup, 0);
2171  if (instance == NULL) {
2172  continue;
2173  }
2174  struct SidsArray *sa =
2175  (a->direction == SIG_FLAG_TOSERVER) ? &instance->ts : &instance->tc;
2176  if (!sa->active)
2177  continue;
2178 
2179  MpmStore *mpm_store = MpmStorePrepareBufferAppLayer(de_ctx, sh, a, sa);
2180  if (mpm_store != NULL) {
2181  sh->init->app_mpms[a->id] = mpm_store->mpm_ctx;
2182 
2183  SCLogDebug("a %p a->name %s a->PrefilterRegisterWithListId %p "
2184  "mpm_store->mpm_ctx %p",
2185  a, a->name, a->PrefilterRegisterWithListId, mpm_store->mpm_ctx);
2186 
2187  /* if we have just certain types of negated patterns,
2188  * mpm_ctx can be NULL */
2189  if (a->PrefilterRegisterWithListId && mpm_store->mpm_ctx) {
2190  BUG_ON(a->PrefilterRegisterWithListId(
2191  de_ctx, sh, mpm_store->mpm_ctx, a, a->sm_list) != 0);
2192  SCLogDebug("mpm %s %d set up", a->name, a->sm_list);
2193  }
2194  }
2195  }
2196  }
2197  HashListTableFree(bufs);
2198 }
2199 
2200 /** \brief Prepare the pattern matcher ctx in a sig group head.
2201  *
2202  */
2203 int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
2204 {
2205  MpmStore *mpm_store = NULL;
2206  if (SGH_PROTO(sh, IPPROTO_TCP)) {
2207  if (SGH_DIRECTION_TS(sh)) {
2208  mpm_store = MpmStorePrepareBuffer(de_ctx, sh, MPMB_TCP_PKT_TS);
2209  if (mpm_store != NULL) {
2210  PrefilterPktPayloadRegister(de_ctx, sh, mpm_store->mpm_ctx);
2211  }
2212 
2213  mpm_store = MpmStorePrepareBuffer(de_ctx, sh, MPMB_TCP_STREAM_TS);
2214  if (mpm_store != NULL) {
2215  PrefilterPktStreamRegister(de_ctx, sh, mpm_store->mpm_ctx);
2216  }
2217 
2218  SetRawReassemblyFlag(de_ctx, sh);
2219  }
2220  if (SGH_DIRECTION_TC(sh)) {
2221  mpm_store = MpmStorePrepareBuffer(de_ctx, sh, MPMB_TCP_PKT_TC);
2222  if (mpm_store != NULL) {
2223  PrefilterPktPayloadRegister(de_ctx, sh, mpm_store->mpm_ctx);
2224  }
2225 
2226  mpm_store = MpmStorePrepareBuffer(de_ctx, sh, MPMB_TCP_STREAM_TC);
2227  if (mpm_store != NULL) {
2228  PrefilterPktStreamRegister(de_ctx, sh, mpm_store->mpm_ctx);
2229  }
2230 
2231  SetRawReassemblyFlag(de_ctx, sh);
2232  }
2233  } else if (SGH_PROTO(sh, IPPROTO_UDP)) {
2234  if (SGH_DIRECTION_TS(sh)) {
2235  mpm_store = MpmStorePrepareBuffer(de_ctx, sh, MPMB_UDP_TS);
2236  if (mpm_store != NULL) {
2237  PrefilterPktPayloadRegister(de_ctx, sh, mpm_store->mpm_ctx);
2238  }
2239  }
2240  if (SGH_DIRECTION_TC(sh)) {
2241  mpm_store = MpmStorePrepareBuffer(de_ctx, sh, MPMB_UDP_TC);
2242  if (mpm_store != NULL) {
2243  PrefilterPktPayloadRegister(de_ctx, sh, mpm_store->mpm_ctx);
2244  }
2245  }
2246  } else {
2247  mpm_store = MpmStorePrepareBuffer(de_ctx, sh, MPMB_OTHERIP);
2248  if (mpm_store != NULL) {
2249  PrefilterPktPayloadRegister(de_ctx, sh, mpm_store->mpm_ctx);
2250  }
2251  }
2252 
2253  PrepareMpms(de_ctx, sh);
2254  return 0;
2255 }
2256 
2257 static inline uint32_t ContentFlagsForHash(const DetectContentData *cd)
2258 {
2259  return cd->flags & (DETECT_CONTENT_NOCASE | DETECT_CONTENT_OFFSET | DETECT_CONTENT_DEPTH |
2260  DETECT_CONTENT_NEGATED | DETECT_CONTENT_ENDS_WITH);
2261 }
2262 
2263 /** \internal
2264  * \brief The hash function for Pattern. Hashes pattern after chop is applied.
2265  *
2266  * \param ht Pointer to the hash table.
2267  * \param data Pointer to the Pattern.
2268  * \param datalen Not used in our case.
2269  *
2270  * \retval hash The generated hash value.
2271  */
2272 static uint32_t PatternChopHashFunc(HashListTable *ht, void *data, uint16_t datalen)
2273 {
2274  const DetectPatternTracker *p = (DetectPatternTracker *)data;
2275  uint32_t hash = p->sm_list + ContentFlagsForHash(p->cd);
2276  uint16_t content_len = p->cd->content_len;
2277  const uint8_t *content = p->cd->content;
2278  if (p->cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
2279  content += p->cd->fp_chop_offset;
2280  content_len = p->cd->fp_chop_len;
2281  }
2282  hash += StringHashDjb2(content, content_len);
2283  return hash % ht->array_size;
2284 }
2285 
2286 /** \internal
2287  * \brief The hash function for Pattern. Ignores chop.
2288  *
2289  * \param ht Pointer to the hash table.
2290  * \param data Pointer to the Pattern.
2291  * \param datalen Not used in our case.
2292  *
2293  * \retval hash The generated hash value.
2294  */
2295 static uint32_t PatternNoChopHashFunc(HashListTable *ht, void *data, uint16_t datalen)
2296 {
2297  const DetectPatternTracker *p = (DetectPatternTracker *)data;
2298  uint32_t hash = p->sm_list + ContentFlagsForHash(p->cd);
2299  hash += StringHashDjb2(p->cd->content, p->cd->content_len);
2300  return hash % ht->array_size;
2301 }
2302 
2303 /**
2304  * \brief The Compare function for Pattern. Compares patterns after chop is applied.
2305  *
2306  * \param data1 Pointer to the first Pattern.
2307  * \param len1 Not used.
2308  * \param data2 Pointer to the second Pattern.
2309  * \param len2 Not used.
2310  *
2311  * \retval 1 If the 2 Patterns sent as args match.
2312  * \retval 0 If the 2 Patterns sent as args do not match.
2313  */
2314 static char PatternChopCompareFunc(void *data1, uint16_t len1, void *data2, uint16_t len2)
2315 {
2316  const DetectPatternTracker *p1 = (DetectPatternTracker *)data1;
2317  const DetectPatternTracker *p2 = (DetectPatternTracker *)data2;
2318 
2319  if (p1->sm_list != p2->sm_list)
2320  return 0;
2321 
2322  if (ContentFlagsForHash(p1->cd) != ContentFlagsForHash(p2->cd))
2323  return 0;
2324 
2325  uint16_t p1_content_len = p1->cd->content_len;
2326  uint8_t *p1_content = p1->cd->content;
2327  if (p1->cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
2328  p1_content += p1->cd->fp_chop_offset;
2329  p1_content_len = p1->cd->fp_chop_len;
2330  }
2331  uint16_t p2_content_len = p2->cd->content_len;
2332  uint8_t *p2_content = p2->cd->content;
2333  if (p2->cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
2334  p2_content += p2->cd->fp_chop_offset;
2335  p2_content_len = p2->cd->fp_chop_len;
2336  }
2337 
2338  if (p1_content_len != p2_content_len)
2339  return 0;
2340 
2341  if (memcmp(p1_content, p2_content, p1_content_len) != 0) {
2342  return 0;
2343  }
2344 
2345  return 1;
2346 }
2347 
2348 /**
2349  * \brief The Compare function for Pattern. Ignores chop settings
2350  *
2351  * \param data1 Pointer to the first Pattern.
2352  * \param len1 Not used.
2353  * \param data2 Pointer to the second Pattern.
2354  * \param len2 Not used.
2355  *
2356  * \retval 1 If the 2 Patterns sent as args match.
2357  * \retval 0 If the 2 Patterns sent as args do not match.
2358  */
2359 static char PatternNoChopCompareFunc(void *data1, uint16_t len1, void *data2, uint16_t len2)
2360 {
2361  const DetectPatternTracker *p1 = (DetectPatternTracker *)data1;
2362  const DetectPatternTracker *p2 = (DetectPatternTracker *)data2;
2363 
2364  if (p1->sm_list != p2->sm_list)
2365  return 0;
2366 
2367  if (ContentFlagsForHash(p1->cd) != ContentFlagsForHash(p2->cd))
2368  return 0;
2369 
2370  if (p1->cd->content_len != p2->cd->content_len)
2371  return 0;
2372 
2373  if (memcmp(p1->cd->content, p2->cd->content, p1->cd->content_len) != 0) {
2374  return 0;
2375  }
2376 
2377  return 1;
2378 }
2379 
2380 static void PatternFreeFunc(void *ptr)
2381 {
2382  SCFree(ptr);
2383 }
2384 
2385 /**
2386  * \brief Figure out the FP and their respective content ids for all the
2387  * sigs in the engine.
2388  *
2389  * \param de_ctx Detection engine context.
2390  *
2391  * \retval 0 On success.
2392  * \retval -1 On failure.
2393  */
2394 int DetectSetFastPatternAndItsId(DetectEngineCtx *de_ctx)
2395 {
2396  uint32_t cnt = 0;
2397  for (Signature *s = de_ctx->sig_list; s != NULL; s = s->next) {
2398  if (s->flags & SIG_FLAG_PREFILTER)
2399  continue;
2400 
2401  RetrieveFPForSig(de_ctx, s);
2402  if (s->init_data->mpm_sm != NULL) {
2403  s->flags |= SIG_FLAG_PREFILTER;
2404  cnt++;
2405  }
2406  }
2407  /* no mpm rules */
2408  if (cnt == 0)
2409  return 0;
2410 
2411  HashListTable *ht =
2412  HashListTableInit(4096, PatternChopHashFunc, PatternChopCompareFunc, PatternFreeFunc);
2413  BUG_ON(ht == NULL);
2414  PatIntId max_id = 0;
2415 
2416  for (Signature *s = de_ctx->sig_list; s != NULL; s = s->next) {
2417  if (s->init_data->mpm_sm == NULL)
2418  continue;
2419 
2420  const int sm_list = s->init_data->mpm_sm_list;
2421  BUG_ON(sm_list == -1);
2422 
2423  DetectContentData *cd = (DetectContentData *)s->init_data->mpm_sm->ctx;
2424 
2425  DetectPatternTracker lookup = { .cd = cd, .sm_list = sm_list, .cnt = 0, .mpm = 0 };
2426  DetectPatternTracker *res = HashListTableLookup(ht, &lookup, 0);
2427  if (res) {
2428  res->cnt++;
2429  res->mpm += ((cd->flags & DETECT_CONTENT_MPM) != 0);
2430 
2431  cd->id = res->cd->id;
2432  SCLogDebug("%u: res id %u cnt %u", s->id, res->cd->id, res->cnt);
2433  } else {
2434  DetectPatternTracker *add = SCCalloc(1, sizeof(*add));
2435  BUG_ON(add == NULL);
2436  add->cd = cd;
2437  add->sm_list = sm_list;
2438  add->cnt = 1;
2439  add->mpm = ((cd->flags & DETECT_CONTENT_MPM) != 0);
2440  HashListTableAdd(ht, (void *)add, 0);
2441 
2442  cd->id = max_id++;
2443  SCLogDebug("%u: add id %u cnt %u", s->id, add->cd->id, add->cnt);
2444  }
2445  }
2446 
2447  HashListTableFree(ht);
2448 
2449  return 0;
2450 }
2451 
2452 /** \brief add all patterns on our stats hash
2453  * Used to fill the hash later used by DumpPatterns()
2454  * \note sets up the hash table on first call
2455  */
2456 void EngineAnalysisAddAllRulePatterns(DetectEngineCtx *de_ctx, const Signature *s)
2457 {
2458  if (de_ctx->pattern_hash_table == NULL) {
2459  de_ctx->pattern_hash_table = HashListTableInit(
2460  4096, PatternNoChopHashFunc, PatternNoChopCompareFunc, PatternFreeFunc);
2461  BUG_ON(de_ctx->pattern_hash_table == NULL);
2462  }
2463  if (s->sm_arrays[DETECT_SM_LIST_PMATCH]) {
2464  SigMatchData *smd = s->sm_arrays[DETECT_SM_LIST_PMATCH];
2465  do {
2466  switch (smd->type) {
2467  case DETECT_CONTENT: {
2468  const DetectContentData *cd = (const DetectContentData *)smd->ctx;
2469  DetectPatternTracker lookup = {
2470  .cd = cd, .sm_list = DETECT_SM_LIST_PMATCH, .cnt = 0, .mpm = 0
2471  };
2472  DetectPatternTracker *res =
2473  HashListTableLookup(de_ctx->pattern_hash_table, &lookup, 0);
2474  if (res) {
2475  res->cnt++;
2476  res->mpm += ((cd->flags & DETECT_CONTENT_MPM) != 0);
2477  } else {
2478  DetectPatternTracker *add = SCCalloc(1, sizeof(*add));
2479  BUG_ON(add == NULL);
2480  add->cd = cd;
2481  add->sm_list = DETECT_SM_LIST_PMATCH;
2482  add->cnt = 1;
2483  add->mpm = ((cd->flags & DETECT_CONTENT_MPM) != 0);
2484  HashListTableAdd(de_ctx->pattern_hash_table, (void *)add, 0);
2485  }
2486  break;
2487  }
2488  }
2489  if (smd->is_last)
2490  break;
2491  smd++;
2492  } while (1);
2493  }
2494 
2495  const DetectEngineAppInspectionEngine *app = s->app_inspect;
2496  for (; app != NULL; app = app->next) {
2497  DEBUG_VALIDATE_BUG_ON(app->smd == NULL);
2498  SigMatchData *smd = app->smd;
2499  do {
2500  switch (smd->type) {
2501  case DETECT_CONTENT: {
2502  const DetectContentData *cd = (const DetectContentData *)smd->ctx;
2503 
2504  DetectPatternTracker lookup = {
2505  .cd = cd, .sm_list = app->sm_list, .cnt = 0, .mpm = 0
2506  };
2507  DetectPatternTracker *res =
2508  HashListTableLookup(de_ctx->pattern_hash_table, &lookup, 0);
2509  if (res) {
2510  res->cnt++;
2511  res->mpm += ((cd->flags & DETECT_CONTENT_MPM) != 0);
2512  } else {
2513  DetectPatternTracker *add = SCCalloc(1, sizeof(*add));
2514  BUG_ON(add == NULL);
2515  add->cd = cd;
2516  add->sm_list = app->sm_list;
2517  add->cnt = 1;
2518  add->mpm = ((cd->flags & DETECT_CONTENT_MPM) != 0);
2519  HashListTableAdd(de_ctx->pattern_hash_table, (void *)add, 0);
2520  }
2521  break;
2522  }
2523  }
2524  if (smd->is_last)
2525  break;
2526  smd++;
2527  } while (1);
2528  }
2529  const DetectEnginePktInspectionEngine *pkt = s->pkt_inspect;
2530  for (; pkt != NULL; pkt = pkt->next) {
2531  SigMatchData *smd = pkt->smd;
2532  do {
2533  if (smd == NULL) {
2534  BUG_ON(!(pkt->sm_list < DETECT_SM_LIST_DYNAMIC_START));
2535  smd = s->sm_arrays[pkt->sm_list];
2536  }
2537  switch (smd->type) {
2538  case DETECT_CONTENT: {
2539  const DetectContentData *cd = (const DetectContentData *)smd->ctx;
2540 
2541  DetectPatternTracker lookup = {
2542  .cd = cd, .sm_list = pkt->sm_list, .cnt = 0, .mpm = 0
2543  };
2544  DetectPatternTracker *res =
2545  HashListTableLookup(de_ctx->pattern_hash_table, &lookup, 0);
2546  if (res) {
2547  res->cnt++;
2548  res->mpm += ((cd->flags & DETECT_CONTENT_MPM) != 0);
2549  } else {
2550  DetectPatternTracker *add = SCCalloc(1, sizeof(*add));
2551  BUG_ON(add == NULL);
2552  add->cd = cd;
2553  add->sm_list = pkt->sm_list;
2554  add->cnt = 1;
2555  add->mpm = ((cd->flags & DETECT_CONTENT_MPM) != 0);
2556  HashListTableAdd(de_ctx->pattern_hash_table, (void *)add, 0);
2557  }
2558  break;
2559  }
2560  }
2561  if (smd->is_last)
2562  break;
2563  smd++;
2564  } while (1);
2565  }
2566  const DetectEngineFrameInspectionEngine *frame = s->frame_inspect;
2567  for (; frame != NULL; frame = frame->next) {
2568  SigMatchData *smd = frame->smd;
2569  do {
2570  if (smd == NULL) {
2571  BUG_ON(!(frame->sm_list < DETECT_SM_LIST_DYNAMIC_START));
2572  smd = s->sm_arrays[frame->sm_list];
2573  }
2574  switch (smd->type) {
2575  case DETECT_CONTENT: {
2576  const DetectContentData *cd = (const DetectContentData *)smd->ctx;
2577 
2578  DetectPatternTracker lookup = {
2579  .cd = cd, .sm_list = frame->sm_list, .cnt = 0, .mpm = 0
2580  };
2581  DetectPatternTracker *res =
2582  HashListTableLookup(de_ctx->pattern_hash_table, &lookup, 0);
2583  if (res) {
2584  res->cnt++;
2585  res->mpm += ((cd->flags & DETECT_CONTENT_MPM) != 0);
2586  } else {
2587  DetectPatternTracker *add = SCCalloc(1, sizeof(*add));
2588  BUG_ON(add == NULL);
2589  add->cd = cd;
2590  add->sm_list = frame->sm_list;
2591  add->cnt = 1;
2592  add->mpm = ((cd->flags & DETECT_CONTENT_MPM) != 0);
2593  HashListTableAdd(de_ctx->pattern_hash_table, (void *)add, 0);
2594  }
2595  break;
2596  }
2597  }
2598  if (smd->is_last)
2599  break;
2600  smd++;
2601  } while (1);
2602  }
2603 }
MpmInitThreadCtx
void MpmInitThreadCtx(MpmThreadCtx *mpm_thread_ctx, uint16_t matcher)
Definition: util-mpm.c:196
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
SignatureHasPacketContent
int SignatureHasPacketContent(const Signature *s)
check if a signature has patterns that are to be inspected against a packets payload (as opposed to t...
Definition: detect-engine-mpm.c:771
DetectEngineCtx_::pkt_mpms_list_cnt
uint32_t pkt_mpms_list_cnt
Definition: detect.h:1001
HashListTableGetListData
#define HashListTableGetListData(hb)
Definition: util-hashlist.h:56
DetectEngineCtx_::frame_mpms_list_cnt
uint32_t frame_mpms_list_cnt
Definition: detect.h:1004
DetectContentData_::offset
uint16_t offset
Definition: detect-content.h:107
SignatureInitData_::max_content_list_id
uint32_t max_content_list_id
Definition: detect.h:592
DetectPatternTracker
Definition: detect.h:722
SCFPSupportSMList_
Definition: detect.h:752
DetectEngineAppInspectionEngine_
Definition: detect.h:427
util-hash-string.h
MPMB_UDP_TS
@ MPMB_UDP_TS
Definition: detect.h:1336
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:530
detect-content.h
SGH_DIRECTION_TC
#define SGH_DIRECTION_TC(sgh)
Definition: detect-engine-mpm.c:983
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:116
DetectBufferMpmRegistry_::direction
int direction
Definition: detect.h:683
DETECT_CONTENT_FAST_PATTERN_CHOP
#define DETECT_CONTENT_FAST_PATTERN_CHOP
Definition: detect-content.h:36
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:581
PatternMatchDestroy
void PatternMatchDestroy(MpmCtx *mpm_ctx, uint16_t mpm_matcher)
Definition: detect-engine-mpm.c:875
MpmStore_::sid_array_size
uint32_t sid_array_size
Definition: detect.h:1344
DetectContentData_::fp_chop_len
uint16_t fp_chop_len
Definition: detect-content.h:98
MpmStore_::sid_array
uint8_t * sid_array
Definition: detect.h:1343
DetectEngineCtx_::sgh_mpm_context_proto_tcp_packet
int32_t sgh_mpm_context_proto_tcp_packet
Definition: detect.h:909
PatternMatchPrepareGroup
int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
Prepare the pattern matcher ctx in a sig group head.
Definition: detect-engine-mpm.c:2203
SCFPSupportSMList_::next
struct SCFPSupportSMList_ * next
Definition: detect.h:755
DetectEnginePktInspectionEngine
Definition: detect.h:481
DetectEngineAppInspectionEngine_::next
struct DetectEngineAppInspectionEngine_ * next
Definition: detect.h:446
detect-engine-siggroup.h
SigGroupHead_::flags
uint16_t flags
Definition: detect.h:1449
SCFPSupportSMList_::list_id
int list_id
Definition: detect.h:753
SigTableElmt_::name
const char * name
Definition: detect.h:1296
MpmStoreFree
void MpmStoreFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by MpmStoreInit() function.
Definition: detect-engine-mpm.c:1505
DetectFrameMpmRegisterByParentId
void DetectFrameMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
Definition: detect-engine-mpm.c:334
MpmThreadCtx_
Definition: util-mpm.h:46
DetectPatternTracker::mpm
uint32_t mpm
Definition: detect.h:726
Signature_::num
SigIntId num
Definition: detect.h:608
ConfGetBool
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
Definition: conf.c:483
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1448
DetectEngineCtx_::pattern_hash_table
HashListTable * pattern_hash_table
Definition: detect.h:875
DetectEngineTransforms
Definition: detect.h:409
DetectBufferMpmRegistry_::sm_list_base
int16_t sm_list_base
Definition: detect.h:685
MpmFactoryReClaimMpmCtx
void MpmFactoryReClaimMpmCtx(const DetectEngineCtx *de_ctx, MpmCtx *mpm_ctx)
Definition: util-mpm.c:157
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
MpmStoreReportStats
void MpmStoreReportStats(const DetectEngineCtx *de_ctx)
Definition: detect-engine-mpm.c:1408
Signature_::alproto
AppProto alproto
Definition: detect.h:601
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
MPMB_OTHERIP
@ MPMB_OTHERIP
Definition: detect.h:1338
DetectPktMpmRegister
void DetectPktMpmRegister(const char *name, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id), InspectionBufferGetPktDataPtr GetData)
register a MPM engine
Definition: detect-engine-mpm.c:516
SigMatchData_::is_last
bool is_last
Definition: detect.h:361
DetectBufferTypeSupportsFrames
void DetectBufferTypeSupportsFrames(const char *name)
Definition: detect-engine.c:1032
DetectBufferMpmRegistry_::frame_v1
struct DetectBufferMpmRegistry_::@88::@92 frame_v1
DetectMpmInitializeFrameMpms
void DetectMpmInitializeFrameMpms(DetectEngineCtx *de_ctx)
Definition: detect-engine-mpm.c:436
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:81
DETECT_SM_LIST_DYNAMIC_START
@ DETECT_SM_LIST_DYNAMIC_START
Definition: detect.h:135
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:362
DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED
#define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED
Definition: detect-content.h:55
MpmStore_::sm_list
int sm_list
Definition: detect.h:1348
PatternStrength
uint32_t PatternStrength(uint8_t *pat, uint16_t patlen)
Predict a strength value for patterns.
Definition: detect-engine-mpm.c:905
DetectEngineCtx_::pkt_mpms_list
DetectBufferMpmRegistry * pkt_mpms_list
Definition: detect.h:1000
DETECT_BUFFER_MPM_TYPE_FRAME
@ DETECT_BUFFER_MPM_TYPE_FRAME
Definition: detect.h:674
DetectSetFastPatternAndItsId
int DetectSetFastPatternAndItsId(DetectEngineCtx *de_ctx)
Figure out the FP and their respective content ids for all the sigs in the engine.
Definition: detect-engine-mpm.c:2394
InspectionBufferGetDataPtr
InspectionBuffer *(* InspectionBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)
Definition: detect.h:415
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:75
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:839
DetectEnginePktInspectionEngine::smd
SigMatchData * smd
Definition: detect.h:482
util-memcpy.h
DETECT_CONTENT_MPM_IS_CONCLUSIVE
#define DETECT_CONTENT_MPM_IS_CONCLUSIVE(c)
Definition: detect-content.h:78
HashListTableGetListHead
HashListTableBucket * HashListTableGetListHead(HashListTable *ht)
Definition: util-hashlist.c:287
DETECT_CONTENT_DEPTH_VAR
#define DETECT_CONTENT_DEPTH_VAR
Definition: detect-content.h:46
InspectionBufferGetPktDataPtr
InspectionBuffer *(* InspectionBufferGetPktDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)
Definition: detect.h:476
DetectEngineBufferTypeGetNameById
const char * DetectEngineBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1102
DetectMpmInitializeBuiltinMpms
void DetectMpmInitializeBuiltinMpms(DetectEngineCtx *de_ctx)
Definition: detect-engine-mpm.c:701
DetectBufferMpmRegistry_::next
struct DetectBufferMpmRegistry_ * next
Definition: detect.h:718
SIG_FLAG_REQUIRE_STREAM
#define SIG_FLAG_REQUIRE_STREAM
Definition: detect.h:250
DetectPatternTracker::cnt
uint32_t cnt
Definition: detect.h:725
DetectBufferMpmRegistry_
one time registration of keywords at start up
Definition: detect.h:680
DE_QUIET
#define DE_QUIET
Definition: detect.h:324
MpmCtx_::maxlen
uint16_t maxlen
Definition: util-mpm.h:100
MPMB_TCP_STREAM_TS
@ MPMB_TCP_STREAM_TS
Definition: detect.h:1334
DetectPatternTracker::cd
const struct DetectContentData_ * cd
Definition: detect.h:723
PatIntId
#define PatIntId
Definition: suricata-common.h:318
SIG_GROUP_HEAD_HAVERAWSTREAM
#define SIG_GROUP_HEAD_HAVERAWSTREAM
Definition: detect.h:1322
MpmTableElmt_::feature_flags
uint8_t feature_flags
Definition: util-mpm.h:174
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:48
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:649
DetectBufferMpmRegistry_::app_v2
struct DetectBufferMpmRegistry_::@88::@90 app_v2
DetectContentData_
Definition: detect-content.h:93
DetectContentData_::fp_chop_offset
uint16_t fp_chop_offset
Definition: detect-content.h:100
HashListTableLookup
void * HashListTableLookup(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:245
detect-engine-payload.h
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:267
MAX
#define MAX(x, y)
Definition: suricata-common.h:395
ALPROTO_MAX
@ ALPROTO_MAX
Definition: app-layer-protos.h:76
MPMB_MAX
@ MPMB_MAX
Definition: detect.h:1339
SigMatchData_
Data needed for Match()
Definition: detect.h:359
DetectEngineCtx_::sgh_mpm_context_proto_udp_packet
int32_t sgh_mpm_context_proto_udp_packet
Definition: detect.h:910
DetectBufferMpmRegistry_::transforms
DetectEngineTransforms transforms
Definition: detect.h:693
ShortenString
void ShortenString(const char *input, char *output, size_t output_size, char c)
Definition: util-misc.c:215
SigMatchData_::type
uint16_t type
Definition: detect.h:360
DetectEngineRegisterFastPatternForId
void DetectEngineRegisterFastPatternForId(DetectEngineCtx *de_ctx, int list_id, int priority)
Definition: detect-fast-pattern.c:135
SidsArray
Definition: detect-engine-mpm.c:1744
MPMB_TCP_STREAM_TC
@ MPMB_TCP_STREAM_TC
Definition: detect.h:1335
detect-engine-prefilter.h
EngineAnalysisAddAllRulePatterns
void EngineAnalysisAddAllRulePatterns(DetectEngineCtx *de_ctx, const Signature *s)
add all patterns on our stats hash Used to fill the hash later used by DumpPatterns()
Definition: detect-engine-mpm.c:2456
Signature_::frame_inspect
DetectEngineFrameInspectionEngine * frame_inspect
Definition: detect.h:645
MpmBuiltinBuffers
MpmBuiltinBuffers
Definition: detect.h:1331
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1072
HashListTableAdd
int HashListTableAdd(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:114
detect-udphdr.h
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
HashListTable_::array_size
uint32_t array_size
Definition: util-hashlist.h:41
DetectAppLayerMpmRegisterByParentId
void DetectAppLayerMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
Definition: detect-engine-mpm.c:143
util-memcmp.h
SigGroupHeadInitData_::pkt_mpms
MpmCtx ** pkt_mpms
Definition: detect.h:1432
MpmInitCtx
void MpmInitCtx(MpmCtx *mpm_ctx, uint8_t matcher)
Definition: util-mpm.c:210
Signature_::next
struct Signature_ * next
Definition: detect.h:668
DetectEngineCtx_::sgh_mpm_context_proto_other_packet
int32_t sgh_mpm_context_proto_other_packet
Definition: detect.h:911
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:433
DetectBufferInstance::alproto
AppProto alproto
Definition: detect-engine-mpm.c:1911
ConfGet
int ConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:335
HashListTableGetListNext
#define HashListTableGetListNext(hb)
Definition: util-hashlist.h:55
DetectBufferMpmType
DetectBufferMpmType
Definition: detect.h:671
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:266
HashListTableInit
HashListTable * HashListTableInit(uint32_t size, uint32_t(*Hash)(struct HashListTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
Definition: util-hashlist.c:35
decode.h
MpmDestroyThreadCtx
void MpmDestroyThreadCtx(MpmThreadCtx *mpm_thread_ctx, const uint16_t matcher)
Definition: util-mpm.c:203
util-debug.h
DetectBufferInstance::ts
struct SidsArray ts
Definition: detect-engine-mpm.c:1913
SigGroupHeadInitData_::sig_cnt
SigIntId sig_cnt
Definition: detect.h:1441
SidsArray::sids_array_size
uint32_t sids_array_size
Definition: detect-engine-mpm.c:1746
DETECT_CONTENT_ENDS_WITH
#define DETECT_CONTENT_ENDS_WITH
Definition: detect-content.h:42
DetectBufferMpmRegistry_::sgh_mpm_context
int sgh_mpm_context
Definition: detect.h:689
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
MpmFactoryGetMpmCtxForProfile
MpmCtx * MpmFactoryGetMpmCtxForProfile(const DetectEngineCtx *de_ctx, int32_t id, int direction)
Definition: util-mpm.c:132
DetectEnginePktInspectionEngine::sm_list
uint16_t sm_list
Definition: detect.h:484
DetectMpmInitializePktMpms
void DetectMpmInitializePktMpms(DetectEngineCtx *de_ctx)
Definition: detect-engine-mpm.c:603
MPM_PATTERN_CTX_OWNS_ID
#define MPM_PATTERN_CTX_OWNS_ID
Definition: util-mpm.h:139
strlcat
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
MpmStore_
Definition: detect.h:1342
SignatureInitData_::mpm_sm
SigMatch * mpm_sm
Definition: detect.h:560
DetectBufferMpmRegistry_::sm_list
int16_t sm_list
Definition: detect.h:684
DetectEngineGetMaxSigId
#define DetectEngineGetMaxSigId(de_ctx)
Definition: detect-engine.h:105
SignatureInitData_::mpm_sm_list
int mpm_sm_list
Definition: detect.h:558
SidsArray::sids_array
uint8_t * sids_array
Definition: detect-engine-mpm.c:1745
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
Signature_::pkt_inspect
DetectEnginePktInspectionEngine * pkt_inspect
Definition: detect.h:644
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
DetectEngineFrameInspectionEngine::sm_list
uint16_t sm_list
Definition: detect.h:511
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:354
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:842
DETECT_CONTENT_IS_SINGLE
#define DETECT_CONTENT_IS_SINGLE(c)
Definition: detect-content.h:68
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:745
DetectBufferMpmRegistry_::priority
int priority
Definition: detect.h:686
PatternMatchThreadPrepare
void PatternMatchThreadPrepare(MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher)
Definition: detect-engine-mpm.c:886
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
DetectEngineBufferTypeRegister
int DetectEngineBufferTypeRegister(DetectEngineCtx *de_ctx, const char *name)
Definition: detect-engine.c:1159
SigGroupHead_::init
SigGroupHeadInitData * init
Definition: detect.h:1471
DetectBufferMpmRegistry_::pkt_v1
struct DetectBufferMpmRegistry_::@88::@91 pkt_v1
DetectContentData_::id
PatIntId id
Definition: detect-content.h:105
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
Signature_::app_inspect
DetectEngineAppInspectionEngine * app_inspect
Definition: detect.h:643
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:353
DetectProto_::proto
uint8_t proto[256/8]
Definition: detect-engine-proto.h:37
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
MpmStore_::direction
int direction
Definition: detect.h:1346
MPMCTX_FLAGS_GLOBAL
#define MPMCTX_FLAGS_GLOBAL
Definition: util-mpm.h:85
PrefilterRegisterFunc
int(* PrefilterRegisterFunc)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-mpm.h:75
Signature_::flags
uint32_t flags
Definition: detect.h:597
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:106
stream.h
MpmFactoryRegisterMpmCtxProfile
int32_t MpmFactoryRegisterMpmCtxProfile(DetectEngineCtx *de_ctx, const char *name, const int sm_list, const AppProto alproto)
Register a new Mpm Context.
Definition: util-mpm.c:59
DetectEngineCtx_::sgh_mpm_context_stream
int32_t sgh_mpm_context_stream
Definition: detect.h:912
type
uint16_t type
Definition: decode-vlan.c:107
DetectEngineBufferTypeSupportsFrames
void DetectEngineBufferTypeSupportsFrames(DetectEngineCtx *de_ctx, const char *name)
Definition: detect-engine.c:1198
DetectEngineCtx_::frame_mpms_list
DetectBufferMpmRegistry * frame_mpms_list
Definition: detect.h:1003
conf.h
DetectEngineCtx_::sgh_mpm_ctx_cnf
uint8_t sgh_mpm_ctx_cnf
Definition: detect.h:940
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
PrefilterPktPayloadRegister
int PrefilterPktPayloadRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)
Definition: detect-engine-payload.c:132
MpmStore_::alproto
AppProto alproto
Definition: detect.h:1350
DetectEngineFrameInspectionEngine
Definition: detect.h:506
DETECT_BUFFER_MPM_TYPE_PKT
@ DETECT_BUFFER_MPM_TYPE_PKT
Definition: detect.h:672
MpmTableElmt_::Prepare
int(* Prepare)(struct MpmCtx_ *)
Definition: util-mpm.h:166
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:665
FastPatternSupportEnabledForSigMatchList
int FastPatternSupportEnabledForSigMatchList(const DetectEngineCtx *de_ctx, const int list_id)
Checks if a particular buffer is in the list of lists that need to be searched for a keyword that has...
Definition: detect-fast-pattern.c:64
MPM_TABLE_SIZE
@ MPM_TABLE_SIZE
Definition: util-mpm.h:40
SCFPSupportSMList_::priority
int priority
Definition: detect.h:754
HashListTable_
Definition: util-hashlist.h:37
DetectEngineTransforms::transforms
TransformData transforms[DETECT_TRANSFORMS_MAX]
Definition: detect.h:410
SidsArray::type
enum DetectBufferMpmType type
Definition: detect-engine-mpm.c:1750
SigGroupHeadInitData_::app_mpms
MpmCtx ** app_mpms
Definition: detect.h:1431
MpmAddPatternCS
int MpmAddPatternCS(struct MpmCtx_ *mpm_ctx, uint8_t *pat, uint16_t patlen, uint16_t offset, uint16_t depth, uint32_t pid, SigIntId sid, uint8_t flags)
Definition: util-mpm.c:250
DetectEngineBufferTypeSupportsTransformations
void DetectEngineBufferTypeSupportsTransformations(DetectEngineCtx *de_ctx, const char *name)
Definition: detect-engine.c:1222
SGH_DIRECTION_TS
#define SGH_DIRECTION_TS(sgh)
Definition: detect-engine-mpm.c:982
PrefilterGenericMpmPktRegister
int PrefilterGenericMpmPktRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:815
DetectPatternTracker::sm_list
int sm_list
Definition: detect.h:724
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:444
DetectBufferInstance
Definition: detect-engine-mpm.c:1908
MpmStore_::mpm_ctx
MpmCtx * mpm_ctx
Definition: detect.h:1351
MPM_FEATURE_FLAG_ENDSWITH
#define MPM_FEATURE_FLAG_ENDSWITH
Definition: util-mpm.h:144
detect-fast-pattern.h
MpmStorePrepareBuffer
MpmStore * MpmStorePrepareBuffer(DetectEngineCtx *de_ctx, SigGroupHead *sgh, enum MpmBuiltinBuffers buf)
Get MpmStore for a built-in buffer type.
Definition: detect-engine-mpm.c:1611
MPMB_TCP_PKT_TC
@ MPMB_TCP_PKT_TC
Definition: detect.h:1333
cnt
uint32_t cnt
Definition: tmqh-packetpool.h:7
DetectMpmPrepareFrameMpms
int DetectMpmPrepareFrameMpms(DetectEngineCtx *de_ctx)
initialize mpm contexts for applayer buffers that are in "single or "shared" mode.
Definition: detect-engine-mpm.c:488
DetectEngineFrameMpmRegister
void DetectEngineFrameMpmRegister(DetectEngineCtx *de_ctx, const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id), AppProto alproto, uint8_t type)
Definition: detect-engine-mpm.c:373
SignatureHasStreamContent
int SignatureHasStreamContent(const Signature *s)
check if a signature has patterns that are to be inspected against the stream payload (as opposed to ...
Definition: detect-engine-mpm.c:801
util-mpm.h
flags
uint8_t flags
Definition: decode-gre.h:0
Signature_::proto
DetectProto proto
Definition: detect.h:615
DetectBufferMpmRegistry_::type
enum DetectBufferMpmType type
Definition: detect.h:688
MpmStoreInit
int MpmStoreInit(DetectEngineCtx *de_ctx)
Initializes the MpmStore mpm hash table to be used by the detection engine context.
Definition: detect-engine-mpm.c:1342
DetectEngineCtx_::app_mpms_list
DetectBufferMpmRegistry * app_mpms_list
Definition: detect.h:995
suricata-common.h
MpmCtx_::pattern_cnt
uint32_t pattern_cnt
Definition: util-mpm.h:97
DETECT_BUFFER_MPM_TYPE_APP
@ DETECT_BUFFER_MPM_TYPE_APP
Definition: detect.h:673
DetectBufferTypeSupportsMpm
void DetectBufferTypeSupportsMpm(const char *name)
Definition: detect-engine.c:1052
DetectBufferInstance::list
int list
Definition: detect-engine-mpm.c:1910
HashListTableFree
void HashListTableFree(HashListTable *ht)
Definition: util-hashlist.c:88
SigGroupHeadInitData_::match_array
Signature ** match_array
Definition: detect.h:1444
DetectBufferMpmRegistry_::name
const char * name
Definition: detect.h:681
SupportFastPatternForSigMatchList
void SupportFastPatternForSigMatchList(int list_id, int priority)
Lets one add a sm list id to be searched for potential fp supported keywords later.
Definition: detect-fast-pattern.c:130
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
DetectEngineFrameInspectionEngine::next
struct DetectEngineFrameInspectionEngine * next
Definition: detect.h:519
SCLogPerf
#define SCLogPerf(...)
Definition: util-debug.h:230
DetectEnginePktInspectionEngine::next
struct DetectEnginePktInspectionEngine * next
Definition: detect.h:492
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:94
PatternMatchDefaultMatcher
uint8_t PatternMatchDefaultMatcher(void)
Function to return the multi pattern matcher algorithm to be used by the engine, based on the mpm-alg...
Definition: detect-engine-mpm.c:829
FatalError
#define FatalError(...)
Definition: util-debug.h:502
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:847
DetectMpmPreparePktMpms
int DetectMpmPreparePktMpms(DetectEngineCtx *de_ctx)
initialize mpm contexts for applayer buffers that are in "single or "shared" mode.
Definition: detect-engine-mpm.c:655
TransformData_::transform
int transform
Definition: detect.h:405
DetectEngineBufferTypeSupportsMpm
void DetectEngineBufferTypeSupportsMpm(DetectEngineCtx *de_ctx, const char *name)
Definition: detect-engine.c:1214
util-validate.h
detect-flow.h
DetectEngineCtx_::app_mpms_list_cnt
uint32_t app_mpms_list_cnt
Definition: detect.h:994
DetectBufferTypeSupportsTransformations
void DetectBufferTypeSupportsTransformations(const char *name)
Definition: detect-engine.c:1062
MPM_PATTERN_FLAG_ENDSWITH
#define MPM_PATTERN_FLAG_ENDSWITH
Definition: util-mpm.h:140
builtin_mpms
const char * builtin_mpms[]
Definition: detect-engine-mpm.c:66
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:586
g_skip_prefilter
int g_skip_prefilter
Definition: detect-engine-mpm.c:1050
DetectEngineCtx_::mpm_hash_table
HashListTable * mpm_hash_table
Definition: detect.h:874
MPMB_UDP_TC
@ MPMB_UDP_TC
Definition: detect.h:1337
MpmTableElmt_::DestroyCtx
void(* DestroyCtx)(struct MpmCtx_ *)
Definition: util-mpm.h:150
DetectBufferMpmRegistry_::id
int id
Definition: detect.h:687
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:820
SCFree
#define SCFree(p)
Definition: util-mem.h:61
MPM_CTX_FACTORY_UNIQUE_CONTEXT
#define MPM_CTX_FACTORY_UNIQUE_CONTEXT
Definition: util-mpm.h:113
DetectMpmPrepareBuiltinMpms
int DetectMpmPrepareBuiltinMpms(DetectEngineCtx *de_ctx)
initialize mpm contexts for builtin buffers that are in "single or "shared" mode.
Definition: detect-engine-mpm.c:714
Signature_::id
uint32_t id
Definition: detect.h:631
DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_OFFSET
Definition: detect-content.h:32
HashListTableBucket_
Definition: util-hashlist.h:28
DetectBufferMpmRegistry_::PrefilterRegisterWithListId
int(* PrefilterRegisterWithListId)(struct DetectEngineCtx_ *de_ctx, struct SigGroupHead_ *sgh, MpmCtx *mpm_ctx, const struct DetectBufferMpmRegistry_ *mpm_reg, int list_id)
Definition: detect.h:691
detect-tcphdr.h
DETECT_CONTENT_MPM
#define DETECT_CONTENT_MPM
Definition: detect-content.h:61
detect-engine-iponly.h
detect-parse.h
SignatureInitDataBuffer_::id
uint32_t id
Definition: detect.h:523
Signature_
Signature container.
Definition: detect.h:596
SigMatch_
a single match condition for a signature
Definition: detect.h:350
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
MPMB_TCP_PKT_TS
@ MPMB_TCP_PKT_TS
Definition: detect.h:1332
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:47
app-layer-protos.h
DetectMpmInitializeAppMpms
void DetectMpmInitializeAppMpms(DetectEngineCtx *de_ctx)
Definition: detect-engine-mpm.c:211
DetectEngineTransforms::cnt
int cnt
Definition: detect.h:411
suricata.h
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:856
DETECT_BUFFER_MPM_TYPE_SIZE
@ DETECT_BUFFER_MPM_TYPE_SIZE
Definition: detect.h:676
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
DetectBufferInstance::tc
struct SidsArray tc
Definition: detect-engine-mpm.c:1914
DetectEngineCtx_::buffer_type_id
uint32_t buffer_type_id
Definition: detect.h:992
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:841
MpmCtx_
Definition: util-mpm.h:88
SGH_PROTO
#define SGH_PROTO(sgh, p)
Definition: detect-engine-mpm.c:981
DETECT_CONTENT_REPLACE
#define DETECT_CONTENT_REPLACE
Definition: detect-content.h:51
util-misc.h
flow.h
MpmCtx_::flags
uint8_t flags
Definition: util-mpm.h:92
DetectPktMpmRegisterByParentId
void DetectPktMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
Definition: detect-engine-mpm.c:565
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DetectFrameMpmRegister
void DetectFrameMpmRegister(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id), AppProto alproto, uint8_t type)
register a MPM engine
Definition: detect-engine-mpm.c:286
util-enum.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
DetectBufferInstance
struct DetectBufferInstance DetectBufferInstance
SidsArray::active
bool active
Definition: detect-engine-mpm.c:1748
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:587
MpmAddPatternCI
int MpmAddPatternCI(struct MpmCtx_ *mpm_ctx, uint8_t *pat, uint16_t patlen, uint16_t offset, uint16_t depth, uint32_t pid, SigIntId sid, uint8_t flags)
Definition: util-mpm.c:259
flow-var.h
SCMemcmp
#define SCMemcmp(a, b, c)
Definition: util-memcmp.h:290
DetectMpmPrepareAppMpms
int DetectMpmPrepareAppMpms(DetectEngineCtx *de_ctx)
initialize mpm contexts for applayer buffers that are in "single or "shared" mode.
Definition: detect-engine-mpm.c:261
DetectEngineCtx_::fp_support_smlist_list
SCFPSupportSMList * fp_support_smlist_list
Definition: detect.h:1017
MpmStore_::sgh_mpm_context
int32_t sgh_mpm_context
Definition: detect.h:1349
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:103
SIG_FLAG_PREFILTER
#define SIG_FLAG_PREFILTER
Definition: detect.h:273
PatternMatchThreadDestroy
void PatternMatchThreadDestroy(MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher)
Definition: detect-engine-mpm.c:881
MpmStore_::buffer
enum MpmBuiltinBuffers buffer
Definition: detect.h:1347
ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE
Definition: detect.h:1064
RetrieveFPForSig
void RetrieveFPForSig(const DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-engine-mpm.c:1052
StringHashDjb2
uint32_t StringHashDjb2(const uint8_t *data, uint32_t datalen)
Definition: util-hash-string.c:22
PrefilterPktStreamRegister
int PrefilterPktStreamRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)
Definition: detect-engine-payload.c:109
DETECT_CONTENT_OFFSET_VAR
#define DETECT_CONTENT_OFFSET_VAR
Definition: detect-content.h:45
SigGroupHeadInitData_::frame_mpms
MpmCtx ** frame_mpms
Definition: detect.h:1433
DetectBufferMpmRegistry_::pname
char pname[32]
Definition: detect.h:682
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:249
DetectEngineFrameInspectionEngine::smd
SigMatchData * smd
Definition: detect.h:518