suricata
detect-engine-siggroup.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Signature grouping part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "flow-var.h"
30 
31 #include "app-layer-protos.h"
32 
33 #include "detect.h"
34 #include "detect-parse.h"
35 #include "detect-engine.h"
36 #include "detect-engine-build.h"
37 #include "detect-engine-address.h"
38 #include "detect-engine-mpm.h"
39 #include "detect-engine-siggroup.h"
41 
42 #include "detect-content.h"
43 #include "detect-uricontent.h"
44 #include "detect-tcp-flags.h"
45 
46 #include "util-hash.h"
47 #include "util-hashlist.h"
48 
49 #include "util-error.h"
50 #include "util-debug.h"
51 #include "util-validate.h"
52 #include "util-cidr.h"
53 #include "util-unittest.h"
54 #include "util-unittest-helper.h"
55 #include "util-memcmp.h"
56 
57 /* prototypes */
59 
61 {
62  if (sghid->match_array != NULL) {
63  SCFree(sghid->match_array);
64  sghid->match_array = NULL;
65  }
66  if (sghid->sig_array != NULL) {
67  SCFreeAligned(sghid->sig_array);
68  sghid->sig_array = NULL;
69  }
70  if (sghid->app_mpms != NULL) {
71  SCFree(sghid->app_mpms);
72  }
73  if (sghid->pkt_mpms != NULL) {
74  SCFree(sghid->pkt_mpms);
75  }
76  if (sghid->frame_mpms != NULL) {
77  SCFree(sghid->frame_mpms);
78  }
79 
84 
85  SCFree(sghid);
86 }
87 
88 static SigGroupHeadInitData *SigGroupHeadInitDataAlloc(uint32_t size)
89 {
91  if (unlikely(sghid == NULL))
92  return NULL;
93 
94  /* initialize the signature bitarray */
95  size = sghid->sig_size = size + 16 - (size % 16);
96  void *ptr = SCMallocAligned(sghid->sig_size, 16);
97  if (ptr == NULL)
98  goto error;
99  memset(ptr, 0, size);
100  sghid->sig_array = ptr;
101 
102  return sghid;
103 error:
105  return NULL;
106 }
107 
109 {
110  void *ptmp;
111  //printf("de_ctx->sgh_array_cnt %u, de_ctx->sgh_array_size %u, de_ctx->sgh_array %p\n", de_ctx->sgh_array_cnt, de_ctx->sgh_array_size, de_ctx->sgh_array);
114  } else {
115  int increase = 16;
116  ptmp = SCRealloc(de_ctx->sgh_array,
117  sizeof(SigGroupHead *) * (increase + de_ctx->sgh_array_size));
118  if (ptmp == NULL) {
120  de_ctx->sgh_array = NULL;
121  return;
122  }
123  de_ctx->sgh_array = ptmp;
124 
125  de_ctx->sgh_array_size += increase;
127  }
129 }
130 
131 /**
132  * \brief Alloc a SigGroupHead and its signature bit_array.
133  *
134  * \param size Size of the sig_array that has to be created for this
135  * SigGroupHead.
136  *
137  * \retval sgh Pointer to the newly init SigGroupHead on success; or NULL in
138  * case of error.
139  */
140 static SigGroupHead *SigGroupHeadAlloc(const DetectEngineCtx *de_ctx, uint32_t size)
141 {
142  SigGroupHead *sgh = SCCalloc(1, sizeof(SigGroupHead));
143  if (unlikely(sgh == NULL))
144  return NULL;
145 
146  sgh->init = SigGroupHeadInitDataAlloc(size);
147  if (sgh->init == NULL)
148  goto error;
149 
150  return sgh;
151 
152 error:
153  SigGroupHeadFree(de_ctx, sgh);
154  return NULL;
155 }
156 
157 /**
158  * \brief Free a SigGroupHead and its members.
159  *
160  * \param sgh Pointer to the SigGroupHead that has to be freed.
161  */
163 {
164  if (sgh == NULL)
165  return;
166 
167  SCLogDebug("sgh %p", sgh);
168 
169  if (sgh->non_pf_other_store_array != NULL) {
171  sgh->non_pf_other_store_array = NULL;
172  sgh->non_pf_other_store_cnt = 0;
173  }
174 
175  if (sgh->non_pf_syn_store_array != NULL) {
177  sgh->non_pf_syn_store_array = NULL;
178  sgh->non_pf_syn_store_cnt = 0;
179  }
180 
181  if (sgh->init != NULL) {
183  sgh->init = NULL;
184  }
185 
187  SCFree(sgh);
188 }
189 
190 /**
191  * \brief The hash function to be the used by the hash table -
192  * DetectEngineCtx->sgh_hash_table.
193  *
194  * \param ht Pointer to the hash table.
195  * \param data Pointer to the SigGroupHead.
196  * \param datalen Not used in our case.
197  *
198  * \retval hash The generated hash value.
199  */
200 static uint32_t SigGroupHeadHashFunc(HashListTable *ht, void *data, uint16_t datalen)
201 {
202  SigGroupHead *sgh = (SigGroupHead *)data;
203  uint32_t hash = 0;
204  uint32_t b = 0;
205 
206  SCLogDebug("hashing sgh %p", sgh);
207 
208  for (b = 0; b < sgh->init->sig_size; b++)
209  hash += sgh->init->sig_array[b];
210 
211  hash %= ht->array_size;
212  SCLogDebug("hash %"PRIu32" (sig_size %"PRIu32")", hash, sgh->init->sig_size);
213  return hash;
214 }
215 
216 /**
217  * \brief The Compare function to be used by the SigGroupHead hash table -
218  * DetectEngineCtx->sgh_hash_table.
219  *
220  * \param data1 Pointer to the first SigGroupHead.
221  * \param len1 Not used.
222  * \param data2 Pointer to the second SigGroupHead.
223  * \param len2 Not used.
224  *
225  * \retval 1 If the 2 SigGroupHeads sent as args match.
226  * \retval 0 If the 2 SigGroupHeads sent as args do not match.
227  */
228 static char SigGroupHeadCompareFunc(void *data1, uint16_t len1, void *data2,
229  uint16_t len2)
230 {
231  SigGroupHead *sgh1 = (SigGroupHead *)data1;
232  SigGroupHead *sgh2 = (SigGroupHead *)data2;
233 
234  if (data1 == NULL || data2 == NULL)
235  return 0;
236 
237  if (sgh1->init->sig_size != sgh2->init->sig_size)
238  return 0;
239 
240  if (SCMemcmp(sgh1->init->sig_array, sgh2->init->sig_array, sgh1->init->sig_size) != 0)
241  return 0;
242 
243  return 1;
244 }
245 
246 /**
247  * \brief Initializes the hash table in the detection engine context to hold the
248  * SigGroupHeads.
249  *
250  * \param de_ctx Pointer to the detection engine context.
251  *
252  * \retval 0 On success.
253  * \retval -1 On failure.
254  */
256 {
257  de_ctx->sgh_hash_table = HashListTableInit(4096, SigGroupHeadHashFunc,
258  SigGroupHeadCompareFunc, NULL);
259  if (de_ctx->sgh_hash_table == NULL)
260  goto error;
261 
262  return 0;
263 
264 error:
265  return -1;
266 }
267 
268 /**
269  * \brief Adds a SigGroupHead to the detection engine context SigGroupHead
270  * hash table.
271  *
272  * \param de_ctx Pointer to the detection engine context.
273  * \param sgh Pointer to the SigGroupHead.
274  *
275  * \retval ret 0 on Successfully adding the SigGroupHead; -1 on failure.
276  */
278 {
279  int ret = HashListTableAdd(de_ctx->sgh_hash_table, (void *)sgh, 0);
280 
281  return ret;
282 }
283 
284 /**
285  * \brief Used to lookup a SigGroupHead hash from the detection engine context
286  * SigGroupHead hash table.
287  *
288  * \param de_ctx Pointer to the detection engine context.
289  * \param sgh Pointer to the SigGroupHead.
290  *
291  * \retval rsgh On success a pointer to the SigGroupHead if the SigGroupHead is
292  * found in the hash table; NULL on failure.
293  */
295 {
296  SCEnter();
297 
299  (void *)sgh, 0);
300 
301  SCReturnPtr(rsgh, "SigGroupHead");
302 }
303 
304 /**
305  * \brief Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by
306  * SigGroupHeadHashInit() function.
307  *
308  * \param de_ctx Pointer to the detection engine context.
309  */
311 {
312  if (de_ctx->sgh_hash_table == NULL)
313  return;
314 
316  de_ctx->sgh_hash_table = NULL;
317 }
318 
319 /**
320  * \brief Add a Signature to a SigGroupHead.
321  *
322  * \param de_ctx Pointer to the detection engine context.
323  * \param sgh Pointer to a SigGroupHead. Can be NULL also.
324  * \param s Pointer to the Signature that has to be added to the
325  * SigGroupHead.
326  *
327  * \retval 0 On success.
328  * \retval -1 On failure.
329  */
331  const Signature *s)
332 {
333  if (de_ctx == NULL)
334  return 0;
335 
336  /* see if we have a head already */
337  if (*sgh == NULL) {
338  *sgh = SigGroupHeadAlloc(de_ctx, DetectEngineGetMaxSigId(de_ctx) / 8 + 1);
339  if (*sgh == NULL)
340  goto error;
341  }
342 
343  /* enable the sig in the bitarray */
344  (*sgh)->init->sig_array[s->num / 8] |= 1 << (s->num % 8);
345  (*sgh)->init->max_sig_id = MAX(s->num, (*sgh)->init->max_sig_id);
346  return 0;
347 
348 error:
349  return -1;
350 }
351 
352 /**
353  * \brief Clears the bitarray holding the sids for this SigGroupHead.
354  *
355  * \param sgh Pointer to the SigGroupHead.
356  *
357  * \retval 0 Always.
358  */
360 {
361  if (sgh == NULL)
362  return 0;
363 
364  if (sgh->init->sig_array != NULL)
365  memset(sgh->init->sig_array, 0, sgh->init->sig_size);
366 
367  sgh->init->sig_cnt = 0;
368 
369  return 0;
370 }
371 
372 #ifdef __SSE2__
373 #include <emmintrin.h>
374 static void MergeBitarrays(const uint8_t *src, uint8_t *dst, const uint32_t size)
375 {
376 #define BYTES 16
377  const uint8_t *srcptr = src;
378  uint8_t *dstptr = dst;
379  for (uint32_t i = 0; i < size; i += 16) {
380  __m128i s = _mm_load_si128((const __m128i *)srcptr);
381  __m128i d = _mm_load_si128((const __m128i *)dstptr);
382  d = _mm_or_si128(s, d);
383  _mm_store_si128((__m128i *)dstptr, d);
384  srcptr += BYTES;
385  dstptr += BYTES;
386  }
387 }
388 #endif
389 
390 /**
391  * \brief Copies the bitarray holding the sids from the source SigGroupHead to
392  * the destination SigGroupHead.
393  *
394  * \param de_ctx Pointer to the detection engine context.
395  * \param src Pointer to the source SigGroupHead.
396  * \param dst Pointer to the destination SigGroupHead.
397  *
398  * \retval 0 On success.
399  * \retval -1 On failure.
400  */
402 {
403  if (src == NULL || de_ctx == NULL)
404  return 0;
405 
406  if (*dst == NULL) {
407  *dst = SigGroupHeadAlloc(de_ctx, DetectEngineGetMaxSigId(de_ctx) / 8 + 1);
408  if (*dst == NULL)
409  goto error;
410  }
411  DEBUG_VALIDATE_BUG_ON(src->init->sig_size != (*dst)->init->sig_size);
412 
413 #ifdef __SSE2__
414  MergeBitarrays(src->init->sig_array, (*dst)->init->sig_array, src->init->sig_size);
415 #else
416  /* do the copy */
417  for (uint32_t idx = 0; idx < src->init->sig_size; idx++)
418  (*dst)->init->sig_array[idx] = (*dst)->init->sig_array[idx] | src->init->sig_array[idx];
419 #endif
420  if (src->init->score)
421  (*dst)->init->score = MAX((*dst)->init->score, src->init->score);
422 
423  if (src->init->max_sig_id)
424  (*dst)->init->max_sig_id = MAX((*dst)->init->max_sig_id, src->init->max_sig_id);
425  return 0;
426 
427 error:
428  return -1;
429 }
430 
431 #ifdef HAVE_POPCNT64
432 #include <x86intrin.h>
433 static uint32_t Popcnt(const uint8_t *array, const uint32_t size)
434 {
435  /* input needs to be a multiple of 8 for u64 casts to work */
436  DEBUG_VALIDATE_BUG_ON(size < 8);
437  DEBUG_VALIDATE_BUG_ON(size % 8);
438 
439  uint32_t cnt = 0;
440  uint64_t *ptr = (uint64_t *)array;
441  for (uint64_t idx = 0; idx < size; idx += 8) {
442  cnt += _popcnt64(*ptr);
443  ptr++;
444  }
445  return cnt;
446 }
447 #endif
448 
449 /**
450  * \brief Updates the SigGroupHead->sig_cnt with the total count of all the
451  * Signatures present in this SigGroupHead.
452  *
453  * \param sgh Pointer to the SigGroupHead.
454  * \param max_idx Maximum sid of the all the Signatures present in this
455  * SigGroupHead.
456  */
457 void SigGroupHeadSetSigCnt(SigGroupHead *sgh, uint32_t max_idx)
458 {
459  sgh->init->max_sig_id = MAX(max_idx, sgh->init->max_sig_id);
460 #ifdef HAVE_POPCNT64
461  sgh->init->sig_cnt = Popcnt(sgh->init->sig_array, sgh->init->sig_size);
462 #else
463  uint32_t cnt = 0;
464  for (uint32_t sig = 0; sig < sgh->init->max_sig_id + 1; sig++) {
465  if (sgh->init->sig_array[sig / 8] & (1 << (sig % 8)))
466  cnt++;
467  }
468  sgh->init->sig_cnt = cnt;
469 #endif
470 }
471 
472 /**
473  * \brief Finds if two Signature Group Heads are the same.
474  *
475  * \param sgha First SGH to be compared
476  * \param sghb Secornd SGH to be compared
477  *
478  * \return true if they're a match, false otherwise
479  */
480 bool SigGroupHeadEqual(const SigGroupHead *sgha, const SigGroupHead *sghb)
481 {
482  if (sgha == NULL || sghb == NULL)
483  return false;
484 
485  if (sgha->init->sig_size != sghb->init->sig_size)
486  return false;
487 
488  if (sgha->init->max_sig_id != sghb->init->max_sig_id)
489  return false;
490 
491  if (SCMemcmp(sgha->init->sig_array, sghb->init->sig_array, sgha->init->sig_size) != 0)
492  return false;
493 
494  return true;
495 }
496 
498  uint8_t ipproto, int dir)
499 {
500  if (sgh && sgh->init) {
501  SCLogDebug("setting proto %u and dir %d on sgh %p", ipproto, dir, sgh);
502  sgh->init->protos[ipproto] = 1;
503  sgh->init->direction |= dir;
504  }
505 }
506 
507 /**
508  * \brief Helper function used to print the list of sids for the Signatures
509  * present in this SigGroupHead.
510  *
511  * \param de_ctx Pointer to the detection engine context.
512  * \param sgh Pointer to the SigGroupHead.
513  */
515 {
516  SCEnter();
517 
518  if (sgh == NULL) {
519  SCReturn;
520  }
521 
522  uint32_t u;
523 
524  SCLogDebug("The Signatures present in this SigGroupHead are: ");
525  for (u = 0; u < (sgh->init->sig_size * 8); u++) {
526  if (sgh->init->sig_array[u / 8] & (1 << (u % 8))) {
527  SCLogDebug("%" PRIu32, u);
528  printf("s->num %"PRIu32" ", u);
529  }
530  }
531 
532  SCReturn;
533 }
534 
535 /**
536  * \brief Create an array with all the internal ids of the sigs that this
537  * sig group head will check for.
538  *
539  * \param de_ctx Pointer to the detection engine context.
540  * \param sgh Pointer to the SigGroupHead.
541  * \param max_idx The maximum value of the sid in the SigGroupHead arg.
542  *
543  * \retval 0 success
544  * \retval -1 error
545  */
547  uint32_t max_idx)
548 {
549  Signature *s = NULL;
550  uint32_t idx = 0;
551  uint32_t sig = 0;
552 
553  if (sgh == NULL)
554  return 0;
555 
556  BUG_ON(sgh->init->match_array != NULL);
557  sgh->init->max_sig_id = MAX(sgh->init->max_sig_id, max_idx);
558 
559  sgh->init->match_array = SCCalloc(sgh->init->sig_cnt, sizeof(Signature *));
560  if (sgh->init->match_array == NULL)
561  return -1;
562 
563  for (sig = 0; sig < sgh->init->max_sig_id + 1; sig++) {
564  if (!(sgh->init->sig_array[(sig / 8)] & (1 << (sig % 8))) )
565  continue;
566 
567  s = de_ctx->sig_array[sig];
568  if (s == NULL)
569  continue;
570 
571  sgh->init->match_array[idx] = s;
572  idx++;
573  }
574 
575  return 0;
576 }
577 
578 /**
579  * \brief Set the need hash flag in the sgh.
580  *
581  * \param de_ctx detection engine ctx for the signatures
582  * \param sgh sig group head to update
583  */
585 {
586  if (sgh == NULL)
587  return;
588 
589  for (uint32_t sig = 0; sig < sgh->init->sig_cnt; sig++) {
590  const Signature *s = sgh->init->match_array[sig];
591  if (s == NULL)
592  continue;
593 
596  }
599  SCLogDebug("sgh %p has filemd5", sgh);
600  }
603  SCLogDebug("sgh %p has filesha1", sgh);
604  }
607  SCLogDebug("sgh %p has filesha256", sgh);
608  }
609 #ifdef HAVE_MAGIC
611  sgh->flags |= SIG_GROUP_HEAD_HAVEFILEMAGIC;
612  }
613 #endif
614  if (SignatureIsFilestoring(s)) {
615  // should be insured by caller that we do not overflow
616  DEBUG_VALIDATE_BUG_ON(sgh->filestore_cnt == UINT16_MAX);
617  sgh->filestore_cnt++;
618  }
619  }
620 }
621 
622 /** \brief build an array of rule id's for sigs with no prefilter
623  * Also updated de_ctx::non_pf_store_cnt_max to track the highest cnt
624  */
626 {
627  Signature *s = NULL;
628  uint32_t sig = 0;
629  uint32_t non_pf = 0;
630  uint32_t non_pf_syn = 0;
631 
632  if (sgh == NULL)
633  return 0;
634 
635  BUG_ON(sgh->non_pf_other_store_array != NULL);
636 
637  for (sig = 0; sig < sgh->init->sig_cnt; sig++) {
638  s = sgh->init->match_array[sig];
639  if (s == NULL)
640  continue;
641 
642  if (!(s->flags & SIG_FLAG_PREFILTER) || (s->flags & SIG_FLAG_MPM_NEG)) {
644  non_pf++;
645  }
646  non_pf_syn++;
647  }
648  }
649 
650  if (non_pf == 0 && non_pf_syn == 0) {
651  sgh->non_pf_other_store_array = NULL;
652  sgh->non_pf_syn_store_array = NULL;
653  return 0;
654  }
655 
656  if (non_pf > 0) {
658  BUG_ON(sgh->non_pf_other_store_array == NULL);
659  }
660 
661  if (non_pf_syn > 0) {
662  sgh->non_pf_syn_store_array = SCCalloc(non_pf_syn, sizeof(SignatureNonPrefilterStore));
663  BUG_ON(sgh->non_pf_syn_store_array == NULL);
664  }
665 
666  for (sig = 0; sig < sgh->init->sig_cnt; sig++) {
667  s = sgh->init->match_array[sig];
668  if (s == NULL)
669  continue;
670 
671  if (!(s->flags & SIG_FLAG_PREFILTER) || (s->flags & SIG_FLAG_MPM_NEG)) {
673  BUG_ON(sgh->non_pf_other_store_cnt >= non_pf);
674  BUG_ON(sgh->non_pf_other_store_array == NULL);
678  sgh->non_pf_other_store_cnt++;
679  }
680 
681  BUG_ON(sgh->non_pf_syn_store_cnt >= non_pf_syn);
682  BUG_ON(sgh->non_pf_syn_store_array == NULL);
686  sgh->non_pf_syn_store_cnt++;
687  }
688  }
689 
690  /* track highest cnt for any sgh in our de_ctx */
691  uint32_t max = MAX(sgh->non_pf_other_store_cnt, sgh->non_pf_syn_store_cnt);
692  if (max > de_ctx->non_pf_store_cnt_max)
694 
695  return 0;
696 }
697 
698 /**
699  * \brief Check if a SigGroupHead contains a Signature, whose sid is sent as an
700  * argument.
701  *
702  * \param de_ctx Pointer to the detection engine context.
703  * \param sgh Pointer to the SigGroupHead that has to be checked for the
704  * presence of a Signature.
705  * \param sid The Signature id(sid) that has to be checked in the SigGroupHead.
706  *
707  * \retval 1 On successfully finding the sid in the SigGroupHead.
708  * \retval 0 If the sid is not found in the SigGroupHead
709  */
711  uint32_t sid)
712 {
713  SCEnter();
714 
715  uint32_t sig = 0;
716  Signature *s = NULL;
717  uint32_t max_sid = DetectEngineGetMaxSigId(de_ctx);
718 
719  if (sgh == NULL) {
720  SCReturnInt(0);
721  }
722 
723  for (sig = 0; sig < max_sid; sig++) {
724  if (sgh->init->sig_array == NULL) {
725  SCReturnInt(0);
726  }
727 
728  /* Check if the SigGroupHead has an entry for the sid */
729  if ( !(sgh->init->sig_array[sig / 8] & (1 << (sig % 8))) )
730  continue;
731 
732  /* If we have reached here, we have an entry for sid in the SigGroupHead.
733  * Retrieve the Signature from the detection engine context */
734  s = de_ctx->sig_array[sig];
735  if (s == NULL)
736  continue;
737 
738  /* If the retrieved Signature matches the sid arg, we have a match */
739  if (s->id == sid) {
740  SCReturnInt(1);
741  }
742  }
743 
744  SCReturnInt(0);
745 }
746 
747 /*----------------------------------Unittests---------------------------------*/
748 
749 #ifdef UNITTESTS
750 
752 
753 /**
754  * \test Check if a SigGroupHead hash table is properly allocated and
755  * deallocated when calling SigGroupHeadHashInit() and
756  * SigGroupHeadHashFree() respectively.
757  */
758 static int SigGroupHeadTest01(void)
759 {
761 
764 
767 
768  PASS;
769 }
770 
771 /**
772  * \test Check if a SigGroupHeadAppendSig() correctly appends a sid to a
773  * SigGroupHead() and SigGroupHeadContainsSigId() correctly indicates
774  * the presence of a sid.
775  */
776 static int SigGroupHeadTest02(void)
777 {
778  SigGroupHead *sh = NULL;
779 
782 
783  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
784  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
785  "content:\"test2\"; content:\"test3\"; sid:1;)");
786  FAIL_IF_NULL(s);
787 
788  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
789  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
790  "content:\"test2\"; content:\"test3\"; sid:2;)");
791  FAIL_IF_NULL(s);
792 
793  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
794  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
795  "content:\"test2\"; content:\"test3\"; sid:3;)");
796  FAIL_IF_NULL(s);
797 
798  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
799  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
800  "content:\"test2\"; content:\"test3\"; sid:4;)");
801  FAIL_IF_NULL(s);
802 
803  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
804  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
805  "content:\"test2\"; content:\"test3\"; sid:5;)");
806  FAIL_IF_NULL(s);
807 
809 
813 
814  SigGroupHeadSetSigCnt(sh, 4);
815 
816  FAIL_IF_NOT(sh->init->sig_cnt == 3);
822 
824 
826 
827  PASS;
828 }
829 
830 /**
831  * \test Check if a SigGroupHeadAppendSig(), correctly appends a sid to a
832  * SigGroupHead() and SigGroupHeadContainsSigId(), correctly indicates
833  * the presence of a sid and SigGroupHeadClearSigs(), correctly clears
834  * the SigGroupHead->sig_array and SigGroupHead->sig_cnt.
835  */
836 static int SigGroupHeadTest03(void)
837 {
838  SigGroupHead *sh = NULL;
839 
842 
843  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
844  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
845  "content:\"test2\"; content:\"test3\"; sid:1;)");
846  FAIL_IF_NULL(s);
847 
848  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
849  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
850  "content:\"test2\"; content:\"test3\"; sid:2;)");
851  FAIL_IF_NULL(s);
852 
853  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
854  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
855  "content:\"test2\"; content:\"test3\"; sid:3;)");
856  FAIL_IF_NULL(s);
857 
858  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
859  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
860  "content:\"test2\"; content:\"test3\"; sid:4;)");
861  FAIL_IF_NULL(s);
862 
863  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
864  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
865  "content:\"test2\"; content:\"test3\"; sid:5;)");
866  FAIL_IF_NULL(s);
867 
869 
873 
874  SigGroupHeadSetSigCnt(sh, 4);
875 
876  FAIL_IF_NOT(sh->init->sig_cnt == 3);
882 
884 
885  FAIL_IF_NOT(sh->init->sig_cnt == 0);
891 
893 
895 
896  PASS;
897 }
898 
899 /**
900  * \test Check if SigGroupHeadCopySigs(), correctly copies the sig_array from
901  * the source to the destination SigGroupHead.
902  */
903 static int SigGroupHeadTest04(void)
904 {
905  SigGroupHead *src_sh = NULL;
906  SigGroupHead *dst_sh = NULL;
908 
910 
911  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
912  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
913  "content:\"test2\"; content:\"test3\"; sid:1;)");
914  FAIL_IF_NULL(s);
915 
916  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
917  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
918  "content:\"test2\"; content:\"test3\"; sid:2;)");
919  FAIL_IF_NULL(s);
920 
921  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
922  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
923  "content:\"test2\"; content:\"test3\"; sid:3;)");
924  FAIL_IF_NULL(s);
925 
926  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
927  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
928  "content:\"test2\"; content:\"test3\"; sid:4;)");
929  FAIL_IF_NULL(s);
930 
931  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
932  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
933  "content:\"test2\"; content:\"test3\"; sid:5;)");
934  FAIL_IF_NULL(s);
935 
937 
941 
942  SigGroupHeadSetSigCnt(src_sh, 4);
943 
944  FAIL_IF_NOT(src_sh->init->sig_cnt == 3);
945  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, src_sh, 1) == 1);
946  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, src_sh, 2) == 0);
947  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, src_sh, 3) == 1);
948  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, src_sh, 4) == 0);
949  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, src_sh, 5) == 1);
950 
951  SigGroupHeadCopySigs(de_ctx, src_sh, &dst_sh);
952 
953  SigGroupHeadSetSigCnt(dst_sh, 4);
954 
955  FAIL_IF_NOT(dst_sh->init->sig_cnt == 3);
956  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, dst_sh, 1) == 1);
957  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, dst_sh, 2) == 0);
958  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, dst_sh, 3) == 1);
959  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, dst_sh, 4) == 0);
960  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, dst_sh, 5) == 1);
961 
962  SigGroupHeadFree(de_ctx, src_sh);
963  SigGroupHeadFree(de_ctx, dst_sh);
964 
966 
967  PASS;
968 }
969 
970 /**
971  * \test Check if SigGroupHeadBuildMatchArray(), correctly updates the
972  * match array with the sids.
973  */
974 static int SigGroupHeadTest05(void)
975 {
976  SigGroupHead *sh = NULL;
978 
980 
981  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
982  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
983  "content:\"test2\"; content:\"test3\"; sid:1;)");
984  FAIL_IF_NULL(s);
985 
986  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
987  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
988  "content:\"test2\"; content:\"test3\"; sid:2;)");
989  FAIL_IF_NULL(s);
990 
991  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
992  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
993  "content:\"test2\"; content:\"test3\"; sid:3;)");
994  FAIL_IF_NULL(s);
995 
996  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
997  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
998  "content:\"test2\"; content:\"test3\"; sid:4;)");
999  FAIL_IF_NULL(s);
1000 
1001  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1002  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
1003  "content:\"test2\"; content:\"test3\"; sid:5;)");
1004  FAIL_IF_NULL(s);
1005 
1007 
1011 
1012  SigGroupHeadSetSigCnt(sh, 4);
1014 
1015  /* matching an array to a queue structure (sig_list) constructed by SigInit()
1016 
1017  FAIL_IF_NOT(sh->init->match_array[0] == de_ctx->sig_list);
1018  FAIL_IF_NOT(sh->init->match_array[1] == de_ctx->sig_list->next->next);
1019  FAIL_IF_NOT(sh->init->match_array[2] == de_ctx->sig_list->next->next->next->next);
1020  */
1021 
1022  // matching an array to a stack structure (sig_list) constructed by DetectEngineAppendSig()
1026 
1027  SigGroupHeadFree(de_ctx, sh);
1028 
1030 
1031  PASS;
1032 }
1033 
1034 /**
1035  * \test ICMP(?) sig grouping bug.
1036  */
1037 static int SigGroupHeadTest06(void)
1038 {
1040  DetectEngineThreadCtx *det_ctx = NULL;
1041  ThreadVars th_v;
1042 
1043  memset(&th_v, 0, sizeof(ThreadVars));
1044 
1045  Packet *p = UTHBuildPacketSrcDst(NULL, 0, IPPROTO_ICMP, "192.168.1.1", "1.2.3.4");
1046  FAIL_IF_NULL(p);
1047  FAIL_IF_NOT(PacketIsICMPv4(p));
1048 
1049  p->l4.hdrs.icmpv4h->type = 5;
1050  p->l4.hdrs.icmpv4h->code = 1;
1051 
1052  /* originally ip's were
1053  p.src.addr_data32[0] = 0xe08102d3;
1054  p.dst.addr_data32[0] = 0x3001a8c0;
1055  */
1056 
1058 
1059  Signature *s = DetectEngineAppendSig(de_ctx, "alert icmp 192.168.0.0/16 any -> any any "
1060  "(icode:>1; itype:11; sid:1; rev:1;)");
1061  FAIL_IF_NULL(s);
1062 
1063  s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> 192.168.0.0/16 any "
1064  "(icode:1; itype:5; sid:2; rev:1;)");
1065  FAIL_IF_NULL(s);
1066 
1068  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1069 
1070  AddressDebugPrint(&p->dst);
1071 
1072  const SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, p);
1073  FAIL_IF_NULL(sgh);
1074 
1076  UTHFreePackets(&p, 1);
1077 
1078  PASS;
1079 }
1080 #endif
1081 
1083 {
1084 #ifdef UNITTESTS
1085  UtRegisterTest("SigGroupHeadTest01", SigGroupHeadTest01);
1086  UtRegisterTest("SigGroupHeadTest02", SigGroupHeadTest02);
1087  UtRegisterTest("SigGroupHeadTest03", SigGroupHeadTest03);
1088  UtRegisterTest("SigGroupHeadTest04", SigGroupHeadTest04);
1089  UtRegisterTest("SigGroupHeadTest05", SigGroupHeadTest05);
1090  UtRegisterTest("SigGroupHeadTest06", SigGroupHeadTest06);
1091 #endif
1092 }
detect-tcp-flags.h
DetectEngineCtx_::sgh_hash_table
HashListTable * sgh_hash_table
Definition: detect.h:876
SigGroupHead_::non_pf_syn_store_cnt
uint32_t non_pf_syn_store_cnt
Definition: detect.h:1477
SIG_GROUP_HEAD_HAVEFILEMD5
#define SIG_GROUP_HEAD_HAVEFILEMD5
Definition: detect.h:1339
detect-content.h
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
util-hashlist.h
detect-engine-siggroup.h
SigGroupHead_::flags
uint16_t flags
Definition: detect.h:1466
Signature_::num
SigIntId num
Definition: detect.h:615
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1465
SIG_GROUP_HEAD_HAVEFILESIZE
#define SIG_GROUP_HEAD_HAVEFILESIZE
Definition: detect.h:1340
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SigGroupHeadBuildNonPrefilterArray
int SigGroupHeadBuildNonPrefilterArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
build an array of rule id's for sigs with no prefilter Also updated de_ctx::non_pf_store_cnt_max to t...
Definition: detect-engine-siggroup.c:625
SigGroupHeadEqual
bool SigGroupHeadEqual(const SigGroupHead *sgha, const SigGroupHead *sghb)
Finds if two Signature Group Heads are the same.
Definition: detect-engine-siggroup.c:480
SigGroupHeadInitData_::sig_array
uint8_t * sig_array
Definition: detect.h:1440
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Signature_::alproto
AppProto alproto
Definition: detect.h:608
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
SignatureNonPrefilterStore_::id
SigIntId id
Definition: detect.h:1075
DetectEngineCtx_::non_pf_store_cnt_max
uint32_t non_pf_store_cnt_max
Definition: detect.h:867
AddressDebugPrint
void AddressDebugPrint(Address *a)
Debug print function for printing addresses.
Definition: decode.c:757
UTHBuildPacketSrcDst
Packet * UTHBuildPacketSrcDst(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst)
UTHBuildPacketSrcDst is a wrapper that build packets specifying IPs and defaulting ports.
Definition: util-unittest-helper.c:400
util-hash.h
SIG_GROUP_HEAD_HAVEFILESHA1
#define SIG_GROUP_HEAD_HAVEFILESHA1
Definition: detect.h:1341
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:843
DetectFlagsSignatureNeedsSynPackets
int DetectFlagsSignatureNeedsSynPackets(const Signature *s)
Definition: detect-tcp-flags.c:516
SigGroupHeadSetProtoAndDirection
void SigGroupHeadSetProtoAndDirection(SigGroupHead *sgh, uint8_t ipproto, int dir)
Definition: detect-engine-siggroup.c:497
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2623
SigPrepareStage1
int SigPrepareStage1(DetectEngineCtx *)
Preprocess signature, classify ip-only, etc, build sig array.
Definition: detect-engine-build.c:1715
SigGroupHeadPrintSigs
void SigGroupHeadPrintSigs(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Helper function used to print the list of sids for the Signatures present in this SigGroupHead.
Definition: detect-engine-siggroup.c:514
HashListTableLookup
void * HashListTableLookup(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:245
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2591
MAX
#define MAX(x, y)
Definition: suricata-common.h:395
SigGroupHeadSetupFiles
void SigGroupHeadSetupFiles(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Set the need hash flag in the sgh.
Definition: detect-engine-siggroup.c:584
SignatureIsFilesizeInspecting
int SignatureIsFilesizeInspecting(const Signature *s)
Check if a signature contains the filesize keyword.
Definition: detect-engine-build.c:186
SignatureNonPrefilterStore_
Definition: detect.h:1074
detect-engine-prefilter.h
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
SigGroupHeadRegisterTests
void SigGroupHeadRegisterTests(void)
Definition: detect-engine-siggroup.c:1082
HashListTableAdd
int HashListTableAdd(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:114
SigGroupHeadHashInit
int SigGroupHeadHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table in the detection engine context to hold the SigGroupHeads.
Definition: detect-engine-siggroup.c:255
HashListTable_::array_size
uint32_t array_size
Definition: util-hashlist.h:41
util-memcmp.h
DetectEngineCtx_::sgh_array_size
uint32_t sgh_array_size
Definition: detect.h:916
SigGroupHeadInitData_::pkt_mpms
MpmCtx ** pkt_mpms
Definition: detect.h:1449
SignatureIsFileSha256Inspecting
int SignatureIsFileSha256Inspecting(const Signature *s)
Check if a signature contains the filesha256 keyword.
Definition: detect-engine-build.c:170
Signature_::next
struct Signature_ * next
Definition: detect.h:675
util-cidr.h
HashListTableInit
HashListTable * HashListTableInit(uint32_t size, uint32_t(*Hash)(struct HashListTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
Definition: util-hashlist.c:35
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
SigGroupHeadBuildMatchArray
int SigGroupHeadBuildMatchArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t max_idx)
Create an array with all the internal ids of the sigs that this sig group head will check for.
Definition: detect-engine-siggroup.c:546
SigGroupHeadInitData_::sig_cnt
SigIntId sig_cnt
Definition: detect.h:1458
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
util-error.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1098
SigGroupHeadInitData_::tx_engines
PrefilterEngineList * tx_engines
Definition: detect.h:1454
DetectEngineGetMaxSigId
#define DetectEngineGetMaxSigId(de_ctx)
Definition: detect-engine.h:105
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SignatureNonPrefilterStore_::alproto
AppProto alproto
Definition: detect.h:1077
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3365
SigGroupHead_::init
SigGroupHeadInitData * init
Definition: detect.h:1488
SigGroupHeadInitData_::direction
uint32_t direction
Definition: detect.h:1444
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
PacketL4::L4Hdrs::icmpv4h
ICMPV4Hdr * icmpv4h
Definition: decode.h:446
SCReturn
#define SCReturn
Definition: util-debug.h:273
Signature_::flags
uint32_t flags
Definition: detect.h:604
ICMPV4Hdr_::type
uint8_t type
Definition: decode-icmpv4.h:166
Packet_
Definition: decode.h:476
SCFreeAligned
#define SCFreeAligned(p)
Definition: util-mem.h:77
detect-engine-build.h
Packet_::l4
struct PacketL4 l4
Definition: decode.h:570
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
SigGroupHeadInitData_::max_sig_id
uint32_t max_sig_id
Definition: detect.h:1446
DetectEngineCtx_::sgh_array_cnt
uint32_t sgh_array_cnt
Definition: detect.h:915
SigGroupHeadAppendSig
int SigGroupHeadAppendSig(const DetectEngineCtx *de_ctx, SigGroupHead **sgh, const Signature *s)
Add a Signature to a SigGroupHead.
Definition: detect-engine-siggroup.c:330
DetectEngineCtx_::sgh_array
struct SigGroupHead_ ** sgh_array
Definition: detect.h:914
HashListTable_
Definition: util-hashlist.h:37
SigGroupHeadFree
void SigGroupHeadFree(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Free a SigGroupHead and its members.
Definition: detect-engine-siggroup.c:162
SigGroupHeadInitData_::app_mpms
MpmCtx ** app_mpms
Definition: detect.h:1448
SignatureIsFileSha1Inspecting
int SignatureIsFileSha1Inspecting(const Signature *s)
Check if a signature contains the filesha1 keyword.
Definition: detect-engine-build.c:154
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2145
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
SIG_FLAG_MPM_NEG
#define SIG_FLAG_MPM_NEG
Definition: detect.h:253
SigGroupHeadInitData_::pkt_engines
PrefilterEngineList * pkt_engines
Definition: detect.h:1452
SigGroupHeadSetSigCnt
void SigGroupHeadSetSigCnt(SigGroupHead *sgh, uint32_t max_idx)
Updates the SigGroupHead->sig_cnt with the total count of all the Signatures present in this SigGroup...
Definition: detect-engine-siggroup.c:457
cnt
uint32_t cnt
Definition: tmqh-packetpool.h:7
SigGroupHead_::non_pf_other_store_array
SignatureNonPrefilterStore * non_pf_other_store_array
Definition: detect.h:1478
suricata-common.h
SigGroupHeadStore
void SigGroupHeadStore(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Definition: detect-engine-siggroup.c:108
SigGroupHeadInitData_::frame_engines
PrefilterEngineList * frame_engines
Definition: detect.h:1455
SigGroupHeadInitData_::payload_engines
PrefilterEngineList * payload_engines
Definition: detect.h:1453
HashListTableFree
void HashListTableFree(HashListTable *ht)
Definition: util-hashlist.c:88
SigGroupHeadInitData_::match_array
Signature ** match_array
Definition: detect.h:1461
SigGroupHead_::non_pf_other_store_cnt
uint32_t non_pf_other_store_cnt
Definition: detect.h:1476
SCMallocAligned
#define SCMallocAligned(size, align)
Definition: util-mem.h:68
SigGroupHeadInitData_::sig_size
uint32_t sig_size
Definition: detect.h:1441
PrefilterCleanupRuleGroup
void PrefilterCleanupRuleGroup(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Definition: detect-engine-prefilter.c:381
ICMPV4Hdr_::code
uint8_t code
Definition: decode-icmpv4.h:167
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:851
SigGroupHeadHashFree
void SigGroupHeadHashFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function.
Definition: detect-engine-siggroup.c:310
SigGroupHeadHashAdd
int SigGroupHeadHashAdd(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Adds a SigGroupHead to the detection engine context SigGroupHead hash table.
Definition: detect-engine-siggroup.c:277
util-validate.h
SigGroupHeadInitData_
Definition: detect.h:1437
SigGroupHeadHashLookup
SigGroupHead * SigGroupHeadHashLookup(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Used to lookup a SigGroupHead hash from the detection engine context SigGroupHead hash table.
Definition: detect-engine-siggroup.c:294
SignatureIsFilestoring
int SignatureIsFilestoring(const Signature *s)
Check if a signature contains the filestore keyword.
Definition: detect-engine-build.c:100
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Signature_::id
uint32_t id
Definition: detect.h:638
detect-parse.h
src
uint16_t src
Definition: app-layer-dnp3.h:5
Signature_
Signature container.
Definition: detect.h:603
SigGroupHeadInitDataFree
void SigGroupHeadInitDataFree(SigGroupHeadInitData *sghid)
Definition: detect-engine-siggroup.c:60
SigGroupHeadContainsSigId
int SigGroupHeadContainsSigId(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t sid)
Check if a SigGroupHead contains a Signature, whose sid is sent as an argument.
Definition: detect-engine-siggroup.c:710
SignatureIsFileMd5Inspecting
int SignatureIsFileMd5Inspecting(const Signature *s)
Check if a signature contains the filemd5 keyword.
Definition: detect-engine-build.c:138
PacketL4::hdrs
union PacketL4::L4Hdrs hdrs
SigGroupHeadInitData_::protos
uint8_t protos[256]
Definition: detect.h:1443
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2584
app-layer-protos.h
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:860
Packet_::dst
Address dst
Definition: decode.h:481
SigGroupHead_::non_pf_syn_store_array
SignatureNonPrefilterStore * non_pf_syn_store_array
Definition: detect.h:1480
SignatureNonPrefilterStore_::mask
SignatureMask mask
Definition: detect.h:1076
detect-uricontent.h
dst
uint16_t dst
Definition: app-layer-dnp3.h:4
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SIG_GROUP_HEAD_HAVEFILESHA256
#define SIG_GROUP_HEAD_HAVEFILESHA256
Definition: detect.h:1342
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
SignatureIsFilemagicInspecting
int SignatureIsFilemagicInspecting(const Signature *s)
Check if a signature contains the filemagic keyword.
Definition: detect-engine-build.c:119
SigGroupHead_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1471
flow-var.h
PrefilterFreeEnginesList
void PrefilterFreeEnginesList(PrefilterEngineList *list)
Definition: detect-engine-prefilter.c:353
SCMemcmp
#define SCMemcmp(a, b, c)
Definition: util-memcmp.h:290
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
SIG_FLAG_PREFILTER
#define SIG_FLAG_PREFILTER
Definition: detect.h:274
detect-engine-address.h
SigMatchSignaturesGetSgh
const SigGroupHead * SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx, const Packet *p)
Get the SigGroupHead for a packet.
Definition: detect.c:220
SigGroupHeadCopySigs
int SigGroupHeadCopySigs(DetectEngineCtx *de_ctx, SigGroupHead *src, SigGroupHead **dst)
Copies the bitarray holding the sids from the source SigGroupHead to the destination SigGroupHead.
Definition: detect-engine-siggroup.c:401
Signature_::mask
SignatureMask mask
Definition: detect.h:614
SigGroupHeadClearSigs
int SigGroupHeadClearSigs(SigGroupHead *)
Clears the bitarray holding the sids for this SigGroupHead.
Definition: detect-engine-siggroup.c:359
SigGroupHeadInitData_::frame_mpms
MpmCtx ** frame_mpms
Definition: detect.h:1450
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:450