suricata
detect-engine-prefilter.c
Go to the documentation of this file.
1 /* Copyright (C) 2016-2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Prefilter engine
24  *
25  * Prefilter engines have as purpose to check for a critical common part of
26  * a set of rules. If the condition is present in the traffic, the rules
27  * will have to be inspected individually. Otherwise, the rules can be
28  * skipped.
29  *
30  * The best example of this is the MPM. From each rule take a pattern and
31  * add it to the MPM state machine. Inspect that in one step and only
32  * individually inspect the rules that had a match in MPM.
33  *
34  * This prefilter API is designed to abstract this logic so that it becomes
35  * easier to add other types of prefilters.
36  *
37  * The prefilter engines are structured as a simple list of engines. Each
38  * engine checks for a condition using it's callback function and private
39  * data. It then adds the rule match candidates to the PrefilterRuleStore
40  * structure.
41  *
42  * After the engines have run the resulting list of match candidates is
43  * sorted by the rule id's so that the individual inspection happens in
44  * the correct order.
45  */
46 
47 #include "suricata-common.h"
48 #include "suricata.h"
49 
50 #include "detect-engine.h"
51 #include "detect-engine-prefilter.h"
52 #include "detect-engine-mpm.h"
53 #include "detect-engine-frame.h"
54 #include "detect-engine-uint.h"
55 
56 #include "app-layer-parser.h"
57 #include "app-layer-htp.h"
58 
59 #include "util-profiling.h"
60 #include "util-validate.h"
61 #include "util-hash-string.h"
62 
63 static int PrefilterStoreGetId(DetectEngineCtx *de_ctx,
64  const char *name, void (*FreeFunc)(void *));
65 static const PrefilterStore *PrefilterStoreGetStore(const DetectEngineCtx *de_ctx,
66  const uint32_t id);
67 
68 static inline void QuickSortSigIntId(SigIntId *sids, uint32_t n)
69 {
70  if (n < 2)
71  return;
72  SigIntId p = sids[n / 2];
73  SigIntId *l = sids;
74  SigIntId *r = sids + n - 1;
75  while (l <= r) {
76  if (*l < p)
77  l++;
78  else if (*r > p)
79  r--;
80  else {
81  SigIntId t = *l;
82  *l = *r;
83  *r = t;
84  l++;
85  r--;
86  }
87  }
88  QuickSortSigIntId(sids, (uint32_t)(r - sids) + 1);
89  QuickSortSigIntId(l, (uint32_t)(sids + n - l));
90 }
91 
92 /**
93  * \brief run prefilter engines on a transaction
94  */
95 void DetectRunPrefilterTx(DetectEngineThreadCtx *det_ctx,
96  const SigGroupHead *sgh,
97  Packet *p,
98  const uint8_t ipproto,
99  const uint8_t flow_flags,
100  const AppProto alproto,
101  void *alstate,
102  DetectTransaction *tx)
103 {
104  /* reset rule store */
105  det_ctx->pmq.rule_id_array_cnt = 0;
106 
107  SCLogDebug("packet %" PRIu64 " tx %p progress %d tx->detect_progress %02x", PcapPacketCntGet(p),
108  tx->tx_ptr, tx->tx_progress, tx->detect_progress);
109 
110  PrefilterEngine *engine = sgh->tx_engines;
111  do {
112  // based on flow alproto, and engine, we get right tx_ptr
113  void *tx_ptr = DetectGetInnerTx(tx->tx_ptr, alproto, engine->alproto, flow_flags);
114  if (tx_ptr == NULL) {
115  // incompatible engine->alproto with flow alproto
116  goto next;
117  }
118 
119  if (engine->ctx.tx_min_progress != -1) {
120 #ifdef DEBUG
121  const char *pname = AppLayerParserGetStateNameById(ipproto, engine->alproto,
122  engine->ctx.tx_min_progress, flow_flags & (STREAM_TOSERVER | STREAM_TOCLIENT));
123  SCLogDebug("engine %p min_progress %d %s:%s", engine, engine->ctx.tx_min_progress,
124  AppProtoToString(engine->alproto), pname);
125 #endif
126  /* if engine needs tx state to be higher, break out. */
127  if (engine->ctx.tx_min_progress > tx->tx_progress)
128  break;
129  if (tx->tx_progress > engine->ctx.tx_min_progress) {
130  SCLogDebug("tx->tx_progress %u > engine->ctx.tx_min_progress %d", tx->tx_progress,
131  engine->ctx.tx_min_progress);
132 
133  /* if state value is at or beyond engine state, we can skip it. It means we ran at
134  * least once already. */
135  if (tx->detect_progress > engine->ctx.tx_min_progress) {
136  SCLogDebug("tx already marked progress as beyond engine: %u > %u",
137  tx->detect_progress, engine->ctx.tx_min_progress);
138  goto next;
139  } else {
140  SCLogDebug("tx->tx_progress %u > engine->ctx.tx_min_progress %d: "
141  "tx->detect_progress %u",
142  tx->tx_progress, engine->ctx.tx_min_progress, tx->detect_progress);
143  }
144  }
145 #ifdef DEBUG
146  uint32_t old = det_ctx->pmq.rule_id_array_cnt;
147 #endif
148  PREFILTER_PROFILING_START(det_ctx);
149  engine->cb.PrefilterTx(det_ctx, engine->pectx, p, p->flow, tx_ptr, tx->tx_id,
150  tx->tx_data_ptr, flow_flags);
151  PREFILTER_PROFILING_END(det_ctx, engine->gid);
152  SCLogDebug("engine %p min_progress %d %s:%s: results %u", engine,
153  engine->ctx.tx_min_progress, AppProtoToString(engine->alproto), pname,
154  det_ctx->pmq.rule_id_array_cnt - old);
155 
156  if (tx->tx_progress > engine->ctx.tx_min_progress && engine->is_last_for_progress &&
157  tx->tx_ptr == tx_ptr) {
158  /* track with an offset of one, so that tx->progress 0 complete is tracked
159  * as 1, progress 1 as 2, etc. This is to allow 0 to mean: nothing tracked, even
160  * though a parser may use 0 as a valid value. */
161  // tx->tx_ptr == tx_ptr ensures we do not use a dns engine progress
162  // to update a HTTP2 tx detect_progress in case of DOH2
163  tx->detect_progress = engine->ctx.tx_min_progress + 1;
164  SCLogDebug("tx->tx_progress %d engine->ctx.tx_min_progress %d "
165  "engine->is_last_for_progress %d => tx->detect_progress updated to %02x",
166  tx->tx_progress, engine->ctx.tx_min_progress, engine->is_last_for_progress,
167  tx->detect_progress);
168  }
169  } else {
170  PREFILTER_PROFILING_START(det_ctx);
171  engine->cb.PrefilterTx(det_ctx, engine->pectx, p, p->flow, tx_ptr, tx->tx_id,
172  tx->tx_data_ptr, flow_flags);
173  PREFILTER_PROFILING_END(det_ctx, engine->gid);
174  }
175  next:
176  if (engine->is_last)
177  break;
178  engine++;
179  } while (1);
180 
181  /* Sort the rule list to lets look at pmq.
182  * NOTE due to merging of 'stream' pmqs we *MAY* have duplicate entries */
183  if (likely(det_ctx->pmq.rule_id_array_cnt > 1)) {
184  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PF_SORT1);
185  QuickSortSigIntId(det_ctx->pmq.rule_id_array, det_ctx->pmq.rule_id_array_cnt);
186  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PF_SORT1);
187  }
188 }
189 
190 /** \brief invoke post-rule match "prefilter" engines
191  *
192  * Invoke prefilter engines that depend on a rule match to run.
193  * e.g. the flowbits:set prefilter that adds sids that depend on
194  * a flowbit "set" to the match array.
195  */
196 void PrefilterPostRuleMatch(
197  DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, Flow *f)
198 {
199  SCLogDebug("post-rule-match engines %p", sgh->post_rule_match_engines);
200  if (sgh->post_rule_match_engines) {
201  PrefilterEngine *engine = sgh->post_rule_match_engines;
202  do {
203  SCLogDebug("running post-rule-match engine");
204  PREFILTER_PROFILING_START(det_ctx);
205  engine->cb.PrefilterPostRule(det_ctx, engine->pectx, p, f);
206  PREFILTER_PROFILING_END(det_ctx, engine->gid);
207 
208  if (engine->is_last)
209  break;
210  engine++;
211  } while (1);
212 
213  if (det_ctx->pmq.rule_id_array_cnt > 1) {
214  QuickSortSigIntId(det_ctx->pmq.rule_id_array, det_ctx->pmq.rule_id_array_cnt);
215  }
216  }
217 }
218 
219 void Prefilter(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p,
220  const uint8_t flags, const SignatureMask mask)
221 {
222  SCEnter();
223 #if 0
224  /* TODO review this check */
225  SCLogDebug("sgh %p frame_engines %p", sgh, sgh->frame_engines);
226  if (p->proto == IPPROTO_TCP && sgh->frame_engines && p->flow &&
227  p->flow->alproto != ALPROTO_UNKNOWN && p->flow->alparser != NULL) {
228  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PF_RECORD);
229  PrefilterFrames(det_ctx, sgh, p, flags, p->flow->alproto);
230  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PF_RECORD);
231  }
232 #endif
233  if (sgh->pkt_engines) {
234  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PF_PKT);
235  /* run packet engines */
236  PrefilterEngine *engine = sgh->pkt_engines;
237  do {
238  /* run engine if:
239  * mask matches
240  * no hook is used OR hook matches
241  */
242  if (((engine->ctx.pkt.mask & mask) == engine->ctx.pkt.mask) &&
243  (engine->ctx.pkt.hook == 0 || (p->pkt_hooks & BIT_U16(engine->ctx.pkt.hook)))) {
244  PREFILTER_PROFILING_START(det_ctx);
245  engine->cb.Prefilter(det_ctx, p, engine->pectx);
246  PREFILTER_PROFILING_END(det_ctx, engine->gid);
247  }
248 
249  if (engine->is_last)
250  break;
251  engine++;
252  } while (1);
253  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PF_PKT);
254  }
255 
256  /* run payload inspecting engines */
257  if (sgh->payload_engines &&
258  (p->payload_len || (p->flags & PKT_DETECT_HAS_STREAMDATA)) &&
259  !(p->flags & PKT_NOPAYLOAD_INSPECTION))
260  {
261  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PF_PAYLOAD);
262  PrefilterEngine *engine = sgh->payload_engines;
263  while (1) {
264  PREFILTER_PROFILING_START(det_ctx);
265  engine->cb.Prefilter(det_ctx, p, engine->pectx);
266  PREFILTER_PROFILING_END(det_ctx, engine->gid);
267 
268  if (engine->is_last)
269  break;
270  engine++;
271  }
272  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PF_PAYLOAD);
273  }
274 
275  /* Sort the rule list to lets look at pmq.
276  * NOTE due to merging of 'stream' pmqs we *MAY* have duplicate entries */
277  if (likely(det_ctx->pmq.rule_id_array_cnt > 1)) {
278  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PF_SORT1);
279  QuickSortSigIntId(det_ctx->pmq.rule_id_array, det_ctx->pmq.rule_id_array_cnt);
280  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PF_SORT1);
281  }
282  SCReturn;
283 }
284 
285 int PrefilterAppendEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterPktFn PrefilterFunc,
286  SignatureMask mask, enum SignatureHookPkt hook, void *pectx, void (*FreeFunc)(void *pectx),
287  const char *name)
288 {
289  if (sgh == NULL || PrefilterFunc == NULL || pectx == NULL)
290  return -1;
291 
292  PrefilterEngineList *e = SCMallocAligned(sizeof(*e), CLS);
293  if (e == NULL)
294  return -1;
295  memset(e, 0x00, sizeof(*e));
296 
297  // TODO right now we represent the hook in a u8 in the prefilter engine for space reasons.
298  BUG_ON(hook >= 8);
299 
300  e->Prefilter = PrefilterFunc;
301  e->pectx = pectx;
302  e->Free = FreeFunc;
303  e->pkt_mask = mask;
304  e->pkt_hook = hook;
305 
306  if (sgh->init->pkt_engines == NULL) {
307  sgh->init->pkt_engines = e;
308  } else {
309  PrefilterEngineList *t = sgh->init->pkt_engines;
310  while (t->next != NULL) {
311  t = t->next;
312  }
313 
314  t->next = e;
315  e->id = t->id + 1;
316  }
317 
318  e->name = name;
319  e->gid = PrefilterStoreGetId(de_ctx, e->name, e->Free);
320  return 0;
321 }
322 
323 int PrefilterAppendPayloadEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
324  PrefilterPktFn PrefilterFunc, void *pectx, void (*FreeFunc)(void *pectx), const char *name)
325 {
326  if (sgh == NULL || PrefilterFunc == NULL || pectx == NULL)
327  return -1;
328 
329  PrefilterEngineList *e = SCMallocAligned(sizeof(*e), CLS);
330  if (e == NULL)
331  return -1;
332  memset(e, 0x00, sizeof(*e));
333 
334  e->Prefilter = PrefilterFunc;
335  e->pectx = pectx;
336  e->Free = FreeFunc;
337 
338  if (sgh->init->payload_engines == NULL) {
339  sgh->init->payload_engines = e;
340  } else {
341  PrefilterEngineList *t = sgh->init->payload_engines;
342  while (t->next != NULL) {
343  t = t->next;
344  }
345 
346  t->next = e;
347  e->id = t->id + 1;
348  }
349 
350  e->name = name;
351  e->gid = PrefilterStoreGetId(de_ctx, e->name, e->Free);
352  return 0;
353 }
354 
355 int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
356  PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx,
357  void (*FreeFunc)(void *pectx), const char *name)
358 {
359  if (sgh == NULL || PrefilterTxFunc == NULL || pectx == NULL)
360  return -1;
361 
362  PrefilterEngineList *e = SCMallocAligned(sizeof(*e), CLS);
363  if (e == NULL)
364  return -1;
365  memset(e, 0x00, sizeof(*e));
366 
367  e->PrefilterTx = PrefilterTxFunc;
368  e->pectx = pectx;
369  e->alproto = alproto;
370  // TODO change function prototype ?
371  DEBUG_VALIDATE_BUG_ON(tx_min_progress > INT8_MAX);
372  e->tx_min_progress = (uint8_t)tx_min_progress;
373  e->Free = FreeFunc;
374 
375  if (sgh->init->tx_engines == NULL) {
376  sgh->init->tx_engines = e;
377  } else {
378  PrefilterEngineList *t = sgh->init->tx_engines;
379  while (t->next != NULL) {
380  t = t->next;
381  }
382 
383  t->next = e;
384  e->id = t->id + 1;
385  }
386 
387  e->name = name;
388  e->gid = PrefilterStoreGetId(de_ctx, e->name, e->Free);
389  return 0;
390 }
391 
392 int PrefilterAppendFrameEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
393  PrefilterFrameFn PrefilterFrameFunc, AppProto alproto, uint8_t frame_type, void *pectx,
394  void (*FreeFunc)(void *pectx), const char *name)
395 {
396  if (sgh == NULL || PrefilterFrameFunc == NULL || pectx == NULL)
397  return -1;
398 
399  PrefilterEngineList *e = SCMallocAligned(sizeof(*e), CLS);
400  if (e == NULL)
401  return -1;
402  memset(e, 0x00, sizeof(*e));
403 
404  e->frame_type = frame_type;
405  e->alproto = alproto;
406  e->PrefilterFrame = PrefilterFrameFunc;
407  e->pectx = pectx;
408  e->Free = FreeFunc;
409 
410  if (sgh->init->frame_engines == NULL) {
411  sgh->init->frame_engines = e;
412  } else {
413  PrefilterEngineList *t = sgh->init->frame_engines;
414  while (t->next != NULL) {
415  t = t->next;
416  }
417 
418  t->next = e;
419  e->id = t->id + 1;
420  }
421 
422  e->name = name;
423  e->gid = PrefilterStoreGetId(de_ctx, e->name, e->Free);
424  return 0;
425 }
426 
427 int PrefilterAppendPostRuleEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
428  void (*PrefilterPostRuleFunc)(
429  DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f),
430  void *pectx, void (*FreeFunc)(void *pectx), const char *name)
431 {
432  if (sgh == NULL || PrefilterPostRuleFunc == NULL || pectx == NULL)
433  return -1;
434 
435  PrefilterEngineList *e = SCMallocAligned(sizeof(*e), CLS);
436  if (e == NULL)
437  return -1;
438  memset(e, 0x00, sizeof(*e));
439  e->PrefilterPostRule = PrefilterPostRuleFunc;
440  e->pectx = pectx;
441  e->Free = FreeFunc;
442 
443  if (sgh->init->post_rule_match_engines == NULL) {
444  sgh->init->post_rule_match_engines = e;
445  } else {
446  PrefilterEngineList *t = sgh->init->post_rule_match_engines;
447  while (t->next != NULL) {
448  t = t->next;
449  }
450 
451  t->next = e;
452  e->id = t->id + 1;
453  }
454 
455  e->name = name;
456  e->gid = PrefilterStoreGetId(de_ctx, e->name, e->Free);
457  return 0;
458 }
459 
460 static void PrefilterFreeEngineList(PrefilterEngineList *e)
461 {
462  if (e->Free && e->pectx) {
463  e->Free(e->pectx);
464  }
465  SCFreeAligned(e);
466 }
467 
468 void PrefilterFreeEnginesList(PrefilterEngineList *list)
469 {
470  PrefilterEngineList *t = list;
471 
472  while (t != NULL) {
473  PrefilterEngineList *next = t->next;
474  PrefilterFreeEngineList(t);
475  t = next;
476  }
477 }
478 
479 static void PrefilterFreeEngines(const DetectEngineCtx *de_ctx, PrefilterEngine *list)
480 {
481  PrefilterEngine *t = list;
482 
483  while (1) {
484  const PrefilterStore *s = PrefilterStoreGetStore(de_ctx, t->gid);
485  if (s && s->FreeFunc && t->pectx) {
486  s->FreeFunc(t->pectx);
487  }
488 
489  if (t->is_last)
490  break;
491  t++;
492  }
493  SCFreeAligned(list);
494 }
495 
496 void PrefilterCleanupRuleGroup(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
497 {
498  if (sgh->pkt_engines) {
499  PrefilterFreeEngines(de_ctx, sgh->pkt_engines);
500  sgh->pkt_engines = NULL;
501  }
502  if (sgh->payload_engines) {
503  PrefilterFreeEngines(de_ctx, sgh->payload_engines);
504  sgh->payload_engines = NULL;
505  }
506  if (sgh->tx_engines) {
507  PrefilterFreeEngines(de_ctx, sgh->tx_engines);
508  sgh->tx_engines = NULL;
509  }
510  if (sgh->frame_engines) {
511  PrefilterFreeEngines(de_ctx, sgh->frame_engines);
512  sgh->frame_engines = NULL;
513  }
514  if (sgh->post_rule_match_engines) {
515  PrefilterFreeEngines(de_ctx, sgh->post_rule_match_engines);
516  sgh->post_rule_match_engines = NULL;
517  }
518 }
519 
520 static int PrefilterSetupRuleGroupSortHelper(const void *a, const void *b)
521 {
522  const PrefilterEngine *s0 = a;
523  const PrefilterEngine *s1 = b;
524  if (s1->ctx.tx_min_progress == s0->ctx.tx_min_progress) {
525  if (s1->alproto == s0->alproto) {
526  return s0->local_id > s1->local_id ? 1 : -1;
527  } else {
528  return s0->alproto > s1->alproto ? 1 : -1;
529  }
530  } else {
531  return s0->ctx.tx_min_progress > s1->ctx.tx_min_progress ? 1 : -1;
532  }
533 }
534 
535 /** prefilter engine data for the non-prefilter engine for the prefilter API */
536 struct PrefilterNonPFDataSig {
537  uint32_t sid : 30;
538  uint32_t type : 2; /**< type for `value` field below: 0:alproto 1:dport 2:dsize */
539  uint16_t value;
540  /* since we have 2 more bytes available due to padding, we can add some additional
541  * filters here. */
542  union {
543  struct {
544  SignatureMask sig_mask;
545  } pkt;
546  struct {
547  /* filter for frame type */
548  uint8_t type;
549  } frame;
550  struct {
551  uint8_t foo; // TODO unused
552  } app;
553  };
554 };
555 
556 struct PrefilterNonPFData {
557  uint32_t size;
558  struct PrefilterNonPFDataSig array[];
559 };
560 
561 struct PrefilterNonPFDataTx {
562  uint32_t size;
563  uint32_t array[];
564 };
565 
566 /** \internal
567  * \brief wrapper for use in APIs */
568 static void PrefilterNonPFDataFree(void *data)
569 {
570  SCFree(data);
571 }
572 
573 static void PrefilterTxNonPF(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f,
574  void *tx, const uint64_t tx_id, const AppLayerTxData *tx_data, const uint8_t flags)
575 {
576  const struct PrefilterNonPFDataTx *data = (const struct PrefilterNonPFDataTx *)pectx;
577  SCLogDebug("adding %u sids", data->size);
578  PrefilterAddSids(&det_ctx->pmq, data->array, data->size);
579 }
580 
581 #ifdef NONPF_PKT_STATS
582 static thread_local uint64_t prefilter_pkt_nonpf_called = 0;
583 static thread_local uint64_t prefilter_pkt_nonpf_mask_fail = 0;
584 static thread_local uint64_t prefilter_pkt_nonpf_alproto_fail = 0;
585 static thread_local uint64_t prefilter_pkt_nonpf_dsize_fail = 0;
586 static thread_local uint64_t prefilter_pkt_nonpf_dport_fail = 0;
587 static thread_local uint64_t prefilter_pkt_nonpf_sids = 0;
588 #define NONPF_PKT_STATS_INCR(s) (s)++
589 #else
590 #define NONPF_PKT_STATS_INCR(s)
591 #endif
592 
593 void PrefilterPktNonPFStatsDump(void)
594 {
595 #ifdef NONPF_PKT_STATS
596  SCLogDebug("prefilter non-pf: called:%" PRIu64 ", mask_fail:%" PRIu64 ", alproto fail:%" PRIu64
597  ", dport fail:%" PRIu64 ", dsize fail:%" PRIu64 ", sids:%" PRIu64
598  ", avg sids:%" PRIu64,
599  prefilter_pkt_nonpf_called, prefilter_pkt_nonpf_mask_fail,
600  prefilter_pkt_nonpf_alproto_fail, prefilter_pkt_nonpf_dport_fail,
601  prefilter_pkt_nonpf_dsize_fail, prefilter_pkt_nonpf_sids,
602  prefilter_pkt_nonpf_called ? prefilter_pkt_nonpf_sids / prefilter_pkt_nonpf_called : 0);
603 #endif
604 }
605 
606 static void PrefilterPktNonPF(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
607 {
608  const uint16_t alproto = p->flow ? p->flow->alproto : ALPROTO_UNKNOWN;
609  const SignatureMask mask = p->sig_mask;
610  const struct PrefilterNonPFData *data = (const struct PrefilterNonPFData *)pectx;
611  SCLogDebug("adding %u sids", data->size);
612  NONPF_PKT_STATS_INCR(prefilter_pkt_nonpf_called);
613  for (uint32_t i = 0; i < data->size; i++) {
614  const struct PrefilterNonPFDataSig *ds = &data->array[i];
615  const SignatureMask rule_mask = ds->pkt.sig_mask;
616  if ((rule_mask & mask) == rule_mask) {
617  switch (ds->type) {
618  case 0:
619  if (ds->value == ALPROTO_UNKNOWN || AppProtoEquals(ds->value, alproto)) {
620  const uint32_t sid = ds->sid;
621  PrefilterAddSids(&det_ctx->pmq, &sid, 1);
622  NONPF_PKT_STATS_INCR(prefilter_pkt_nonpf_sids);
623  } else {
624  NONPF_PKT_STATS_INCR(prefilter_pkt_nonpf_alproto_fail);
625  }
626  break;
627  case 1:
628  if (ds->value == p->dp) {
629  const uint32_t sid = ds->sid;
630  PrefilterAddSids(&det_ctx->pmq, &sid, 1);
631  NONPF_PKT_STATS_INCR(prefilter_pkt_nonpf_sids);
632  } else {
633  NONPF_PKT_STATS_INCR(prefilter_pkt_nonpf_dport_fail);
634  }
635  break;
636  case 2:
637  if (ds->value == p->payload_len) {
638  const uint32_t sid = ds->sid;
639  PrefilterAddSids(&det_ctx->pmq, &sid, 1);
640  NONPF_PKT_STATS_INCR(prefilter_pkt_nonpf_sids);
641  } else {
642  NONPF_PKT_STATS_INCR(prefilter_pkt_nonpf_dsize_fail);
643  }
644  break;
645  }
646  } else {
647  NONPF_PKT_STATS_INCR(prefilter_pkt_nonpf_mask_fail);
648  }
649  }
650 }
651 
652 static void PrefilterPktNonPFHookFlowStart(
653  DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
654 {
655  if (p->flowflags & (FLOW_PKT_TOSERVER_FIRST | FLOW_PKT_TOCLIENT_FIRST)) {
656  PrefilterPktNonPF(det_ctx, p, pectx);
657  }
658 }
659 
660 /** \internal
661  * \brief engine to select the non-prefilter rules for frames
662  * Checks the alproto and type as well.
663  * Direction needs no checking as the rule groups are per direction. */
664 static void PrefilterFrameNonPF(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
665  const Frames *frames, const Frame *frame)
666 {
667  DEBUG_VALIDATE_BUG_ON(p->flow == NULL);
668  const uint16_t alproto = p->flow->alproto;
669  const struct PrefilterNonPFData *data = (const struct PrefilterNonPFData *)pectx;
670  SCLogDebug("adding %u sids", data->size);
671  for (uint32_t i = 0; i < data->size; i++) {
672  const struct PrefilterNonPFDataSig *ds = &data->array[i];
673  if (ds->frame.type == frame->type &&
674  (ds->value == ALPROTO_UNKNOWN || AppProtoEquals(ds->value, alproto))) {
675  const uint32_t sid = ds->sid;
676  PrefilterAddSids(&det_ctx->pmq, &sid, 1);
677  }
678  }
679 }
680 
681 /* helper funcs for the non prefilter names hash */
682 
683 static uint32_t NonPFNamesHash(HashTable *h, void *data, uint16_t _len)
684 {
685  const char *str = data;
686  return StringHashDjb2((const uint8_t *)str, (uint16_t)strlen(str)) % h->array_size;
687 }
688 
689 static char NonPFNamesCompare(void *data1, uint16_t _len1, void *data2, uint16_t len2)
690 {
691  const char *s1 = data1;
692  const char *s2 = data2;
693  return StringHashCompareFunc(data1, (uint16_t)strlen(s1), data2, (uint16_t)strlen(s2));
694 }
695 
696 static void NonPFNamesFree(void *data)
697 {
698  SCFree(data);
699 }
700 
701 /* helper funcs for assembling non-prefilter engines */
702 
703 struct TxNonPFData {
704  AppProto alproto;
705  int dir; /**< 0: toserver, 1: toclient */
706  int progress; /**< progress state value to register at */
707  int sig_list; /**< special handling: normally 0, but for special cases (app-layer-state,
708  app-layer-event) use the list id to create separate engines */
709  uint32_t sigs_cnt;
710  struct PrefilterNonPFDataSig *sigs;
711  const char *engine_name; /**< pointer to name owned by DetectEngineCtx::non_pf_engine_names */
712 };
713 
714 static uint32_t TxNonPFHash(HashListTable *h, void *data, uint16_t _len)
715 {
716  struct TxNonPFData *d = data;
717  return (d->alproto + d->progress + d->dir + d->sig_list) % h->array_size;
718 }
719 
720 static char TxNonPFCompare(void *data1, uint16_t _len1, void *data2, uint16_t len2)
721 {
722  struct TxNonPFData *d1 = data1;
723  struct TxNonPFData *d2 = data2;
724  return d1->alproto == d2->alproto && d1->progress == d2->progress && d1->dir == d2->dir &&
725  d1->sig_list == d2->sig_list;
726 }
727 
728 static void TxNonPFFree(void *data)
729 {
730  struct TxNonPFData *d = data;
731  SCFree(d->sigs);
732  SCFree(d);
733 }
734 
735 static int TxNonPFAddSig(DetectEngineCtx *de_ctx, HashListTable *tx_engines_hash,
736  const AppProto alproto, const int dir, const int16_t progress, const int sig_list,
737  const char *name, const Signature *s)
738 {
739  const uint32_t max_sids = DetectEngineGetMaxSigId(de_ctx);
740 
741  struct TxNonPFData lookup = {
742  .alproto = alproto,
743  .dir = dir,
744  .progress = progress,
745  .sig_list = sig_list,
746  .sigs_cnt = 0,
747  .sigs = NULL,
748  .engine_name = NULL,
749  };
750  struct TxNonPFData *e = HashListTableLookup(tx_engines_hash, &lookup, 0);
751  if (e != NULL) {
752  bool found = false;
753  // avoid adding same sid multiple times
754  for (uint32_t y = 0; y < e->sigs_cnt; y++) {
755  if (e->sigs[y].sid == s->iid) {
756  found = true;
757  break;
758  }
759  }
760  if (!found) {
761  BUG_ON(e->sigs_cnt == max_sids);
762  e->sigs[e->sigs_cnt].sid = s->iid;
763  e->sigs[e->sigs_cnt].value = alproto;
764  e->sigs_cnt++;
765  }
766  return 0;
767  }
768 
769  struct TxNonPFData *add = SCCalloc(1, sizeof(*add));
770  if (add == NULL) {
771  return -1;
772  }
773  add->dir = dir;
774  add->alproto = alproto;
775  add->progress = progress;
776  add->sig_list = sig_list;
777  add->sigs = SCCalloc(max_sids, sizeof(struct PrefilterNonPFDataSig));
778  if (add->sigs == NULL) {
779  SCFree(add);
780  return -1;
781  }
782  add->sigs_cnt = 0;
783  add->sigs[add->sigs_cnt].sid = s->iid;
784  add->sigs[add->sigs_cnt].value = alproto;
785  add->sigs_cnt++;
786 
787  char engine_name[128];
788  snprintf(engine_name, sizeof(engine_name), "%s:%s:non_pf:%s", AppProtoToString(alproto), name,
789  dir == 0 ? "toserver" : "toclient");
790  char *engine_name_heap = SCStrdup(engine_name);
791  if (engine_name_heap == NULL) {
792  SCFree(add->sigs);
793  SCFree(add);
794  return -1;
795  }
796  int result = HashTableAdd(
797  de_ctx->non_pf_engine_names, engine_name_heap, (uint16_t)strlen(engine_name_heap));
798  if (result != 0) {
799  SCFree(add->sigs);
800  SCFree(add);
801  return -1;
802  }
803 
804  add->engine_name = engine_name_heap;
805  SCLogDebug("engine_name_heap %s", engine_name_heap);
806 
807  int ret = HashListTableAdd(tx_engines_hash, add, 0);
808  if (ret != 0) {
809  SCFree(add->sigs);
810  SCFree(add);
811  return -1;
812  }
813 
814  return 0;
815 }
816 
817 /** \internal
818  * \brief setup non-prefilter rules in special "non-prefilter" engines that are registered in the
819  * prefilter logic.
820  *
821  * \retval 0 ok
822  * \retval -1 error
823  */
824 static int SetupNonPrefilter(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
825 {
826  const uint32_t max_sids = DetectEngineGetMaxSigId(de_ctx);
827  SCLogDebug("max_sids %u", max_sids);
828  struct PrefilterNonPFDataSig *pkt_non_pf_array = SCCalloc(max_sids, sizeof(*pkt_non_pf_array));
829  if (pkt_non_pf_array == NULL) {
830  return -1;
831  }
832  uint32_t pkt_non_pf_array_size = 0;
833  struct PrefilterNonPFDataSig *frame_non_pf_array =
834  SCCalloc(max_sids, sizeof(*frame_non_pf_array));
835  if (frame_non_pf_array == NULL) {
836  SCFree(pkt_non_pf_array);
837  return -1;
838  }
839  uint32_t frame_non_pf_array_size = 0;
840 
841  struct PrefilterNonPFDataSig *pkt_hook_flow_start_non_pf_array =
842  SCCalloc(max_sids, sizeof(*pkt_hook_flow_start_non_pf_array));
843  if (pkt_hook_flow_start_non_pf_array == NULL) {
844  SCFree(pkt_non_pf_array);
845  SCFree(frame_non_pf_array);
846  return -1;
847  }
848  uint32_t pkt_hook_flow_start_non_pf_array_size = 0;
849  SignatureMask pkt_hook_flow_start_mask = 0;
850  bool pkt_hook_flow_start_mask_init = false;
851 
852  HashListTable *tx_engines_hash =
853  HashListTableInit(256, TxNonPFHash, TxNonPFCompare, TxNonPFFree);
854  if (tx_engines_hash == NULL) {
855  SCFree(pkt_non_pf_array);
856  SCFree(pkt_hook_flow_start_non_pf_array);
857  SCFree(frame_non_pf_array);
858  return -1;
859  }
860 
861  if (de_ctx->non_pf_engine_names == NULL) {
862  de_ctx->non_pf_engine_names =
863  HashTableInit(512, NonPFNamesHash, NonPFNamesCompare, NonPFNamesFree);
864  if (de_ctx->non_pf_engine_names == NULL) {
865  SCFree(pkt_non_pf_array);
866  SCFree(pkt_hook_flow_start_non_pf_array);
867  SCFree(frame_non_pf_array);
868  HashListTableFree(tx_engines_hash);
869  return -1;
870  }
871  }
872 
873  SignatureMask pkt_mask = 0;
874  bool pkt_mask_init = false;
875 #ifdef NONPF_PKT_STATS
876  uint32_t nonpf_pkt_alproto = 0;
877  uint32_t nonpf_pkt_dsize = 0;
878  uint32_t nonpf_pkt_dport = 0;
879 #endif
880  const int app_events_list_id = DetectBufferTypeGetByName("app-layer-events");
881  SCLogDebug("app_events_list_id %d", app_events_list_id);
882  const int app_state_list_id = DetectBufferTypeGetByName("app-layer-state");
883  SCLogDebug("app_state_list_id %d", app_state_list_id);
884  for (uint32_t sig = 0; sig < sgh->init->sig_cnt; sig++) {
885  Signature *s = sgh->init->match_array[sig];
886  if (s == NULL)
887  continue;
888  SCLogDebug("checking sid %u for non-prefilter", s->id);
889  if (s->init_data->mpm_sm != NULL && (s->flags & SIG_FLAG_MPM_NEG) == 0)
890  continue;
891  if (s->init_data->prefilter_sm != NULL)
892  continue;
893  if ((s->flags & (SIG_FLAG_PREFILTER | SIG_FLAG_MPM_NEG)) == SIG_FLAG_PREFILTER)
894  continue;
895  SCLogDebug("setting up sid %u for non-prefilter", s->id);
896 
897  uint8_t frame_type = 0; /**< only a single type per rule */
898  bool tx_non_pf = false;
899  bool frame_non_pf = false;
900  bool pkt_non_pf = false;
901 
902  if (s->init_data->hook.type == SIGNATURE_HOOK_TYPE_PKT &&
903  s->init_data->hook.t.pkt.ph == SIGNATURE_HOOK_PKT_FLOW_START) {
904  // TODO code duplication with regular pkt case below
905 
906  /* for pkt non prefilter, we have some space in the structure,
907  * so we can squeeze another filter */
908  uint8_t type;
909  uint16_t value;
910  if ((s->flags & SIG_FLAG_DSIZE) && s->dsize_mode == DETECT_UINT_EQ) {
911  SCLogDebug("dsize extra match");
912  type = 2;
913  value = s->dsize_low;
914  } else if (s->dp != NULL && s->dp->next == NULL && s->dp->port == s->dp->port2) {
915  type = 1;
916  value = s->dp->port;
917  } else {
918  type = 0;
919  value = s->alproto;
920  }
921  pkt_hook_flow_start_non_pf_array[pkt_hook_flow_start_non_pf_array_size].sid = s->iid;
922  pkt_hook_flow_start_non_pf_array[pkt_hook_flow_start_non_pf_array_size].value = value;
923  pkt_hook_flow_start_non_pf_array[pkt_hook_flow_start_non_pf_array_size].type = type;
924  pkt_hook_flow_start_non_pf_array[pkt_hook_flow_start_non_pf_array_size].pkt.sig_mask =
925  s->mask;
926  pkt_hook_flow_start_non_pf_array_size++;
927 
928  if (pkt_hook_flow_start_mask_init) {
929  pkt_hook_flow_start_mask &= s->mask;
930  } else {
931  pkt_hook_flow_start_mask = s->mask;
932  pkt_hook_flow_start_mask_init = true;
933  }
934 
935  SCLogDebug("flow_start hook");
936  continue; // done for this sig
937  }
938 
939  /* special case: insert sigs at hook before Signature::app_progress_hook for the HOOK_LTE
940  * case: we need a addition per hook to make sure that the sig is called when needed. For
941  * hook 0 it could have a preceding rule that makes sure this sig isn't triggered, but then
942  * for hook 1 we would need to be called. */
943  if (s->flags & SIG_FLAG_FW_HOOK_LTE) {
944  for (uint8_t state = 0; state < s->app_progress_hook; state++) {
945  SCLogDebug("handle HOOK %u LTE", state);
946  const int dir = (s->flags & SIG_FLAG_TOSERVER) ? 0 : 1;
947  const char *pname = AppLayerParserGetStateNameById(IPPROTO_TCP, // TODO
948  s->alproto, state, dir == 0 ? STREAM_TOSERVER : STREAM_TOCLIENT);
949  if (pname == NULL)
950  goto error;
951  const int sm_list = DetectEngineAppHookToSmlist(
952  s->alproto, state, dir == 0 ? STREAM_TOSERVER : STREAM_TOCLIENT);
953  if (TxNonPFAddSig(de_ctx, tx_engines_hash, s->alproto, dir, (int16_t)state, sm_list,
954  pname, s) != 0) {
955  goto error;
956  }
957  tx_non_pf = true;
958  }
959  }
960 
961  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
962  const int list_id = s->init_data->buffers[x].id;
963  const DetectBufferType *buf = DetectEngineBufferTypeGetById(de_ctx, list_id);
964  if (buf == NULL)
965  continue;
966  /* for now, exclude app-layer-events, as they are not tied to a specific
967  * progress value like other keywords. */
968  SCLogDebug("list_id %d buf %p", list_id, buf);
969  if (list_id == app_events_list_id)
970  continue;
971  if (buf->packet) {
972  SCLogDebug("packet buf");
973  /* packet is handled below */
974  pkt_non_pf = true;
975  } else if (buf->frame) {
976  for (DetectEngineFrameInspectionEngine *f = de_ctx->frame_inspect_engines;
977  f != NULL; f = f->next) {
978  if (!((((s->flags & SIG_FLAG_TOSERVER) != 0 && f->dir == 0) ||
979  ((s->flags & SIG_FLAG_TOCLIENT) != 0 && f->dir == 1)) &&
980  list_id == (int)f->sm_list &&
981  AppProtoEquals(s->alproto, f->alproto)))
982  continue;
983 
984  SCLogDebug("frame '%s' type %u", buf->name, f->type);
985  frame_type = f->type;
986  frame_non_pf = true;
987 
988  frame_non_pf_array[frame_non_pf_array_size].sid = s->iid;
989  frame_non_pf_array[frame_non_pf_array_size].value = s->alproto;
990  frame_non_pf_array[frame_non_pf_array_size].frame.type = frame_type;
991  frame_non_pf_array_size++;
992  break;
993  }
994 
995  } else {
996  SCLogDebug("x %u list_id %d", x, list_id);
997  for (DetectEngineAppInspectionEngine *app = de_ctx->app_inspect_engines;
998  app != NULL; app = app->next) {
999  SCLogDebug("app %p proto %s list_d %d sig dir %0x", app,
1000  AppProtoToString(app->alproto), app->sm_list,
1001  s->flags & (SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT));
1002 
1003  /* skip if:
1004  * - not in our dir
1005  * - not our list
1006  * - app proto mismatch. Both sig and app can have proto or unknown */
1007  if (!((((s->flags & SIG_FLAG_TOSERVER) != 0 && app->dir == 0) ||
1008  ((s->flags & SIG_FLAG_TOCLIENT) != 0 && app->dir == 1)) &&
1009  list_id == (int)app->sm_list &&
1010  (s->alproto == ALPROTO_UNKNOWN || app->alproto == ALPROTO_UNKNOWN ||
1011  AppProtoEquals(s->alproto, app->alproto))))
1012  continue;
1013 
1014  int sig_list = 0;
1015  if (list_id == app_state_list_id)
1016  sig_list = app_state_list_id;
1017  if (TxNonPFAddSig(de_ctx, tx_engines_hash, app->alproto, app->dir,
1018  app->progress, sig_list, buf->name, s) != 0) {
1019  goto error;
1020  }
1021  tx_non_pf = true;
1022  }
1023  }
1024  }
1025  /* handle hook only rules */
1026  if (!tx_non_pf && s->init_data->hook.type == SIGNATURE_HOOK_TYPE_APP) {
1027  const int dir = (s->flags & SIG_FLAG_TOSERVER) ? 0 : 1;
1028  const char *pname = AppLayerParserGetStateNameById(IPPROTO_TCP, // TODO
1029  s->alproto, s->init_data->hook.t.app.app_progress,
1030  dir == 0 ? STREAM_TOSERVER : STREAM_TOCLIENT);
1031 
1032  if (TxNonPFAddSig(de_ctx, tx_engines_hash, s->alproto, dir,
1033  (int16_t)s->init_data->hook.t.app.app_progress, s->init_data->hook.sm_list,
1034  pname, s) != 0) {
1035  goto error;
1036  }
1037  tx_non_pf = true;
1038  }
1039  /* mark as prefiltered as the sig is now part of a engine */
1040  // s->flags |= SIG_FLAG_PREFILTER;
1041  // TODO doesn't work for sigs that are in multiple sgh's
1042 
1043  /* default to pkt if there was no tx or frame match */
1044  if (!(tx_non_pf || frame_non_pf)) {
1045  if (!pkt_non_pf) {
1046  SCLogDebug("not frame, not tx, so pkt");
1047  }
1048  pkt_non_pf = true;
1049  }
1050 
1051  SCLogDebug("setting up sid %u for non-prefilter: %s", s->id,
1052  tx_non_pf ? "tx engine" : (frame_non_pf ? "frame engine" : "pkt engine"));
1053 
1054  if (pkt_non_pf) {
1055  /* for pkt non prefilter, we have some space in the structure,
1056  * so we can squeeze another filter */
1057  uint8_t type;
1058  uint16_t value;
1059  if ((s->flags & SIG_FLAG_DSIZE) && s->dsize_mode == DETECT_UINT_EQ) {
1060  SCLogDebug("dsize extra match");
1061  type = 2;
1062  value = s->dsize_low;
1063 #ifdef NONPF_PKT_STATS
1064  nonpf_pkt_dsize++;
1065 #endif
1066  } else if (s->dp != NULL && s->dp->next == NULL && s->dp->port == s->dp->port2) {
1067  type = 1;
1068  value = s->dp->port;
1069 #ifdef NONPF_PKT_STATS
1070  nonpf_pkt_dport++;
1071 #endif
1072  } else {
1073  type = 0;
1074  value = s->alproto;
1075 #ifdef NONPF_PKT_STATS
1076  nonpf_pkt_alproto++;
1077 #endif
1078  }
1079 
1080  pkt_non_pf_array[pkt_non_pf_array_size].sid = s->iid;
1081  pkt_non_pf_array[pkt_non_pf_array_size].value = value;
1082  pkt_non_pf_array[pkt_non_pf_array_size].type = type;
1083  pkt_non_pf_array[pkt_non_pf_array_size].pkt.sig_mask = s->mask;
1084  pkt_non_pf_array_size++;
1085 
1086  if (pkt_mask_init) {
1087  pkt_mask &= s->mask;
1088  } else {
1089  pkt_mask = s->mask;
1090  pkt_mask_init = true;
1091  }
1092  }
1093  }
1094 
1095  /* for each unique sig set, add an engine */
1096  for (HashListTableBucket *b = HashListTableGetListHead(tx_engines_hash); b != NULL;
1097  b = HashListTableGetListNext(b)) {
1098  struct TxNonPFData *t = HashListTableGetListData(b);
1099  SCLogDebug("%s engine for %s hook %d has %u non-pf sigs",
1100  t->dir == 0 ? "toserver" : "toclient", AppProtoToString(t->alproto), t->progress,
1101  t->sigs_cnt);
1102 
1103  if (((sgh->init->direction & SIG_FLAG_TOSERVER) && t->dir == 1) ||
1104  ((sgh->init->direction & SIG_FLAG_TOCLIENT) && t->dir == 0)) {
1105  SCLogDebug("skipped");
1106  continue;
1107  }
1108 
1109  /* register special progress value to indicate we need to run it all the time */
1110  int engine_progress = t->progress;
1111  if (t->sig_list == app_state_list_id) {
1112  SCLogDebug("engine %s for state list", t->engine_name);
1113  engine_progress = -1;
1114  }
1115 
1116  struct PrefilterNonPFDataTx *data =
1117  SCCalloc(1, sizeof(*data) + t->sigs_cnt * sizeof(data->array[0]));
1118  if (data == NULL)
1119  goto error;
1120  data->size = t->sigs_cnt;
1121  for (uint32_t i = 0; i < t->sigs_cnt; i++) {
1122  data->array[i] = t->sigs[i].sid;
1123  }
1124  if (PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxNonPF, t->alproto, engine_progress,
1125  (void *)data, PrefilterNonPFDataFree, t->engine_name) < 0) {
1126  SCFree(data);
1127  goto error;
1128  }
1129  }
1130  HashListTableFree(tx_engines_hash);
1131  tx_engines_hash = NULL;
1132 
1133  if (pkt_non_pf_array_size) {
1134  struct PrefilterNonPFData *data =
1135  SCCalloc(1, sizeof(*data) + pkt_non_pf_array_size * sizeof(data->array[0]));
1136  if (data == NULL)
1137  goto error;
1138  data->size = pkt_non_pf_array_size;
1139  memcpy((uint8_t *)&data->array, pkt_non_pf_array,
1140  pkt_non_pf_array_size * sizeof(data->array[0]));
1141  enum SignatureHookPkt hook = SIGNATURE_HOOK_PKT_NOT_SET; // TODO review
1142  if (PrefilterAppendEngine(de_ctx, sgh, PrefilterPktNonPF, pkt_mask, hook, (void *)data,
1143  PrefilterNonPFDataFree, "packet:non_pf") < 0) {
1144  SCFree(data);
1145  goto error;
1146  }
1147  }
1148  if (pkt_hook_flow_start_non_pf_array_size) {
1149  struct PrefilterNonPFData *data = SCCalloc(
1150  1, sizeof(*data) + pkt_hook_flow_start_non_pf_array_size * sizeof(data->array[0]));
1151  if (data == NULL)
1152  goto error;
1153  data->size = pkt_hook_flow_start_non_pf_array_size;
1154  memcpy((uint8_t *)&data->array, pkt_hook_flow_start_non_pf_array,
1155  pkt_hook_flow_start_non_pf_array_size * sizeof(data->array[0]));
1156  SCLogDebug("packet:flow_start:non_pf added with %u rules", data->size);
1157  enum SignatureHookPkt hook = SIGNATURE_HOOK_PKT_FLOW_START;
1158  if (PrefilterAppendEngine(de_ctx, sgh,
1159  PrefilterPktNonPFHookFlowStart, // TODO no longer needed to have a dedicated
1160  // callback
1161  pkt_hook_flow_start_mask, hook, (void *)data, PrefilterNonPFDataFree,
1162  "packet:flow_start:non_pf") < 0) {
1163  SCFree(data);
1164  goto error;
1165  }
1166  }
1167  if (frame_non_pf_array_size) {
1168  SCLogDebug("%u frame non-pf sigs", frame_non_pf_array_size);
1169  struct PrefilterNonPFData *data =
1170  SCCalloc(1, sizeof(*data) + frame_non_pf_array_size * sizeof(data->array[0]));
1171  if (data == NULL)
1172  goto error;
1173  data->size = frame_non_pf_array_size;
1174  memcpy((uint8_t *)&data->array, frame_non_pf_array,
1175  frame_non_pf_array_size * sizeof(data->array[0]));
1176  if (PrefilterAppendFrameEngine(de_ctx, sgh, PrefilterFrameNonPF, ALPROTO_UNKNOWN,
1177  FRAME_ANY_TYPE, (void *)data, PrefilterNonPFDataFree, "frame:non_pf") < 0) {
1178  SCFree(data);
1179  goto error;
1180  }
1181  }
1182 
1183  SCFree(pkt_hook_flow_start_non_pf_array);
1184  pkt_hook_flow_start_non_pf_array = NULL;
1185  SCFree(pkt_non_pf_array);
1186  pkt_non_pf_array = NULL;
1187  SCFree(frame_non_pf_array);
1188  frame_non_pf_array = NULL;
1189  return 0;
1190 
1191 error:
1192  if (tx_engines_hash) {
1193  HashListTableFree(tx_engines_hash);
1194  }
1195  SCFree(pkt_hook_flow_start_non_pf_array);
1196  SCFree(pkt_non_pf_array);
1197  SCFree(frame_non_pf_array);
1198  return -1;
1199 }
1200 
1201 int PrefilterSetupRuleGroup(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
1202 {
1203  int r = PatternMatchPrepareGroup(de_ctx, sgh);
1204  if (r != 0) {
1205  FatalError("failed to set up pattern matching");
1206  }
1207 
1208  /* set up engines if needed - when prefilter is set to auto we run
1209  * all engines, otherwise only those that have been forced by the
1210  * prefilter keyword. */
1211  const enum DetectEnginePrefilterSetting setting = de_ctx->prefilter_setting;
1212  for (int i = 0; i < DETECT_TBLSIZE; i++) {
1213  if (sigmatch_table[i].SetupPrefilter != NULL &&
1214  (setting == DETECT_PREFILTER_AUTO || de_ctx->sm_types_prefilter[i])) {
1215  sigmatch_table[i].SetupPrefilter(de_ctx, sgh);
1216  }
1217  }
1218 
1219  if (SetupNonPrefilter(de_ctx, sgh) != 0) {
1220  return -1;
1221  }
1222 
1223  /* we have lists of engines in sgh->init now. Lets setup the
1224  * match arrays */
1225  PrefilterEngineList *el;
1226  if (sgh->init->pkt_engines != NULL) {
1227  uint32_t cnt = 0;
1228  for (el = sgh->init->pkt_engines ; el != NULL; el = el->next) {
1229  cnt++;
1230  }
1231  sgh->pkt_engines = SCMallocAligned(cnt * sizeof(PrefilterEngine), CLS);
1232  if (sgh->pkt_engines == NULL) {
1233  return -1;
1234  }
1235  memset(sgh->pkt_engines, 0x00, (cnt * sizeof(PrefilterEngine)));
1236 
1237  PrefilterEngine *e = sgh->pkt_engines;
1238  for (el = sgh->init->pkt_engines ; el != NULL; el = el->next) {
1239  e->local_id = el->id;
1240  e->cb.Prefilter = el->Prefilter;
1241  e->ctx.pkt.mask = el->pkt_mask;
1242  // TODO right now we represent the hook in a u8 in the prefilter engine for space
1243  // reasons.
1244  BUG_ON(el->pkt_hook >= 8);
1245  e->ctx.pkt.hook = (uint8_t)el->pkt_hook;
1246  e->pectx = el->pectx;
1247  el->pectx = NULL; // e now owns the ctx
1248  e->gid = el->gid;
1249  if (el->next == NULL) {
1250  e->is_last = true;
1251  }
1252  e++;
1253  }
1254  }
1255  if (sgh->init->payload_engines != NULL) {
1256  uint32_t cnt = 0;
1257  for (el = sgh->init->payload_engines ; el != NULL; el = el->next) {
1258  cnt++;
1259  }
1260  sgh->payload_engines = SCMallocAligned(cnt * sizeof(PrefilterEngine), CLS);
1261  if (sgh->payload_engines == NULL) {
1262  return -1;
1263  }
1264  memset(sgh->payload_engines, 0x00, (cnt * sizeof(PrefilterEngine)));
1265 
1266  PrefilterEngine *e = sgh->payload_engines;
1267  for (el = sgh->init->payload_engines ; el != NULL; el = el->next) {
1268  e->local_id = el->id;
1269  e->cb.Prefilter = el->Prefilter;
1270  e->ctx.pkt.mask = el->pkt_mask;
1271  // TODO right now we represent the hook in a u8 in the prefilter engine for space
1272  // reasons.
1273  BUG_ON(el->pkt_hook >= 8);
1274  e->ctx.pkt.hook = (uint8_t)el->pkt_hook;
1275  e->pectx = el->pectx;
1276  el->pectx = NULL; // e now owns the ctx
1277  e->gid = el->gid;
1278  if (el->next == NULL) {
1279  e->is_last = true;
1280  }
1281  e++;
1282  }
1283  }
1284  if (sgh->init->tx_engines != NULL) {
1285  uint32_t cnt = 0;
1286  for (el = sgh->init->tx_engines ; el != NULL; el = el->next) {
1287  cnt++;
1288  }
1289  sgh->tx_engines = SCMallocAligned(cnt * sizeof(PrefilterEngine), CLS);
1290  if (sgh->tx_engines == NULL) {
1291  return -1;
1292  }
1293  memset(sgh->tx_engines, 0x00, (cnt * sizeof(PrefilterEngine)));
1294 
1295  uint16_t local_id = 0;
1296  PrefilterEngine *e = sgh->tx_engines;
1297  for (el = sgh->init->tx_engines ; el != NULL; el = el->next) {
1298  e->local_id = local_id++;
1299  e->alproto = el->alproto;
1300  e->ctx.tx_min_progress = el->tx_min_progress;
1301  e->cb.PrefilterTx = el->PrefilterTx;
1302  e->pectx = el->pectx;
1303  el->pectx = NULL; // e now owns the ctx
1304  e->gid = el->gid;
1305  e++;
1306  }
1307 
1308  /* sort by tx_min_progress, then alproto, then local_id */
1309  qsort(sgh->tx_engines, local_id, sizeof(PrefilterEngine),
1310  PrefilterSetupRuleGroupSortHelper);
1311  sgh->tx_engines[local_id - 1].is_last = true;
1312  sgh->tx_engines[local_id - 1].is_last_for_progress = true;
1313 
1314  PrefilterEngine *engine;
1315 
1316  /* per alproto to set is_last_for_progress per alproto because the inspect
1317  * loop skips over engines that are not the correct alproto */
1318  for (AppProto a = ALPROTO_FAILED + 1; a < g_alproto_max; a++) {
1319  int last_tx_progress = 0;
1320  bool last_tx_progress_set = false;
1321  PrefilterEngine *prev_engine = NULL;
1322  engine = sgh->tx_engines;
1323  do {
1324  if (engine->ctx.tx_min_progress != -1)
1325  BUG_ON(engine->ctx.tx_min_progress < last_tx_progress);
1326  if (engine->alproto == a) {
1327  if (last_tx_progress_set && engine->ctx.tx_min_progress > last_tx_progress) {
1328  if (prev_engine) {
1329  prev_engine->is_last_for_progress = true;
1330  }
1331  }
1332 
1333  last_tx_progress_set = true;
1334  prev_engine = engine;
1335  } else {
1336  if (prev_engine) {
1337  prev_engine->is_last_for_progress = true;
1338  }
1339  }
1340  last_tx_progress = engine->ctx.tx_min_progress;
1341  if (engine->is_last)
1342  break;
1343  engine++;
1344  } while (1);
1345  }
1346 #ifdef DEBUG
1347  SCLogDebug("sgh %p", sgh);
1348  engine = sgh->tx_engines;
1349  do {
1350  SCLogDebug("engine: gid %u alproto %s tx_min_progress %d is_last %s "
1351  "is_last_for_progress %s",
1352  engine->gid, AppProtoToString(engine->alproto), engine->ctx.tx_min_progress,
1353  engine->is_last ? "true" : "false",
1354  engine->is_last_for_progress ? "true" : "false");
1355  if (engine->is_last)
1356  break;
1357  engine++;
1358  } while (1);
1359 #endif
1360  }
1361  if (sgh->init->frame_engines != NULL) {
1362  uint32_t cnt = 0;
1363  for (el = sgh->init->frame_engines; el != NULL; el = el->next) {
1364  cnt++;
1365  }
1366  sgh->frame_engines = SCMallocAligned(cnt * sizeof(PrefilterEngine), CLS);
1367  if (sgh->frame_engines == NULL) {
1368  return -1;
1369  }
1370  memset(sgh->frame_engines, 0x00, (cnt * sizeof(PrefilterEngine)));
1371 
1372  PrefilterEngine *e = sgh->frame_engines;
1373  for (el = sgh->init->frame_engines; el != NULL; el = el->next) {
1374  e->local_id = el->id;
1375  e->ctx.frame_type = el->frame_type;
1376  e->cb.PrefilterFrame = el->PrefilterFrame;
1377  e->alproto = el->alproto;
1378  e->pectx = el->pectx;
1379  el->pectx = NULL; // e now owns the ctx
1380  e->gid = el->gid;
1381  if (el->next == NULL) {
1382  e->is_last = true;
1383  }
1384  e++;
1385  }
1386  }
1387 
1388  if (sgh->init->post_rule_match_engines != NULL) {
1389  uint32_t cnt = 0;
1390  for (el = sgh->init->post_rule_match_engines; el != NULL; el = el->next) {
1391  cnt++;
1392  }
1393  sgh->post_rule_match_engines = SCMallocAligned(cnt * sizeof(PrefilterEngine), CLS);
1394  if (sgh->post_rule_match_engines == NULL) {
1395  return -1;
1396  }
1397  memset(sgh->post_rule_match_engines, 0x00, (cnt * sizeof(PrefilterEngine)));
1398 
1399  uint16_t local_id = 0;
1400  PrefilterEngine *e = sgh->post_rule_match_engines;
1401  for (el = sgh->init->post_rule_match_engines; el != NULL; el = el->next) {
1402  e->local_id = local_id++;
1403  e->cb.PrefilterPostRule = el->PrefilterPostRule;
1404  e->pectx = el->pectx;
1405  el->pectx = NULL; // e now owns the ctx
1406  e->gid = el->gid;
1407  e->is_last = (el->next == NULL);
1408  e++;
1409  }
1410  SCLogDebug("sgh %p max local_id %u", sgh, local_id);
1411  }
1412 
1413  return 0;
1414 }
1415 
1416 /* hash table for assigning a unique id to each engine type. */
1417 
1418 static uint32_t PrefilterStoreHashFunc(HashListTable *ht, void *data, uint16_t datalen)
1419 {
1420  PrefilterStore *ctx = data;
1421 
1422  uint32_t hash = (uint32_t)strlen(ctx->name);
1423 
1424  for (size_t u = 0; u < strlen(ctx->name); u++) {
1425  hash += ctx->name[u];
1426  }
1427 
1428  hash %= ht->array_size;
1429  return hash;
1430 }
1431 
1432 static char PrefilterStoreCompareFunc(void *data1, uint16_t len1,
1433  void *data2, uint16_t len2)
1434 {
1435  PrefilterStore *ctx1 = data1;
1436  PrefilterStore *ctx2 = data2;
1437  return (strcmp(ctx1->name, ctx2->name) == 0);
1438 }
1439 
1440 static void PrefilterStoreFreeFunc(void *ptr)
1441 {
1442  SCFree(ptr);
1443 }
1444 
1445 void PrefilterDeinit(DetectEngineCtx *de_ctx)
1446 {
1447  if (de_ctx->prefilter_hash_table != NULL) {
1448  HashListTableFree(de_ctx->prefilter_hash_table);
1449  }
1450 }
1451 
1452 void PrefilterInit(DetectEngineCtx *de_ctx)
1453 {
1454  BUG_ON(de_ctx->prefilter_hash_table != NULL);
1455 
1456  de_ctx->prefilter_hash_table = HashListTableInit(256,
1457  PrefilterStoreHashFunc,
1458  PrefilterStoreCompareFunc,
1459  PrefilterStoreFreeFunc);
1460  BUG_ON(de_ctx->prefilter_hash_table == NULL);
1461 }
1462 
1463 static int PrefilterStoreGetId(DetectEngineCtx *de_ctx,
1464  const char *name, void (*FreeFunc)(void *))
1465 {
1466  PrefilterStore ctx = { name, FreeFunc, 0 };
1467 
1468  BUG_ON(de_ctx->prefilter_hash_table == NULL);
1469 
1470  SCLogDebug("looking up %s", name);
1471 
1472  PrefilterStore *rctx = HashListTableLookup(de_ctx->prefilter_hash_table, (void *)&ctx, 0);
1473  if (rctx != NULL) {
1474  return rctx->id;
1475  }
1476 
1477  PrefilterStore *actx = SCCalloc(1, sizeof(*actx));
1478  if (actx == NULL) {
1479  return -1;
1480  }
1481 
1482  actx->name = name;
1483  actx->FreeFunc = FreeFunc;
1484  actx->id = de_ctx->prefilter_id++;
1485  SCLogDebug("prefilter engine %s has profile id %u", actx->name, actx->id);
1486 
1487  int ret = HashListTableAdd(de_ctx->prefilter_hash_table, actx, 0);
1488  if (ret != 0) {
1489  SCFree(actx);
1490  return -1;
1491  }
1492 
1493  int r = actx->id;
1494  return r;
1495 }
1496 
1497 /** \warning slow */
1498 static const PrefilterStore *PrefilterStoreGetStore(const DetectEngineCtx *de_ctx,
1499  const uint32_t id)
1500 {
1501 
1502  const PrefilterStore *store = NULL;
1503  if (de_ctx->prefilter_hash_table != NULL) {
1504  HashListTableBucket *hb = HashListTableGetListHead(de_ctx->prefilter_hash_table);
1505  for ( ; hb != NULL; hb = HashListTableGetListNext(hb)) {
1506  PrefilterStore *ctx = HashListTableGetListData(hb);
1507  if (ctx->id == id) {
1508  store = ctx;
1509  break;
1510  }
1511  }
1512  }
1513  return store;
1514 }
1515 
1516 #include "util-print.h"
1517 
1518 typedef struct PrefilterMpmCtx {
1519  int list_id;
1520  union {
1521  InspectionBufferGetDataPtr GetData;
1522  InspectionSingleBufferGetDataPtr GetDataSingle;
1523  };
1524  const MpmCtx *mpm_ctx;
1525  const DetectEngineTransforms *transforms;
1526 } PrefilterMpmCtx;
1527 
1528 /** \brief Generic Mpm prefilter callback for simple InspectionSingleBufferGetDataPtr
1529  *
1530  * \param det_ctx detection engine thread ctx
1531  * \param p packet to inspect
1532  * \param f flow to inspect
1533  * \param txv tx to inspect
1534  * \param pectx inspection context
1535  */
1536 static void PrefilterMpmTxSingle(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
1537  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
1538 {
1539  SCEnter();
1540 
1541  const PrefilterMpmCtx *ctx = (const PrefilterMpmCtx *)pectx;
1542  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
1543  SCLogDebug("running on list %d", ctx->list_id);
1544 
1545  InspectionBuffer *buffer = DetectGetSingleData(
1546  det_ctx, ctx->transforms, f, flags, txv, ctx->list_id, ctx->GetDataSingle);
1547  if (buffer == NULL)
1548  return;
1549 
1550  const uint32_t data_len = buffer->inspect_len;
1551  const uint8_t *data = buffer->inspect;
1552 
1553  SCLogDebug("mpm'ing buffer:");
1554  // PrintRawDataFp(stdout, data, data_len);
1555 
1556  if (data != NULL && data_len >= mpm_ctx->minlen) {
1557  (void)mpm_table[mpm_ctx->mpm_type].Search(
1558  mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, data, data_len);
1559  PREFILTER_PROFILING_ADD_BYTES(det_ctx, data_len);
1560  }
1561 }
1562 
1563 /** \brief Generic Mpm prefilter callback
1564  *
1565  * \param det_ctx detection engine thread ctx
1566  * \param p packet to inspect
1567  * \param f flow to inspect
1568  * \param txv tx to inspect
1569  * \param pectx inspection context
1570  */
1571 static void PrefilterMpm(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f,
1572  void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
1573 {
1574  SCEnter();
1575 
1576  const PrefilterMpmCtx *ctx = (const PrefilterMpmCtx *)pectx;
1577  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
1578  SCLogDebug("running on list %d", ctx->list_id);
1579 
1580  InspectionBuffer *buffer = ctx->GetData(det_ctx, ctx->transforms, f, flags, txv, ctx->list_id);
1581  if (buffer == NULL)
1582  return;
1583 
1584  const uint32_t data_len = buffer->inspect_len;
1585  const uint8_t *data = buffer->inspect;
1586 
1587  SCLogDebug("mpm'ing buffer:");
1588  //PrintRawDataFp(stdout, data, data_len);
1589 
1590  if (data != NULL && data_len >= mpm_ctx->minlen) {
1591  (void)mpm_table[mpm_ctx->mpm_type].Search(
1592  mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, data, data_len);
1593  PREFILTER_PROFILING_ADD_BYTES(det_ctx, data_len);
1594  }
1595 }
1596 
1597 static void PrefilterGenericMpmFree(void *ptr)
1598 {
1599  SCFree(ptr);
1600 }
1601 
1602 int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx,
1603  const DetectBufferMpmRegistry *mpm_reg, int list_id)
1604 {
1605  SCEnter();
1606  PrefilterMpmCtx *pectx = SCCalloc(1, sizeof(*pectx));
1607  if (pectx == NULL)
1608  return -1;
1609  pectx->list_id = list_id;
1610  pectx->GetData = mpm_reg->app_v2.GetData;
1611  pectx->mpm_ctx = mpm_ctx;
1612  pectx->transforms = &mpm_reg->transforms;
1613 
1614  int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpm,
1615  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
1616  pectx, PrefilterGenericMpmFree, mpm_reg->pname);
1617  if (r != 0) {
1618  SCFree(pectx);
1619  }
1620  return r;
1621 }
1622 
1623 int PrefilterSingleMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx,
1624  const DetectBufferMpmRegistry *mpm_reg, int list_id)
1625 {
1626  SCEnter();
1627  PrefilterMpmCtx *pectx = SCCalloc(1, sizeof(*pectx));
1628  if (pectx == NULL)
1629  return -1;
1630  pectx->list_id = list_id;
1631  pectx->GetDataSingle = mpm_reg->app_v2.GetDataSingle;
1632  pectx->mpm_ctx = mpm_ctx;
1633  pectx->transforms = &mpm_reg->transforms;
1634 
1635  int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmTxSingle, mpm_reg->app_v2.alproto,
1636  mpm_reg->app_v2.tx_min_progress, pectx, PrefilterGenericMpmFree, mpm_reg->pname);
1637  if (r != 0) {
1638  SCFree(pectx);
1639  }
1640  return r;
1641 }
1642 
1643 static void PrefilterMultiGenericMpmFree(void *ptr)
1644 {
1645  // PrefilterMpmListId
1646  SCFree(ptr);
1647 }
1648 
1649 static void PrefilterMultiMpm(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f,
1650  void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
1651 {
1652  SCEnter();
1653 
1654  const PrefilterMpmListId *ctx = (const PrefilterMpmListId *)pectx;
1655  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
1656  SCLogDebug("running on list %d", ctx->list_id);
1657  uint32_t local_id = 0;
1658 
1659  do {
1660  // loop until we get a NULL
1661  InspectionBuffer *buffer = DetectGetMultiData(
1662  det_ctx, ctx->transforms, f, flags, txv, ctx->list_id, local_id, ctx->GetData);
1663  if (buffer == NULL)
1664  break;
1665 
1666  if (buffer->inspect_len >= mpm_ctx->minlen) {
1667  (void)mpm_table[mpm_ctx->mpm_type].Search(
1668  mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, buffer->inspect, buffer->inspect_len);
1669  PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
1670  }
1671 
1672  local_id++;
1673  } while (1);
1674 }
1675 
1676 int PrefilterMultiGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx,
1677  const DetectBufferMpmRegistry *mpm_reg, int list_id)
1678 {
1679  SCEnter();
1680  PrefilterMpmListId *pectx = SCCalloc(1, sizeof(*pectx));
1681  if (pectx == NULL)
1682  return -1;
1683  pectx->list_id = list_id;
1684  pectx->GetData = mpm_reg->app_v2.GetMultiData;
1685  pectx->mpm_ctx = mpm_ctx;
1686  pectx->transforms = &mpm_reg->transforms;
1687 
1688  int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMultiMpm, mpm_reg->app_v2.alproto,
1689  mpm_reg->app_v2.tx_min_progress, pectx, PrefilterMultiGenericMpmFree, mpm_reg->pname);
1690  if (r != 0) {
1691  SCFree(pectx);
1692  }
1693  return r;
1694 }
1695 
1696 /* generic mpm for pkt engines */
1697 
1698 typedef struct PrefilterMpmPktCtx {
1699  int list_id;
1700  InspectionBufferGetPktDataPtr GetData;
1701  const MpmCtx *mpm_ctx;
1702  const DetectEngineTransforms *transforms;
1703 } PrefilterMpmPktCtx;
1704 
1705 /** \brief Generic Mpm prefilter callback
1706  *
1707  * \param det_ctx detection engine thread ctx
1708  * \param p packet to inspect
1709  * \param f flow to inspect
1710  * \param txv tx to inspect
1711  * \param pectx inspection context
1712  */
1713 static void PrefilterMpmPkt(DetectEngineThreadCtx *det_ctx,
1714  Packet *p, const void *pectx)
1715 {
1716  SCEnter();
1717 
1718  const PrefilterMpmPktCtx *ctx = (const PrefilterMpmPktCtx *)pectx;
1719  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
1720  SCLogDebug("running on list %d", ctx->list_id);
1721 
1722  InspectionBuffer *buffer = ctx->GetData(det_ctx, ctx->transforms,
1723  p, ctx->list_id);
1724  if (buffer == NULL)
1725  return;
1726 
1727  const uint32_t data_len = buffer->inspect_len;
1728  const uint8_t *data = buffer->inspect;
1729 
1730  SCLogDebug("mpm'ing buffer:");
1731  //PrintRawDataFp(stdout, data, data_len);
1732 
1733  if (data != NULL && data_len >= mpm_ctx->minlen) {
1734  (void)mpm_table[mpm_ctx->mpm_type].Search(
1735  mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, data, data_len);
1736  PREFILTER_PROFILING_ADD_BYTES(det_ctx, data_len);
1737  }
1738 }
1739 
1740 static void PrefilterMpmPktFree(void *ptr)
1741 {
1742  SCFree(ptr);
1743 }
1744 
1745 int PrefilterGenericMpmPktRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx,
1746  const DetectBufferMpmRegistry *mpm_reg, int list_id)
1747 {
1748  SCEnter();
1749  PrefilterMpmPktCtx *pectx = SCCalloc(1, sizeof(*pectx));
1750  if (pectx == NULL)
1751  return -1;
1752  pectx->list_id = list_id;
1753  pectx->GetData = mpm_reg->pkt_v1.GetData;
1754  pectx->mpm_ctx = mpm_ctx;
1755  pectx->transforms = &mpm_reg->transforms;
1756 
1757  enum SignatureHookPkt hook = SIGNATURE_HOOK_PKT_NOT_SET; // TODO review
1758  int r = PrefilterAppendEngine(
1759  de_ctx, sgh, PrefilterMpmPkt, 0, hook, pectx, PrefilterMpmPktFree, mpm_reg->pname);
1760  if (r != 0) {
1761  SCFree(pectx);
1762  }
1763  return r;
1764 }
1765 
1766 #define QUEUE_STEP 16
1767 
1768 void PostRuleMatchWorkQueueAppend(
1769  DetectEngineThreadCtx *det_ctx, const Signature *s, const int type, const uint32_t value)
1770 {
1771  if (det_ctx->post_rule_work_queue.q == NULL) {
1772  det_ctx->post_rule_work_queue.q =
1773  SCCalloc(1, sizeof(PostRuleMatchWorkQueueItem) * QUEUE_STEP);
1774  if (det_ctx->post_rule_work_queue.q == NULL) {
1775  DetectEngineSetEvent(det_ctx, DETECT_EVENT_POST_MATCH_QUEUE_FAILED);
1776  return;
1777  }
1778  det_ctx->post_rule_work_queue.size = QUEUE_STEP;
1779  } else if (det_ctx->post_rule_work_queue.len == det_ctx->post_rule_work_queue.size) {
1780  void *ptr = SCRealloc(
1781  det_ctx->post_rule_work_queue.q, (det_ctx->post_rule_work_queue.size + QUEUE_STEP) *
1782  sizeof(PostRuleMatchWorkQueueItem));
1783  if (ptr == NULL) {
1784  DetectEngineSetEvent(det_ctx, DETECT_EVENT_POST_MATCH_QUEUE_FAILED);
1785  return;
1786  }
1787  det_ctx->post_rule_work_queue.q = ptr;
1788  det_ctx->post_rule_work_queue.size += QUEUE_STEP;
1789  }
1790  det_ctx->post_rule_work_queue.q[det_ctx->post_rule_work_queue.len].sm_type = type;
1791  det_ctx->post_rule_work_queue.q[det_ctx->post_rule_work_queue.len].value = value;
1792 #ifdef DEBUG
1793  det_ctx->post_rule_work_queue.q[det_ctx->post_rule_work_queue.len].id = s->iid;
1794 #endif
1795  det_ctx->post_rule_work_queue.len++;
1796  SCLogDebug("det_ctx->post_rule_work_queue.len %u", det_ctx->post_rule_work_queue.len);
1797 }
HashListTableGetListData
#define HashListTableGetListData(hb)
Definition: util-hashlist.h:56
PrefilterGenericMpmPktRegister
int PrefilterGenericMpmPktRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:1745
detect-engine-uint.h
PrefilterEngineList_::frame_type
uint8_t frame_type
Definition: detect.h:1588
SigGroupHead_::tx_engines
PrefilterEngine * tx_engines
Definition: detect.h:1691
DetectEngineAppInspectionEngine_
Definition: detect.h:416
DetectGetMultiData
InspectionBuffer * DetectGetMultiData(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id, uint32_t index, InspectionMultiBufferGetDataPtr GetBuf)
Definition: detect-engine.c:2186
Packet_::proto
uint8_t proto
Definition: decode.h:536
util-hash-string.h
DetectTransaction_::tx_data_ptr
struct AppLayerTxData * tx_data_ptr
Definition: detect-engine-prefilter.h:34
PrefilterEngineList_::Prefilter
PrefilterPktFn Prefilter
Definition: detect.h:1598
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:99
detect-engine.h
PrefilterNonPFDataSig::sid
uint32_t sid
Definition: detect-engine-prefilter.c:537
PrefilterEngine_::PrefilterPostRule
void(* PrefilterPostRule)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f)
Definition: detect.h:1642
SIG_FLAG_FW_HOOK_LTE
#define SIG_FLAG_FW_HOOK_LTE
Definition: detect.h:251
DetectGetSingleData
InspectionBuffer * DetectGetSingleData(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id, InspectionSingleBufferGetDataPtr GetBuf)
Definition: detect-engine.c:2169
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
PostRuleMatchWorkQueueAppend
void PostRuleMatchWorkQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, const int type, const uint32_t value)
Definition: detect-engine-prefilter.c:1768
AppLayerParserGetStateNameById
const char * AppLayerParserGetStateNameById(uint8_t ipproto, AppProto alproto, const int id, const uint8_t direction)
Definition: app-layer-parser.c:1642
SignatureHook_::sm_list
int sm_list
Definition: detect.h:577
PatternMatchPrepareGroup
int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
Prepare the pattern matcher ctx in a sig group head.
Definition: detect-engine-mpm.c:2353
PrefilterMpmPktCtx
struct PrefilterMpmPktCtx PrefilterMpmPktCtx
PrefilterStore_::FreeFunc
void(* FreeFunc)(void *)
Definition: detect-engine-prefilter.h:50
DetectEngineAppHookToSmlist
int DetectEngineAppHookToSmlist(const AppProto p, const uint8_t state, const int direction)
get the sm_list for a app hook
Definition: detect-engine.c:798
PostRuleMatchWorkQueue::len
uint32_t len
Definition: detect.h:1274
PostRuleMatchWorkQueueItem::sm_type
int sm_type
Definition: detect.h:1263
PREFILTER_PROFILING_END
#define PREFILTER_PROFILING_END(ctx, profile_id)
Definition: util-profiling.h:276
PrefilterStore_
Definition: detect-engine-prefilter.h:48
CLS
#define CLS
Definition: suricata-common.h:77
PrefilterRuleStore_::rule_id_array_cnt
uint32_t rule_id_array_cnt
Definition: util-prefilter.h:40
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1679
PostRuleMatchWorkQueueItem
Definition: detect.h:1262
PrefilterNonPFData::size
uint32_t size
Definition: detect-engine-prefilter.c:557
DetectEngineTransforms
Definition: detect.h:391
PrefilterEngineList_::id
uint16_t id
Definition: detect.h:1580
PROF_DETECT_PF_PAYLOAD
@ PROF_DETECT_PF_PAYLOAD
Definition: suricata-common.h:471
Signature_::app_progress_hook
uint8_t app_progress_hook
Definition: detect.h:712
BIT_U16
#define BIT_U16(n)
Definition: suricata-common.h:424
SignatureInitData_::prefilter_sm
SigMatch * prefilter_sm
Definition: detect.h:629
PcapPacketCntGet
uint64_t PcapPacketCntGet(const Packet *p)
Definition: decode.c:1175
Signature_::alproto
AppProto alproto
Definition: detect.h:680
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
QUEUE_STEP
#define QUEUE_STEP
Definition: detect-engine-prefilter.c:1766
TxNonPFData::progress
int progress
Definition: detect-engine-prefilter.c:706
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
DetectPort_::port
uint16_t port
Definition: detect.h:220
SignatureHook_::app
struct SignatureHook_::@87::@88 app
DetectBufferMpmRegistry_::app_v2
struct DetectBufferMpmRegistry_::@90::@92 app_v2
name
const char * name
Definition: detect-engine-proto.c:48
PrefilterSingleMpmRegister
int PrefilterSingleMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:1623
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:87
PrefilterMpmCtx::GetData
InspectionBufferGetDataPtr GetData
Definition: detect-engine-prefilter.c:1521
InspectionBuffer
Definition: detect-engine-inspect-buffer.h:34
SignatureHook_::t
union SignatureHook_::@87 t
PrefilterAppendEngine
int PrefilterAppendEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterPktFn PrefilterFunc, SignatureMask mask, enum SignatureHookPkt hook, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:285
Packet_::flags
uint32_t flags
Definition: decode.h:560
Frame
Definition: app-layer-frames.h:43
Flow_
Flow data structure.
Definition: flow.h:354
PrefilterEngine_::tx_min_progress
int8_t tx_min_progress
Definition: detect.h:1627
PREFILTER_PROFILING_START
#define PREFILTER_PROFILING_START(det_ctx)
Definition: util-profiling.h:260
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1399
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:41
ctx
struct Thresholds ctx
PrefilterEngineList_::name
const char * name
Definition: detect.h:1609
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:973
SIGNATURE_HOOK_PKT_NOT_SET
@ SIGNATURE_HOOK_PKT_NOT_SET
Definition: detect.h:540
HashListTableGetListHead
HashListTableBucket * HashListTableGetListHead(HashListTable *ht)
Definition: util-hashlist.c:287
DETECT_UINT_EQ
#define DETECT_UINT_EQ
Definition: detect-engine-uint.h:35
PrefilterNonPFData
Definition: detect-engine-prefilter.c:556
InspectionBufferGetPktDataPtr
InspectionBuffer *(* InspectionBufferGetPktDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)
Definition: detect.h:479
PrefilterEngine_::cb
union PrefilterEngine_::@105 cb
PrefilterDeinit
void PrefilterDeinit(DetectEngineCtx *de_ctx)
Definition: detect-engine-prefilter.c:1445
TxNonPFData::engine_name
const char * engine_name
Definition: detect-engine-prefilter.c:711
HashTable_
Definition: util-hash.h:35
DetectEngineSetEvent
void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e)
Definition: detect-engine.c:5128
Packet_::sig_mask
SignatureMask sig_mask
Definition: decode.h:551
Frames
Definition: app-layer-frames.h:58
DetectBufferMpmRegistry_
one time registration of keywords at start up
Definition: detect.h:770
DetectPort_::next
struct DetectPort_ * next
Definition: detect.h:233
PrefilterNonPFDataTx
Definition: detect-engine-prefilter.c:561
PrefilterMpmPktCtx
Definition: detect-engine-prefilter.c:1698
detect-engine-frame.h
SigGroupHead_::payload_engines
PrefilterEngine * payload_engines
Definition: detect.h:1690
DetectEngineCtx_::prefilter_setting
enum DetectEnginePrefilterSetting prefilter_setting
Definition: detect.h:1111
DetectBufferType_
Definition: detect.h:449
p
Packet * p
Definition: fuzz_iprep.c:21
PKT_NOPAYLOAD_INSPECTION
#define PKT_NOPAYLOAD_INSPECTION
Definition: decode.h:1290
PrefilterNonPFData::array
struct PrefilterNonPFDataSig array[]
Definition: detect-engine-prefilter.c:558
PostRuleMatchWorkQueue::size
uint32_t size
Definition: detect.h:1275
PACKET_PROFILING_DETECT_END
#define PACKET_PROFILING_DETECT_END(p, id)
Definition: util-profiling.h:221
HashListTableLookup
void * HashListTableLookup(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:245
TxNonPFData::sig_list
int sig_list
Definition: detect-engine-prefilter.c:707
PrefilterEngine_::local_id
uint16_t local_id
Definition: detect.h:1615
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:545
PrefilterEngineList_::Free
void(* Free)(void *pectx)
Definition: detect.h:1607
StringHashCompareFunc
char StringHashCompareFunc(void *data1, uint16_t datalen1, void *data2, uint16_t datalen2)
Definition: util-hash-string.c:38
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:271
PrefilterAppendFrameEngine
int PrefilterAppendFrameEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterFrameFn PrefilterFrameFunc, AppProto alproto, uint8_t frame_type, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:392
DetectBufferMpmRegistry_::transforms
DetectEngineTransforms transforms
Definition: detect.h:783
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:619
Signature_::dsize_low
uint16_t dsize_low
Definition: detect.h:682
DetectPort_::port2
uint16_t port2
Definition: detect.h:221
DetectEngineCtx_::non_pf_engine_names
HashTable * non_pf_engine_names
Definition: detect.h:1189
detect-engine-prefilter.h
PrefilterMultiGenericMpmRegister
int PrefilterMultiGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:1676
PrefilterNonPFDataSig::foo
uint8_t foo
Definition: detect-engine-prefilter.c:551
PrefilterStore_::id
uint32_t id
Definition: detect-engine-prefilter.h:51
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1339
HashListTableAdd
int HashListTableAdd(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:114
HashTable_::array_size
uint32_t array_size
Definition: util-hash.h:37
DetectBufferMpmRegistry_::pkt_v1
struct DetectBufferMpmRegistry_::@90::@93 pkt_v1
DETECT_PREFILTER_AUTO
@ DETECT_PREFILTER_AUTO
Definition: detect.h:905
HashListTable_::array_size
uint32_t array_size
Definition: util-hashlist.h:41
PrefilterEngine_::is_last_for_progress
bool is_last_for_progress
Definition: detect.h:1632
PROF_DETECT_PF_SORT1
@ PROF_DETECT_PF_SORT1
Definition: suricata-common.h:474
DetectEngineCtx_::prefilter_id
uint32_t prefilter_id
Definition: detect.h:1142
FRAME_ANY_TYPE
#define FRAME_ANY_TYPE
Definition: app-layer-frames.h:28
PrefilterEngineList_::next
struct PrefilterEngineList_ * next
Definition: detect.h:1604
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1494
SIGNATURE_HOOK_TYPE_APP
@ SIGNATURE_HOOK_TYPE_APP
Definition: detect.h:550
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:478
HashListTableGetListNext
#define HashListTableGetListNext(hb)
Definition: util-hashlist.h:55
PrefilterMpmListId
Definition: detect-engine-mpm.h:123
DetectEngineCtx_::prefilter_hash_table
HashListTable * prefilter_hash_table
Definition: detect.h:1143
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:270
app-layer-htp.h
HashListTableInit
HashListTable * HashListTableInit(uint32_t size, uint32_t(*Hash)(struct HashListTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
Definition: util-hashlist.c:35
DetectBufferMpmRegistry_::pname
char pname[DETECT_PROFILE_NAME_LEN]
Definition: detect.h:772
PrefilterEngineList_::pkt_hook
enum SignatureHookPkt pkt_hook
Definition: detect.h:1592
PrefilterEngineList_::alproto
AppProto alproto
Definition: detect.h:1583
SigGroupHeadInitData_::sig_cnt
SigIntId sig_cnt
Definition: detect.h:1672
AppLayerTxData
Definition: app-layer-parser.h:163
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:22
g_alproto_max
AppProto g_alproto_max
Definition: app-layer-protos.c:30
Prefilter
void Prefilter(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const uint8_t flags, const SignatureMask mask)
Definition: detect-engine-prefilter.c:219
DetectEngineThreadCtx_
Definition: detect.h:1291
PrefilterEngine_
Definition: detect.h:1614
SigGroupHeadInitData_::tx_engines
PrefilterEngineList * tx_engines
Definition: detect.h:1667
DetectTransaction_::detect_progress
uint8_t detect_progress
Definition: detect-engine-prefilter.h:39
SignatureInitData_::mpm_sm
SigMatch * mpm_sm
Definition: detect.h:627
DetectEngineGetMaxSigId
#define DetectEngineGetMaxSigId(de_ctx)
Definition: detect-engine.h:93
PROF_DETECT_PF_PKT
@ PROF_DETECT_PF_PKT
Definition: suricata-common.h:470
PrefilterEngineList_::PrefilterFrame
PrefilterFrameFn PrefilterFrame
Definition: detect.h:1600
PrefilterEngine_::ctx
union PrefilterEngine_::@104 ctx
PrefilterEngineList_::pectx
void * pectx
Definition: detect.h:1596
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:284
detect-engine-mpm.h
PrefilterEngineList_::PrefilterTx
PrefilterTxFn PrefilterTx
Definition: detect.h:1599
DetectEngineCtx_::sm_types_prefilter
bool * sm_types_prefilter
Definition: detect.h:1158
TxNonPFData
Definition: detect-engine-prefilter.c:703
SignatureHookPkt
SignatureHookPkt
Definition: detect.h:539
PrefilterEngineList_::gid
uint32_t gid
Definition: detect.h:1611
PrefilterMpmPktCtx::GetData
InspectionBufferGetPktDataPtr GetData
Definition: detect-engine-prefilter.c:1700
PKT_DETECT_HAS_STREAMDATA
#define PKT_DETECT_HAS_STREAMDATA
Definition: decode.h:1343
InspectionSingleBufferGetDataPtr
bool(* InspectionSingleBufferGetDataPtr)(const void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len)
Definition: detect-engine-helper.h:45
FLOW_PKT_TOCLIENT_FIRST
#define FLOW_PKT_TOCLIENT_FIRST
Definition: flow.h:235
PrefilterMpmCtx
struct PrefilterMpmCtx PrefilterMpmCtx
NONPF_PKT_STATS_INCR
#define NONPF_PKT_STATS_INCR(s)
Definition: detect-engine-prefilter.c:590
DetectEngineCtx_::frame_inspect_engines
DetectEngineFrameInspectionEngine * frame_inspect_engines
Definition: detect.h:1138
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:1602
PrefilterFrameFn
void(* PrefilterFrameFn)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, const struct Frames *frames, const struct Frame *frame)
Definition: detect.h:1572
HashTableAdd
int HashTableAdd(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash.c:132
PrefilterNonPFDataTx::array
uint32_t array[]
Definition: detect-engine-prefilter.c:563
SigGroupHead_::init
SigGroupHeadInitData * init
Definition: detect.h:1696
SignatureHook_::pkt
struct SignatureHook_::@87::@89 pkt
PrefilterMpmListId::transforms
const DetectEngineTransforms * transforms
Definition: detect-engine-mpm.h:127
app-layer-parser.h
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:108
Packet_::pkt_hooks
uint16_t pkt_hooks
Definition: decode.h:554
PrefilterNonPFDataSig::type
uint8_t type
Definition: detect-engine-prefilter.c:548
SignatureInitData_::hook
SignatureHook hook
Definition: detect.h:594
SigGroupHeadInitData_::direction
uint32_t direction
Definition: detect.h:1657
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:325
PrefilterEngine_::pkt
struct PrefilterEngine_::@104::@106 pkt
util-profiling.h
DetectTransaction_::tx_id
const uint64_t tx_id
Definition: detect-engine-prefilter.h:33
SigIntId
#define SigIntId
Definition: detect-engine-state.h:38
SCReturn
#define SCReturn
Definition: util-debug.h:286
PrefilterEngine_::alproto
AppProto alproto
Definition: detect.h:1618
Signature_::flags
uint32_t flags
Definition: detect.h:676
PrefilterMpmListId::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-engine-mpm.h:125
Packet_
Definition: decode.h:514
SCFreeAligned
#define SCFreeAligned(p)
Definition: util-mem.h:77
Flow_::type
uint8_t type
Definition: flow.h:361
type
uint16_t type
Definition: decode-vlan.c:106
DetectBufferType_::packet
bool packet
Definition: detect.h:455
DetectEngineFrameInspectionEngine
Definition: detect.h:509
DetectEngineBufferTypeGetById
const DetectBufferType * DetectEngineBufferTypeGetById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1359
PrefilterEngine_::PrefilterFrame
PrefilterFrameFn PrefilterFrame
Definition: detect.h:1641
PrefilterEngine_::frame_type
uint8_t frame_type
Definition: detect.h:1628
DetectBufferType_::name
char name[64]
Definition: detect.h:450
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:754
HashListTable_
Definition: util-hashlist.h:37
PrefilterTxFn
void(* PrefilterTxFn)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t tx_id, const AppLayerTxData *tx_data, const uint8_t flags)
Definition: detect.h:1576
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:186
SigGroupHead_::frame_engines
PrefilterEngine * frame_engines
Definition: detect.h:1692
PrefilterMpmCtx::list_id
int list_id
Definition: detect-engine-prefilter.c:1519
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition: detect.h:1395
Flow_::next
struct Flow_ * next
Definition: flow.h:401
PrefilterMpmPktCtx::list_id
int list_id
Definition: detect-engine-prefilter.c:1699
PrefilterAppendPayloadEngine
int PrefilterAppendPayloadEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterPktFn PrefilterFunc, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:323
PrefilterEngineList_::tx_min_progress
int8_t tx_min_progress
Definition: detect.h:1586
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
SIG_FLAG_MPM_NEG
#define SIG_FLAG_MPM_NEG
Definition: detect.h:256
SigGroupHeadInitData_::pkt_engines
PrefilterEngineList * pkt_engines
Definition: detect.h:1665
SigGroupHead_::post_rule_match_engines
PrefilterEngine * post_rule_match_engines
Definition: detect.h:1693
DetectBufferType_::frame
bool frame
Definition: detect.h:456
cnt
uint32_t cnt
Definition: tmqh-packetpool.h:7
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition: util-profiling.h:286
Packet_::flow
struct Flow_ * flow
Definition: decode.h:562
PrefilterNonPFDataSig::type
uint32_t type
Definition: detect-engine-prefilter.c:538
flags
uint8_t flags
Definition: decode-gre.h:0
PrefilterNonPFDataTx::size
uint32_t size
Definition: detect-engine-prefilter.c:562
suricata-common.h
SigGroupHeadInitData_::frame_engines
PrefilterEngineList * frame_engines
Definition: detect.h:1668
SigGroupHeadInitData_::payload_engines
PrefilterEngineList * payload_engines
Definition: detect.h:1666
PrefilterNonPFDataSig::sig_mask
SignatureMask sig_mask
Definition: detect-engine-prefilter.c:544
HashListTableFree
void HashListTableFree(HashListTable *ht)
Definition: util-hashlist.c:88
SigGroupHeadInitData_::match_array
Signature ** match_array
Definition: detect.h:1675
PROF_DETECT_PF_RECORD
@ PROF_DETECT_PF_RECORD
Definition: suricata-common.h:473
SCMallocAligned
#define SCMallocAligned(size, align)
Definition: util-mem.h:68
DetectEnginePrefilterSetting
DetectEnginePrefilterSetting
Definition: detect.h:903
SignatureHook_::type
enum SignatureHookType type
Definition: detect.h:576
DetectTransaction_
Definition: detect-engine-prefilter.h:31
PrefilterEngineList_::PrefilterPostRule
void(* PrefilterPostRule)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f)
Definition: detect.h:1601
PrefilterEngineList_
Definition: detect.h:1579
PrefilterCleanupRuleGroup
void PrefilterCleanupRuleGroup(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Definition: detect-engine-prefilter.c:496
PostRuleMatchWorkQueue::q
PostRuleMatchWorkQueueItem * q
Definition: detect.h:1273
PrefilterEngine_::gid
uint32_t gid
Definition: detect.h:1647
PrefilterNonPFDataSig::app
struct PrefilterNonPFDataSig::@53::@57 app
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
FatalError
#define FatalError(...)
Definition: util-debug.h:517
SIGNATURE_HOOK_TYPE_PKT
@ SIGNATURE_HOOK_TYPE_PKT
Definition: detect.h:549
PrefilterMpmPktCtx::transforms
const DetectEngineTransforms * transforms
Definition: detect-engine-prefilter.c:1702
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:355
PrefilterPktFn
void(* PrefilterPktFn)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
Definition: detect.h:1571
PrefilterMpmCtx
Definition: detect-engine-prefilter.c:1518
PrefilterMpmListId::GetData
InspectionMultiBufferGetDataPtr GetData
Definition: detect-engine-mpm.h:126
util-validate.h
DetectTransaction_::tx_ptr
void * tx_ptr
Definition: detect-engine-prefilter.h:32
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect-engine-inspect-buffer.h:37
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:654
DetectEngineCtx_::app_inspect_engines
DetectEngineAppInspectionEngine * app_inspect_engines
Definition: detect.h:1134
PrefilterEngine_::pectx
void * pectx
Definition: detect.h:1636
PrefilterAppendPostRuleEngine
int PrefilterAppendPostRuleEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterPostRuleFunc)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f), void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:427
Signature_::dp
DetectPort * dp
Definition: detect.h:726
PrefilterInit
void PrefilterInit(DetectEngineCtx *de_ctx)
Definition: detect-engine-prefilter.c:1452
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect-engine-inspect-buffer.h:35
PACKET_PROFILING_DETECT_START
#define PACKET_PROFILING_DETECT_START(p, id)
Definition: util-profiling.h:214
str
#define str(s)
Definition: suricata-common.h:316
PrefilterMpmCtx::transforms
const DetectEngineTransforms * transforms
Definition: detect-engine-prefilter.c:1525
DETECT_TBLSIZE
int DETECT_TBLSIZE
Definition: detect-engine-register.c:263
TxNonPFData::dir
int dir
Definition: detect-engine-prefilter.c:705
Signature_::iid
SigIntId iid
Definition: detect.h:687
TxNonPFData::sigs_cnt
uint32_t sigs_cnt
Definition: detect-engine-prefilter.c:709
PrefilterStore_::name
const char * name
Definition: detect-engine-prefilter.h:49
SCFree
#define SCFree(p)
Definition: util-mem.h:61
SigGroupHeadInitData_::post_rule_match_engines
PrefilterEngineList * post_rule_match_engines
Definition: detect.h:1669
Signature_::id
uint32_t id
Definition: detect.h:720
HashListTableBucket_
Definition: util-hashlist.h:28
PrefilterMpmPktCtx::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-engine-prefilter.c:1701
PrefilterNonPFDataSig
Definition: detect-engine-prefilter.c:536
SignatureInitDataBuffer_::id
uint32_t id
Definition: detect.h:526
Signature_
Signature container.
Definition: detect.h:675
PrefilterEngineList_::pkt_mask
SignatureMask pkt_mask
Definition: detect.h:1590
PrefilterMpmListId::list_id
int list_id
Definition: detect-engine-mpm.h:124
TxNonPFData::alproto
AppProto alproto
Definition: detect-engine-prefilter.c:704
HashTableInit
HashTable * HashTableInit(uint32_t size, uint32_t(*Hash)(struct HashTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
Definition: util-hash.c:35
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:33
PostRuleMatchWorkQueueItem::value
uint32_t value
Definition: detect.h:1264
Signature_::dsize_mode
uint8_t dsize_mode
Definition: detect.h:684
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:47
PrefilterSetupRuleGroup
int PrefilterSetupRuleGroup(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Definition: detect-engine-prefilter.c:1201
SIGNATURE_HOOK_PKT_FLOW_START
@ SIGNATURE_HOOK_PKT_FLOW_START
Definition: detect.h:541
PrefilterEngine_::is_last
bool is_last
Definition: detect.h:1631
suricata.h
InspectionBufferGetDataPtr
InspectionBuffer *(* InspectionBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)
Definition: detect-engine-helper.h:39
PrefilterPostRuleMatch
void PrefilterPostRuleMatch(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, Flow *f)
invoke post-rule match "prefilter" engines
Definition: detect-engine-prefilter.c:196
DetectGetInnerTx
void * DetectGetInnerTx(void *tx_ptr, AppProto alproto, AppProto engine_alproto, uint8_t flow_flags)
Definition: detect.c:1249
PrefilterNonPFDataSig::pkt
struct PrefilterNonPFDataSig::@53::@55 pkt
likely
#define likely(expr)
Definition: util-optimize.h:32
PrefilterMpmCtx::GetDataSingle
InspectionSingleBufferGetDataPtr GetDataSingle
Definition: detect-engine-prefilter.c:1522
PrefilterNonPFDataSig::value
uint16_t value
Definition: detect-engine-prefilter.c:539
PrefilterMpm
struct PrefilterMpm PrefilterMpm
SigGroupHead_::pkt_engines
PrefilterEngine * pkt_engines
Definition: detect.h:1689
PrefilterEngine_::Prefilter
PrefilterPktFn Prefilter
Definition: detect.h:1639
DetectTransaction_::tx_progress
const uint8_t tx_progress
Definition: detect-engine-prefilter.h:43
PrefilterEngine_::PrefilterTx
PrefilterTxFn PrefilterTx
Definition: detect.h:1640
MpmCtx_
Definition: util-mpm.h:97
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
Packet_::dp
Port dp
Definition: decode.h:529
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
PrefilterNonPFDataSig::frame
struct PrefilterNonPFDataSig::@53::@56 frame
PrefilterMpm
Definition: detect-dns-response.c:40
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:655
PrefilterFreeEnginesList
void PrefilterFreeEnginesList(PrefilterEngineList *list)
Definition: detect-engine-prefilter.c:468
FLOW_PKT_TOSERVER_FIRST
#define FLOW_PKT_TOSERVER_FIRST
Definition: flow.h:234
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:109
SIG_FLAG_PREFILTER
#define SIG_FLAG_PREFILTER
Definition: detect.h:277
PrefilterMpmCtx::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-engine-prefilter.c:1524
DetectRunPrefilterTx
void DetectRunPrefilterTx(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const uint8_t ipproto, const uint8_t flow_flags, const AppProto alproto, void *alstate, DetectTransaction *tx)
run prefilter engines on a transaction
Definition: detect-engine-prefilter.c:95
DetectEngineThreadCtx_::post_rule_work_queue
PostRuleMatchWorkQueue post_rule_work_queue
Definition: detect.h:1397
SIG_FLAG_DSIZE
#define SIG_FLAG_DSIZE
Definition: detect.h:247
StringHashDjb2
uint32_t StringHashDjb2(const uint8_t *data, uint32_t datalen)
Definition: util-hash-string.c:22
SignatureMask
#define SignatureMask
Definition: decode.h:100
Signature_::mask
SignatureMask mask
Definition: detect.h:686
DETECT_EVENT_POST_MATCH_QUEUE_FAILED
@ DETECT_EVENT_POST_MATCH_QUEUE_FAILED
Definition: detect.h:1535
PrefilterRuleStore_::rule_id_array
SigIntId * rule_id_array
Definition: util-prefilter.h:38
PrefilterPktNonPFStatsDump
void PrefilterPktNonPFStatsDump(void)
Definition: detect-engine-prefilter.c:593
TxNonPFData::sigs
struct PrefilterNonPFDataSig * sigs
Definition: detect-engine-prefilter.c:710