suricata
Data Structures | Macros | Typedefs | Enumerations | Functions | Variables
detect-engine.c File Reference
#include "suricata-common.h"
#include "suricata.h"
#include "debug.h"
#include "detect.h"
#include "flow.h"
#include "flow-private.h"
#include "flow-util.h"
#include "flow-worker.h"
#include "conf.h"
#include "conf-yaml-loader.h"
#include "app-layer-parser.h"
#include "app-layer-htp.h"
#include "detect-parse.h"
#include "detect-engine-sigorder.h"
#include "detect-engine-siggroup.h"
#include "detect-engine-address.h"
#include "detect-engine-port.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-mpm.h"
#include "detect-engine-iponly.h"
#include "detect-engine-tag.h"
#include "detect-engine-file.h"
#include "detect-engine.h"
#include "detect-engine-state.h"
#include "detect-engine-payload.h"
#include "detect-byte-extract.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "detect-engine-threshold.h"
#include "detect-engine-content-inspection.h"
#include "detect-engine-loader.h"
#include "util-classification-config.h"
#include "util-reference-config.h"
#include "util-threshold-config.h"
#include "util-error.h"
#include "util-hash.h"
#include "util-byte.h"
#include "util-debug.h"
#include "util-unittest.h"
#include "util-action.h"
#include "util-magic.h"
#include "util-signal.h"
#include "util-spm.h"
#include "util-device.h"
#include "util-var-name.h"
#include "tm-threads.h"
#include "runmodes.h"
#include "util-profiling.h"
#include "reputation.h"
#include "util-hash-lookup3.h"

Go to the source code of this file.

Data Structures

struct  DetectEngineSyncer_
 
struct  TenantLoaderCtx_
 

Macros

#define DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT   3000
 

Typedefs

typedef struct DetectEngineSyncer_ DetectEngineSyncer
 
typedef struct TenantLoaderCtx_ TenantLoaderCtx
 

Enumerations

enum  DetectEngineSyncState { IDLE, RELOAD }
 

Functions

void DetectAppLayerInspectEngineRegister (const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
 register inspect engine at start up time More...
 
void DetectAppLayerInspectEngineRegister2 (const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
 register inspect engine at start up time More...
 
int DetectEngineAppInspectionEngine2Signature (DetectEngineCtx *de_ctx, Signature *s)
 
void DetectEngineAppInspectionEngineSignatureFree (Signature *s)
 free app inspect engines for a signature More...
 
int DetectBufferTypeMaxId (void)
 
int DetectBufferTypeRegister (const char *name)
 
void DetectBufferTypeSupportsPacket (const char *name)
 
void DetectBufferTypeSupportsMpm (const char *name)
 
void DetectBufferTypeSupportsTransformations (const char *name)
 
int DetectBufferTypeGetByName (const char *name)
 
const char * DetectBufferTypeGetNameById (const DetectEngineCtx *de_ctx, const int id)
 
void DetectBufferTypeSetDescriptionByName (const char *name, const char *desc)
 
const char * DetectBufferTypeGetDescriptionById (const DetectEngineCtx *de_ctx, const int id)
 
const char * DetectBufferTypeGetDescriptionByName (const char *name)
 
bool DetectBufferTypeSupportsPacketGetById (const DetectEngineCtx *de_ctx, const int id)
 
bool DetectBufferTypeSupportsMpmGetById (const DetectEngineCtx *de_ctx, const int id)
 
void DetectBufferTypeRegisterSetupCallback (const char *name, void(*SetupCallback)(const DetectEngineCtx *, Signature *))
 
void DetectBufferRunSetupCallback (const DetectEngineCtx *de_ctx, const int id, Signature *s)
 
void DetectBufferTypeRegisterValidateCallback (const char *name, _Bool(*ValidateCallback)(const Signature *, const char **sigerror))
 
bool DetectBufferRunValidateCallback (const DetectEngineCtx *de_ctx, const int id, const Signature *s, const char **sigerror)
 
int DetectBufferSetActiveList (Signature *s, const int list)
 
int DetectBufferGetActiveList (DetectEngineCtx *de_ctx, Signature *s)
 
void InspectionBufferClean (DetectEngineThreadCtx *det_ctx)
 
InspectionBufferInspectionBufferGet (DetectEngineThreadCtx *det_ctx, const int list_id)
 
InspectionBufferInspectionBufferMultipleForListGet (InspectionBufferMultipleForList *fb, uint32_t local_id)
 for a InspectionBufferMultipleForList get a InspectionBuffer More...
 
InspectionBufferMultipleForListInspectionBufferGetMulti (DetectEngineThreadCtx *det_ctx, const int list_id)
 
void InspectionBufferInit (InspectionBuffer *buffer, uint32_t initial_size)
 
void InspectionBufferSetup (InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
 setup the buffer with our initial data More...
 
void InspectionBufferFree (InspectionBuffer *buffer)
 
void InspectionBufferCheckAndExpand (InspectionBuffer *buffer, uint32_t min_size)
 make sure that the buffer has at least 'min_size' bytes Expand the buffer if necessary More...
 
void InspectionBufferCopy (InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len)
 
void InspectionBufferApplyTransforms (InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
 
void DetectBufferTypeCloseRegistration (void)
 
int DetectBufferTypeGetByIdTransforms (DetectEngineCtx *de_ctx, const int id, int *transforms, int transform_cnt)
 
int DetectEngineReloadStart (void)
 
int DetectEngineReloadIsStart (void)
 
void DetectEngineReloadSetIdle (void)
 
int DetectEngineReloadIsIdle (void)
 
int DetectEngineInspectGenericList (ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
 Do the content inspection & validation for a signature. More...
 
int DetectEngineInspectBufferGeneric (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
 Do the content inspection & validation for a signature. More...
 
DetectEngineCtxDetectEngineCtxInitStubForMT (void)
 
DetectEngineCtxDetectEngineCtxInitStubForDD (void)
 
DetectEngineCtxDetectEngineCtxInit (void)
 
DetectEngineCtxDetectEngineCtxInitWithPrefix (const char *prefix)
 
void DetectEngineCtxFree (DetectEngineCtx *de_ctx)
 Free a DetectEngineCtx:: More...
 
void DetectEngineResetMaxSigId (DetectEngineCtx *de_ctx)
 
TmEcode DetectEngineThreadCtxInit (ThreadVars *tv, void *initdata, void **data)
 initialize thread specific detection engine context More...
 
TmEcode DetectEngineThreadCtxDeinit (ThreadVars *tv, void *data)
 
void DetectEngineThreadCtxInfo (ThreadVars *t, DetectEngineThreadCtx *det_ctx)
 
int DetectRegisterThreadCtxFuncs (DetectEngineCtx *de_ctx, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int mode)
 Register Thread keyword context Funcs. More...
 
void * DetectThreadCtxGetKeywordThreadCtx (DetectEngineThreadCtx *det_ctx, int id)
 Retrieve thread local keyword ctx by id. More...
 
int DetectRegisterThreadCtxGlobalFuncs (const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *))
 Register Thread keyword context Funcs (Global) More...
 
void * DetectThreadCtxGetGlobalKeywordThreadCtx (DetectEngineThreadCtx *det_ctx, int id)
 Retrieve thread local keyword ctx by id. More...
 
int DetectEngineEnabled (void)
 Check if detection is enabled. More...
 
uint32_t DetectEngineGetVersion (void)
 
void DetectEngineBumpVersion (void)
 
DetectEngineCtxDetectEngineGetCurrent (void)
 
DetectEngineCtxDetectEngineReference (DetectEngineCtx *de_ctx)
 
int DetectEngineMultiTenantEnabled (void)
 
int DetectEngineLoadTenantBlocking (uint32_t tenant_id, const char *yaml)
 Load a tenant and wait for loading to complete. More...
 
int DetectEngineReloadTenantBlocking (uint32_t tenant_id, const char *yaml, int reload_cnt)
 Reload a tenant and wait for loading to complete. More...
 
int DetectEngineMultiTenantSetup (void)
 setup multi-detect / multi-tenancy More...
 
int DetectEngineTentantRegisterLivedev (uint32_t tenant_id, int device_id)
 
int DetectEngineTentantRegisterVlanId (uint32_t tenant_id, uint16_t vlan_id)
 
int DetectEngineTentantUnregisterVlanId (uint32_t tenant_id, uint16_t vlan_id)
 
int DetectEngineTentantRegisterPcapFile (uint32_t tenant_id)
 
int DetectEngineTentantUnregisterPcapFile (uint32_t tenant_id)
 
DetectEngineCtxDetectEngineGetByTenantId (int tenant_id)
 
void DetectEngineDeReference (DetectEngineCtx **de_ctx)
 
int DetectEngineAddToMaster (DetectEngineCtx *de_ctx)
 
int DetectEngineMoveToFreeList (DetectEngineCtx *de_ctx)
 
void DetectEnginePruneFreeList (void)
 
int DetectEngineReload (const SCInstance *suri)
 Reload the detection engine. More...
 
int DetectEngineMTApply (void)
 
void DetectEngineSetParseMetadata (void)
 
void DetectEngineUnsetParseMetadata (void)
 
int DetectEngineMustParseMetadata (void)
 
const char * DetectSigmatchListEnumToString (enum DetectSigmatchListEnum type)
 
void DetectEngineSetEvent (DetectEngineThreadCtx *det_ctx, uint8_t e)
 
AppLayerDecoderEventsDetectEngineGetEvents (DetectEngineThreadCtx *det_ctx)
 
int DetectEngineGetEventInfo (const char *event_name, int *event_id, AppLayerEventType *event_type)
 
void DetectEngineRegisterTests ()
 

Variables

SCEnumCharMap det_ctx_event_table []
 

Detailed Description

Author
Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Definition in file detect-engine.c.

Macro Definition Documentation

#define DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT   3000

Definition at line 86 of file detect-engine.c.

Referenced by DetectEngineCtxFree(), and DetectEngineGetEventInfo().

Typedef Documentation

typedef struct DetectEngineSyncer_ DetectEngineSyncer
typedef struct TenantLoaderCtx_ TenantLoaderCtx

Enumeration Type Documentation

enum DetectEngineSyncState
Enumerator
IDLE 

ready to start a reload

RELOAD 

command main thread to do the reload

Definition at line 1121 of file detect-engine.c.

Function Documentation

void DetectAppLayerInspectEngineRegister ( const char *  name,
AppProto  alproto,
uint32_t  dir,
int  progress,
InspectEngineFuncPtr  Callback 
)

register inspect engine at start up time

Registers an app inspection engine.

Note
errors are fatal

Definition at line 129 of file detect-engine.c.

References DetectEngineAppInspectionEngine_::alproto, ALPROTO_FAILED, BUG_ON, DetectEngineAppInspectionEngine_::Callback, DETECT_SM_LIST_MATCH, DetectBufferTypeGetByName(), DetectBufferTypeRegister(), DetectEngineAppInspectionEngine_::dir, FatalError, DetectEngineAppInspectionEngine_::next, DetectEngineAppInspectionEngine_::progress, SC_ERR_INITIALIZATION, SC_ERR_INVALID_ARGUMENTS, SCLogError, SCMalloc, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, DetectEngineAppInspectionEngine_::sm_list, and unlikely.

Referenced by DetectAppLayerEventRegister(), DetectCipServiceRegister(), DetectDceIfaceRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEnipCommandRegister(), DetectFilenameRegister(), DetectFtpbounceRegister(), DetectFtpdataRegister(), DetectLuaRegister(), DetectModbusRegister(), DetectNfsProcedureRegister(), DetectNfsVersionRegister(), DetectSNMPPduTypeRegister(), DetectSNMPVersionRegister(), DetectSshSoftwareVersionRegister(), DetectSslStateRegister(), DetectTemplateRustBufferRegister(), DetectTlsRegister(), and DetectTlsValidityRegister().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectAppLayerInspectEngineRegister2 ( const char *  name,
AppProto  alproto,
uint32_t  dir,
int  progress,
InspectEngineFuncPtr2  Callback2,
InspectionBufferGetDataPtr  GetData 
)

register inspect engine at start up time

Note
errors are fatal

Definition at line 183 of file detect-engine.c.

References DetectEngineAppInspectionEngine_::alproto, ALPROTO_FAILED, ALPROTO_UNKNOWN, Signature_::app_inspect, DetectEngineCtx_::app_inspect_engines, BUG_ON, DetectEngineAppInspectionEngine_::Callback, DE_STATE_FLAG_BASE, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_PMATCH, DetectBufferTypeGetByName(), DetectBufferTypeRegister(), DetectEngineInspectBufferGeneric(), DetectEngineInspectStream(), DetectEngineAppInspectionEngine_::dir, FatalError, DetectEngineAppInspectionEngine_::GetData, DetectEngineAppInspectionEngine_::id, Signature_::id, Signature_::init_data, DetectEngineAppInspectionEngine_::mpm, SignatureInitData_::mpm_sm, DetectEngineAppInspectionEngine_::next, DetectEngineAppInspectionEngine_::progress, SC_ERR_INITIALIZATION, SC_ERR_INVALID_ARGUMENTS, SCCalloc, SCLogDebug, SCLogError, SCMalloc, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SigMatchListSMBelongsTo(), DetectEngineAppInspectionEngine_::sm_list, DetectEngineAppInspectionEngine_::smd, DetectEngineAppInspectionEngine_::stream, DetectEngineAppInspectionEngine_::transforms, unlikely, and DetectEngineAppInspectionEngine_::v2.

Referenced by DetectDceStubDataRegister(), DetectDnsQueryRegister(), DetectFiledataRegister(), DetectFilemagicRegister(), DetectFilenameRegister(), DetectHttpClientBodyRegister(), DetectHttpCookieRegister(), DetectHttpHeaderNamesRegister(), DetectHttpHeaderRegister(), DetectHttpHHRegister(), DetectHttpMethodRegister(), DetectHttpProtocolRegister(), DetectHttpRawHeaderRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectHttpStartRegister(), DetectHttpStatCodeRegister(), DetectHttpStatMsgRegister(), DetectHttpUARegister(), DetectHttpUriRegister(), DetectKrb5CNameRegister(), DetectKrb5SNameRegister(), DetectSmbNamedPipeRegister(), DetectSmbShareRegister(), DetectSNMPCommunityRegister(), DetectSshProtocolRegister(), DetectSshSoftwareRegister(), DetectTemplateBufferRegister(), DetectTlsCertsRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3SHashRegister(), DetectTlsJa3SStringRegister(), DetectTlsJa3StringRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), and DetectTlsSubjectRegister().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectBufferGetActiveList ( DetectEngineCtx de_ctx,
Signature s 
)

Definition at line 823 of file detect-engine.c.

References BUG_ON, DetectBufferTypeGetByIdTransforms(), Signature_::init_data, SignatureInitData_::list, SignatureInitData_::list_set, SCLogDebug, SignatureInitData_::transform_cnt, and SignatureInitData_::transforms.

Referenced by DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectContentSetup(), DetectIsdataatSetup(), DetectLuaRegister(), and DetectPcrePayloadMatch().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectBufferRunSetupCallback ( const DetectEngineCtx de_ctx,
const int  id,
Signature s 
)

Definition at line 781 of file detect-engine.c.

References DetectBufferType_::SetupCallback.

Referenced by SigAddressPrepareStage1(), and SigMatchList2DataArray().

Here is the caller graph for this function:

bool DetectBufferRunValidateCallback ( const DetectEngineCtx de_ctx,
const int  id,
const Signature s,
const char **  sigerror 
)

Definition at line 800 of file detect-engine.c.

References TRUE, and DetectBufferType_::ValidateCallback.

Referenced by SigMatchList2DataArray().

Here is the caller graph for this function:

int DetectBufferSetActiveList ( Signature s,
const int  list 
)

Definition at line 810 of file detect-engine.c.

References BUG_ON, Signature_::init_data, SignatureInitData_::list, SignatureInitData_::list_set, and SignatureInitData_::transform_cnt.

Referenced by DetectDceStubDataRegister(), DetectDnsQueryRegister(), DetectFilemagicRegister(), DetectFilenameRegister(), DetectHttpClientBodyRegister(), DetectHttpCookieRegister(), DetectHttpHHRegister(), DetectHttpMethodRegister(), DetectHttpRawHeaderRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectHttpServerBodyRegister(), DetectHttpStatCodeRegister(), DetectHttpStatMsgRegister(), DetectHttpUARegister(), DetectHttpUriSetup(), DetectSNMPCommunityRegister(), DetectTlsCertsRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3SHashRegister(), DetectTlsJa3SStringRegister(), DetectTlsJa3StringRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), and DetectTlsSubjectRegister().

Here is the caller graph for this function:

void DetectBufferTypeCloseRegistration ( void  )

Definition at line 1053 of file detect-engine.c.

References BUG_ON.

Referenced by SigTableSetup().

Here is the caller graph for this function:

int DetectBufferTypeGetByIdTransforms ( DetectEngineCtx de_ctx,
const int  id,
int *  transforms,
int  transform_cnt 
)

Definition at line 1060 of file detect-engine.c.

References DetectEngineCtx_::buffer_type_hash, DetectEngineCtx_::buffer_type_id, DetectEngineCtx_::buffer_type_map, DetectEngineCtx_::buffer_type_map_elements, BUG_ON, DetectEngineTransforms::cnt, DetectAppLayerMpmRegisterByParentId(), HashListTableAdd(), HashListTableLookup(), DetectBufferType_::id, DetectBufferType_::mpm, DetectBufferType_::parent_id, res, SC_ERR_INVALID_SIGNATURE, SCCalloc, SCLogDebug, SCLogError, SCRealloc, DetectBufferType_::SetupCallback, DetectBufferType_::string, DetectBufferType_::supports_transforms, DetectEngineTransforms::transforms, DetectBufferType_::transforms, and DetectBufferType_::ValidateCallback.

Referenced by DetectBufferGetActiveList().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectBufferTypeGetByName ( const char *  name)

Definition at line 698 of file detect-engine.c.

References DetectBufferType_::id.

Referenced by DcePayloadRegisterTests(), DetectAppLayerEventRegister(), DetectAppLayerInspectEngineRegister(), DetectAppLayerInspectEngineRegister2(), DetectAppLayerMpmRegister(), DetectAppLayerMpmRegister2(), DetectBase64DataDoMatch(), DetectBase64DecodeDoMatch(), DetectByteExtractRetrieveSMVar(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectCipServiceRegister(), DetectDceStubDataRegister(), DetectDnsQueryRegister(), DetectEngineAppInspectionEngine2Signature(), DetectEnipCommandRegister(), DetectFastPatternRegisterTests(), DetectFiledataRegister(), DetectFilemagicRegister(), DetectFilenameRegister(), DetectFtpdataRegister(), DetectHttpClientBodyRegister(), DetectHttpCookieRegister(), DetectHttpCookieRegisterTests(), DetectHttpHeaderNamesRegister(), DetectHttpHeaderRegister(), DetectHttpHHRegister(), DetectHttpMethodRegister(), DetectHttpProtocolRegister(), DetectHttpRawHeaderRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectHttpStartRegister(), DetectHttpStatCodeRegister(), DetectHttpStatMsgRegister(), DetectHttpUARegister(), DetectHttpUriRegister(), DetectIsdataatRegisterTests(), DetectKrb5CNameRegister(), DetectKrb5SNameRegister(), DetectLuaRegister(), DetectModbusRegister(), DetectNfsProcedureRegister(), DetectNfsVersionRegister(), DetectPcrePayloadMatch(), DetectPktDataRegister(), DetectSmbNamedPipeRegister(), DetectSmbShareRegister(), DetectSNMPCommunityRegister(), DetectSNMPPduTypeRegister(), DetectSNMPVersionRegister(), DetectSshProtocolRegister(), DetectSshSoftwareRegister(), DetectTemplateBufferRegister(), DetectTemplateRustBufferRegister(), DetectTlsCertsRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3SHashRegister(), DetectTlsJa3SStringRegister(), DetectTlsJa3StringRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), DetectTlsSubjectRegister(), DetectTlsValidityRegister(), EngineAnalysisRules(), and PacketCreateMask().

const char* DetectBufferTypeGetDescriptionById ( const DetectEngineCtx de_ctx,
const int  id 
)

Definition at line 735 of file detect-engine.c.

References DetectBufferType_::description.

Referenced by EngineAnalysisFP(), and PerCentEncodingMatch().

Here is the caller graph for this function:

const char* DetectBufferTypeGetDescriptionByName ( const char *  name)

Definition at line 744 of file detect-engine.c.

References DetectBufferType_::description.

const char* DetectBufferTypeGetNameById ( const DetectEngineCtx de_ctx,
const int  id 
)

Definition at line 707 of file detect-engine.c.

References DetectEngineCtx_::buffer_type_map, DetectEngineCtx_::buffer_type_map_elements, BUG_ON, and DetectBufferType_::string.

Referenced by DetectEngineAppInspectionEngine2Signature(), DetectRawbytesRegister(), EngineAnalysisFP(), EngineAnalysisRulesFailure(), PerCentEncodingMatch(), SCProfilingKeywordsGlobalInit(), SigMatchList2DataArray(), and SignatureIsIPOnly().

Here is the caller graph for this function:

int DetectBufferTypeMaxId ( void  )

Definition at line 573 of file detect-engine.c.

References HashListTable_::array_size, BUG_ON, HashListTableAdd(), HashListTableFree(), HashListTableInit(), HashListTableLookup(), hashlittle_safe(), DetectBufferType_::id, res, SCCalloc, SCFree, SCLogDebug, DetectBufferType_::string, and DetectBufferType_::transforms.

Referenced by SigAlloc().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectBufferTypeRegister ( const char *  name)

Definition at line 654 of file detect-engine.c.

References BUG_ON, and DetectBufferType_::id.

Referenced by DetectAppLayerInspectEngineRegister(), DetectAppLayerInspectEngineRegister2(), DetectBufferTypeRegisterSetupCallback(), DetectBufferTypeRegisterValidateCallback(), DetectBufferTypeSupportsMpm(), DetectBufferTypeSupportsPacket(), DetectBufferTypeSupportsTransformations(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDNP3Register(), DetectFileextRegister(), DetectFilemagicRegister(), DetectFileMd5Register(), DetectFileSha1Register(), DetectFileSha256Register(), DetectFilesizeRegister(), DetectFilestoreRegister(), DetectFtpbounceRegister(), DetectHttpServerBodyRegister(), DetectLuaRegister(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslStateRegister(), DetectSslVersionRegister(), DetectTlsRegister(), DetectTlsVersionRegister(), DetectUricontentRegister(), and DetectUrilenRegister().

Here is the caller graph for this function:

void DetectBufferTypeRegisterSetupCallback ( const char *  name,
void(*)(const DetectEngineCtx *, Signature *)  SetupCallback 
)

Definition at line 771 of file detect-engine.c.

References BUG_ON, DetectBufferTypeRegister(), and DetectBufferType_::SetupCallback.

Referenced by DetectFiledataRegister(), DetectHttpClientBodyRegister(), DetectHttpUriRegister(), DetectTlsFingerprintRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3SHashRegister(), and DetectTlsSerialRegister().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectBufferTypeRegisterValidateCallback ( const char *  name,
_Bool(*)(const Signature *, const char **sigerror)  ValidateCallback 
)

Definition at line 790 of file detect-engine.c.

References BUG_ON, DetectBufferTypeRegister(), and DetectBufferType_::ValidateCallback.

Referenced by DetectHttpHHRegister(), DetectHttpMethodRegister(), DetectHttpRawHeaderRegister(), DetectHttpUriRegister(), DetectTlsFingerprintRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3SHashRegister(), and DetectTlsSerialRegister().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectBufferTypeSetDescriptionByName ( const char *  name,
const char *  desc 
)

Definition at line 726 of file detect-engine.c.

References DetectBufferType_::description.

Referenced by DetectDnsQueryRegister(), DetectFiledataRegister(), DetectFilemagicRegister(), DetectFilenameRegister(), DetectHttpClientBodyRegister(), DetectHttpCookieRegister(), DetectHttpHeaderNamesRegister(), DetectHttpHeaderRegister(), DetectHttpHHRegister(), DetectHttpMethodRegister(), DetectHttpProtocolRegister(), DetectHttpRawHeaderRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectHttpStartRegister(), DetectHttpStatCodeRegister(), DetectHttpStatMsgRegister(), DetectHttpUARegister(), DetectHttpUriRegister(), DetectKrb5CNameRegister(), DetectKrb5SNameRegister(), DetectSNMPCommunityRegister(), DetectSshProtocolRegister(), DetectSshSoftwareRegister(), DetectSslStateRegister(), DetectTlsCertsRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3SHashRegister(), DetectTlsJa3SStringRegister(), DetectTlsJa3StringRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), and DetectTlsSubjectRegister().

Here is the caller graph for this function:

void DetectBufferTypeSupportsMpm ( const char *  name)

Definition at line 678 of file detect-engine.c.

References BUG_ON, DetectBufferTypeRegister(), DetectBufferType_::id, DetectBufferType_::mpm, SCLogDebug, and TRUE.

Referenced by DetectAppLayerMpmRegister(), and DetectAppLayerMpmRegister2().

Here is the call graph for this function:

Here is the caller graph for this function:

bool DetectBufferTypeSupportsMpmGetById ( const DetectEngineCtx de_ctx,
const int  id 
)

Definition at line 762 of file detect-engine.c.

References FALSE, DetectBufferType_::mpm, and SCLogDebug.

Referenced by DetectGetLastSMFromMpmLists(), and FastPatternSupportEnabledForSigMatchList().

Here is the caller graph for this function:

void DetectBufferTypeSupportsPacket ( const char *  name)

Definition at line 668 of file detect-engine.c.

References BUG_ON, DetectBufferTypeRegister(), DetectBufferType_::id, DetectBufferType_::packet, SCLogDebug, and TRUE.

Here is the call graph for this function:

bool DetectBufferTypeSupportsPacketGetById ( const DetectEngineCtx de_ctx,
const int  id 
)

Definition at line 753 of file detect-engine.c.

References FALSE, DetectBufferType_::packet, and SCLogDebug.

Referenced by SigMatchList2DataArray().

Here is the caller graph for this function:

void DetectBufferTypeSupportsTransformations ( const char *  name)

Definition at line 688 of file detect-engine.c.

References BUG_ON, DetectBufferTypeRegister(), DetectBufferType_::id, SCLogDebug, and DetectBufferType_::supports_transforms.

Referenced by DetectAppLayerMpmRegister2().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectEngineAddToMaster ( DetectEngineCtx de_ctx)

Definition at line 3507 of file detect-engine.c.

References DetectEngineMasterCtx_::lock, SCLogDebug, SCMutexLock, and SCMutexUnlock.

Referenced by DetectEngineMultiTenantEnabled(), DetectEngineReload(), DetectReplaceFreeInternal(), and PostRunDeinit().

Here is the caller graph for this function:

int DetectEngineAppInspectionEngine2Signature ( DetectEngineCtx de_ctx,
Signature s 
)
Note
for the file inspect engine, the id DE_STATE_ID_FILE_INSPECT is assigned.

Definition at line 358 of file detect-engine.c.

References DetectEngineAppInspectionEngine_::alproto, Signature_::alproto, ALPROTO_UNKNOWN, Signature_::app_inspect, DetectEngineCtx_::app_inspect_engines, BUG_ON, DetectEngineAppInspectionEngine_::Callback, DE_STATE_FLAG_BASE, DE_STATE_ID_FILE_INSPECT, DETECT_SM_LIST_DYNAMIC_START, DETECT_SM_LIST_PMATCH, DetectBufferTypeGetByName(), DetectBufferTypeGetNameById(), DetectEngineAppInspectionEngine_::dir, Signature_::flags, DetectEngineAppInspectionEngine_::GetData, DetectEngineAppInspectionEngine_::id, Signature_::id, Signature_::init_data, SignatureInitData_::init_flags, DetectEngineAppInspectionEngine_::mpm, SignatureInitData_::mpm_sm, DetectEngineAppInspectionEngine_::next, next, DetectEngineAppInspectionEngine_::progress, SCCalloc, SCLogDebug, SIG_FLAG_FLUSH, SIG_FLAG_INIT_NEED_FLUSH, SIG_FLAG_INIT_STATE_MATCH, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SigMatchList2DataArray(), SigMatchListSMBelongsTo(), DetectEngineAppInspectionEngine_::sm_list, DetectEngineAppInspectionEngine_::smd, SignatureInitData_::smlists, SignatureInitData_::smlists_array_size, DetectEngineAppInspectionEngine_::transforms, unlikely, and DetectEngineAppInspectionEngine_::v2.

Referenced by SigAddressPrepareStage4().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectEngineAppInspectionEngineSignatureFree ( Signature s)

free app inspect engines for a signature

For lists that are registered multiple times, like http_header and http_cookie, making the engines owner of the lists is complicated. Multiple engines in a sig may be pointing to the same list. To address this the 'free' code needs to be extra careful about not double freeing, so it takes an approach to first fill an array of the to-free pointers before freeing them.

Definition at line 517 of file detect-engine.c.

References Signature_::app_inspect, BUG_ON, SigMatchData_::ctx, DETECT_SM_LIST_DYNAMIC_START, SigTableElmt_::Free, SigMatchData_::is_last, MAX, DetectEngineAppInspectionEngine_::next, next, SCFree, sigmatch_table, DetectEngineAppInspectionEngine_::sm_list, DetectEngineAppInspectionEngine_::smd, DetectEngineTransforms::transforms, and SigMatchData_::type.

Referenced by SigFree().

Here is the caller graph for this function:

void DetectEngineBumpVersion ( void  )

Definition at line 2773 of file detect-engine.c.

References DetectEngineMasterCtx_::lock, SCLogDebug, SCMutexLock, SCMutexUnlock, and DetectEngineMasterCtx_::version.

Referenced by DetectEngineReload(), and PostRunDeinit().

Here is the caller graph for this function:

void DetectEngineCtxFree ( DetectEngineCtx de_ctx)

Free a DetectEngineCtx::

Parameters
de_ctxDetectEngineCtx:: to be freed

Definition at line 1686 of file detect-engine.c.

References DetectEngineCtx_::app_mpms, ByteExtractStringUint16(), ConfDump(), ConfGet(), ConfGetInt(), ConfGetNode(), DetectEngineCtx_::config_prefix, ConfNodeLookupChild(), ConfNodeLookupChildValue(), ConfNodeRemove(), DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT, DETECT_PREFILTER_AUTO, DETECT_PREFILTER_MPM, DetectAddressMapFree(), DetectMetadataHashFree(), DetectParseDupSigHashFree(), DetectPortCleanupList(), DetectPortParse(), ENGINE_PROFILE_CUSTOM, ENGINE_PROFILE_HIGH, ENGINE_PROFILE_LOW, ENGINE_PROFILE_MEDIUM, ENGINE_PROFILE_UNKNOWN, ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL, ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE, DetectEngineCtx_::inspection_recursion_limit, DetectEngineCtx_::max_uniq_toclient_groups, DetectEngineCtx_::max_uniq_toserver_groups, MPM_AC, MPM_AC_BS, MPM_AC_KS, MPM_HS, DetectEngineCtx_::mpm_matcher, MpmFactoryDeRegisterAllMpmCtxProfiles(), MpmStoreFree(), ConfNode_::name, DetectPort_::next, next, DetectPort_::port, DetectPort_::port2, DetectEngineCtx_::prefilter_setting, DetectEngineCtx_::profile_ctx, DetectEngineCtx_::profile_keyword_ctx, DetectEngineCtx_::profile_sgh_ctx, run_mode, RUNMODE_UNITTEST, SC_ERR_INVALID_YAML_CONF_ENTRY, SC_ERR_SIZE_PARSE, SCClassConfDeInitContext(), SCFree, SCLogDebug, SCLogError, SCLogWarning, SCProfilingKeywordDestroyCtx(), SCProfilingPrefilterDestroyCtx(), SCProfilingRuleDestroyCtx(), SCProfilingSghDestroyCtx(), SCRConfDeInitContext(), SCSigSignatureOrderingModuleCleanup(), DetectEngineCtx_::sgh_mpm_context, DetectEngineCtx_::sig_array, SigCleanSignatures(), SigGroupCleanup(), SigGroupHeadHashFree(), DetectEngineCtx_::spm_global_thread_ctx, SpmDestroyGlobalThreadCtx(), SRepDestroy(), TAILQ_FOREACH, DetectEngineCtx_::tcp_whitelist, ThresholdContextDestroy(), DetectEngineCtx_::udp_whitelist, ConfNode_::val, VarNameStoreFree(), and DetectEngineCtx_::version.

Referenced by ActionInitConfig(), AlertFastLogInitCtx(), DetectAckRegister(), DetectAppLayerProtocolRegister(), DetectBase64DataDoMatch(), DetectBase64DecodeDoMatch(), DetectByteExtractRetrieveSMVar(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectCipServiceRegister(), DetectClasstypeRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDistanceRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineGetEventInfo(), DetectEngineInspectBufferGeneric(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineMultiTenantEnabled(), DetectEnginePruneFreeList(), DetectEngineReload(), DetectEngineStateResetTxs(), DetectEnipCommandRegister(), DetectFastPatternRegister(), DetectFilesizeRegister(), DetectFilestoreRegister(), DetectFlowbitsAnalyze(), DetectFlowFree(), DetectFlowintFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectFtpdataRegister(), DetectGeoipRegister(), DetectGidRegister(), DetectHostbitFree(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectIsdataatFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectMetadataHashFree(), DetectModbusRegister(), DetectMsgRegister(), DetectPcrePayloadMatch(), DetectPktDataRegister(), DetectPriorityRegister(), DetectProtoContainsProto(), DetectReferenceFree(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSeqRegister(), DetectSetupParseRegexes(), DetectSidRegister(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectTargetRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTransformCompressWhitespaceRegister(), DetectTransformStripWhitespaceRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), DetectWithinRegister(), DetectXbitFree(), IPOnlyAddSignature(), MpmACRegister(), MpmACTileRegister(), RegisterModbusParsers(), SCACBSPrintInfo(), SCClassConfGenerateInValidDummyClassConfigFD03(), SCRConfGenerateInValidDummyReferenceConfigFD03(), SCRuleVarsGetConfVar(), SCSigSignatureOrderingModuleCleanup(), SCThresholdConfParseFile(), SigGroupHeadContainsSigId(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), TagTimeoutCheck(), UTHGenericTest(), UTHPacketMatchSig(), UTHPacketMatchSigMpm(), and UTHParseSignature().

Here is the call graph for this function:

DetectEngineCtx* DetectEngineCtxInit ( void  )

Definition at line 1641 of file detect-engine.c.

References DETECT_ENGINE_TYPE_NORMAL.

Referenced by ActionInitConfig(), AlertFastLogInitCtx(), DetectAckRegister(), DetectAppLayerProtocolRegister(), DetectBase64DataDoMatch(), DetectBase64DecodeDoMatch(), DetectBypassRegister(), DetectByteExtractRetrieveSMVar(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectCipServiceRegister(), DetectClasstypeRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDistanceRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineCtxInitWithPrefix(), DetectEngineGetEventInfo(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectEnipCommandRegister(), DetectFastPatternRegister(), DetectFilesizeRegister(), DetectFilestoreRegister(), DetectFlowbitsAnalyze(), DetectFlowFree(), DetectFlowintFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectFtpdataRegister(), DetectGeoipRegister(), DetectGidRegister(), DetectHostbitFree(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectIsdataatFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectMetadataHashFree(), DetectModbusRegister(), DetectMsgRegister(), DetectPcrePayloadMatch(), DetectPktDataRegister(), DetectPortHashFree(), DetectPriorityRegister(), DetectProtoContainsProto(), DetectReferenceFree(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSeqRegister(), DetectSetupParseRegexes(), DetectSidRegister(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectTargetRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTransformCompressWhitespaceRegister(), DetectTransformStripWhitespaceRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), DetectWithinRegister(), DetectXbitFree(), IPOnlyAddSignature(), MpmACRegister(), MpmACTileRegister(), PostRunDeinit(), RegisterModbusParsers(), SCACBSPrintInfo(), SCClassConfGenerateInValidDummyClassConfigFD03(), SCRConfGenerateInValidDummyReferenceConfigFD03(), SCRuleVarsGetConfVar(), SCSigSignatureOrderingModuleCleanup(), SCThresholdConfParseFile(), SigGroupHeadContainsSigId(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), TagTimeoutCheck(), UTHGenericTest(), UTHPacketMatchSig(), UTHPacketMatchSigMpm(), and UTHParseSignature().

DetectEngineCtx* DetectEngineCtxInitStubForDD ( void  )

Definition at line 1636 of file detect-engine.c.

References DETECT_ENGINE_TYPE_DD_STUB.

Referenced by PostRunDeinit().

Here is the caller graph for this function:

DetectEngineCtx* DetectEngineCtxInitStubForMT ( void  )

Definition at line 1631 of file detect-engine.c.

References DETECT_ENGINE_TYPE_MT_STUB.

Referenced by DetectEngineMTApply(), and PostRunDeinit().

Here is the caller graph for this function:

DetectEngineCtx* DetectEngineCtxInitWithPrefix ( const char *  prefix)

Definition at line 1646 of file detect-engine.c.

References DETECT_ENGINE_TYPE_NORMAL, DetectEngineCtxInit(), SigString_::filename, DetectEngineCtx_::keyword_list, next, DetectEngineThreadKeywordCtxItem_::next, SCFree, SigString_::sig_error, DetectEngineCtx_::sig_stat, SigString_::sig_str, TAILQ_FOREACH_SAFE, and TAILQ_REMOVE.

Referenced by DetectEngineMultiTenantEnabled(), and DetectEngineReload().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectEngineDeReference ( DetectEngineCtx **  de_ctx)

Definition at line 3483 of file detect-engine.c.

References BUG_ON, DetectEngineMasterCtx_::list, and DetectEngineCtx_::next.

Referenced by DetectEngineMultiTenantEnabled(), DetectEngineReload(), DetectEngineThreadCtxInit(), GlobalsInitPreConfig(), and UnixSocketPcapFile().

Here is the caller graph for this function:

int DetectEngineEnabled ( void  )

Check if detection is enabled.

Return values
booltrue or false

Definition at line 2749 of file detect-engine.c.

References DetectEngineMasterCtx_::list, DetectEngineMasterCtx_::lock, SCMutexLock, and SCMutexUnlock.

Referenced by PostRunDeinit().

Here is the caller graph for this function:

DetectEngineCtx* DetectEngineGetByTenantId ( int  tenant_id)

Definition at line 3457 of file detect-engine.c.

References DETECT_ENGINE_TYPE_TENANT, DetectEngineMasterCtx_::list, DetectEngineMasterCtx_::lock, DetectEngineCtx_::next, DetectEngineCtx_::ref_cnt, SCMutexLock, SCMutexUnlock, DetectEngineCtx_::tenant_id, and DetectEngineCtx_::type.

Referenced by DetectEngineMultiTenantEnabled(), and UnixSocketPcapFile().

Here is the caller graph for this function:

DetectEngineCtx* DetectEngineGetCurrent ( void  )

Definition at line 2782 of file detect-engine.c.

References DETECT_ENGINE_TYPE_DD_STUB, DETECT_ENGINE_TYPE_MT_STUB, DETECT_ENGINE_TYPE_NORMAL, DetectEngineMasterCtx_::list, DetectEngineMasterCtx_::lock, DetectEngineCtx_::next, DetectEngineCtx_::ref_cnt, SCLogDebug, SCMutexLock, SCMutexUnlock, and DetectEngineCtx_::type.

Referenced by DetectEngineReload(), DetectEngineThreadCtxInit(), and GlobalsInitPreConfig().

Here is the caller graph for this function:

int DetectEngineGetEventInfo ( const char *  event_name,
int *  event_id,
AppLayerEventType event_type 
)

Definition at line 3824 of file detect-engine.c.

References APP_LAYER_EVENT_TYPE_TRANSACTION, ConfCreateContextBackup(), ConfDeInit(), ConfInit(), ConfRestoreContextBackup(), ConfYamlLoadString(), DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT, DetectEngineCtxFree(), DetectEngineCtxInit(), DetectEngineCtx_::inspection_recursion_limit, DetectEngineCtx_::max_uniq_toclient_groups, DetectEngineCtx_::max_uniq_toserver_groups, SC_ERR_INVALID_ENUM_MAP, SCLogError, and SCMapEnumNameToValue().

Referenced by DetectAppLayerEventRegister().

Here is the call graph for this function:

Here is the caller graph for this function:

AppLayerDecoderEvents* DetectEngineGetEvents ( DetectEngineThreadCtx det_ctx)

Definition at line 3819 of file detect-engine.c.

References DetectEngineThreadCtx_::decoder_events.

uint32_t DetectEngineGetVersion ( void  )

Definition at line 2763 of file detect-engine.c.

References DetectEngineMasterCtx_::lock, SCMutexLock, SCMutexUnlock, version, and DetectEngineMasterCtx_::version.

Referenced by DetectEngineInspectBufferGeneric().

Here is the caller graph for this function:

int DetectEngineInspectBufferGeneric ( DetectEngineCtx de_ctx,
DetectEngineThreadCtx det_ctx,
const DetectEngineAppInspectionEngine engine,
const Signature s,
Flow f,
uint8_t  flags,
void *  alstate,
void *  txv,
uint64_t  tx_id 
)

Do the content inspection & validation for a signature.

Parameters
de_ctxDetection engine context
det_ctxDetection engine thread context
sSignature to inspect
fFlow
flagsapp layer flags
stateApp layer state
Return values
0no match.
1match.
2Sig can't match.

Definition at line 1242 of file detect-engine.c.

References ActionInitConfig(), Flow_::alproto, AppLayerParserGetStateProgress(), DetectEngineThreadCtx_::buffer_offset, BUG_ON, PacketQueue_::cond_q, ConfGetBool(), DetectEngineCtx_::config_prefix, DETECT_CI_FLAGS_END, DETECT_CI_FLAGS_START, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, DETECT_ENGINE_INSPECT_SIG_CANT_MATCH, DETECT_ENGINE_INSPECT_SIG_MATCH, DETECT_ENGINE_INSPECT_SIG_NO_MATCH, DETECT_ENGINE_TYPE_DD_STUB, DETECT_ENGINE_TYPE_MT_STUB, DetectAddressMapInit(), DetectEngineContentInspection(), DetectEngineCtxFree(), DetectEngineGetVersion(), DetectEngineThreadCtxDeinit(), DetectMetadataHashInit(), DetectParseDupSigHashInit(), DetectEngineThreadCtx_::discontinue_matching, DetectEngineCtx_::failure_fatal, TmModule_::flags, InspectionBuffer::flags, Packet_::flags, FlowWorkerGetDetectCtxPtr(), FlowWorkerReplaceDetectCtx(), DetectEngineAppInspectionEngine_::GetData, Tmq_::id, ThreadVars_::inq, InspectionBuffer::inspect, InspectionBuffer::inspect_len, InspectionBuffer::inspect_offset, DetectEngineThreadCtx_::inspection_recursion_counter, DetectEngineAppInspectionEngine_::mpm, DetectEngineCtx_::mpm_matcher, mpm_table, MpmStoreInit(), PacketQueue_::mutex_q, SpmTableElmt_::name, MpmTableElmt_::name, ThreadVars_::next, offset, PacketEnqueue(), PacketGetFromAlloc(), PatternMatchDefaultMatcher(), PKT_PSEUDO_STREAM_END, TmModule_::PktAcqBreakLoop, TmModule_::PktAcqLoop, DetectEngineAppInspectionEngine_::progress, Flow_::proto, SC_ATOMIC_GET, SC_ERR_LIVE_RULE_SWAP, SCClassConfLoadClassficationConfigFile(), SCCondSignal, SCEnter, SCLogDebug, SCLogError, SCLogInfo, SCMalloc, SCMutexLock, SCMutexUnlock, SCRConfLoadReferenceConfigFile(), DetectEngineCtx_::sig_stat, DetectEngineCtx_::sigerror, SigGroupHeadHashInit(), SinglePatternMatchDefaultMatcher(), TmSlot_::slot_next, DetectEngineAppInspectionEngine_::sm_list, DetectEngineAppInspectionEngine_::smd, DetectEngineCtx_::spm_global_thread_ctx, DetectEngineCtx_::spm_matcher, spm_table, SpmInitGlobalThreadCtx(), SRepInit(), SRepReloadComplete(), strlcpy(), suricata_ctl_flags, TAILQ_INIT, ThresholdHashInit(), THV_CAPTURE_INJECT_PKT, THV_RUNNING_DONE, TM_FLAG_DETECT_TM, TM_FLAG_RECEIVE_TM, TmSlot_::tm_id, ThreadVars_::tm_slots, TmModuleGetById(), TmThreadsCheckFlag(), TmThreadsSetFlag(), trans_q, DetectEngineAppInspectionEngine_::transforms, tv_root, tv_root_lock, TVT_PPT, type, DetectEngineCtx_::type, unlikely, DetectEngineAppInspectionEngine_::v2, VarNameStoreSetupStaging(), and DetectEngineCtx_::version.

Referenced by DetectAppLayerInspectEngineRegister2(), DetectDceStubDataRegister(), DetectFiledataRegister(), DetectHttpClientBodyRegister(), DetectHttpCookieRegister(), DetectHttpHHRegister(), DetectHttpMethodRegister(), DetectHttpProtocolRegister(), DetectHttpRawHeaderRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectHttpStatCodeRegister(), DetectHttpStatMsgRegister(), DetectHttpUARegister(), DetectHttpUriRegister(), DetectSmbNamedPipeRegister(), DetectSmbShareRegister(), DetectSNMPCommunityRegister(), DetectSshProtocolRegister(), DetectSshSoftwareRegister(), DetectTemplateBufferRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3SHashRegister(), DetectTlsJa3SStringRegister(), DetectTlsJa3StringRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), and DetectTlsSubjectRegister().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectEngineInspectGenericList ( ThreadVars tv,
const DetectEngineCtx de_ctx,
DetectEngineThreadCtx det_ctx,
const Signature s,
const SigMatchData smd,
Flow f,
const uint8_t  flags,
void *  alstate,
void *  txv,
uint64_t  tx_id 
)

Do the content inspection & validation for a signature.

Parameters
de_ctxDetection engine context
det_ctxDetection engine thread context
sSignature to inspect
smSigMatch to inspect
fFlow
flagsapp layer flags
stateApp layer state
Return values
0no match
1match

Definition at line 1193 of file detect-engine.c.

References SigMatchData_::ctx, DETECT_ENGINE_INSPECT_SIG_CANT_MATCH, DETECT_ENGINE_INSPECT_SIG_MATCH, DETECT_ENGINE_INSPECT_SIG_NO_MATCH, SigMatchData_::is_last, KEYWORD_PROFILING_END, KEYWORD_PROFILING_START, SCLogDebug, sigmatch_table, and SigMatchData_::type.

Referenced by DetectDceIfaceRegister(), DetectEngineInspectDnsRequest(), DetectEngineInspectDnsResponse(), DetectFtpbounceRegister(), DetectFtpdataRegister(), DetectLuaRegister(), DetectNfsProcedureRegister(), DetectNfsVersionRegister(), DetectSNMPPduTypeRegister(), DetectSNMPVersionRegister(), DetectSslStateRegister(), and DetectTlsValidityRegister().

Here is the caller graph for this function:

int DetectEngineLoadTenantBlocking ( uint32_t  tenant_id,
const char *  yaml 
)

Load a tenant and wait for loading to complete.

Definition at line 3008 of file detect-engine.c.

References DetectLoadersSync().

Referenced by UnixSocketPcapFile().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectEngineMoveToFreeList ( DetectEngineCtx de_ctx)

Definition at line 3523 of file detect-engine.c.

References DetectEngineMasterCtx_::free_list, DetectEngineMasterCtx_::list, DetectEngineMasterCtx_::lock, next, DetectEngineCtx_::next, DetectEngineCtx_::ref_cnt, SCLogDebug, SCMutexLock, and SCMutexUnlock.

Referenced by DetectEngineMultiTenantEnabled(), DetectEngineReload(), DetectReplaceFreeInternal(), GlobalsInitPreConfig(), and UnixSocketPcapFile().

Here is the caller graph for this function:

int DetectEngineMTApply ( void  )

Definition at line 3714 of file detect-engine.c.

References DETECT_ENGINE_TYPE_DD_STUB, DETECT_ENGINE_TYPE_MT_STUB, DETECT_ENGINE_TYPE_NORMAL, DetectEngineCtxInitStubForMT(), DetectEnginePruneFreeList(), DetectEngineMasterCtx_::list, DetectEngineMasterCtx_::lock, DetectEngineCtx_::next, SCLogDebug, SCLogInfo, SCMutexLock, SCMutexUnlock, DetectEngineCtx_::tenant_id, DetectEngineMasterCtx_::tenant_selector, TENANT_SELECTOR_UNKNOWN, and DetectEngineCtx_::type.

Referenced by UnixSocketPcapFile().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectEngineMultiTenantEnabled ( void  )

TODO locking? Not needed if this is a one time setting at startup

Definition at line 2814 of file detect-engine.c.

References ConfGetNode(), DetectEngineCtx_::config_prefix, ConfYamlLoadFileWithPrefix(), DETECT_ENGINE_TYPE_TENANT, DetectEngineAddToMaster(), DetectEngineCtxFree(), DetectEngineCtxInitWithPrefix(), DetectEngineDeReference(), DetectEngineGetByTenantId(), DetectEngineMoveToFreeList(), DetectEngineCtx_::loader_id, DetectEngineMasterCtx_::multi_tenant_enabled, SC_ERR_CONF_YAML_ERROR, SC_ERR_FOPEN, SC_ERR_INITIALIZATION, SC_ERR_MT_DUPLICATE_TENANT, SC_ERR_NO_RULES_LOADED, SCLogDebug, SCLogError, SigLoadSignatures(), DetectEngineCtx_::tenant_id, and DetectEngineCtx_::type.

Referenced by DetectEngineThreadCtxInit(), SigGroupBuild(), and UnixSocketPcapFile().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectEngineMultiTenantSetup ( void  )

setup multi-detect / multi-tenancy

See if MT is enabled. If so, setup the selector, tenants and mappings. Tenants and mappings are optional, and can also dynamically be added and removed from the unix socket.

Definition at line 3157 of file detect-engine.c.

References ByteExtractStringUint32(), ConfGet(), ConfGetBool(), ConfGetNode(), ConfNodeLookupChild(), ConfUnixSocketIsEnable(), ConfYamlLoadFileWithPrefix(), DetectLoadersInit(), DetectLoadersSync(), DetectLoaderThreadSpawn(), LiveDevice_::dev, EngineModeIsIPS(), Packet_::livedev, DetectEngineMasterCtx_::lock, DetectEngineSyncer_::m, DetectEngineMasterCtx_::multi_tenant_enabled, next, DetectEngineTenantMapping_::next, SC_ERR_CONF_YAML_ERROR, SC_ERR_INVALID_ARGUMENT, SC_ERR_INVALID_VALUE, SC_ERR_MT_NO_MAPPING, SCCalloc, SCFree, SCLogDebug, SCLogError, SCLogInfo, SCLogNotice, SCLogWarning, SCMutexLock, SCMutexUnlock, TAILQ_FOREACH, DetectEngineThreadCtx_::tenant_array, DetectEngineThreadCtx_::tenant_array_size, LiveDevice_::tenant_id, DetectEngineTenantMapping_::tenant_id, DetectEngineMasterCtx_::tenant_mapping_list, DetectEngineMasterCtx_::tenant_selector, TENANT_SELECTOR_DIRECT, TENANT_SELECTOR_LIVEDEV, TENANT_SELECTOR_UNKNOWN, TENANT_SELECTOR_VLAN, TmModuleDetectLoaderRegister(), TmThreadContinueDetectLoaderThreads(), DetectEngineTenantMapping_::traffic_id, ConfNode_::val, VarNameStoreActivateStaging(), Packet_::vlan_id, and Packet_::vlan_idx.

Referenced by PostRunDeinit().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectEngineMustParseMetadata ( void  )

Definition at line 3779 of file detect-engine.c.

Referenced by DetectMetadataHashFree(), and DetectMetadataHashInit().

Here is the caller graph for this function:

void DetectEnginePruneFreeList ( void  )

Definition at line 3574 of file detect-engine.c.

References DetectEngineCtxFree(), DetectEngineMasterCtx_::free_list, DetectEngineMasterCtx_::lock, next, DetectEngineCtx_::next, DetectEngineCtx_::ref_cnt, SCLogDebug, SCMutexLock, and SCMutexUnlock.

Referenced by DetectEngineMTApply(), DetectEngineReload(), DetectReplaceFreeInternal(), GlobalsInitPreConfig(), and UnixSocketPcapFile().

Here is the call graph for this function:

Here is the caller graph for this function:

DetectEngineCtx* DetectEngineReference ( DetectEngineCtx de_ctx)

Definition at line 2805 of file detect-engine.c.

References DetectEngineCtx_::ref_cnt.

Referenced by DetectEngineThreadCtxInit().

Here is the caller graph for this function:

void DetectEngineRegisterTests ( void  )

Definition at line 4080 of file detect-engine.c.

References UtRegisterTest().

Here is the call graph for this function:

int DetectEngineReload ( const SCInstance suri)

Reload the detection engine.

Parameters
filenameYAML file to load for the detect config
Return values
-1error
0ok

Definition at line 3613 of file detect-engine.c.

References HashTable_::array_size, SCInstance_::conf_filename, ConfDump(), ConfGetNode(), ConfYamlLoadFileWithPrefix(), DETECT_ENGINE_TYPE_DD_STUB, DETECT_ENGINE_TYPE_NORMAL, DetectEngineAddToMaster(), DetectEngineBumpVersion(), DetectEngineCtxFree(), DetectEngineCtxInitWithPrefix(), DetectEngineDeReference(), DetectEngineGetCurrent(), DetectEngineMoveToFreeList(), DetectEnginePruneFreeList(), SC_ERR_CONF_YAML_ERROR, SC_ERR_INITIALIZATION, SCLogDebug, SCLogError, SCLogNotice, SCInstance_::sig_file, SCInstance_::sig_file_exclusive, SigLoadSignatures(), DetectEngineThreadCtx_::tenant_id, and DetectEngineCtx_::type.

Referenced by PostRunDeinit().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectEngineReloadIsIdle ( void  )

Definition at line 1169 of file detect-engine.c.

References DetectEngineSyncer_::m, SCMutexLock, SCMutexUnlock, and DetectEngineSyncer_::state.

int DetectEngineReloadIsStart ( void  )

Definition at line 1149 of file detect-engine.c.

References DetectEngineSyncer_::m, RELOAD, SCMutexLock, SCMutexUnlock, and DetectEngineSyncer_::state.

Referenced by PostRunDeinit().

Here is the caller graph for this function:

void DetectEngineReloadSetIdle ( void  )

Definition at line 1161 of file detect-engine.c.

References IDLE, DetectEngineSyncer_::m, SCMutexLock, SCMutexUnlock, and DetectEngineSyncer_::state.

Referenced by PostRunDeinit().

Here is the caller graph for this function:

int DetectEngineReloadStart ( void  )

Definition at line 1135 of file detect-engine.c.

References DetectEngineSyncer_::m, RELOAD, SCMutexLock, SCMutexUnlock, and DetectEngineSyncer_::state.

Referenced by PostRunDeinit().

Here is the caller graph for this function:

int DetectEngineReloadTenantBlocking ( uint32_t  tenant_id,
const char *  yaml,
int  reload_cnt 
)

Reload a tenant and wait for loading to complete.

Definition at line 3022 of file detect-engine.c.

References ByteExtractStringUint16(), ByteExtractStringUint32(), ConfNodeLookupChild(), DetectEngineTentantRegisterLivedev(), DetectEngineTentantRegisterVlanId(), DetectLoadersSync(), LiveDevice_::id, LiveGetDevice(), next, SC_ERR_INVALID_ARGUMENT, SC_ERR_MT_NO_MAPPING, SCLogError, SCLogWarning, TAILQ_FOREACH, LiveDevice_::tenant_id, LiveDevice_::tenant_id_set, and ConfNode_::val.

Referenced by UnixSocketPcapFile().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectEngineResetMaxSigId ( DetectEngineCtx de_ctx)

Definition at line 2061 of file detect-engine.c.

References DetectEngineCtx_::base64_decode_max_len, DetectEngineThreadCtx_::base64_decoded, DetectEngineThreadCtx_::base64_decoded_len, DetectEngineThreadCtx_::base64_decoded_len_max, DetectEngineThreadCtx_::bj_values, DetectEngineCtx_::buffer_type_id, DetectEngineThreadCtx_::buffers, DetectEngineThreadCtx_::buffers_size, BUG_ON, DetectEngineCtx_::byte_extract_max_local_id, DetectEngineThreadKeywordCtxItem_::data, DetectEngineIPOnlyThreadInit(), DetectEngineThreadKeywordCtxItem_::FreeFunc, DetectEngineThreadCtx_::global_keyword_ctxs_array, DetectEngineThreadCtx_::global_keyword_ctxs_size, HashTableAdd(), HashTableFree(), HashTableInit(), DetectEngineThreadKeywordCtxItem_::id, DetectEngineThreadKeywordCtxItem_::InitFunc, DetectEngineThreadCtx_::inspect, DetectEngineThreadCtx_::io_ctx, DetectEngineThreadCtx_::keyword_ctxs_array, DetectEngineThreadCtx_::keyword_ctxs_size, DetectEngineCtx_::keyword_id, DetectEngineMasterCtx_::keyword_id, DetectEngineCtx_::keyword_list, DetectEngineMasterCtx_::keyword_list, DetectEngineMasterCtx_::list, DetectEngineThreadCtx_::match_array, DetectEngineThreadCtx_::match_array_len, DetectEngineCtx_::mpm_matcher, DetectEngineThreadCtx_::mt_det_ctxs_cnt, DetectEngineThreadCtx_::mt_det_ctxs_hash, DetectEngineThreadCtx_::mtc, DetectEngineThreadCtx_::mtcs, DetectEngineThreadCtx_::mtcu, DetectEngineThreadCtx_::multi_inspect, DetectEngineThreadKeywordCtxItem_::name, DetectEngineThreadKeywordCtxItem_::next, DetectEngineCtx_::next, DetectEngineTenantMapping_::next, DetectEngineThreadCtx_::non_pf_id_array, DetectEngineCtx_::non_pf_store_cnt_max, PatternMatchThreadPrepare(), DetectEngineThreadCtx_::pmq, PmqSetup(), DetectEngineCtx_::profile_ctx, DetectEngineCtx_::profile_keyword_ctx, DetectEngineCtx_::profile_prefilter_ctx, DetectEngineCtx_::profile_sgh_ctx, RuleMatchCandidateTxArrayInit(), SC_ATOMIC_INIT, SC_ERR_DETECT_PREPARE, SC_ERR_MT_NO_SELECTOR, SCCalloc, SCFree, SCLogDebug, SCLogError, SCLogInfo, SCMalloc, SCProfilingKeywordThreadSetup(), SCProfilingPrefilterThreadSetup(), SCProfilingRuleThreadSetup(), SCProfilingSghThreadSetup(), DetectEngineCtx_::sig_array_len, SigIntId, DetectEngineCtx_::signum, DetectEngineCtx_::spm_global_thread_ctx, DetectEngineThreadCtx_::spm_thread_ctx, SpmMakeThreadCtx(), DetectEngineThreadCtx_::tenant_array, DetectEngineThreadCtx_::tenant_array_size, DetectEngineCtx_::tenant_id, DetectEngineTenantMapping_::tenant_id, DetectEngineMasterCtx_::tenant_mapping_list, DetectEngineMasterCtx_::tenant_selector, TENANT_SELECTOR_DIRECT, TENANT_SELECTOR_LIVEDEV, TENANT_SELECTOR_UNKNOWN, TENANT_SELECTOR_VLAN, DetectEngineThreadCtx_::TenantGetId, TM_ECODE_FAILED, TM_ECODE_OK, DetectEngineThreadCtx_::to_clear_idx, DetectEngineThreadCtx_::to_clear_queue, and DetectEngineTenantMapping_::traffic_id.

Referenced by SigCleanSignatures().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectEngineSetEvent ( DetectEngineThreadCtx det_ctx,
uint8_t  e 
)

Definition at line 3813 of file detect-engine.c.

References AppLayerDecoderEventsSetEventRaw(), DetectEngineThreadCtx_::decoder_events, and DetectEngineThreadCtx_::events.

Referenced by FileSwfDecompression(), and FileSwfZlibDecompression().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectEngineSetParseMetadata ( void  )

Definition at line 3769 of file detect-engine.c.

Referenced by DetectMetadataHashFree().

Here is the caller graph for this function:

int DetectEngineTentantRegisterLivedev ( uint32_t  tenant_id,
int  device_id 
)

Definition at line 3425 of file detect-engine.c.

References TENANT_SELECTOR_LIVEDEV.

Referenced by DetectEngineReloadTenantBlocking().

Here is the caller graph for this function:

int DetectEngineTentantRegisterPcapFile ( uint32_t  tenant_id)

Definition at line 3440 of file detect-engine.c.

References SCLogInfo, and TENANT_SELECTOR_DIRECT.

Referenced by UnixSocketPcapFile().

Here is the caller graph for this function:

int DetectEngineTentantRegisterVlanId ( uint32_t  tenant_id,
uint16_t  vlan_id 
)

Definition at line 3430 of file detect-engine.c.

References TENANT_SELECTOR_VLAN.

Referenced by DetectEngineReloadTenantBlocking(), and UnixSocketPcapFile().

Here is the caller graph for this function:

int DetectEngineTentantUnregisterPcapFile ( uint32_t  tenant_id)

Definition at line 3446 of file detect-engine.c.

References Packet_::pcap_v, SCLogInfo, PcapPacketVars_::tenant_id, and TENANT_SELECTOR_DIRECT.

Referenced by UnixSocketPcapFile().

Here is the caller graph for this function:

int DetectEngineTentantUnregisterVlanId ( uint32_t  tenant_id,
uint16_t  vlan_id 
)

Definition at line 3435 of file detect-engine.c.

References TENANT_SELECTOR_VLAN.

Referenced by UnixSocketPcapFile().

Here is the caller graph for this function:

TmEcode DetectEngineThreadCtxDeinit ( ThreadVars tv,
void *  data 
)

Definition at line 2592 of file detect-engine.c.

References HashTableFree(), DetectEngineThreadCtx_::mt_det_ctxs_hash, SC_ERR_INVALID_ARGUMENTS, SCLogWarning, and TM_ECODE_OK.

Referenced by AlertFastLogInitCtx(), DetectAckRegister(), DetectBase64DecodeDoMatch(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectBufferGeneric(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectEngineThreadCtxInit(), DetectFastPatternRegister(), DetectFlowbitsAnalyze(), DetectFlowFree(), DetectFlowintFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectGeoipRegister(), DetectHostbitFree(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectPcrePayloadMatch(), DetectProtoContainsProto(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSetupParseRegexes(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTransformCompressWhitespaceRegister(), DetectTransformStripWhitespaceRegister(), DetectUricontentRegister(), DetectXbitFree(), MpmACRegister(), MpmACTileRegister(), RegisterModbusParsers(), SCACBSPrintInfo(), SCThresholdConfParseFile(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), TagTimeoutCheck(), UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().

Here is the call graph for this function:

void DetectEngineThreadCtxInfo ( ThreadVars t,
DetectEngineThreadCtx det_ctx 
)

Definition at line 2610 of file detect-engine.c.

References DetectEngineThreadCtx_::de_ctx, DetectEngineCtx_::mpm_matcher, DetectEngineThreadCtx_::mtc, DetectEngineThreadCtx_::mtcu, and PatternMatchThreadPrint().

Here is the call graph for this function:

TmEcode DetectEngineThreadCtxInit ( ThreadVars tv,
void *  initdata,
void **  data 
)

initialize thread specific detection engine context

Note
there is a special case when using delayed detect. In this case the function is called twice per thread. The first time the rules are not yet loaded. de_ctx->delayed_detect_initialized will be 0. The 2nd time they will be loaded. de_ctx->delayed_detect_initialized will be 1. This is needed to do the per thread counter registration before the packet runtime starts. In delayed detect mode, the first call will return a NULL ptr through the data ptr.
Parameters
tvThreadVars for this thread
initdatapointer to de_ctx
data[out]pointer to store our thread detection ctx
Return values
TM_ECODE_OKif all went well
TM_ECODE_FAILEDon serious erro

alert counter setup

Definition at line 2384 of file detect-engine.c.

References AppLayerDecoderEventsFreeEvents(), DetectEngineThreadCtx_::base64_decoded, DetectEngineThreadCtx_::bj_values, DetectEngineThreadCtx_::buffers, DetectEngineThreadCtx_::buffers_size, DetectEngineThreadCtx_::counter_alerts, DetectEngineThreadCtx_::counter_fnonmpm_list, DetectEngineThreadCtx_::counter_match_list, DetectEngineThreadCtx_::counter_mpm_list, DetectEngineThreadCtx_::counter_nonmpm_list, DetectEngineThreadCtx_::de_ctx, DetectEngineThreadCtx_::decoder_events, DETECT_ENGINE_TYPE_NORMAL, DETECT_ENGINE_TYPE_TENANT, DetectEngineDeReference(), DetectEngineGetCurrent(), DetectEngineIPOnlyThreadDeinit(), DetectEngineMultiTenantEnabled(), DetectEngineReference(), DetectEngineThreadCtxDeinit(), DetectEngineThreadCtx_::inspect, InspectionBufferMultipleForList::inspection_buffers, InspectionBufferFree(), DetectEngineThreadCtx_::io_ctx, DetectEngineThreadCtx_::match_array, DetectEngineCtx_::mpm_matcher, DetectEngineThreadCtx_::mtc, DetectEngineThreadCtx_::mtcs, DetectEngineThreadCtx_::mtcu, DetectEngineThreadCtx_::multi_inspect, DetectEngineThreadCtx_::non_pf_id_array, PatternMatchThreadDestroy(), DetectEngineThreadCtx_::pmq, PmqFree(), DetectEngineCtx_::ref_cnt, RuleMatchCandidateTxArrayFree(), RunmodeIsUnittests(), SCFree, SCLogDebug, SCMalloc, SCProfilingKeywordThreadCleanup(), SCProfilingPrefilterThreadCleanup(), SCProfilingRuleThreadCleanup(), SCProfilingSghThreadCleanup(), InspectionBufferMultipleForList::size, DetectEngineThreadCtx_::spm_thread_ctx, SpmDestroyThreadCtx(), StatsRegisterAvgCounter(), StatsRegisterCounter(), DetectEngineThreadCtx_::tenant_array, DetectEngineCtx_::tenant_id, DetectEngineThreadCtx_::tenant_id, TM_ECODE_FAILED, TM_ECODE_OK, DetectEngineThreadCtx_::to_clear_queue, DetectEngineThreadCtx_::tv, DetectEngineCtx_::type, and unlikely.

Referenced by AlertFastLogInitCtx(), DetectAckRegister(), DetectBase64DecodeDoMatch(), DetectBypassRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectFastPatternRegister(), DetectFlowbitsAnalyze(), DetectFlowFree(), DetectFlowintFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectGeoipRegister(), DetectHostbitFree(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectLuaRegister(), DetectPcrePayloadMatch(), DetectProtoContainsProto(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSetupParseRegexes(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectTemplateRustBufferRegister(), DetectThresholdRegister(), DetectTransformCompressWhitespaceRegister(), DetectTransformStripWhitespaceRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), DetectXbitFree(), MpmACRegister(), MpmACTileRegister(), RegisterModbusParsers(), SCACBSPrintInfo(), SCThresholdConfParseFile(), SigGroupHeadContainsSigId(), SigParseApplyDsizeToContent(), SMTPParserCleanup(), TagTimeoutCheck(), UTHMatchPackets(), UTHMatchPacketsWithResults(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().

Here is the call graph for this function:

void DetectEngineUnsetParseMetadata ( void  )

Definition at line 3774 of file detect-engine.c.

Referenced by DetectMetadataHashFree().

Here is the caller graph for this function:

int DetectRegisterThreadCtxFuncs ( DetectEngineCtx de_ctx,
const char *  name,
void *(*)(void *)  InitFunc,
void *  data,
void(*)(void *)  FreeFunc,
int  mode 
)

Register Thread keyword context Funcs.

Parameters
de_ctxdetection engine to register in
namekeyword name for error printing
InitFuncfunction ptr
datakeyword init data to pass to Func. Can be NULL.
FreeFuncfunction ptr
mode0 normal (ctx per keyword instance) 1 shared (one ctx per det_ct)
Return values
idfor retrieval of ctx at runtime
-1on error
Note
make sure "data" remains valid and it free'd elsewhere. It's recommended to store it in the keywords global ctx so that it's freed when the de_ctx is freed.

Definition at line 2633 of file detect-engine.c.

References BUG_ON, DetectEngineThreadKeywordCtxItem_::data, DetectEngineThreadKeywordCtxItem_::FreeFunc, DetectEngineThreadKeywordCtxItem_::id, DetectEngineThreadKeywordCtxItem_::InitFunc, DetectEngineCtx_::keyword_id, DetectEngineCtx_::keyword_list, DetectEngineThreadKeywordCtxItem_::name, DetectEngineThreadKeywordCtxItem_::next, SCMalloc, and unlikely.

Referenced by DetectFilemagicRegister(), and DetectLuaRegister().

Here is the caller graph for this function:

int DetectRegisterThreadCtxGlobalFuncs ( const char *  name,
void *(*)(void *)  InitFunc,
void *  data,
void(*)(void *)  FreeFunc 
)

Register Thread keyword context Funcs (Global)

IDs stay static over reloads and between tenants

Parameters
namekeyword name for error printing
InitFuncfunction ptr
FreeFuncfunction ptr
Return values
idfor retrieval of ctx at runtime
-1on error

Definition at line 2693 of file detect-engine.c.

References BUG_ON, DetectEngineThreadKeywordCtxItem_::data, DetectEngineThreadKeywordCtxItem_::FreeFunc, DetectEngineThreadKeywordCtxItem_::id, DetectEngineThreadKeywordCtxItem_::InitFunc, DetectEngineMasterCtx_::keyword_id, DetectEngineMasterCtx_::keyword_list, DetectEngineThreadKeywordCtxItem_::name, DetectEngineThreadKeywordCtxItem_::next, SCCalloc, and unlikely.

Referenced by DetectHttpHeaderNamesRegister(), DetectHttpHeaderRegister(), and DetectHttpStartRegister().

Here is the caller graph for this function:

const char* DetectSigmatchListEnumToString ( enum DetectSigmatchListEnum  type)

Definition at line 3784 of file detect-engine.c.

References DETECT_SM_LIST_BASE64_DATA, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_MAX, DETECT_SM_LIST_PMATCH, DETECT_SM_LIST_POSTMATCH, DETECT_SM_LIST_SUPPRESS, DETECT_SM_LIST_THRESHOLD, and DETECT_SM_LIST_TMATCH.

Referenced by CleanupFPAnalyzer(), EngineAnalysisRulesFailure(), and SCProfilingKeywordsGlobalInit().

Here is the caller graph for this function:

void* DetectThreadCtxGetGlobalKeywordThreadCtx ( DetectEngineThreadCtx det_ctx,
int  id 
)

Retrieve thread local keyword ctx by id.

Parameters
det_ctxdetection engine thread ctx to retrieve the ctx from
idid of the ctx returned by DetectRegisterThreadCtxInitFunc at keyword init.
Return values
ctxor NULL on error

Definition at line 2737 of file detect-engine.c.

References DetectEngineThreadCtx_::global_keyword_ctxs_array, and DetectEngineThreadCtx_::global_keyword_ctxs_size.

Referenced by HttpHeaderGetBufferSpaceForTXID().

Here is the caller graph for this function:

void* DetectThreadCtxGetKeywordThreadCtx ( DetectEngineThreadCtx det_ctx,
int  id 
)

Retrieve thread local keyword ctx by id.

Parameters
det_ctxdetection engine thread ctx to retrieve the ctx from
idid of the ctx returned by DetectRegisterThreadCtxInitFunc at keyword init.
Return values
ctxor NULL on error

Definition at line 2673 of file detect-engine.c.

References DetectEngineThreadCtx_::keyword_ctxs_array, and DetectEngineThreadCtx_::keyword_ctxs_size.

Referenced by DetectFilemagicRegister(), and DetectLuaRegister().

Here is the caller graph for this function:

void InspectionBufferApplyTransforms ( InspectionBuffer buffer,
const DetectEngineTransforms transforms 
)

Definition at line 978 of file detect-engine.c.

References DetectEngineCtx_::app_inspect_engines, DetectEngineCtx_::app_mpms_list, DetectEngineCtx_::buffer_type_hash, DetectEngineCtx_::buffer_type_id, DetectEngineCtx_::buffer_type_map, DetectEngineCtx_::buffer_type_map_elements, BUG_ON, DetectBufferType_::description, DETECT_SM_LIST_DYNAMIC_START, DETECT_TRANSFORMS_MAX, DetectMpmInitializeAppMpms(), HashListTableFree(), HashListTableGetListData, HashListTableGetListHead(), HashListTableGetListNext, HashListTableInit(), DetectBufferType_::id, DetectBufferType_::mpm, DetectEngineAppInspectionEngine_::next, next, DetectMpmAppLayerRegistery_::next, DetectBufferType_::packet, PrefilterDeinit(), PrefilterInit(), SCCalloc, SCFree, SCLogDebug, DetectBufferType_::SetupCallback, sigmatch_table, DetectBufferType_::string, SigTableElmt_::Transform, DetectEngineTransforms::transforms, and DetectBufferType_::ValidateCallback.

Referenced by DetectFilemagicRegister(), DetectFilenameRegister(), DetectHttpCookieRegister(), DetectHttpHHRegister(), DetectHttpMethodRegister(), DetectHttpRawHeaderRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectHttpStatCodeRegister(), DetectHttpStatMsgRegister(), DetectHttpUARegister(), DetectHttpUriSetup(), DetectSNMPCommunityRegister(), DetectTemplateBufferRegister(), DetectTlsCertsRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3SHashRegister(), DetectTlsJa3SStringRegister(), DetectTlsJa3StringRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), and DetectTlsSubjectRegister().

Here is the call graph for this function:

Here is the caller graph for this function:

void InspectionBufferCheckAndExpand ( InspectionBuffer buffer,
uint32_t  min_size 
)

make sure that the buffer has at least 'min_size' bytes Expand the buffer if necessary

Definition at line 949 of file detect-engine.c.

References InspectionBuffer::buf, likely, SCRealloc, and InspectionBuffer::size.

Referenced by FileSwfDecompression(), and InspectionBufferCopy().

Here is the caller graph for this function:

void InspectionBufferClean ( DetectEngineThreadCtx det_ctx)

Definition at line 845 of file detect-engine.c.

References DetectEngineThreadCtx_::buffers, InspectionBufferMultipleForList::init, InspectionBuffer::inspect, DetectEngineThreadCtx_::inspect, InspectionBufferMultipleForList::inspection_buffers, InspectionBufferMultipleForList::max, DetectEngineThreadCtx_::multi_inspect, DetectEngineThreadCtx_::to_clear_idx, and DetectEngineThreadCtx_::to_clear_queue.

void InspectionBufferCopy ( InspectionBuffer buffer,
uint8_t *  buf,
uint32_t  buf_len 
)

Definition at line 966 of file detect-engine.c.

References InspectionBuffer::buf, InspectionBuffer::inspect, InspectionBuffer::inspect_len, InspectionBufferCheckAndExpand(), MIN, and InspectionBuffer::size.

Referenced by DetectTransformCompressWhitespaceRegister(), DetectTransformMd5Register(), DetectTransformSha1Register(), DetectTransformSha256Register(), and DetectTransformStripWhitespaceRegister().

Here is the call graph for this function:

Here is the caller graph for this function:

void InspectionBufferFree ( InspectionBuffer buffer)

Definition at line 937 of file detect-engine.c.

References InspectionBuffer::buf, and SCFree.

Referenced by DetectEngineThreadCtxInit(), DetectTransformCompressWhitespaceRegister(), DetectTransformMd5Register(), DetectTransformSha1Register(), DetectTransformSha256Register(), and DetectTransformStripWhitespaceRegister().

Here is the caller graph for this function:

InspectionBuffer* InspectionBufferGet ( DetectEngineThreadCtx det_ctx,
const int  list_id 
)

Definition at line 871 of file detect-engine.c.

References DetectEngineThreadCtx_::buffers, InspectionBuffer::inspect, DetectEngineThreadCtx_::inspect, DetectEngineThreadCtx_::to_clear_idx, and DetectEngineThreadCtx_::to_clear_queue.

Referenced by DetectHttpClientBodyRegister(), DetectHttpCookieRegister(), DetectHttpHHRegister(), DetectHttpMethodRegister(), DetectHttpRawHeaderRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectHttpStatCodeRegister(), DetectHttpStatMsgRegister(), DetectHttpUARegister(), DetectHttpUriSetup(), DetectSNMPCommunityRegister(), DetectTemplateBufferRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3SHashRegister(), DetectTlsJa3SStringRegister(), DetectTlsJa3StringRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), and DetectTlsSubjectRegister().

Here is the caller graph for this function:

InspectionBufferMultipleForList* InspectionBufferGetMulti ( DetectEngineThreadCtx det_ctx,
const int  list_id 
)

Definition at line 910 of file detect-engine.c.

References DetectEngineThreadCtx_::buffers, InspectionBufferMultipleForList::init, DetectEngineThreadCtx_::multi_inspect, DetectEngineThreadCtx_::to_clear_idx, and DetectEngineThreadCtx_::to_clear_queue.

Referenced by DetectFilemagicRegister(), DetectFilenameRegister(), and DetectTlsCertsRegister().

Here is the caller graph for this function:

void InspectionBufferInit ( InspectionBuffer buffer,
uint32_t  initial_size 
)

Definition at line 920 of file detect-engine.c.

References InspectionBuffer::buf, SCCalloc, and InspectionBuffer::size.

Referenced by DetectTransformCompressWhitespaceRegister(), DetectTransformMd5Register(), DetectTransformSha1Register(), DetectTransformSha256Register(), and DetectTransformStripWhitespaceRegister().

Here is the caller graph for this function:

InspectionBuffer* InspectionBufferMultipleForListGet ( InspectionBufferMultipleForList fb,
uint32_t  local_id 
)

for a InspectionBufferMultipleForList get a InspectionBuffer

Parameters
fbthe multiple buffer array
local_idthe index to get a buffer
bufferthe inspect buffer or NULL in case of error

Definition at line 884 of file detect-engine.c.

References InspectionBufferMultipleForList::inspection_buffers, MAX, InspectionBufferMultipleForList::max, SCLogDebug, SCRealloc, and InspectionBufferMultipleForList::size.

Referenced by DetectFilemagicRegister(), DetectFilenameRegister(), and DetectTlsCertsRegister().

Here is the caller graph for this function:

void InspectionBufferSetup ( InspectionBuffer buffer,
const uint8_t *  data,
const uint32_t  data_len 
)

setup the buffer with our initial data

Definition at line 930 of file detect-engine.c.

References InspectionBuffer::inspect, InspectionBuffer::inspect_len, InspectionBuffer::len, InspectionBuffer::orig, and InspectionBuffer::orig_len.

Referenced by DetectFilemagicRegister(), DetectFilenameRegister(), DetectHttpClientBodyRegister(), DetectHttpCookieRegister(), DetectHttpHHRegister(), DetectHttpMethodRegister(), DetectHttpRawHeaderRegister(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectHttpStatCodeRegister(), DetectHttpStatMsgRegister(), DetectHttpUARegister(), DetectHttpUriSetup(), DetectSNMPCommunityRegister(), DetectTemplateBufferRegister(), DetectTlsCertsRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3SHashRegister(), DetectTlsJa3SStringRegister(), DetectTlsJa3StringRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), DetectTlsSubjectRegister(), DetectTransformCompressWhitespaceRegister(), DetectTransformMd5Register(), DetectTransformSha1Register(), DetectTransformSha256Register(), and DetectTransformStripWhitespaceRegister().

Here is the caller graph for this function:

Variable Documentation

SCEnumCharMap det_ctx_event_table[]
Initial value:
= {
{ "TEST", DET_CTX_EVENT_TEST },
{ "NO_MEMORY", FILE_DECODER_EVENT_NO_MEM },
{ "INVALID_SWF_LENGTH", FILE_DECODER_EVENT_INVALID_SWF_LENGTH },
{ "INVALID_SWF_VERSION", FILE_DECODER_EVENT_INVALID_SWF_VERSION },
{ "Z_DATA_ERROR", FILE_DECODER_EVENT_Z_DATA_ERROR },
{ "Z_STREAM_ERROR", FILE_DECODER_EVENT_Z_STREAM_ERROR },
{ "Z_BUF_ERROR", FILE_DECODER_EVENT_Z_BUF_ERROR },
{ "Z_UNKNOWN_ERROR", FILE_DECODER_EVENT_Z_UNKNOWN_ERROR },
{ "LZMA_DECODER_ERROR", FILE_DECODER_EVENT_LZMA_DECODER_ERROR },
{ "LZMA_MEMLIMIT_ERROR", FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR },
{ "LZMA_OPTIONS_ERROR", FILE_DECODER_EVENT_LZMA_OPTIONS_ERROR },
{ "LZMA_FORMAT_ERROR", FILE_DECODER_EVENT_LZMA_FORMAT_ERROR },
{ "LZMA_DATA_ERROR", FILE_DECODER_EVENT_LZMA_DATA_ERROR },
{ "LZMA_BUF_ERROR", FILE_DECODER_EVENT_LZMA_BUF_ERROR },
{ "LZMA_UNKNOWN_ERROR", FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR },
{ NULL, -1 },
}

Definition at line 105 of file detect-engine.c.