suricata
detect-engine-siggroup.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Signature grouping part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "flow-var.h"
30 
31 #include "app-layer-protos.h"
32 
33 #include "detect.h"
34 #include "detect-parse.h"
35 #include "detect-engine.h"
36 #include "detect-engine-build.h"
37 #include "detect-engine-address.h"
38 #include "detect-engine-mpm.h"
39 #include "detect-engine-siggroup.h"
41 
42 #include "detect-content.h"
43 #include "detect-uricontent.h"
44 #include "detect-tcp-flags.h"
45 
46 #include "util-hash.h"
47 #include "util-hashlist.h"
48 
49 #include "util-error.h"
50 #include "util-debug.h"
51 #include "util-validate.h"
52 #include "util-cidr.h"
53 #include "util-unittest.h"
54 #include "util-unittest-helper.h"
55 #include "util-memcmp.h"
56 
57 /* prototypes */
59 
61 {
62  if (sghid->match_array != NULL) {
63  SCFree(sghid->match_array);
64  sghid->match_array = NULL;
65  }
66  if (sghid->sig_array != NULL) {
67  SCFree(sghid->sig_array);
68  sghid->sig_array = NULL;
69  }
70  if (sghid->app_mpms != NULL) {
71  SCFree(sghid->app_mpms);
72  }
73  if (sghid->pkt_mpms != NULL) {
74  SCFree(sghid->pkt_mpms);
75  }
76  if (sghid->frame_mpms != NULL) {
77  SCFree(sghid->frame_mpms);
78  }
79 
84 
85  SCFree(sghid);
86 }
87 
88 static SigGroupHeadInitData *SigGroupHeadInitDataAlloc(uint32_t size)
89 {
91  if (unlikely(sghid == NULL))
92  return NULL;
93 
94  /* initialize the signature bitarray */
95  sghid->sig_size = size;
96  if ((sghid->sig_array = SCCalloc(1, sghid->sig_size)) == NULL)
97  goto error;
98 
99  return sghid;
100 error:
102  return NULL;
103 }
104 
106 {
107  void *ptmp;
108  //printf("de_ctx->sgh_array_cnt %u, de_ctx->sgh_array_size %u, de_ctx->sgh_array %p\n", de_ctx->sgh_array_cnt, de_ctx->sgh_array_size, de_ctx->sgh_array);
111  } else {
112  int increase = 16;
113  ptmp = SCRealloc(de_ctx->sgh_array,
114  sizeof(SigGroupHead *) * (increase + de_ctx->sgh_array_size));
115  if (ptmp == NULL) {
117  de_ctx->sgh_array = NULL;
118  return;
119  }
120  de_ctx->sgh_array = ptmp;
121 
122  de_ctx->sgh_array_size += increase;
124  }
126 }
127 
128 /**
129  * \brief Alloc a SigGroupHead and its signature bit_array.
130  *
131  * \param size Size of the sig_array that has to be created for this
132  * SigGroupHead.
133  *
134  * \retval sgh Pointer to the newly init SigGroupHead on success; or NULL in
135  * case of error.
136  */
137 static SigGroupHead *SigGroupHeadAlloc(const DetectEngineCtx *de_ctx, uint32_t size)
138 {
139  SigGroupHead *sgh = SCCalloc(1, sizeof(SigGroupHead));
140  if (unlikely(sgh == NULL))
141  return NULL;
142 
143  sgh->init = SigGroupHeadInitDataAlloc(size);
144  if (sgh->init == NULL)
145  goto error;
146 
147  return sgh;
148 
149 error:
150  SigGroupHeadFree(de_ctx, sgh);
151  return NULL;
152 }
153 
154 /**
155  * \brief Free a SigGroupHead and its members.
156  *
157  * \param sgh Pointer to the SigGroupHead that has to be freed.
158  */
160 {
161  if (sgh == NULL)
162  return;
163 
164  SCLogDebug("sgh %p", sgh);
165 
166  if (sgh->non_pf_other_store_array != NULL) {
168  sgh->non_pf_other_store_array = NULL;
169  sgh->non_pf_other_store_cnt = 0;
170  }
171 
172  if (sgh->non_pf_syn_store_array != NULL) {
174  sgh->non_pf_syn_store_array = NULL;
175  sgh->non_pf_syn_store_cnt = 0;
176  }
177 
178  if (sgh->init != NULL) {
180  sgh->init = NULL;
181  }
182 
184  SCFree(sgh);
185 
186  return;
187 }
188 
189 /**
190  * \brief The hash function to be the used by the hash table -
191  * DetectEngineCtx->sgh_hash_table.
192  *
193  * \param ht Pointer to the hash table.
194  * \param data Pointer to the SigGroupHead.
195  * \param datalen Not used in our case.
196  *
197  * \retval hash The generated hash value.
198  */
199 static uint32_t SigGroupHeadHashFunc(HashListTable *ht, void *data, uint16_t datalen)
200 {
201  SigGroupHead *sgh = (SigGroupHead *)data;
202  uint32_t hash = 0;
203  uint32_t b = 0;
204 
205  SCLogDebug("hashing sgh %p", sgh);
206 
207  for (b = 0; b < sgh->init->sig_size; b++)
208  hash += sgh->init->sig_array[b];
209 
210  hash %= ht->array_size;
211  SCLogDebug("hash %"PRIu32" (sig_size %"PRIu32")", hash, sgh->init->sig_size);
212  return hash;
213 }
214 
215 /**
216  * \brief The Compare function to be used by the SigGroupHead hash table -
217  * DetectEngineCtx->sgh_hash_table.
218  *
219  * \param data1 Pointer to the first SigGroupHead.
220  * \param len1 Not used.
221  * \param data2 Pointer to the second SigGroupHead.
222  * \param len2 Not used.
223  *
224  * \retval 1 If the 2 SigGroupHeads sent as args match.
225  * \retval 0 If the 2 SigGroupHeads sent as args do not match.
226  */
227 static char SigGroupHeadCompareFunc(void *data1, uint16_t len1, void *data2,
228  uint16_t len2)
229 {
230  SigGroupHead *sgh1 = (SigGroupHead *)data1;
231  SigGroupHead *sgh2 = (SigGroupHead *)data2;
232 
233  if (data1 == NULL || data2 == NULL)
234  return 0;
235 
236  if (sgh1->init->sig_size != sgh2->init->sig_size)
237  return 0;
238 
239  if (SCMemcmp(sgh1->init->sig_array, sgh2->init->sig_array, sgh1->init->sig_size) != 0)
240  return 0;
241 
242  return 1;
243 }
244 
245 /**
246  * \brief Initializes the hash table in the detection engine context to hold the
247  * SigGroupHeads.
248  *
249  * \param de_ctx Pointer to the detection engine context.
250  *
251  * \retval 0 On success.
252  * \retval -1 On failure.
253  */
255 {
256  de_ctx->sgh_hash_table = HashListTableInit(4096, SigGroupHeadHashFunc,
257  SigGroupHeadCompareFunc, NULL);
258  if (de_ctx->sgh_hash_table == NULL)
259  goto error;
260 
261  return 0;
262 
263 error:
264  return -1;
265 }
266 
267 /**
268  * \brief Adds a SigGroupHead to the detection engine context SigGroupHead
269  * hash table.
270  *
271  * \param de_ctx Pointer to the detection engine context.
272  * \param sgh Pointer to the SigGroupHead.
273  *
274  * \retval ret 0 on Successfully adding the SigGroupHead; -1 on failure.
275  */
277 {
278  int ret = HashListTableAdd(de_ctx->sgh_hash_table, (void *)sgh, 0);
279 
280  return ret;
281 }
282 
284 {
285  return HashListTableRemove(de_ctx->sgh_hash_table, (void *)sgh, 0);
286 }
287 
288 /**
289  * \brief Used to lookup a SigGroupHead hash from the detection engine context
290  * SigGroupHead hash table.
291  *
292  * \param de_ctx Pointer to the detection engine context.
293  * \param sgh Pointer to the SigGroupHead.
294  *
295  * \retval rsgh On success a pointer to the SigGroupHead if the SigGroupHead is
296  * found in the hash table; NULL on failure.
297  */
299 {
300  SCEnter();
301 
303  (void *)sgh, 0);
304 
305  SCReturnPtr(rsgh, "SigGroupHead");
306 }
307 
308 /**
309  * \brief Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by
310  * SigGroupHeadHashInit() function.
311  *
312  * \param de_ctx Pointer to the detection engine context.
313  */
315 {
316  if (de_ctx->sgh_hash_table == NULL)
317  return;
318 
320  de_ctx->sgh_hash_table = NULL;
321 
322  return;
323 }
324 
325 /**
326  * \brief Add a Signature to a SigGroupHead.
327  *
328  * \param de_ctx Pointer to the detection engine context.
329  * \param sgh Pointer to a SigGroupHead. Can be NULL also.
330  * \param s Pointer to the Signature that has to be added to the
331  * SigGroupHead.
332  *
333  * \retval 0 On success.
334  * \retval -1 On failure.
335  */
337  const Signature *s)
338 {
339  if (de_ctx == NULL)
340  return 0;
341 
342  /* see if we have a head already */
343  if (*sgh == NULL) {
344  *sgh = SigGroupHeadAlloc(de_ctx, DetectEngineGetMaxSigId(de_ctx) / 8 + 1);
345  if (*sgh == NULL)
346  goto error;
347  }
348 
349  /* enable the sig in the bitarray */
350  (*sgh)->init->sig_array[s->num / 8] |= 1 << (s->num % 8);
351  (*sgh)->init->max_sig_id = MAX(s->num, (*sgh)->init->max_sig_id);
352  return 0;
353 
354 error:
355  return -1;
356 }
357 
358 /**
359  * \brief Clears the bitarray holding the sids for this SigGroupHead.
360  *
361  * \param sgh Pointer to the SigGroupHead.
362  *
363  * \retval 0 Always.
364  */
366 {
367  if (sgh == NULL)
368  return 0;
369 
370  if (sgh->init->sig_array != NULL)
371  memset(sgh->init->sig_array, 0, sgh->init->sig_size);
372 
373  sgh->init->sig_cnt = 0;
374 
375  return 0;
376 }
377 
378 /**
379  * \brief Copies the bitarray holding the sids from the source SigGroupHead to
380  * the destination SigGroupHead.
381  *
382  * \param de_ctx Pointer to the detection engine context.
383  * \param src Pointer to the source SigGroupHead.
384  * \param dst Pointer to the destination SigGroupHead.
385  *
386  * \retval 0 On success.
387  * \retval -1 On failure.
388  */
390 {
391  uint32_t idx = 0;
392 
393  if (src == NULL || de_ctx == NULL)
394  return 0;
395 
396  if (*dst == NULL) {
397  *dst = SigGroupHeadAlloc(de_ctx, DetectEngineGetMaxSigId(de_ctx) / 8 + 1);
398  if (*dst == NULL)
399  goto error;
400  }
401 
402  /* do the copy */
403  for (idx = 0; idx < src->init->sig_size; idx++)
404  (*dst)->init->sig_array[idx] = (*dst)->init->sig_array[idx] | src->init->sig_array[idx];
405 
406  if (src->init->score)
407  (*dst)->init->score = MAX((*dst)->init->score, src->init->score);
408 
409  if (src->init->max_sig_id)
410  (*dst)->init->max_sig_id = MAX((*dst)->init->max_sig_id, src->init->max_sig_id);
411  return 0;
412 
413 error:
414  return -1;
415 }
416 
417 /**
418  * \brief Updates the SigGroupHead->sig_cnt with the total count of all the
419  * Signatures present in this SigGroupHead.
420  *
421  * \param sgh Pointer to the SigGroupHead.
422  * \param max_idx Maximum sid of the all the Signatures present in this
423  * SigGroupHead.
424  */
425 void SigGroupHeadSetSigCnt(SigGroupHead *sgh, uint32_t max_idx)
426 {
427  uint32_t sig;
428  sgh->init->max_sig_id = MAX(max_idx, sgh->init->max_sig_id);
429  sgh->init->sig_cnt = 0;
430  for (sig = 0; sig < sgh->init->max_sig_id + 1; sig++) {
431  if (sgh->init->sig_array[sig / 8] & (1 << (sig % 8)))
432  sgh->init->sig_cnt++;
433  }
434 
435  return;
436 }
437 
439  uint8_t ipproto, int dir)
440 {
441  if (sgh && sgh->init) {
442  SCLogDebug("setting proto %u and dir %d on sgh %p", ipproto, dir, sgh);
443  sgh->init->protos[ipproto] = 1;
444  sgh->init->direction |= dir;
445  }
446 }
447 
448 /**
449  * \brief Helper function used to print the list of sids for the Signatures
450  * present in this SigGroupHead.
451  *
452  * \param de_ctx Pointer to the detection engine context.
453  * \param sgh Pointer to the SigGroupHead.
454  */
456 {
457  SCEnter();
458 
459  if (sgh == NULL) {
460  SCReturn;
461  }
462 
463  uint32_t u;
464 
465  SCLogDebug("The Signatures present in this SigGroupHead are: ");
466  for (u = 0; u < (sgh->init->sig_size * 8); u++) {
467  if (sgh->init->sig_array[u / 8] & (1 << (u % 8))) {
468  SCLogDebug("%" PRIu32, u);
469  printf("s->num %"PRIu32" ", u);
470  }
471  }
472 
473  SCReturn;
474 }
475 
476 /**
477  * \brief Create an array with all the internal ids of the sigs that this
478  * sig group head will check for.
479  *
480  * \param de_ctx Pointer to the detection engine context.
481  * \param sgh Pointer to the SigGroupHead.
482  * \param max_idx The maximum value of the sid in the SigGroupHead arg.
483  *
484  * \retval 0 success
485  * \retval -1 error
486  */
488  uint32_t max_idx)
489 {
490  Signature *s = NULL;
491  uint32_t idx = 0;
492  uint32_t sig = 0;
493 
494  if (sgh == NULL)
495  return 0;
496 
497  BUG_ON(sgh->init->match_array != NULL);
498  sgh->init->max_sig_id = MAX(sgh->init->max_sig_id, max_idx);
499 
500  sgh->init->match_array = SCCalloc(sgh->init->sig_cnt, sizeof(Signature *));
501  if (sgh->init->match_array == NULL)
502  return -1;
503 
504  for (sig = 0; sig < sgh->init->max_sig_id + 1; sig++) {
505  if (!(sgh->init->sig_array[(sig / 8)] & (1 << (sig % 8))) )
506  continue;
507 
508  s = de_ctx->sig_array[sig];
509  if (s == NULL)
510  continue;
511 
512  sgh->init->match_array[idx] = s;
513  idx++;
514  }
515 
516  return 0;
517 }
518 
519 /**
520  * \brief Set the need hash flag in the sgh.
521  *
522  * \param de_ctx detection engine ctx for the signatures
523  * \param sgh sig group head to update
524  */
526 {
527  if (sgh == NULL)
528  return;
529 
530  for (uint32_t sig = 0; sig < sgh->init->sig_cnt; sig++) {
531  const Signature *s = sgh->init->match_array[sig];
532  if (s == NULL)
533  continue;
534 
537  }
540  SCLogDebug("sgh %p has filemd5", sgh);
541  }
544  SCLogDebug("sgh %p has filesha1", sgh);
545  }
548  SCLogDebug("sgh %p has filesha256", sgh);
549  }
550 #ifdef HAVE_MAGIC
552  sgh->flags |= SIG_GROUP_HEAD_HAVEFILEMAGIC;
553  }
554 #endif
555  if (SignatureIsFilestoring(s)) {
556  // should be insured by caller that we do not overflow
557  DEBUG_VALIDATE_BUG_ON(sgh->filestore_cnt == UINT16_MAX);
558  sgh->filestore_cnt++;
559  }
560  }
561 
562  return;
563 }
564 
565 /** \brief build an array of rule id's for sigs with no prefilter
566  * Also updated de_ctx::non_pf_store_cnt_max to track the highest cnt
567  */
569 {
570  Signature *s = NULL;
571  uint32_t sig = 0;
572  uint32_t non_pf = 0;
573  uint32_t non_pf_syn = 0;
574 
575  if (sgh == NULL)
576  return 0;
577 
578  BUG_ON(sgh->non_pf_other_store_array != NULL);
579 
580  for (sig = 0; sig < sgh->init->sig_cnt; sig++) {
581  s = sgh->init->match_array[sig];
582  if (s == NULL)
583  continue;
584 
585  if (!(s->flags & SIG_FLAG_PREFILTER) || (s->flags & SIG_FLAG_MPM_NEG)) {
587  non_pf++;
588  }
589  non_pf_syn++;
590  }
591  }
592 
593  if (non_pf == 0 && non_pf_syn == 0) {
594  sgh->non_pf_other_store_array = NULL;
595  sgh->non_pf_syn_store_array = NULL;
596  return 0;
597  }
598 
599  if (non_pf > 0) {
601  BUG_ON(sgh->non_pf_other_store_array == NULL);
602  }
603 
604  if (non_pf_syn > 0) {
605  sgh->non_pf_syn_store_array = SCCalloc(non_pf_syn, sizeof(SignatureNonPrefilterStore));
606  BUG_ON(sgh->non_pf_syn_store_array == NULL);
607  }
608 
609  for (sig = 0; sig < sgh->init->sig_cnt; sig++) {
610  s = sgh->init->match_array[sig];
611  if (s == NULL)
612  continue;
613 
614  if (!(s->flags & SIG_FLAG_PREFILTER) || (s->flags & SIG_FLAG_MPM_NEG)) {
616  BUG_ON(sgh->non_pf_other_store_cnt >= non_pf);
617  BUG_ON(sgh->non_pf_other_store_array == NULL);
621  sgh->non_pf_other_store_cnt++;
622  }
623 
624  BUG_ON(sgh->non_pf_syn_store_cnt >= non_pf_syn);
625  BUG_ON(sgh->non_pf_syn_store_array == NULL);
629  sgh->non_pf_syn_store_cnt++;
630  }
631  }
632 
633  /* track highest cnt for any sgh in our de_ctx */
634  uint32_t max = MAX(sgh->non_pf_other_store_cnt, sgh->non_pf_syn_store_cnt);
635  if (max > de_ctx->non_pf_store_cnt_max)
637 
638  return 0;
639 }
640 
641 /**
642  * \brief Check if a SigGroupHead contains a Signature, whose sid is sent as an
643  * argument.
644  *
645  * \param de_ctx Pointer to the detection engine context.
646  * \param sgh Pointer to the SigGroupHead that has to be checked for the
647  * presence of a Signature.
648  * \param sid The Signature id(sid) that has to be checked in the SigGroupHead.
649  *
650  * \retval 1 On successfully finding the sid in the SigGroupHead.
651  * \retval 0 If the sid is not found in the SigGroupHead
652  */
654  uint32_t sid)
655 {
656  SCEnter();
657 
658  uint32_t sig = 0;
659  Signature *s = NULL;
660  uint32_t max_sid = DetectEngineGetMaxSigId(de_ctx);
661 
662  if (sgh == NULL) {
663  SCReturnInt(0);
664  }
665 
666  for (sig = 0; sig < max_sid; sig++) {
667  if (sgh->init->sig_array == NULL) {
668  SCReturnInt(0);
669  }
670 
671  /* Check if the SigGroupHead has an entry for the sid */
672  if ( !(sgh->init->sig_array[sig / 8] & (1 << (sig % 8))) )
673  continue;
674 
675  /* If we have reached here, we have an entry for sid in the SigGroupHead.
676  * Retrieve the Signature from the detection engine context */
677  s = de_ctx->sig_array[sig];
678  if (s == NULL)
679  continue;
680 
681  /* If the retrieved Signature matches the sid arg, we have a match */
682  if (s->id == sid) {
683  SCReturnInt(1);
684  }
685  }
686 
687  SCReturnInt(0);
688 }
689 
690 /*----------------------------------Unittests---------------------------------*/
691 
692 #ifdef UNITTESTS
693 
695 
696 /**
697  * \test Check if a SigGroupHead hash table is properly allocated and
698  * deallocated when calling SigGroupHeadHashInit() and
699  * SigGroupHeadHashFree() respectively.
700  */
701 static int SigGroupHeadTest01(void)
702 {
704 
707 
710 
711  PASS;
712 }
713 
714 /**
715  * \test Check if a SigGroupHeadAppendSig() correctly appends a sid to a
716  * SigGroupHead() and SigGroupHeadContainsSigId() correctly indicates
717  * the presence of a sid.
718  */
719 static int SigGroupHeadTest02(void)
720 {
721  SigGroupHead *sh = NULL;
722 
725 
726  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
727  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
728  "content:\"test2\"; content:\"test3\"; sid:1;)");
729  FAIL_IF_NULL(s);
730 
731  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
732  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
733  "content:\"test2\"; content:\"test3\"; sid:2;)");
734  FAIL_IF_NULL(s);
735 
736  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
737  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
738  "content:\"test2\"; content:\"test3\"; sid:3;)");
739  FAIL_IF_NULL(s);
740 
741  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
742  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
743  "content:\"test2\"; content:\"test3\"; sid:4;)");
744  FAIL_IF_NULL(s);
745 
746  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
747  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
748  "content:\"test2\"; content:\"test3\"; sid:5;)");
749  FAIL_IF_NULL(s);
750 
752 
756 
757  SigGroupHeadSetSigCnt(sh, 4);
758 
759  FAIL_IF_NOT(sh->init->sig_cnt == 3);
765 
767 
769 
770  PASS;
771 }
772 
773 /**
774  * \test Check if a SigGroupHeadAppendSig(), correctly appends a sid to a
775  * SigGroupHead() and SigGroupHeadContainsSigId(), correctly indicates
776  * the presence of a sid and SigGroupHeadClearSigs(), correctly clears
777  * the SigGroupHead->sig_array and SigGroupHead->sig_cnt.
778  */
779 static int SigGroupHeadTest03(void)
780 {
781  SigGroupHead *sh = NULL;
782 
785 
786  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
787  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
788  "content:\"test2\"; content:\"test3\"; sid:1;)");
789  FAIL_IF_NULL(s);
790 
791  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
792  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
793  "content:\"test2\"; content:\"test3\"; sid:2;)");
794  FAIL_IF_NULL(s);
795 
796  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
797  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
798  "content:\"test2\"; content:\"test3\"; sid:3;)");
799  FAIL_IF_NULL(s);
800 
801  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
802  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
803  "content:\"test2\"; content:\"test3\"; sid:4;)");
804  FAIL_IF_NULL(s);
805 
806  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
807  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
808  "content:\"test2\"; content:\"test3\"; sid:5;)");
809  FAIL_IF_NULL(s);
810 
812 
816 
817  SigGroupHeadSetSigCnt(sh, 4);
818 
819  FAIL_IF_NOT(sh->init->sig_cnt == 3);
825 
827 
828  FAIL_IF_NOT(sh->init->sig_cnt == 0);
834 
836 
838 
839  PASS;
840 }
841 
842 /**
843  * \test Check if SigGroupHeadCopySigs(), correctly copies the sig_array from
844  * the source to the destination SigGroupHead.
845  */
846 static int SigGroupHeadTest04(void)
847 {
848  SigGroupHead *src_sh = NULL;
849  SigGroupHead *dst_sh = NULL;
851 
853 
854  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
855  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
856  "content:\"test2\"; content:\"test3\"; sid:1;)");
857  FAIL_IF_NULL(s);
858 
859  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
860  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
861  "content:\"test2\"; content:\"test3\"; sid:2;)");
862  FAIL_IF_NULL(s);
863 
864  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
865  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
866  "content:\"test2\"; content:\"test3\"; sid:3;)");
867  FAIL_IF_NULL(s);
868 
869  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
870  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
871  "content:\"test2\"; content:\"test3\"; sid:4;)");
872  FAIL_IF_NULL(s);
873 
874  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
875  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
876  "content:\"test2\"; content:\"test3\"; sid:5;)");
877  FAIL_IF_NULL(s);
878 
880 
884 
885  SigGroupHeadSetSigCnt(src_sh, 4);
886 
887  FAIL_IF_NOT(src_sh->init->sig_cnt == 3);
888  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, src_sh, 1) == 1);
889  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, src_sh, 2) == 0);
890  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, src_sh, 3) == 1);
891  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, src_sh, 4) == 0);
892  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, src_sh, 5) == 1);
893 
894  SigGroupHeadCopySigs(de_ctx, src_sh, &dst_sh);
895 
896  SigGroupHeadSetSigCnt(dst_sh, 4);
897 
898  FAIL_IF_NOT(dst_sh->init->sig_cnt == 3);
899  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, dst_sh, 1) == 1);
900  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, dst_sh, 2) == 0);
901  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, dst_sh, 3) == 1);
902  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, dst_sh, 4) == 0);
903  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, dst_sh, 5) == 1);
904 
905  SigGroupHeadFree(de_ctx, src_sh);
906  SigGroupHeadFree(de_ctx, dst_sh);
907 
909 
910  PASS;
911 }
912 
913 /**
914  * \test Check if SigGroupHeadBuildMatchArray(), correctly updates the
915  * match array with the sids.
916  */
917 static int SigGroupHeadTest05(void)
918 {
919  SigGroupHead *sh = NULL;
921 
923 
924  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
925  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
926  "content:\"test2\"; content:\"test3\"; sid:1;)");
927  FAIL_IF_NULL(s);
928 
929  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
930  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
931  "content:\"test2\"; content:\"test3\"; sid:2;)");
932  FAIL_IF_NULL(s);
933 
934  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
935  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
936  "content:\"test2\"; content:\"test3\"; sid:3;)");
937  FAIL_IF_NULL(s);
938 
939  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
940  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
941  "content:\"test2\"; content:\"test3\"; sid:4;)");
942  FAIL_IF_NULL(s);
943 
944  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
945  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
946  "content:\"test2\"; content:\"test3\"; sid:5;)");
947  FAIL_IF_NULL(s);
948 
950 
954 
955  SigGroupHeadSetSigCnt(sh, 4);
957 
958  /* matching an array to a queue structure (sig_list) constructed by SigInit()
959 
960  FAIL_IF_NOT(sh->init->match_array[0] == de_ctx->sig_list);
961  FAIL_IF_NOT(sh->init->match_array[1] == de_ctx->sig_list->next->next);
962  FAIL_IF_NOT(sh->init->match_array[2] == de_ctx->sig_list->next->next->next->next);
963  */
964 
965  // matching an array to a stack structure (sig_list) constructed by DetectEngineAppendSig()
969 
971 
973 
974  PASS;
975 }
976 
977 /**
978  * \test ICMP(?) sig grouping bug.
979  */
980 static int SigGroupHeadTest06(void)
981 {
983  DetectEngineThreadCtx *det_ctx = NULL;
984  ThreadVars th_v;
985 
986  memset(&th_v, 0, sizeof(ThreadVars));
987 
988  Packet *p = UTHBuildPacketSrcDst(NULL, 0, IPPROTO_ICMP, "192.168.1.1", "1.2.3.4");
989  FAIL_IF_NULL(p);
990 
991  p->icmpv4h->type = 5;
992  p->icmpv4h->code = 1;
993 
994  /* originally ip's were
995  p.src.addr_data32[0] = 0xe08102d3;
996  p.dst.addr_data32[0] = 0x3001a8c0;
997  */
998 
1000 
1001  Signature *s = DetectEngineAppendSig(de_ctx, "alert icmp 192.168.0.0/16 any -> any any "
1002  "(icode:>1; itype:11; sid:1; rev:1;)");
1003  FAIL_IF_NULL(s);
1004 
1005  s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> 192.168.0.0/16 any "
1006  "(icode:1; itype:5; sid:2; rev:1;)");
1007  FAIL_IF_NULL(s);
1008 
1010  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1011 
1012  AddressDebugPrint(&p->dst);
1013 
1014  const SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, p);
1015  FAIL_IF_NULL(sgh);
1016 
1018  UTHFreePackets(&p, 1);
1019 
1020  PASS;
1021 }
1022 #endif
1023 
1025 {
1026 #ifdef UNITTESTS
1027  UtRegisterTest("SigGroupHeadTest01", SigGroupHeadTest01);
1028  UtRegisterTest("SigGroupHeadTest02", SigGroupHeadTest02);
1029  UtRegisterTest("SigGroupHeadTest03", SigGroupHeadTest03);
1030  UtRegisterTest("SigGroupHeadTest04", SigGroupHeadTest04);
1031  UtRegisterTest("SigGroupHeadTest05", SigGroupHeadTest05);
1032  UtRegisterTest("SigGroupHeadTest06", SigGroupHeadTest06);
1033 #endif
1034 }
detect-tcp-flags.h
DetectEngineCtx_::sgh_hash_table
HashListTable * sgh_hash_table
Definition: detect.h:868
SigGroupHead_::non_pf_syn_store_cnt
uint32_t non_pf_syn_store_cnt
Definition: detect.h:1456
SIG_GROUP_HEAD_HAVEFILEMD5
#define SIG_GROUP_HEAD_HAVEFILEMD5
Definition: detect.h:1322
detect-content.h
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
util-hashlist.h
detect-engine-siggroup.h
SigGroupHead_::flags
uint16_t flags
Definition: detect.h:1445
Signature_::num
SigIntId num
Definition: detect.h:604
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1444
SIG_GROUP_HEAD_HAVEFILESIZE
#define SIG_GROUP_HEAD_HAVEFILESIZE
Definition: detect.h:1323
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SigGroupHeadBuildNonPrefilterArray
int SigGroupHeadBuildNonPrefilterArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
build an array of rule id's for sigs with no prefilter Also updated de_ctx::non_pf_store_cnt_max to t...
Definition: detect-engine-siggroup.c:568
SigGroupHeadInitData_::sig_array
uint8_t * sig_array
Definition: detect.h:1419
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Signature_::alproto
AppProto alproto
Definition: detect.h:597
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
SignatureNonPrefilterStore_::id
SigIntId id
Definition: detect.h:1068
DetectEngineCtx_::non_pf_store_cnt_max
uint32_t non_pf_store_cnt_max
Definition: detect.h:859
AddressDebugPrint
void AddressDebugPrint(Address *a)
Debug print function for printing addresses.
Definition: decode.c:671
UTHBuildPacketSrcDst
Packet * UTHBuildPacketSrcDst(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst)
UTHBuildPacketSrcDst is a wrapper that build packets specifying IPs and defaulting ports.
Definition: util-unittest-helper.c:419
util-hash.h
SIG_GROUP_HEAD_HAVEFILESHA1
#define SIG_GROUP_HEAD_HAVEFILESHA1
Definition: detect.h:1324
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:835
DetectFlagsSignatureNeedsSynPackets
int DetectFlagsSignatureNeedsSynPackets(const Signature *s)
Definition: detect-tcp-flags.c:513
SigGroupHeadSetProtoAndDirection
void SigGroupHeadSetProtoAndDirection(SigGroupHead *sgh, uint8_t ipproto, int dir)
Definition: detect-engine-siggroup.c:438
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2580
SigPrepareStage1
int SigPrepareStage1(DetectEngineCtx *)
Preprocess signature, classify ip-only, etc, build sig array.
Definition: detect-engine-build.c:1346
SigGroupHeadPrintSigs
void SigGroupHeadPrintSigs(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Helper function used to print the list of sids for the Signatures present in this SigGroupHead.
Definition: detect-engine-siggroup.c:455
HashListTableLookup
void * HashListTableLookup(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:253
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2620
MAX
#define MAX(x, y)
Definition: suricata-common.h:395
SigGroupHeadSetupFiles
void SigGroupHeadSetupFiles(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Set the need hash flag in the sgh.
Definition: detect-engine-siggroup.c:525
SignatureIsFilesizeInspecting
int SignatureIsFilesizeInspecting(const Signature *s)
Check if a signature contains the filesize keyword.
Definition: detect-engine-build.c:184
SignatureNonPrefilterStore_
Definition: detect.h:1067
detect-engine-prefilter.h
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
SigGroupHeadRegisterTests
void SigGroupHeadRegisterTests(void)
Definition: detect-engine-siggroup.c:1024
HashListTableAdd
int HashListTableAdd(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:122
SigGroupHeadHashInit
int SigGroupHeadHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table in the detection engine context to hold the SigGroupHeads.
Definition: detect-engine-siggroup.c:254
HashListTable_::array_size
uint32_t array_size
Definition: util-hashlist.h:41
util-memcmp.h
DetectEngineCtx_::sgh_array_size
uint32_t sgh_array_size
Definition: detect.h:903
SigGroupHeadInitData_::pkt_mpms
MpmCtx ** pkt_mpms
Definition: detect.h:1428
SignatureIsFileSha256Inspecting
int SignatureIsFileSha256Inspecting(const Signature *s)
Check if a signature contains the filesha256 keyword.
Definition: detect-engine-build.c:168
Signature_::next
struct Signature_ * next
Definition: detect.h:664
util-cidr.h
HashListTableInit
HashListTable * HashListTableInit(uint32_t size, uint32_t(*Hash)(struct HashListTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
Definition: util-hashlist.c:35
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
SigGroupHeadBuildMatchArray
int SigGroupHeadBuildMatchArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t max_idx)
Create an array with all the internal ids of the sigs that this sig group head will check for.
Definition: detect-engine-siggroup.c:487
SigGroupHeadInitData_::sig_cnt
SigIntId sig_cnt
Definition: detect.h:1437
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
util-error.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1091
SigGroupHeadInitData_::tx_engines
PrefilterEngineList * tx_engines
Definition: detect.h:1433
DetectEngineGetMaxSigId
#define DetectEngineGetMaxSigId(de_ctx)
Definition: detect-engine.h:105
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SignatureNonPrefilterStore_::alproto
AppProto alproto
Definition: detect.h:1070
SigGroupHead_::init
SigGroupHeadInitData * init
Definition: detect.h:1467
SigGroupHeadInitData_::direction
uint32_t direction
Definition: detect.h:1423
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
SCReturn
#define SCReturn
Definition: util-debug.h:273
Signature_::flags
uint32_t flags
Definition: detect.h:593
Packet_
Definition: decode.h:430
detect-engine-build.h
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
SigGroupHeadInitData_::max_sig_id
uint32_t max_sig_id
Definition: detect.h:1425
DetectEngineCtx_::sgh_array_cnt
uint32_t sgh_array_cnt
Definition: detect.h:902
SigGroupHeadAppendSig
int SigGroupHeadAppendSig(const DetectEngineCtx *de_ctx, SigGroupHead **sgh, const Signature *s)
Add a Signature to a SigGroupHead.
Definition: detect-engine-siggroup.c:336
DetectEngineCtx_::sgh_array
struct SigGroupHead_ ** sgh_array
Definition: detect.h:901
HashListTable_
Definition: util-hashlist.h:37
SigGroupHeadFree
void SigGroupHeadFree(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Free a SigGroupHead and its members.
Definition: detect-engine-siggroup.c:159
SigGroupHeadHashRemove
int SigGroupHeadHashRemove(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Definition: detect-engine-siggroup.c:283
SigGroupHeadInitData_::app_mpms
MpmCtx ** app_mpms
Definition: detect.h:1427
SignatureIsFileSha1Inspecting
int SignatureIsFileSha1Inspecting(const Signature *s)
Check if a signature contains the filesha1 keyword.
Definition: detect-engine-build.c:152
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1948
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
SIG_FLAG_MPM_NEG
#define SIG_FLAG_MPM_NEG
Definition: detect.h:248
SigGroupHeadInitData_::pkt_engines
PrefilterEngineList * pkt_engines
Definition: detect.h:1431
SigGroupHeadSetSigCnt
void SigGroupHeadSetSigCnt(SigGroupHead *sgh, uint32_t max_idx)
Updates the SigGroupHead->sig_cnt with the total count of all the Signatures present in this SigGroup...
Definition: detect-engine-siggroup.c:425
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3291
SigGroupHead_::non_pf_other_store_array
SignatureNonPrefilterStore * non_pf_other_store_array
Definition: detect.h:1457
suricata-common.h
SigGroupHeadStore
void SigGroupHeadStore(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Definition: detect-engine-siggroup.c:105
SigGroupHeadInitData_::frame_engines
PrefilterEngineList * frame_engines
Definition: detect.h:1434
SigGroupHeadInitData_::payload_engines
PrefilterEngineList * payload_engines
Definition: detect.h:1432
HashListTableFree
void HashListTableFree(HashListTable *ht)
Definition: util-hashlist.c:88
SigGroupHeadInitData_::match_array
Signature ** match_array
Definition: detect.h:1440
SigGroupHead_::non_pf_other_store_cnt
uint32_t non_pf_other_store_cnt
Definition: detect.h:1455
SigGroupHeadInitData_::sig_size
uint32_t sig_size
Definition: detect.h:1420
PrefilterCleanupRuleGroup
void PrefilterCleanupRuleGroup(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Definition: detect-engine-prefilter.c:378
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:843
SigGroupHeadHashFree
void SigGroupHeadHashFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function.
Definition: detect-engine-siggroup.c:314
Packet_::icmpv4h
ICMPV4Hdr * icmpv4h
Definition: decode.h:565
SigGroupHeadHashAdd
int SigGroupHeadHashAdd(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Adds a SigGroupHead to the detection engine context SigGroupHead hash table.
Definition: detect-engine-siggroup.c:276
util-validate.h
SigGroupHeadInitData_
Definition: detect.h:1416
SigGroupHeadHashLookup
SigGroupHead * SigGroupHeadHashLookup(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Used to lookup a SigGroupHead hash from the detection engine context SigGroupHead hash table.
Definition: detect-engine-siggroup.c:298
SignatureIsFilestoring
int SignatureIsFilestoring(const Signature *s)
Check if a signature contains the filestore keyword.
Definition: detect-engine-build.c:98
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Signature_::id
uint32_t id
Definition: detect.h:627
HashListTableRemove
int HashListTableRemove(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:162
detect-parse.h
src
uint16_t src
Definition: app-layer-dnp3.h:5
Signature_
Signature container.
Definition: detect.h:592
SigGroupHeadInitDataFree
void SigGroupHeadInitDataFree(SigGroupHeadInitData *sghid)
Definition: detect-engine-siggroup.c:60
SigGroupHeadContainsSigId
int SigGroupHeadContainsSigId(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t sid)
Check if a SigGroupHead contains a Signature, whose sid is sent as an argument.
Definition: detect-engine-siggroup.c:653
SignatureIsFileMd5Inspecting
int SignatureIsFileMd5Inspecting(const Signature *s)
Check if a signature contains the filemd5 keyword.
Definition: detect-engine-build.c:136
SigGroupHeadInitData_::protos
uint8_t protos[256]
Definition: detect.h:1422
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2541
app-layer-protos.h
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:852
Packet_::dst
Address dst
Definition: decode.h:435
SigGroupHead_::non_pf_syn_store_array
SignatureNonPrefilterStore * non_pf_syn_store_array
Definition: detect.h:1459
SignatureNonPrefilterStore_::mask
SignatureMask mask
Definition: detect.h:1069
detect-uricontent.h
dst
uint16_t dst
Definition: app-layer-dnp3.h:4
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SIG_GROUP_HEAD_HAVEFILESHA256
#define SIG_GROUP_HEAD_HAVEFILESHA256
Definition: detect.h:1325
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
SignatureIsFilemagicInspecting
int SignatureIsFilemagicInspecting(const Signature *s)
Check if a signature contains the filemagic keyword.
Definition: detect-engine-build.c:117
SigGroupHead_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1450
flow-var.h
PrefilterFreeEnginesList
void PrefilterFreeEnginesList(PrefilterEngineList *list)
Definition: detect-engine-prefilter.c:350
SCMemcmp
#define SCMemcmp(a, b, c)
Definition: util-memcmp.h:290
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:104
SIG_FLAG_PREFILTER
#define SIG_FLAG_PREFILTER
Definition: detect.h:269
detect-engine-address.h
SigMatchSignaturesGetSgh
const SigGroupHead * SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx, const Packet *p)
Get the SigGroupHead for a packet.
Definition: detect.c:215
SigGroupHeadCopySigs
int SigGroupHeadCopySigs(DetectEngineCtx *de_ctx, SigGroupHead *src, SigGroupHead **dst)
Copies the bitarray holding the sids from the source SigGroupHead to the destination SigGroupHead.
Definition: detect-engine-siggroup.c:389
Signature_::mask
SignatureMask mask
Definition: detect.h:603
SigGroupHeadClearSigs
int SigGroupHeadClearSigs(SigGroupHead *)
Clears the bitarray holding the sids for this SigGroupHead.
Definition: detect-engine-siggroup.c:365
SigGroupHeadInitData_::frame_mpms
MpmCtx ** frame_mpms
Definition: detect.h:1429
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:469