suricata
detect-engine-siggroup.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Signature grouping part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "flow-var.h"
30 
31 #include "app-layer-protos.h"
32 
33 #include "detect.h"
34 #include "detect-parse.h"
35 #include "detect-engine.h"
36 #include "detect-engine-build.h"
37 #include "detect-engine-address.h"
38 #include "detect-engine-mpm.h"
39 #include "detect-engine-siggroup.h"
41 
42 #include "detect-content.h"
43 #include "detect-uricontent.h"
44 #include "detect-tcp-flags.h"
45 
46 #include "util-hash.h"
47 #include "util-hashlist.h"
48 
49 #include "util-error.h"
50 #include "util-debug.h"
51 #include "util-cidr.h"
52 #include "util-unittest.h"
53 #include "util-unittest-helper.h"
54 #include "util-memcmp.h"
55 
56 /* prototypes */
58 
60 {
61  if (sghid->match_array != NULL) {
62  SCFree(sghid->match_array);
63  sghid->match_array = NULL;
64  }
65  if (sghid->sig_array != NULL) {
66  SCFree(sghid->sig_array);
67  sghid->sig_array = NULL;
68  }
69  if (sghid->app_mpms != NULL) {
70  SCFree(sghid->app_mpms);
71  }
72  if (sghid->pkt_mpms != NULL) {
73  SCFree(sghid->pkt_mpms);
74  }
75  if (sghid->frame_mpms != NULL) {
76  SCFree(sghid->frame_mpms);
77  }
78 
83 
84  SCFree(sghid);
85 }
86 
87 static SigGroupHeadInitData *SigGroupHeadInitDataAlloc(uint32_t size)
88 {
90  if (unlikely(sghid == NULL))
91  return NULL;
92 
93  memset(sghid, 0x00, sizeof(SigGroupHeadInitData));
94 
95  /* initialize the signature bitarray */
96  sghid->sig_size = size;
97  if ( (sghid->sig_array = SCMalloc(sghid->sig_size)) == NULL)
98  goto error;
99 
100  memset(sghid->sig_array, 0, sghid->sig_size);
101 
102  return sghid;
103 error:
105  return NULL;
106 }
107 
109 {
110  void *ptmp;
111  //printf("de_ctx->sgh_array_cnt %u, de_ctx->sgh_array_size %u, de_ctx->sgh_array %p\n", de_ctx->sgh_array_cnt, de_ctx->sgh_array_size, de_ctx->sgh_array);
114  } else {
115  int increase = 16;
116  ptmp = SCRealloc(de_ctx->sgh_array,
117  sizeof(SigGroupHead *) * (increase + de_ctx->sgh_array_size));
118  if (ptmp == NULL) {
120  de_ctx->sgh_array = NULL;
121  return;
122  }
123  de_ctx->sgh_array = ptmp;
124 
125  de_ctx->sgh_array_size += increase;
127  }
129 }
130 
131 /**
132  * \brief Alloc a SigGroupHead and its signature bit_array.
133  *
134  * \param size Size of the sig_array that has to be created for this
135  * SigGroupHead.
136  *
137  * \retval sgh Pointer to the newly init SigGroupHead on success; or NULL in
138  * case of error.
139  */
140 static SigGroupHead *SigGroupHeadAlloc(const DetectEngineCtx *de_ctx, uint32_t size)
141 {
142  SigGroupHead *sgh = SCMalloc(sizeof(SigGroupHead));
143  if (unlikely(sgh == NULL))
144  return NULL;
145  memset(sgh, 0, sizeof(SigGroupHead));
146 
147  sgh->init = SigGroupHeadInitDataAlloc(size);
148  if (sgh->init == NULL)
149  goto error;
150 
151  return sgh;
152 
153 error:
154  SigGroupHeadFree(de_ctx, sgh);
155  return NULL;
156 }
157 
158 /**
159  * \brief Free a SigGroupHead and its members.
160  *
161  * \param sgh Pointer to the SigGroupHead that has to be freed.
162  */
164 {
165  if (sgh == NULL)
166  return;
167 
168  SCLogDebug("sgh %p", sgh);
169 
170  if (sgh->non_pf_other_store_array != NULL) {
172  sgh->non_pf_other_store_array = NULL;
173  sgh->non_pf_other_store_cnt = 0;
174  }
175 
176  if (sgh->non_pf_syn_store_array != NULL) {
178  sgh->non_pf_syn_store_array = NULL;
179  sgh->non_pf_syn_store_cnt = 0;
180  }
181 
182  if (sgh->init != NULL) {
184  sgh->init = NULL;
185  }
186 
188  SCFree(sgh);
189 
190  return;
191 }
192 
193 /**
194  * \brief The hash function to be the used by the hash table -
195  * DetectEngineCtx->sgh_hash_table.
196  *
197  * \param ht Pointer to the hash table.
198  * \param data Pointer to the SigGroupHead.
199  * \param datalen Not used in our case.
200  *
201  * \retval hash The generated hash value.
202  */
203 static uint32_t SigGroupHeadHashFunc(HashListTable *ht, void *data, uint16_t datalen)
204 {
205  SigGroupHead *sgh = (SigGroupHead *)data;
206  uint32_t hash = 0;
207  uint32_t b = 0;
208 
209  SCLogDebug("hashing sgh %p", sgh);
210 
211  for (b = 0; b < sgh->init->sig_size; b++)
212  hash += sgh->init->sig_array[b];
213 
214  hash %= ht->array_size;
215  SCLogDebug("hash %"PRIu32" (sig_size %"PRIu32")", hash, sgh->init->sig_size);
216  return hash;
217 }
218 
219 /**
220  * \brief The Compare function to be used by the SigGroupHead hash table -
221  * DetectEngineCtx->sgh_hash_table.
222  *
223  * \param data1 Pointer to the first SigGroupHead.
224  * \param len1 Not used.
225  * \param data2 Pointer to the second SigGroupHead.
226  * \param len2 Not used.
227  *
228  * \retval 1 If the 2 SigGroupHeads sent as args match.
229  * \retval 0 If the 2 SigGroupHeads sent as args do not match.
230  */
231 static char SigGroupHeadCompareFunc(void *data1, uint16_t len1, void *data2,
232  uint16_t len2)
233 {
234  SigGroupHead *sgh1 = (SigGroupHead *)data1;
235  SigGroupHead *sgh2 = (SigGroupHead *)data2;
236 
237  if (data1 == NULL || data2 == NULL)
238  return 0;
239 
240  if (sgh1->init->sig_size != sgh2->init->sig_size)
241  return 0;
242 
243  if (SCMemcmp(sgh1->init->sig_array, sgh2->init->sig_array, sgh1->init->sig_size) != 0)
244  return 0;
245 
246  return 1;
247 }
248 
249 /**
250  * \brief Initializes the hash table in the detection engine context to hold the
251  * SigGroupHeads.
252  *
253  * \param de_ctx Pointer to the detection engine context.
254  *
255  * \retval 0 On success.
256  * \retval -1 On failure.
257  */
259 {
260  de_ctx->sgh_hash_table = HashListTableInit(4096, SigGroupHeadHashFunc,
261  SigGroupHeadCompareFunc, NULL);
262  if (de_ctx->sgh_hash_table == NULL)
263  goto error;
264 
265  return 0;
266 
267 error:
268  return -1;
269 }
270 
271 /**
272  * \brief Adds a SigGroupHead to the detection engine context SigGroupHead
273  * hash table.
274  *
275  * \param de_ctx Pointer to the detection engine context.
276  * \param sgh Pointer to the SigGroupHead.
277  *
278  * \retval ret 0 on Successfully adding the SigGroupHead; -1 on failure.
279  */
281 {
282  int ret = HashListTableAdd(de_ctx->sgh_hash_table, (void *)sgh, 0);
283 
284  return ret;
285 }
286 
288 {
289  return HashListTableRemove(de_ctx->sgh_hash_table, (void *)sgh, 0);
290 }
291 
292 /**
293  * \brief Used to lookup a SigGroupHead hash from the detection engine context
294  * SigGroupHead hash table.
295  *
296  * \param de_ctx Pointer to the detection engine context.
297  * \param sgh Pointer to the SigGroupHead.
298  *
299  * \retval rsgh On success a pointer to the SigGroupHead if the SigGroupHead is
300  * found in the hash table; NULL on failure.
301  */
303 {
304  SCEnter();
305 
307  (void *)sgh, 0);
308 
309  SCReturnPtr(rsgh, "SigGroupHead");
310 }
311 
312 /**
313  * \brief Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by
314  * SigGroupHeadHashInit() function.
315  *
316  * \param de_ctx Pointer to the detection engine context.
317  */
319 {
320  if (de_ctx->sgh_hash_table == NULL)
321  return;
322 
324  de_ctx->sgh_hash_table = NULL;
325 
326  return;
327 }
328 
329 /**
330  * \brief Add a Signature to a SigGroupHead.
331  *
332  * \param de_ctx Pointer to the detection engine context.
333  * \param sgh Pointer to a SigGroupHead. Can be NULL also.
334  * \param s Pointer to the Signature that has to be added to the
335  * SigGroupHead.
336  *
337  * \retval 0 On success.
338  * \retval -1 On failure.
339  */
341  const Signature *s)
342 {
343  if (de_ctx == NULL)
344  return 0;
345 
346  /* see if we have a head already */
347  if (*sgh == NULL) {
348  *sgh = SigGroupHeadAlloc(de_ctx, DetectEngineGetMaxSigId(de_ctx) / 8 + 1);
349  if (*sgh == NULL)
350  goto error;
351  }
352 
353  /* enable the sig in the bitarray */
354  (*sgh)->init->sig_array[s->num / 8] |= 1 << (s->num % 8);
355 
356  return 0;
357 
358 error:
359  return -1;
360 }
361 
362 /**
363  * \brief Clears the bitarray holding the sids for this SigGroupHead.
364  *
365  * \param sgh Pointer to the SigGroupHead.
366  *
367  * \retval 0 Always.
368  */
370 {
371  if (sgh == NULL)
372  return 0;
373 
374  if (sgh->init->sig_array != NULL)
375  memset(sgh->init->sig_array, 0, sgh->init->sig_size);
376 
377  sgh->init->sig_cnt = 0;
378 
379  return 0;
380 }
381 
382 /**
383  * \brief Copies the bitarray holding the sids from the source SigGroupHead to
384  * the destination SigGroupHead.
385  *
386  * \param de_ctx Pointer to the detection engine context.
387  * \param src Pointer to the source SigGroupHead.
388  * \param dst Pointer to the destination SigGroupHead.
389  *
390  * \retval 0 On success.
391  * \retval -1 On failure.
392  */
394 {
395  uint32_t idx = 0;
396 
397  if (src == NULL || de_ctx == NULL)
398  return 0;
399 
400  if (*dst == NULL) {
401  *dst = SigGroupHeadAlloc(de_ctx, DetectEngineGetMaxSigId(de_ctx) / 8 + 1);
402  if (*dst == NULL)
403  goto error;
404  }
405 
406  /* do the copy */
407  for (idx = 0; idx < src->init->sig_size; idx++)
408  (*dst)->init->sig_array[idx] = (*dst)->init->sig_array[idx] | src->init->sig_array[idx];
409 
410  if (src->init->whitelist)
411  (*dst)->init->whitelist = MAX((*dst)->init->whitelist, src->init->whitelist);
412 
413  return 0;
414 
415 error:
416  return -1;
417 }
418 
419 /**
420  * \brief Updates the SigGroupHead->sig_cnt with the total count of all the
421  * Signatures present in this SigGroupHead.
422  *
423  * \param sgh Pointer to the SigGroupHead.
424  * \param max_idx Maximum sid of the all the Signatures present in this
425  * SigGroupHead.
426  */
427 void SigGroupHeadSetSigCnt(SigGroupHead *sgh, uint32_t max_idx)
428 {
429  uint32_t sig;
430 
431  sgh->init->sig_cnt = 0;
432  for (sig = 0; sig < max_idx + 1; sig++) {
433  if (sgh->init->sig_array[sig / 8] & (1 << (sig % 8)))
434  sgh->init->sig_cnt++;
435  }
436 
437  return;
438 }
439 
441  uint8_t ipproto, int dir)
442 {
443  if (sgh && sgh->init) {
444  SCLogDebug("setting proto %u and dir %d on sgh %p", ipproto, dir, sgh);
445  sgh->init->protos[ipproto] = 1;
446  sgh->init->direction |= dir;
447  }
448 }
449 
450 /**
451  * \brief Helper function used to print the list of sids for the Signatures
452  * present in this SigGroupHead.
453  *
454  * \param de_ctx Pointer to the detection engine context.
455  * \param sgh Pointer to the SigGroupHead.
456  */
458 {
459  SCEnter();
460 
461  if (sgh == NULL) {
462  SCReturn;
463  }
464 
465  uint32_t u;
466 
467  SCLogDebug("The Signatures present in this SigGroupHead are: ");
468  for (u = 0; u < (sgh->init->sig_size * 8); u++) {
469  if (sgh->init->sig_array[u / 8] & (1 << (u % 8))) {
470  SCLogDebug("%" PRIu32, u);
471  printf("s->num %"PRIu32" ", u);
472  }
473  }
474 
475  SCReturn;
476 }
477 
478 /**
479  * \brief Create an array with all the internal ids of the sigs that this
480  * sig group head will check for.
481  *
482  * \param de_ctx Pointer to the detection engine context.
483  * \param sgh Pointer to the SigGroupHead.
484  * \param max_idx The maximum value of the sid in the SigGroupHead arg.
485  *
486  * \retval 0 success
487  * \retval -1 error
488  */
490  uint32_t max_idx)
491 {
492  Signature *s = NULL;
493  uint32_t idx = 0;
494  uint32_t sig = 0;
495 
496  if (sgh == NULL)
497  return 0;
498 
499  BUG_ON(sgh->init->match_array != NULL);
500 
501  sgh->init->match_array = SCMalloc(sgh->init->sig_cnt * sizeof(Signature *));
502  if (sgh->init->match_array == NULL)
503  return -1;
504 
505  memset(sgh->init->match_array, 0, sgh->init->sig_cnt * sizeof(Signature *));
506 
507  for (sig = 0; sig < max_idx + 1; sig++) {
508  if (!(sgh->init->sig_array[(sig / 8)] & (1 << (sig % 8))) )
509  continue;
510 
511  s = de_ctx->sig_array[sig];
512  if (s == NULL)
513  continue;
514 
515  sgh->init->match_array[idx] = s;
516  idx++;
517  }
518 
519  return 0;
520 }
521 
522 /**
523  * \brief Set the need magic flag in the sgh.
524  *
525  * \param de_ctx detection engine ctx for the signatures
526  * \param sgh sig group head to set the flag in
527  */
529 {
530 #ifdef HAVE_MAGIC
531  Signature *s = NULL;
532  uint32_t sig = 0;
533 
534  if (sgh == NULL)
535  return;
536 
537  for (sig = 0; sig < sgh->init->sig_cnt; sig++) {
538  s = sgh->init->match_array[sig];
539  if (s == NULL)
540  continue;
541 
543  sgh->flags |= SIG_GROUP_HEAD_HAVEFILEMAGIC;
544  break;
545  }
546  }
547 #endif
548  return;
549 }
550 
551 /**
552  * \brief Set the need size flag in the sgh.
553  *
554  * \param de_ctx detection engine ctx for the signatures
555  * \param sgh sig group head to set the flag in
556  */
558 {
559  Signature *s = NULL;
560  uint32_t sig = 0;
561 
562  if (sgh == NULL)
563  return;
564 
565  for (sig = 0; sig < sgh->init->sig_cnt; sig++) {
566  s = sgh->init->match_array[sig];
567  if (s == NULL)
568  continue;
569 
572  break;
573  }
574  }
575 
576  return;
577 }
578 
579 /**
580  * \brief Set the need hash flag in the sgh.
581  *
582  * \param de_ctx detection engine ctx for the signatures
583  * \param sgh sig group head to set the flag in
584  */
586 {
587  Signature *s = NULL;
588  uint32_t sig = 0;
589 
590  if (sgh == NULL)
591  return;
592 
593  for (sig = 0; sig < sgh->init->sig_cnt; sig++) {
594  s = sgh->init->match_array[sig];
595  if (s == NULL)
596  continue;
597 
600  SCLogDebug("sgh %p has filemd5", sgh);
601  break;
602  }
603 
606  SCLogDebug("sgh %p has filesha1", sgh);
607  break;
608  }
609 
612  SCLogDebug("sgh %p has filesha256", sgh);
613  break;
614  }
615  }
616 
617  return;
618 }
619 
620 /**
621  * \brief Set the filestore_cnt in the sgh.
622  *
623  * \param de_ctx detection engine ctx for the signatures
624  * \param sgh sig group head to set the counter in
625  */
627 {
628  Signature *s = NULL;
629  uint32_t sig = 0;
630 
631  if (sgh == NULL)
632  return;
633 
634  for (sig = 0; sig < sgh->init->sig_cnt; sig++) {
635  s = sgh->init->match_array[sig];
636  if (s == NULL)
637  continue;
638 
639  if (SignatureIsFilestoring(s)) {
640  sgh->filestore_cnt++;
641  }
642  }
643 
644  return;
645 }
646 
647 /** \brief build an array of rule id's for sigs with no prefilter
648  * Also updated de_ctx::non_pf_store_cnt_max to track the highest cnt
649  */
651 {
652  Signature *s = NULL;
653  uint32_t sig = 0;
654  uint32_t non_pf = 0;
655  uint32_t non_pf_syn = 0;
656 
657  if (sgh == NULL)
658  return 0;
659 
660  BUG_ON(sgh->non_pf_other_store_array != NULL);
661 
662  for (sig = 0; sig < sgh->init->sig_cnt; sig++) {
663  s = sgh->init->match_array[sig];
664  if (s == NULL)
665  continue;
666 
667  if (!(s->flags & SIG_FLAG_PREFILTER) || (s->flags & SIG_FLAG_MPM_NEG)) {
669  non_pf++;
670  }
671  non_pf_syn++;
672  }
673  }
674 
675  if (non_pf == 0 && non_pf_syn == 0) {
676  sgh->non_pf_other_store_array = NULL;
677  sgh->non_pf_syn_store_array = NULL;
678  return 0;
679  }
680 
681  if (non_pf > 0) {
683  BUG_ON(sgh->non_pf_other_store_array == NULL);
684  memset(sgh->non_pf_other_store_array, 0, non_pf * sizeof(SignatureNonPrefilterStore));
685  }
686 
687  if (non_pf_syn > 0) {
688  sgh->non_pf_syn_store_array = SCMalloc(non_pf_syn * sizeof(SignatureNonPrefilterStore));
689  BUG_ON(sgh->non_pf_syn_store_array == NULL);
690  memset(sgh->non_pf_syn_store_array, 0, non_pf_syn * sizeof(SignatureNonPrefilterStore));
691  }
692 
693  for (sig = 0; sig < sgh->init->sig_cnt; sig++) {
694  s = sgh->init->match_array[sig];
695  if (s == NULL)
696  continue;
697 
698  if (!(s->flags & SIG_FLAG_PREFILTER) || (s->flags & SIG_FLAG_MPM_NEG)) {
700  BUG_ON(sgh->non_pf_other_store_cnt >= non_pf);
701  BUG_ON(sgh->non_pf_other_store_array == NULL);
705  sgh->non_pf_other_store_cnt++;
706  }
707 
708  BUG_ON(sgh->non_pf_syn_store_cnt >= non_pf_syn);
709  BUG_ON(sgh->non_pf_syn_store_array == NULL);
713  sgh->non_pf_syn_store_cnt++;
714  }
715  }
716 
717  /* track highest cnt for any sgh in our de_ctx */
718  uint32_t max = MAX(sgh->non_pf_other_store_cnt, sgh->non_pf_syn_store_cnt);
719  if (max > de_ctx->non_pf_store_cnt_max)
721 
722  return 0;
723 }
724 
725 /**
726  * \brief Check if a SigGroupHead contains a Signature, whose sid is sent as an
727  * argument.
728  *
729  * \param de_ctx Pointer to the detection engine context.
730  * \param sgh Pointer to the SigGroupHead that has to be checked for the
731  * presence of a Signature.
732  * \param sid The Signature id(sid) that has to be checked in the SigGroupHead.
733  *
734  * \retval 1 On successfully finding the sid in the SigGroupHead.
735  * \retval 0 If the sid is not found in the SigGroupHead
736  */
738  uint32_t sid)
739 {
740  SCEnter();
741 
742  uint32_t sig = 0;
743  Signature *s = NULL;
744  uint32_t max_sid = DetectEngineGetMaxSigId(de_ctx);
745 
746  if (sgh == NULL) {
747  SCReturnInt(0);
748  }
749 
750  for (sig = 0; sig < max_sid; sig++) {
751  if (sgh->init->sig_array == NULL) {
752  SCReturnInt(0);
753  }
754 
755  /* Check if the SigGroupHead has an entry for the sid */
756  if ( !(sgh->init->sig_array[sig / 8] & (1 << (sig % 8))) )
757  continue;
758 
759  /* If we have reached here, we have an entry for sid in the SigGrouHead.
760  * Retrieve the Signature from the detection engine context */
761  s = de_ctx->sig_array[sig];
762  if (s == NULL)
763  continue;
764 
765  /* If the retrieved Signature matches the sid arg, we have a match */
766  if (s->id == sid) {
767  SCReturnInt(1);
768  }
769  }
770 
771  SCReturnInt(0);
772 }
773 
774 /*----------------------------------Unittests---------------------------------*/
775 
776 #ifdef UNITTESTS
777 
779 
780 /**
781  * \test Check if a SigGroupHead hash table is properly allocated and
782  * deallocated when calling SigGroupHeadHashInit() and
783  * SigGroupHeadHashFree() respectively.
784  */
785 static int SigGroupHeadTest01(void)
786 {
788 
791 
794 
795  PASS;
796 }
797 
798 /**
799  * \test Check if a SigGroupHeadAppendSig() correctly appends a sid to a
800  * SigGroupHead() and SigGroupHeadContainsSigId() correctly indicates
801  * the presence of a sid.
802  */
803 static int SigGroupHeadTest02(void)
804 {
805  SigGroupHead *sh = NULL;
806 
809 
810  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
811  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
812  "content:\"test2\"; content:\"test3\"; sid:1;)");
813  FAIL_IF_NULL(s);
814 
815  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
816  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
817  "content:\"test2\"; content:\"test3\"; sid:2;)");
818  FAIL_IF_NULL(s);
819 
820  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
821  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
822  "content:\"test2\"; content:\"test3\"; sid:3;)");
823  FAIL_IF_NULL(s);
824 
825  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
826  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
827  "content:\"test2\"; content:\"test3\"; sid:4;)");
828  FAIL_IF_NULL(s);
829 
830  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
831  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
832  "content:\"test2\"; content:\"test3\"; sid:5;)");
833  FAIL_IF_NULL(s);
834 
836 
840 
841  SigGroupHeadSetSigCnt(sh, 4);
842 
843  FAIL_IF_NOT(sh->init->sig_cnt == 3);
849 
851 
853 
854  PASS;
855 }
856 
857 /**
858  * \test Check if a SigGroupHeadAppendSig(), correctly appends a sid to a
859  * SigGroupHead() and SigGroupHeadContainsSigId(), correctly indicates
860  * the presence of a sid and SigGroupHeadClearSigs(), correctly clears
861  * the SigGroupHead->sig_array and SigGroupHead->sig_cnt.
862  */
863 static int SigGroupHeadTest03(void)
864 {
865  SigGroupHead *sh = NULL;
866 
869 
870  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
871  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
872  "content:\"test2\"; content:\"test3\"; sid:1;)");
873  FAIL_IF_NULL(s);
874 
875  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
876  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
877  "content:\"test2\"; content:\"test3\"; sid:2;)");
878  FAIL_IF_NULL(s);
879 
880  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
881  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
882  "content:\"test2\"; content:\"test3\"; sid:3;)");
883  FAIL_IF_NULL(s);
884 
885  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
886  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
887  "content:\"test2\"; content:\"test3\"; sid:4;)");
888  FAIL_IF_NULL(s);
889 
890  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
891  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
892  "content:\"test2\"; content:\"test3\"; sid:5;)");
893  FAIL_IF_NULL(s);
894 
896 
900 
901  SigGroupHeadSetSigCnt(sh, 4);
902 
903  FAIL_IF_NOT(sh->init->sig_cnt == 3);
909 
911 
912  FAIL_IF_NOT(sh->init->sig_cnt == 0);
918 
920 
922 
923  PASS;
924 }
925 
926 /**
927  * \test Check if SigGroupHeadCopySigs(), correctly copies the sig_array from
928  * the source to the destination SigGroupHead.
929  */
930 static int SigGroupHeadTest04(void)
931 {
932  SigGroupHead *src_sh = NULL;
933  SigGroupHead *dst_sh = NULL;
935 
937 
938  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
939  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
940  "content:\"test2\"; content:\"test3\"; sid:1;)");
941  FAIL_IF_NULL(s);
942 
943  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
944  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
945  "content:\"test2\"; content:\"test3\"; sid:2;)");
946  FAIL_IF_NULL(s);
947 
948  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
949  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
950  "content:\"test2\"; content:\"test3\"; sid:3;)");
951  FAIL_IF_NULL(s);
952 
953  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
954  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
955  "content:\"test2\"; content:\"test3\"; sid:4;)");
956  FAIL_IF_NULL(s);
957 
958  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
959  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
960  "content:\"test2\"; content:\"test3\"; sid:5;)");
961  FAIL_IF_NULL(s);
962 
964 
968 
969  SigGroupHeadSetSigCnt(src_sh, 4);
970 
971  FAIL_IF_NOT(src_sh->init->sig_cnt == 3);
972  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, src_sh, 1) == 1);
973  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, src_sh, 2) == 0);
974  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, src_sh, 3) == 1);
975  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, src_sh, 4) == 0);
976  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, src_sh, 5) == 1);
977 
978  SigGroupHeadCopySigs(de_ctx, src_sh, &dst_sh);
979 
980  SigGroupHeadSetSigCnt(dst_sh, 4);
981 
982  FAIL_IF_NOT(dst_sh->init->sig_cnt == 3);
983  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, dst_sh, 1) == 1);
984  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, dst_sh, 2) == 0);
985  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, dst_sh, 3) == 1);
986  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, dst_sh, 4) == 0);
987  FAIL_IF_NOT(SigGroupHeadContainsSigId(de_ctx, dst_sh, 5) == 1);
988 
989  SigGroupHeadFree(de_ctx, src_sh);
990  SigGroupHeadFree(de_ctx, dst_sh);
991 
993 
994  PASS;
995 }
996 
997 /**
998  * \test Check if SigGroupHeadBuildMatchArray(), correctly updates the
999  * match array with the sids.
1000  */
1001 static int SigGroupHeadTest05(void)
1002 {
1003  SigGroupHead *sh = NULL;
1005 
1007 
1008  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1009  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
1010  "content:\"test2\"; content:\"test3\"; sid:1;)");
1011  FAIL_IF_NULL(s);
1012 
1013  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1014  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
1015  "content:\"test2\"; content:\"test3\"; sid:2;)");
1016  FAIL_IF_NULL(s);
1017 
1018  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1019  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
1020  "content:\"test2\"; content:\"test3\"; sid:3;)");
1021  FAIL_IF_NULL(s);
1022 
1023  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1024  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
1025  "content:\"test2\"; content:\"test3\"; sid:4;)");
1026  FAIL_IF_NULL(s);
1027 
1028  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1029  "(msg:\"SigGroupHead tests\"; content:\"test1\"; "
1030  "content:\"test2\"; content:\"test3\"; sid:5;)");
1031  FAIL_IF_NULL(s);
1032 
1034 
1038 
1039  SigGroupHeadSetSigCnt(sh, 4);
1041 
1042  /* matching an array to a queue structure (sig_list) constructed by SigInit()
1043 
1044  FAIL_IF_NOT(sh->init->match_array[0] == de_ctx->sig_list);
1045  FAIL_IF_NOT(sh->init->match_array[1] == de_ctx->sig_list->next->next);
1046  FAIL_IF_NOT(sh->init->match_array[2] == de_ctx->sig_list->next->next->next->next);
1047  */
1048 
1049  // matching an array to a stack structure (sig_list) constructed by DetectEngineAppendSig()
1053 
1054  SigGroupHeadFree(de_ctx, sh);
1055 
1057 
1058  PASS;
1059 }
1060 
1061 /**
1062  * \test ICMP(?) sig grouping bug.
1063  */
1064 static int SigGroupHeadTest06(void)
1065 {
1067  DetectEngineThreadCtx *det_ctx = NULL;
1068  ThreadVars th_v;
1069 
1070  memset(&th_v, 0, sizeof(ThreadVars));
1071 
1072  Packet *p = UTHBuildPacketSrcDst(NULL, 0, IPPROTO_ICMP, "192.168.1.1", "1.2.3.4");
1073  FAIL_IF_NULL(p);
1074 
1075  p->icmpv4h->type = 5;
1076  p->icmpv4h->code = 1;
1077 
1078  /* originally ip's were
1079  p.src.addr_data32[0] = 0xe08102d3;
1080  p.dst.addr_data32[0] = 0x3001a8c0;
1081  */
1082 
1084 
1085  Signature *s = DetectEngineAppendSig(de_ctx, "alert icmp 192.168.0.0/16 any -> any any "
1086  "(icode:>1; itype:11; sid:1; rev:1;)");
1087  FAIL_IF_NULL(s);
1088 
1089  s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> 192.168.0.0/16 any "
1090  "(icode:1; itype:5; sid:2; rev:1;)");
1091  FAIL_IF_NULL(s);
1092 
1094  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1095 
1096  AddressDebugPrint(&p->dst);
1097 
1098  const SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, p);
1099  FAIL_IF_NULL(sgh);
1100 
1102  UTHFreePackets(&p, 1);
1103 
1104  PASS;
1105 }
1106 #endif
1107 
1109 {
1110 #ifdef UNITTESTS
1111  UtRegisterTest("SigGroupHeadTest01", SigGroupHeadTest01);
1112  UtRegisterTest("SigGroupHeadTest02", SigGroupHeadTest02);
1113  UtRegisterTest("SigGroupHeadTest03", SigGroupHeadTest03);
1114  UtRegisterTest("SigGroupHeadTest04", SigGroupHeadTest04);
1115  UtRegisterTest("SigGroupHeadTest05", SigGroupHeadTest05);
1116  UtRegisterTest("SigGroupHeadTest06", SigGroupHeadTest06);
1117 #endif
1118 }
detect-tcp-flags.h
DetectEngineCtx_::sgh_hash_table
HashListTable * sgh_hash_table
Definition: detect.h:824
SigGroupHead_::non_pf_syn_store_cnt
uint32_t non_pf_syn_store_cnt
Definition: detect.h:1405
SIG_GROUP_HEAD_HAVEFILEMD5
#define SIG_GROUP_HEAD_HAVEFILEMD5
Definition: detect.h:1275
detect-content.h
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
util-hashlist.h
detect-engine-siggroup.h
Signature_::num
SigIntId num
Definition: detect.h:551
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1399
SIG_GROUP_HEAD_HAVEFILESIZE
#define SIG_GROUP_HEAD_HAVEFILESIZE
Definition: detect.h:1276
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SigGroupHeadBuildNonPrefilterArray
int SigGroupHeadBuildNonPrefilterArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
build an array of rule id's for sigs with no prefilter Also updated de_ctx::non_pf_store_cnt_max to t...
Definition: detect-engine-siggroup.c:650
SigGroupHeadSetFilestoreCount
void SigGroupHeadSetFilestoreCount(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Set the filestore_cnt in the sgh.
Definition: detect-engine-siggroup.c:626
SigGroupHeadInitData_::sig_array
uint8_t * sig_array
Definition: detect.h:1372
SigGroupHeadSetFileHashFlag
void SigGroupHeadSetFileHashFlag(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Set the need hash flag in the sgh.
Definition: detect-engine-siggroup.c:585
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Signature_::alproto
AppProto alproto
Definition: detect.h:544
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
SignatureNonPrefilterStore_::id
SigIntId id
Definition: detect.h:1011
DetectEngineCtx_::non_pf_store_cnt_max
uint32_t non_pf_store_cnt_max
Definition: detect.h:808
AddressDebugPrint
void AddressDebugPrint(Address *a)
Debug print function for printing addresses.
Definition: decode.c:670
UTHBuildPacketSrcDst
Packet * UTHBuildPacketSrcDst(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst)
UTHBuildPacketSrcDst is a wrapper that build packets specifying IPs and defaulting ports.
Definition: util-unittest-helper.c:419
util-hash.h
SIG_GROUP_HEAD_HAVEFILESHA1
#define SIG_GROUP_HEAD_HAVEFILESHA1
Definition: detect.h:1277
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
SigGroupHeadSetFilesizeFlag
void SigGroupHeadSetFilesizeFlag(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Set the need size flag in the sgh.
Definition: detect-engine-siggroup.c:557
DetectFlagsSignatureNeedsSynPackets
int DetectFlagsSignatureNeedsSynPackets(const Signature *s)
Definition: detect-tcp-flags.c:514
SigGroupHeadSetProtoAndDirection
void SigGroupHeadSetProtoAndDirection(SigGroupHead *sgh, uint8_t ipproto, int dir)
Definition: detect-engine-siggroup.c:440
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2446
SigGroupHeadPrintSigs
void SigGroupHeadPrintSigs(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Helper function used to print the list of sids for the Signatures present in this SigGroupHead.
Definition: detect-engine-siggroup.c:457
HashListTableLookup
void * HashListTableLookup(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:248
MAX
#define MAX(x, y)
Definition: suricata-common.h:376
SignatureIsFilesizeInspecting
int SignatureIsFilesizeInspecting(const Signature *s)
Check if a signature contains the filesize keyword.
Definition: detect-engine-build.c:176
SignatureNonPrefilterStore_
Definition: detect.h:1010
detect-engine-prefilter.h
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
SigGroupHeadRegisterTests
void SigGroupHeadRegisterTests(void)
Definition: detect-engine-siggroup.c:1108
HashListTableAdd
int HashListTableAdd(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:116
SigGroupHeadHashInit
int SigGroupHeadHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table in the detection engine context to hold the SigGroupHeads.
Definition: detect-engine-siggroup.c:258
HashListTable_::array_size
uint32_t array_size
Definition: util-hashlist.h:41
util-memcmp.h
DetectEngineCtx_::sgh_array_size
uint32_t sgh_array_size
Definition: detect.h:869
SigGroupHeadInitData_::pkt_mpms
MpmCtx ** pkt_mpms
Definition: detect.h:1380
SigAddressPrepareStage1
int SigAddressPrepareStage1(DetectEngineCtx *)
Preprocess signature, classify ip-only, etc, build sig array.
Definition: detect-engine-build.c:1357
SignatureIsFileSha256Inspecting
int SignatureIsFileSha256Inspecting(const Signature *s)
Check if a signature contains the filesha256 keyword.
Definition: detect-engine-build.c:160
Signature_::next
struct Signature_ * next
Definition: detect.h:614
util-cidr.h
HashListTableInit
HashListTable * HashListTableInit(uint32_t size, uint32_t(*Hash)(struct HashListTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
Definition: util-hashlist.c:35
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
SigGroupHeadBuildMatchArray
int SigGroupHeadBuildMatchArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t max_idx)
Create an array with all the internal ids of the sigs that this sig group head will check for.
Definition: detect-engine-siggroup.c:489
SigGroupHeadInitData_::sig_cnt
SigIntId sig_cnt
Definition: detect.h:1389
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
util-error.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1034
SigGroupHeadInitData_::tx_engines
PrefilterEngineList * tx_engines
Definition: detect.h:1385
DetectEngineGetMaxSigId
#define DetectEngineGetMaxSigId(de_ctx)
Definition: detect-engine.h:100
SCEnter
#define SCEnter(...)
Definition: util-debug.h:298
detect-engine-mpm.h
SigGroupHeadSetFilemagicFlag
void SigGroupHeadSetFilemagicFlag(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Set the need magic flag in the sgh.
Definition: detect-engine-siggroup.c:528
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:56
SignatureNonPrefilterStore_::alproto
AppProto alproto
Definition: detect.h:1013
SigGroupHead_::init
SigGroupHeadInitData * init
Definition: detect.h:1422
SigGroupHeadInitData_::direction
uint32_t direction
Definition: detect.h:1376
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:281
SCReturn
#define SCReturn
Definition: util-debug.h:300
Signature_::flags
uint32_t flags
Definition: detect.h:541
Packet_
Definition: decode.h:433
detect-engine-build.h
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:314
DetectEngineCtx_::sgh_array_cnt
uint32_t sgh_array_cnt
Definition: detect.h:868
SigGroupHeadAppendSig
int SigGroupHeadAppendSig(const DetectEngineCtx *de_ctx, SigGroupHead **sgh, const Signature *s)
Add a Signature to a SigGroupHead.
Definition: detect-engine-siggroup.c:340
DetectEngineCtx_::sgh_array
struct SigGroupHead_ ** sgh_array
Definition: detect.h:867
HashListTable_
Definition: util-hashlist.h:37
SigGroupHeadFree
void SigGroupHeadFree(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Free a SigGroupHead and its members.
Definition: detect-engine-siggroup.c:163
SigGroupHeadHashRemove
int SigGroupHeadHashRemove(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Definition: detect-engine-siggroup.c:287
SigGroupHeadInitData_::app_mpms
MpmCtx ** app_mpms
Definition: detect.h:1379
SignatureIsFileSha1Inspecting
int SignatureIsFileSha1Inspecting(const Signature *s)
Check if a signature contains the filesha1 keyword.
Definition: detect-engine-build.c:144
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1957
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
SIG_FLAG_MPM_NEG
#define SIG_FLAG_MPM_NEG
Definition: detect.h:220
SigGroupHeadInitData_::pkt_engines
PrefilterEngineList * pkt_engines
Definition: detect.h:1383
SigGroupHeadSetSigCnt
void SigGroupHeadSetSigCnt(SigGroupHead *sgh, uint32_t max_idx)
Updates the SigGroupHead->sig_cnt with the total count of all the Signatures present in this SigGroup...
Definition: detect-engine-siggroup.c:427
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2422
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3155
SigGroupHead_::non_pf_other_store_array
SignatureNonPrefilterStore * non_pf_other_store_array
Definition: detect.h:1406
suricata-common.h
SigGroupHeadStore
void SigGroupHeadStore(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Definition: detect-engine-siggroup.c:108
SigGroupHeadInitData_::frame_engines
PrefilterEngineList * frame_engines
Definition: detect.h:1386
SigGroupHeadInitData_::payload_engines
PrefilterEngineList * payload_engines
Definition: detect.h:1384
HashListTableFree
void HashListTableFree(HashListTable *ht)
Definition: util-hashlist.c:82
SigGroupHeadInitData_::match_array
Signature ** match_array
Definition: detect.h:1392
SigGroupHead_::non_pf_other_store_cnt
uint32_t non_pf_other_store_cnt
Definition: detect.h:1404
SigGroupHeadInitData_::sig_size
uint32_t sig_size
Definition: detect.h:1373
PrefilterCleanupRuleGroup
void PrefilterCleanupRuleGroup(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Definition: detect-engine-prefilter.c:382
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:791
SigGroupHeadHashFree
void SigGroupHeadHashFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function.
Definition: detect-engine-siggroup.c:318
Packet_::icmpv4h
ICMPV4Hdr * icmpv4h
Definition: decode.h:561
SigGroupHeadHashAdd
int SigGroupHeadHashAdd(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Adds a SigGroupHead to the detection engine context SigGroupHead hash table.
Definition: detect-engine-siggroup.c:280
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SigGroupHeadInitData_
Definition: detect.h:1369
SigGroupHeadHashLookup
SigGroupHead * SigGroupHeadHashLookup(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
Used to lookup a SigGroupHead hash from the detection engine context SigGroupHead hash table.
Definition: detect-engine-siggroup.c:302
SigGroupHead_::flags
uint32_t flags
Definition: detect.h:1400
SignatureIsFilestoring
int SignatureIsFilestoring(const Signature *s)
Check if a signature contains the filestore keyword.
Definition: detect-engine-build.c:90
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Signature_::id
uint32_t id
Definition: detect.h:574
HashListTableRemove
int HashListTableRemove(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:157
detect-parse.h
src
uint16_t src
Definition: app-layer-dnp3.h:5
Signature_
Signature container.
Definition: detect.h:540
SigGroupHeadInitDataFree
void SigGroupHeadInitDataFree(SigGroupHeadInitData *sghid)
Definition: detect-engine-siggroup.c:59
SigGroupHeadContainsSigId
int SigGroupHeadContainsSigId(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t sid)
Check if a SigGroupHead contains a Signature, whose sid is sent as an argument.
Definition: detect-engine-siggroup.c:737
SignatureIsFileMd5Inspecting
int SignatureIsFileMd5Inspecting(const Signature *s)
Check if a signature contains the filemd5 keyword.
Definition: detect-engine-build.c:128
SigGroupHeadInitData_::protos
uint8_t protos[256]
Definition: detect.h:1375
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2407
app-layer-protos.h
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:800
Packet_::dst
Address dst
Definition: decode.h:438
SigGroupHead_::non_pf_syn_store_array
SignatureNonPrefilterStore * non_pf_syn_store_array
Definition: detect.h:1408
SignatureNonPrefilterStore_::mask
SignatureMask mask
Definition: detect.h:1012
detect-uricontent.h
dst
uint16_t dst
Definition: app-layer-dnp3.h:4
SIG_GROUP_HEAD_HAVEFILESHA256
#define SIG_GROUP_HEAD_HAVEFILESHA256
Definition: detect.h:1278
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:302
SignatureIsFilemagicInspecting
int SignatureIsFilemagicInspecting(const Signature *s)
Check if a signature contains the filemagic keyword.
Definition: detect-engine-build.c:109
SigGroupHead_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1412
flow-var.h
PrefilterFreeEnginesList
void PrefilterFreeEnginesList(PrefilterEngineList *list)
Definition: detect-engine-prefilter.c:354
SCMemcmp
#define SCMemcmp(a, b, c)
Definition: util-memcmp.h:290
SIG_FLAG_PREFILTER
#define SIG_FLAG_PREFILTER
Definition: detect.h:237
detect-engine-address.h
SigMatchSignaturesGetSgh
const SigGroupHead * SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx, const Packet *p)
Get the SigGroupHead for a packet.
Definition: detect.c:198
SigGroupHeadCopySigs
int SigGroupHeadCopySigs(DetectEngineCtx *de_ctx, SigGroupHead *src, SigGroupHead **dst)
Copies the bitarray holding the sids from the source SigGroupHead to the destination SigGroupHead.
Definition: detect-engine-siggroup.c:393
Signature_::mask
SignatureMask mask
Definition: detect.h:550
SigGroupHeadClearSigs
int SigGroupHeadClearSigs(SigGroupHead *)
Clears the bitarray holding the sids for this SigGroupHead.
Definition: detect-engine-siggroup.c:369
SigGroupHeadInitData_::frame_mpms
MpmCtx ** frame_mpms
Definition: detect.h:1381
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:469