56 static int StreamMpmFunc(
void *cb_data,
const uint8_t *data,
const uint32_t data_len)
62 smd->
det_ctx->stream_mpm_size += data_len;
72 Packet *p,
const void *pectx)
80 SCLogDebug(
"PRE det_ctx->raw_stream_progress %"PRIu64,
84 StreamMpmFunc, &stream_mpm_data,
87 SCLogDebug(
"POST det_ctx->raw_stream_progress %"PRIu64,
90 SCLogDebug(
"NOT p->flags & PKT_DETECT_HAS_STREAMDATA");
99 det_ctx->payload_mpm_cnt++;
103 &det_ctx->
mtc, &det_ctx->
pmq,
113 PrefilterPktStream, mpm_ctx, NULL,
"stream");
117 Packet *p,
const void *pectx)
126 &det_ctx->
mtc, &det_ctx->
pmq,
134 PrefilterPktPayload, mpm_ctx, NULL,
"payload");
160 det_ctx->payload_persig_cnt++;
190 static int DetectEngineInspectStreamUDPPayload(
DetectEngineCtx *de_ctx,
202 det_ctx->payload_persig_cnt++;
226 static int StreamContentInspectFunc(
void *cb_data,
const uint8_t *data,
const uint32_t data_len)
232 smd->
det_ctx->stream_persig_cnt++;
233 smd->
det_ctx->stream_persig_size += data_len;
241 smd->
f, (uint8_t *)data, data_len, 0, 0,
271 StreamContentInspectFunc, &inspect_data,
284 static int StreamContentInspectEngineFunc(
void *cb_data,
const uint8_t *data,
const uint32_t data_len)
290 smd->
det_ctx->stream_persig_cnt++;
291 smd->
det_ctx->stream_persig_size += data_len;
299 smd->
f, (uint8_t *)data, data_len, 0, 0,
325 if (p->
proto == IPPROTO_UDP) {
326 return DetectEngineInspectStreamUDPPayload(de_ctx,
327 det_ctx, s, smd, f, p);
329 }
else if (p->
proto != IPPROTO_TCP)
336 SCLogDebug(
"pre-inspect det_ctx->raw_stream_progress %"PRIu64,
341 StreamContentInspectEngineFunc, &inspect_data,
344 bool is_last =
false;
355 SCLogDebug(
"%s ran stream for sid %u on packet %"PRIu64
" and we %s",
356 is_last?
"LAST:" :
"normal:", s->
id, p->
pcap_cnt,
357 match ?
"matched" :
"didn't match");
375 static int PayloadTestSig01 (
void)
377 uint8_t *buf = (uint8_t *)
379 uint16_t buflen = strlen((
char *)buf);
383 char sig[] =
"alert tcp any any -> any any (content:\"abc\"; content:\"d\"; distance:0; within:1; sid:1;)";
397 static int PayloadTestSig02 (
void)
399 uint8_t *buf = (uint8_t *)
401 uint16_t buflen = strlen((
char *)buf);
405 char sig[] =
"alert tcp any any -> any any (content:\"abc\"; nocase; content:\"d\"; distance:0; within:1; sid:1;)";
419 static int PayloadTestSig03 (
void)
421 uint8_t *buf = (uint8_t *)
423 uint16_t buflen = strlen((
char *)buf);
427 char sig[] =
"alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";
443 static int PayloadTestSig04(
void)
445 uint8_t *buf = (uint8_t *)
"now this is is big big string now";
446 uint16_t buflen = strlen((
char *)buf);
450 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 451 "content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; " 452 "content:\"string\"; within:8; sid:1;)";
468 static int PayloadTestSig05(
void)
470 uint8_t *buf = (uint8_t *)
"now this is is is big big big string now";
471 uint16_t buflen = strlen((
char *)buf);
475 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 476 "content:\"this\"; content:\"is\"; within:9; content:\"big\"; within:12; " 477 "content:\"string\"; within:8; sid:1;)";
493 static int PayloadTestSig06(
void)
495 uint8_t *buf = (uint8_t *)
"this this now is is big string now";
496 uint16_t buflen = strlen((
char *)buf);
500 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 501 "content:\"now\"; content:\"this\"; content:\"is\"; within:12; content:\"big\"; within:8; " 502 "content:\"string\"; within:8; sid:1;)";
518 static int PayloadTestSig07(
void)
520 uint8_t *buf = (uint8_t *)
" thus thus is a big";
521 uint16_t buflen = strlen((
char *)buf);
525 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 526 "content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; sid:1;)";
544 static int PayloadTestSig08(
void)
546 uint8_t *buf = (uint8_t *)
"we need to fix this and yes fix this now";
547 uint16_t buflen = strlen((
char *)buf);
551 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 552 "content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
568 static int PayloadTestSig09(
void)
570 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
571 uint16_t buflen = strlen((
char *)buf);
575 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 576 "pcre:/super/; content:\"nova\"; within:7; sid:1;)";
593 static int PayloadTestSig10(
void)
595 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
596 uint16_t buflen = strlen((
char *)buf);
600 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; " 601 "byte_test:4,>,2,0,relative; sid:11;)";
618 static int PayloadTestSig11(
void)
620 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
621 uint16_t buflen = strlen((
char *)buf);
625 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; " 626 "byte_jump:1,0,relative; sid:11;)";
643 static int PayloadTestSig12(
void)
645 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
646 uint16_t buflen = strlen((
char *)buf);
650 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; " 651 "isdataat:10,relative; sid:11;)";
668 static int PayloadTestSig13(
void)
670 uint8_t *buf = (uint8_t *)
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 671 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 672 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 673 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 674 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 675 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 676 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 677 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 678 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 679 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 680 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 681 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 682 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 683 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 684 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 685 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 686 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 687 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 688 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 689 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
690 uint16_t buflen = strlen((
char *)buf);
695 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 696 "content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; " 697 "byte_test:1,>,200,0,relative; sid:1;)";
699 struct timeval tv_start, tv_end, tv_diff;
701 gettimeofday(&tv_start, NULL);
709 memset(&th_v, 0,
sizeof(th_v));
712 if (de_ctx == NULL) {
713 printf(
"de_ctx == NULL: ");
723 printf(
"signature == NULL: ");
747 gettimeofday(&tv_end, NULL);
749 tv_diff.tv_sec = tv_end.tv_sec - tv_start.tv_sec;
750 tv_diff.tv_usec = tv_end.tv_usec - tv_start.tv_usec;
752 printf(
"%ld.%06ld\n", (
long int)tv_diff.tv_sec, (
long int)tv_diff.tv_usec);
764 static int PayloadTestSig14(
void)
766 uint8_t *buf = (uint8_t *)
"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5";
767 uint16_t buflen = strlen((
char *)buf);
771 char sig[] =
"alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
786 static int PayloadTestSig15(
void)
788 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
789 uint16_t buflen = strlen((
char *)buf);
793 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 794 "content:\"nova\"; isdataat:18,relative; sid:1;)";
809 static int PayloadTestSig16(
void)
811 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
812 uint16_t buflen = strlen((
char *)buf);
816 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 817 "content:\"nova\"; isdataat:!20,relative; sid:1;)";
832 static int PayloadTestSig17(
void)
834 uint8_t buf[] = { 0xEB, 0x29, 0x25, 0x38, 0x78, 0x25, 0x38, 0x78, 0x25 };
839 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 840 "content:\"%\"; depth:4; offset:0; " 841 "content:\"%\"; within:2; distance:1; sid:1;)";
856 static int PayloadTestSig18(
void)
859 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
860 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
863 uint16_t buflen =
sizeof(buf);
867 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 868 "content:\"|01 02 03 04|\"; " 869 "byte_extract:1,2,one,string,dec,relative; " 870 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
885 static int PayloadTestSig19(
void)
888 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
889 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
892 uint16_t buflen =
sizeof(buf);
896 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 897 "content:\"|01 02 03 04|\"; " 898 "byte_extract:1,2,one,string,hex,relative; " 899 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
914 static int PayloadTestSig20(
void)
917 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
918 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
921 uint16_t buflen =
sizeof(buf);
925 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 926 "content:\"|01 02 03 04|\"; " 927 "byte_extract:1,2,one,string,dec,relative; " 928 "content:\"|06 35 07 08|\"; offset:one; sid:1;)";
943 static int PayloadTestSig21(
void)
946 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36,
947 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
950 uint16_t buflen =
sizeof(buf);
954 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 955 "content:\"|01 02 03 04|\"; " 956 "byte_extract:1,2,one,string,dec,relative; " 957 "content:\"|03 04 05 06|\"; depth:one; sid:1;)";
972 static int PayloadTestSig22(
void)
975 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36,
976 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
979 uint16_t buflen =
sizeof(buf);
983 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 984 "content:\"|01 02 03 04|\"; " 985 "byte_extract:1,2,one,string,dec,relative; " 986 "content:\"|09 0A 0B 0C|\"; within:one; sid:1;)";
1001 static int PayloadTestSig23(
void)
1004 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32,
1005 0x07, 0x08, 0x09, 0x33, 0x0B, 0x0C, 0x0D,
1008 uint16_t buflen =
sizeof(buf);
1012 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 1013 "content:\"|01 02 03 04|\"; " 1014 "byte_extract:1,2,one,string,dec,relative; " 1015 "byte_extract:1,3,two,string,dec,relative; " 1016 "byte_test:1,=,one,two,string,dec,relative; sid:1;)";
1031 static int PayloadTestSig24(
void)
1034 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32,
1035 0x07, 0x08, 0x33, 0x0A, 0x0B, 0x0C, 0x0D,
1038 uint16_t buflen =
sizeof(buf);
1042 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 1043 "content:\"|01 02 03 04|\"; " 1044 "byte_extract:1,2,one,string,dec,relative; " 1045 "byte_jump:1,one,string,dec,relative; " 1046 "content:\"|0D 0E 0F|\"; distance:0; sid:1;)";
1064 static int PayloadTestSig25(
void)
1067 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
1068 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
1071 uint16_t buflen =
sizeof(buf);
1075 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 1076 "content:\"|35 07 08 09|\"; " 1077 "byte_extract:1,-4,one,string,dec,relative; " 1078 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
1096 static int PayloadTestSig26(
void)
1099 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
1100 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
1103 uint16_t buflen =
sizeof(buf);
1107 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 1108 "content:\"|35 07 08 09|\"; " 1109 "byte_extract:1,-3000,one,string,dec,relative; " 1110 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
1128 static int PayloadTestSig27(
void)
1130 uint8_t buf[] =
"dummypayload";
1131 uint16_t buflen =
sizeof(buf) - 1;
1136 char sig[] =
"alert tcp any any -> any any (content:\"dummy\"; " 1154 static int PayloadTestSig28(
void)
1156 uint8_t buf[] =
"dummypayload";
1157 uint16_t buflen =
sizeof(buf) - 1;
1162 char sig[] =
"alert tcp any any -> any any (content:\"payload\"; " 1163 "offset:4; depth:12; sid:1;)";
1180 static int PayloadTestSig29(
void)
1182 uint8_t *buf = (uint8_t *)
"this is a super dupernova in super nova now";
1183 uint16_t buflen = strlen((
char *)buf);
1187 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; " 1188 "pcre:/^.{4}/; content:\"nova\"; within:4; sid:1;)";
1202 static int PayloadTestSig30(
void)
1204 uint8_t *buf = (uint8_t *)
1205 "xyonexxxxxxtwojunkonetwo";
1206 uint16_t buflen = strlen((
char *)buf);
1210 char sig[] =
"alert tcp any any -> any any (content:\"one\"; pcre:\"/^two/R\"; sid:1;)";
1223 static int PayloadTestSig31(
void)
1225 uint8_t *buf = (uint8_t *)
1226 "xyonexxxxxxtwojunkonetwo";
1227 uint16_t buflen = strlen((
char *)buf);
1231 char sig[] =
"alert tcp any any -> any any (content:\"one\"; pcre:\"/(fiv|^two)/R\"; sid:1;)";
1247 static int PayloadTestSig32(
void)
1249 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1250 uint16_t buflen = strlen((
char *)buf);
1254 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; " 1255 "content:\"message\"; byte_jump:2,-14,string,dec,relative; content:\"card\"; within:4; sid:1;)";
1270 static int PayloadTestSig33(
void)
1272 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1273 uint16_t buflen = strlen((
char *)buf);
1277 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; " 1278 "content:\"message\"; byte_test:1,=,2,-14,string,dec,relative; sid:1;)";
1293 static int PayloadTestSig34(
void)
1295 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1296 uint16_t buflen = strlen((
char *)buf);
1300 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; " 1301 "content:\"message\"; byte_extract:1,-14,boom,string,dec,relative; sid:1;)";
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint16_t discontinue_matching
int DetectEngineInspectStreamPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature on the raw stream.
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
#define STREAMTCP_STREAM_FLAG_DEPTH_REACHED
void PayloadRegisterTests(void)
DetectReplaceList * replist
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Container for matching data for a signature group.
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
main detection engine ctx
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)
int StreamReassembleRaw(TcpSession *ssn, const Packet *p, StreamReassembleRawFunc Callback, void *cb_data, uint64_t *progress_out, bool respect_inspect_depth)
int DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature.
int DetectEngineInspectStream(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
inspect engine for stateful rules
#define DETECT_ENGINE_INSPECT_SIG_MATCH
int PrefilterAppendPayloadEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterFunc)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx), void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Data structures and function prototypes for keeping state for the detection engine.
#define PKT_DETECT_HAS_STREAMDATA
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Structure to hold thread specific data for all decode modules.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
int PrefilterPktStreamRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
int SigGroupCleanup(DetectEngineCtx *de_ctx)
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
uint64_t raw_stream_progress
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
DetectEngineThreadCtx * det_ctx
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode, void *data)
Run the actual payload match functions.
DetectEngineThreadCtx * det_ctx
int PrefilterPktPayloadRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
int inspection_recursion_counter
#define DETECT_CI_FLAGS_SINGLE
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Per thread variable structure.
DetectEngineThreadCtx * det_ctx
#define PKT_NOPAYLOAD_INSPECTION
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
int inspection_recursion_limit
DetectEngineCtx * DetectEngineCtxInit(void)