suricata
detect-engine.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #include "suricata-common.h"
25 #include "suricata.h"
26 #include "detect.h"
27 #include "flow.h"
28 #include "flow-private.h"
29 #include "flow-util.h"
30 #include "flow-worker.h"
31 #include "conf.h"
32 #include "conf-yaml-loader.h"
33 #include "datasets.h"
34 
35 #include "app-layer-parser.h"
36 #include "app-layer-events.h"
37 #include "app-layer-htp.h"
38 
39 #include "detect-parse.h"
40 #include "detect-engine-sigorder.h"
41 
42 #include "detect-engine-build.h"
43 #include "detect-engine-siggroup.h"
44 #include "detect-engine-address.h"
45 #include "detect-engine-port.h"
46 #include "detect-engine-prefilter.h"
47 #include "detect-engine-mpm.h"
48 #include "detect-engine-iponly.h"
49 #include "detect-engine-tag.h"
50 #include "detect-engine-frame.h"
51 
52 #include "detect-engine-file.h"
53 
54 #include "detect-engine.h"
55 #include "detect-engine-state.h"
56 #include "detect-engine-payload.h"
57 #include "detect-fast-pattern.h"
58 #include "detect-byte-extract.h"
59 #include "detect-content.h"
60 #include "detect-uricontent.h"
61 #include "detect-tcphdr.h"
62 #include "detect-engine-threshold.h"
63 #include "detect-engine-content-inspection.h"
64 
65 #include "detect-engine-loader.h"
66 
67 #include "detect-engine-alert.h"
68 
69 #include "util-classification-config.h"
70 #include "util-reference-config.h"
71 #include "util-threshold-config.h"
72 #include "util-error.h"
73 #include "util-hash.h"
74 #include "util-byte.h"
75 #include "util-debug.h"
76 #include "util-unittest.h"
77 #include "util-action.h"
78 #include "util-magic.h"
79 #include "util-signal.h"
80 #include "util-spm.h"
81 #include "util-device-private.h"
82 #include "util-var-name.h"
83 #include "util-path.h"
84 #include "util-profiling.h"
85 #include "util-validate.h"
86 #include "util-hash-string.h"
87 #include "util-enum.h"
88 #include "util-conf.h"
89 
90 #include "tm-threads.h"
91 #include "runmodes.h"
92 
93 #include "reputation.h"
94 
95 #define DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT 3000
96 
97 static int DetectEngineCtxLoadConf(DetectEngineCtx *);
98 
99 static DetectEngineMasterCtx g_master_de_ctx = { SCMUTEX_INITIALIZER,
100  0, 99, NULL, NULL, TENANT_SELECTOR_UNKNOWN, NULL, NULL, 0};
101 
102 static uint32_t TenantIdHash(HashTable *h, void *data, uint16_t data_len);
103 static char TenantIdCompare(void *d1, uint16_t d1_len, void *d2, uint16_t d2_len);
104 static void TenantIdFree(void *d);
105 static uint32_t DetectEngineTenantGetIdFromLivedev(const void *ctx, const Packet *p);
106 static uint32_t DetectEngineTenantGetIdFromVlanId(const void *ctx, const Packet *p);
107 static uint32_t DetectEngineTenantGetIdFromPcap(const void *ctx, const Packet *p);
108 
109 static DetectEngineAppInspectionEngine *g_app_inspect_engines = NULL;
110 static DetectEnginePktInspectionEngine *g_pkt_inspect_engines = NULL;
111 static DetectEngineFrameInspectionEngine *g_frame_inspect_engines = NULL;
112 
113 // clang-format off
114 // rule types documentation tag start: SignatureProperties
115 const struct SignatureProperties signature_properties[SIG_TYPE_MAX] = {
116  /* SIG_TYPE_NOT_SET */ { SIG_PROP_FLOW_ACTION_PACKET, },
117  /* SIG_TYPE_IPONLY */ { SIG_PROP_FLOW_ACTION_FLOW, },
118  /* SIG_TYPE_LIKE_IPONLY */ { SIG_PROP_FLOW_ACTION_FLOW, },
119  /* SIG_TYPE_PDONLY */ { SIG_PROP_FLOW_ACTION_FLOW, },
120  /* SIG_TYPE_DEONLY */ { SIG_PROP_FLOW_ACTION_PACKET, },
121  /* SIG_TYPE_PKT */ { SIG_PROP_FLOW_ACTION_PACKET, },
122  /* SIG_TYPE_PKT_STREAM */ { SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL, },
123  /* SIG_TYPE_STREAM */ { SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL, },
124  /* SIG_TYPE_APPLAYER */ { SIG_PROP_FLOW_ACTION_FLOW, },
125  /* SIG_TYPE_APP_TX */ { SIG_PROP_FLOW_ACTION_FLOW, },
126 };
127 // rule types documentation tag end: SignatureProperties
128 // clang-format on
129 
130 const char *DetectTableToString(enum DetectTable table)
131 {
132  switch (table) {
133  case DETECT_TABLE_NOT_SET:
134  return "not_set";
135  case DETECT_TABLE_PACKET_PRE_FLOW:
136  return "pre_flow";
137  case DETECT_TABLE_PACKET_PRE_STREAM:
138  return "pre_stream";
139  case DETECT_TABLE_PACKET_FILTER:
140  return "packet_filter";
141  case DETECT_TABLE_PACKET_TD:
142  return "packet_td";
143  case DETECT_TABLE_APP_FILTER:
144  return "app_filter";
145  case DETECT_TABLE_APP_TD:
146  return "app_td";
147  default:
148  return "unknown";
149  }
150 }
151 
152 /** \brief register inspect engine at start up time
153  *
154  * \note errors are fatal */
155 void DetectPktInspectEngineRegister(const char *name,
156  InspectionBufferGetPktDataPtr GetPktData,
157  InspectionBufferPktInspectFunc Callback)
158 {
159  DetectBufferTypeRegister(name);
160  const int sm_list = DetectBufferTypeGetByName(name);
161  if (sm_list == -1) {
162  FatalError("failed to register inspect engine %s", name);
163  }
164 
165  if ((sm_list < DETECT_SM_LIST_MATCH) || (sm_list >= SHRT_MAX) ||
166  (Callback == NULL))
167  {
168  SCLogError("Invalid arguments");
169  BUG_ON(1);
170  }
171 
172  DetectEnginePktInspectionEngine *new_engine = SCCalloc(1, sizeof(*new_engine));
173  if (unlikely(new_engine == NULL)) {
174  FatalError("failed to register inspect engine %s: %s", name, strerror(errno));
175  }
176  new_engine->sm_list = (uint16_t)sm_list;
177  new_engine->sm_list_base = (uint16_t)sm_list;
178  new_engine->v1.Callback = Callback;
179  new_engine->v1.GetData = GetPktData;
180 
181  if (g_pkt_inspect_engines == NULL) {
182  g_pkt_inspect_engines = new_engine;
183  } else {
184  DetectEnginePktInspectionEngine *t = g_pkt_inspect_engines;
185  while (t->next != NULL) {
186  t = t->next;
187  }
188 
189  t->next = new_engine;
190  }
191 }
192 
193 /** \brief register inspect engine at start up time
194  *
195  * \note errors are fatal */
196 static void AppLayerInspectEngineRegisterInternal(const char *name, AppProto alproto, uint32_t dir,
197  int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData,
198  InspectionSingleBufferGetDataPtr GetDataSingle,
199  InspectionMultiBufferGetDataPtr GetMultiData)
200 {
201  BUG_ON(progress >= 48);
202 
203  DetectBufferTypeRegister(name);
204  const int sm_list = DetectBufferTypeGetByName(name);
205  if (sm_list == -1) {
206  FatalError("failed to register inspect engine %s", name);
207  }
208  SCLogDebug("name %s id %d", name, sm_list);
209 
210  if ((alproto == ALPROTO_FAILED) || (!(dir == SIG_FLAG_TOSERVER || dir == SIG_FLAG_TOCLIENT)) ||
211  (sm_list < DETECT_SM_LIST_MATCH) || (sm_list >= SHRT_MAX) ||
212  (progress < 0 || progress >= SHRT_MAX) || (Callback == NULL)) {
213  SCLogError("Invalid arguments");
214  BUG_ON(1);
215  } else if (Callback == DetectEngineInspectBufferGeneric && GetData == NULL) {
216  SCLogError("Invalid arguments: must register "
217  "GetData with DetectEngineInspectBufferGeneric");
218  BUG_ON(1);
219  } else if (Callback == DetectEngineInspectBufferSingle && GetDataSingle == NULL) {
220  SCLogError("Invalid arguments: must register "
221  "GetData with DetectEngineInspectBufferGeneric");
222  BUG_ON(1);
223  } else if (Callback == DetectEngineInspectMultiBufferGeneric && GetMultiData == NULL) {
224  SCLogError("Invalid arguments: must register "
225  "GetData with DetectEngineInspectMultiBufferGeneric");
226  BUG_ON(1);
227  }
228 
229  uint8_t direction;
230  if (dir == SIG_FLAG_TOSERVER) {
231  direction = 0;
232  } else {
233  direction = 1;
234  }
235  // every DNS or HTTP2 can be accessed from DOH2
236  if (alproto == ALPROTO_HTTP2 || alproto == ALPROTO_DNS) {
237  AppLayerInspectEngineRegisterInternal(
238  name, ALPROTO_DOH2, dir, progress, Callback, GetData, GetDataSingle, GetMultiData);
239  }
240 
241  DetectEngineAppInspectionEngine *new_engine =
242  SCCalloc(1, sizeof(DetectEngineAppInspectionEngine));
243  if (unlikely(new_engine == NULL)) {
244  exit(EXIT_FAILURE);
245  }
246  new_engine->alproto = alproto;
247  new_engine->dir = direction;
248  new_engine->sm_list = (uint16_t)sm_list;
249  new_engine->sm_list_base = (uint16_t)sm_list;
250  new_engine->progress = (int16_t)progress;
251  new_engine->v2.Callback = Callback;
252  if (Callback == DetectEngineInspectBufferGeneric) {
253  new_engine->v2.GetData = GetData;
254  } else if (Callback == DetectEngineInspectBufferSingle) {
255  new_engine->v2.GetDataSingle = GetDataSingle;
256  } else if (Callback == DetectEngineInspectMultiBufferGeneric) {
257  new_engine->v2.GetMultiData = GetMultiData;
258  }
259 
260  if (g_app_inspect_engines == NULL) {
261  g_app_inspect_engines = new_engine;
262  } else {
263  DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
264  while (t->next != NULL) {
265  t = t->next;
266  }
267 
268  t->next = new_engine;
269  }
270 }
271 
272 void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir,
273  int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
274 {
275  /* before adding, check that we don't add a duplicate entry, which will
276  * propegate all the way into the packet runtime if allowed. */
277  DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
278  while (t != NULL) {
279  const uint32_t t_direction = t->dir == 0 ? SIG_FLAG_TOSERVER : SIG_FLAG_TOCLIENT;
280  const int sm_list = DetectBufferTypeGetByName(name);
281 
282  if (t->sm_list == sm_list && t->alproto == alproto && t_direction == dir &&
283  t->progress == progress && t->v2.Callback == Callback && t->v2.GetData == GetData) {
284  DEBUG_VALIDATE_BUG_ON(1);
285  return;
286  }
287  t = t->next;
288  }
289 
290  AppLayerInspectEngineRegisterInternal(
291  name, alproto, dir, progress, Callback, GetData, NULL, NULL);
292 }
293 
294 void DetectAppLayerInspectEngineRegisterSingle(const char *name, AppProto alproto, uint32_t dir,
295  int progress, InspectEngineFuncPtr Callback, InspectionSingleBufferGetDataPtr GetData)
296 {
297  /* before adding, check that we don't add a duplicate entry, which will
298  * propegate all the way into the packet runtime if allowed. */
299  DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
300  while (t != NULL) {
301  const uint32_t t_direction = t->dir == 0 ? SIG_FLAG_TOSERVER : SIG_FLAG_TOCLIENT;
302  const int sm_list = DetectBufferTypeGetByName(name);
303 
304  if (t->sm_list == sm_list && t->alproto == alproto && t_direction == dir &&
305  t->progress == progress && t->v2.Callback == Callback &&
306  t->v2.GetDataSingle == GetData) {
307  DEBUG_VALIDATE_BUG_ON(1);
308  return;
309  }
310  t = t->next;
311  }
312 
313  AppLayerInspectEngineRegisterInternal(
314  name, alproto, dir, progress, Callback, NULL, GetData, NULL);
315 }
316 
317 /* copy an inspect engine with transforms to a new list id. */
318 static void DetectAppLayerInspectEngineCopy(
319  DetectEngineCtx *de_ctx,
320  int sm_list, int new_list,
321  const DetectEngineTransforms *transforms)
322 {
323  const DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
324  while (t) {
325  if (t->sm_list == sm_list) {
326  DetectEngineAppInspectionEngine *new_engine = SCCalloc(1, sizeof(DetectEngineAppInspectionEngine));
327  if (unlikely(new_engine == NULL)) {
328  exit(EXIT_FAILURE);
329  }
330  new_engine->alproto = t->alproto;
331  new_engine->dir = t->dir;
332  DEBUG_VALIDATE_BUG_ON(new_list < 0 || new_list > UINT16_MAX);
333  new_engine->sm_list = (uint16_t)new_list; /* use new list id */
334  DEBUG_VALIDATE_BUG_ON(sm_list < 0 || sm_list > UINT16_MAX);
335  new_engine->sm_list_base = (uint16_t)sm_list;
336  new_engine->progress = t->progress;
337  new_engine->v2 = t->v2;
338  new_engine->v2.transforms = transforms; /* assign transforms */
339 
340  if (de_ctx->app_inspect_engines == NULL) {
341  de_ctx->app_inspect_engines = new_engine;
342  } else {
343  DetectEngineAppInspectionEngine *list = de_ctx->app_inspect_engines;
344  while (list->next != NULL) {
345  list = list->next;
346  }
347 
348  list->next = new_engine;
349  }
350  }
351  t = t->next;
352  }
353 }
354 
355 /* copy inspect engines from global registrations to de_ctx list */
356 static void DetectAppLayerInspectEngineCopyListToDetectCtx(DetectEngineCtx *de_ctx)
357 {
358  const DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
359  DetectEngineAppInspectionEngine *list = de_ctx->app_inspect_engines;
360  while (t) {
361  DetectEngineAppInspectionEngine *new_engine = SCCalloc(1, sizeof(DetectEngineAppInspectionEngine));
362  if (unlikely(new_engine == NULL)) {
363  exit(EXIT_FAILURE);
364  }
365  new_engine->alproto = t->alproto;
366  new_engine->dir = t->dir;
367  new_engine->sm_list = t->sm_list;
368  new_engine->sm_list_base = t->sm_list;
369  new_engine->progress = t->progress;
370  new_engine->v2 = t->v2;
371 
372  if (list == NULL) {
373  de_ctx->app_inspect_engines = new_engine;
374  } else {
375  list->next = new_engine;
376  }
377  list = new_engine;
378 
379  t = t->next;
380  }
381 }
382 
383 /* copy an inspect engine with transforms to a new list id. */
384 static void DetectPktInspectEngineCopy(
385  DetectEngineCtx *de_ctx,
386  int sm_list, int new_list,
387  const DetectEngineTransforms *transforms)
388 {
389  const DetectEnginePktInspectionEngine *t = g_pkt_inspect_engines;
390  while (t) {
391  if (t->sm_list == sm_list) {
392  DetectEnginePktInspectionEngine *new_engine = SCCalloc(1, sizeof(DetectEnginePktInspectionEngine));
393  if (unlikely(new_engine == NULL)) {
394  exit(EXIT_FAILURE);
395  }
396  DEBUG_VALIDATE_BUG_ON(new_list < 0 || new_list > UINT16_MAX);
397  new_engine->sm_list = (uint16_t)new_list; /* use new list id */
398  DEBUG_VALIDATE_BUG_ON(sm_list < 0 || sm_list > UINT16_MAX);
399  new_engine->sm_list_base = (uint16_t)sm_list;
400  new_engine->v1 = t->v1;
401  new_engine->v1.transforms = transforms; /* assign transforms */
402 
403  if (de_ctx->pkt_inspect_engines == NULL) {
404  de_ctx->pkt_inspect_engines = new_engine;
405  } else {
406  DetectEnginePktInspectionEngine *list = de_ctx->pkt_inspect_engines;
407  while (list->next != NULL) {
408  list = list->next;
409  }
410 
411  list->next = new_engine;
412  }
413  }
414  t = t->next;
415  }
416 }
417 
418 /* copy inspect engines from global registrations to de_ctx list */
419 static void DetectPktInspectEngineCopyListToDetectCtx(DetectEngineCtx *de_ctx)
420 {
421  const DetectEnginePktInspectionEngine *t = g_pkt_inspect_engines;
422  while (t) {
423  SCLogDebug("engine %p", t);
424  DetectEnginePktInspectionEngine *new_engine = SCCalloc(1, sizeof(DetectEnginePktInspectionEngine));
425  if (unlikely(new_engine == NULL)) {
426  exit(EXIT_FAILURE);
427  }
428  new_engine->sm_list = t->sm_list;
429  new_engine->sm_list_base = t->sm_list;
430  new_engine->v1 = t->v1;
431 
432  if (de_ctx->pkt_inspect_engines == NULL) {
433  de_ctx->pkt_inspect_engines = new_engine;
434  } else {
435  DetectEnginePktInspectionEngine *list = de_ctx->pkt_inspect_engines;
436  while (list->next != NULL) {
437  list = list->next;
438  }
439 
440  list->next = new_engine;
441  }
442 
443  t = t->next;
444  }
445 }
446 
447 /** \brief register inspect engine at start up time
448  *
449  * \note errors are fatal */
450 void DetectEngineFrameInspectEngineRegister(DetectEngineCtx *de_ctx, const char *name, int dir,
451  InspectionBufferFrameInspectFunc Callback, AppProto alproto, uint8_t type)
452 {
453  const int sm_list = DetectEngineBufferTypeRegister(de_ctx, name);
454  if (sm_list < 0) {
455  FatalError("failed to register inspect engine %s", name);
456  }
457 
458  if ((sm_list < DETECT_SM_LIST_MATCH) || (sm_list >= SHRT_MAX) || (Callback == NULL)) {
459  SCLogError("Invalid arguments");
460  BUG_ON(1);
461  }
462 
463  uint8_t direction;
464  if (dir == SIG_FLAG_TOSERVER) {
465  direction = 0;
466  } else {
467  direction = 1;
468  }
469 
470  DetectEngineFrameInspectionEngine *new_engine = SCCalloc(1, sizeof(*new_engine));
471  if (unlikely(new_engine == NULL)) {
472  FatalError("failed to register inspect engine %s: %s", name, strerror(errno));
473  }
474  new_engine->sm_list = (uint16_t)sm_list;
475  new_engine->sm_list_base = (uint16_t)sm_list;
476  new_engine->dir = direction;
477  new_engine->v1.Callback = Callback;
478  new_engine->alproto = alproto;
479  new_engine->type = type;
480 
481  if (de_ctx->frame_inspect_engines == NULL) {
482  de_ctx->frame_inspect_engines = new_engine;
483  } else {
484  DetectEngineFrameInspectionEngine *list = de_ctx->frame_inspect_engines;
485  while (list->next != NULL) {
486  list = list->next;
487  }
488 
489  list->next = new_engine;
490  }
491 }
492 
493 /* copy an inspect engine with transforms to a new list id. */
494 static void DetectFrameInspectEngineCopy(DetectEngineCtx *de_ctx, int sm_list, int new_list,
495  const DetectEngineTransforms *transforms)
496 {
497  /* take the list from the detect engine as the buffers can be registered
498  * dynamically. */
499  DetectEngineFrameInspectionEngine *t = de_ctx->frame_inspect_engines;
500  while (t) {
501  if (t->sm_list == sm_list) {
502  DetectEngineFrameInspectionEngine *new_engine =
503  SCCalloc(1, sizeof(DetectEngineFrameInspectionEngine));
504  if (unlikely(new_engine == NULL)) {
505  exit(EXIT_FAILURE);
506  }
507  DEBUG_VALIDATE_BUG_ON(new_list < 0 || new_list > UINT16_MAX);
508  new_engine->sm_list = (uint16_t)new_list; /* use new list id */
509  DEBUG_VALIDATE_BUG_ON(sm_list < 0 || sm_list > UINT16_MAX);
510  new_engine->sm_list_base = (uint16_t)sm_list;
511  new_engine->dir = t->dir;
512  new_engine->alproto = t->alproto;
513  new_engine->type = t->type;
514  new_engine->v1 = t->v1;
515  new_engine->v1.transforms = transforms; /* assign transforms */
516 
517  /* append to the list */
518  DetectEngineFrameInspectionEngine *list = t;
519  while (list->next != NULL) {
520  list = list->next;
521  }
522 
523  list->next = new_engine;
524  }
525  t = t->next;
526  }
527 }
528 
529 /* copy inspect engines from global registrations to de_ctx list */
530 static void DetectFrameInspectEngineCopyListToDetectCtx(DetectEngineCtx *de_ctx)
531 {
532  const DetectEngineFrameInspectionEngine *t = g_frame_inspect_engines;
533  while (t) {
534  SCLogDebug("engine %p", t);
535  DetectEngineFrameInspectionEngine *new_engine =
536  SCCalloc(1, sizeof(DetectEngineFrameInspectionEngine));
537  if (unlikely(new_engine == NULL)) {
538  exit(EXIT_FAILURE);
539  }
540  new_engine->sm_list = t->sm_list;
541  new_engine->sm_list_base = t->sm_list;
542  new_engine->dir = t->dir;
543  new_engine->alproto = t->alproto;
544  new_engine->type = t->type;
545  new_engine->v1 = t->v1;
546 
547  if (de_ctx->frame_inspect_engines == NULL) {
548  de_ctx->frame_inspect_engines = new_engine;
549  } else {
550  DetectEngineFrameInspectionEngine *list = de_ctx->frame_inspect_engines;
551  while (list->next != NULL) {
552  list = list->next;
553  }
554 
555  list->next = new_engine;
556  }
557 
558  t = t->next;
559  }
560 }
561 
562 /** \internal
563  * \brief append the stream inspection
564  *
565  * If stream inspection is MPM, then prepend it.
566  */
567 static void AppendStreamInspectEngine(
568  Signature *s, SigMatchData *stream, uint8_t direction, uint8_t id)
569 {
570  bool prepend = false;
571 
572  DetectEngineAppInspectionEngine *new_engine = SCCalloc(1, sizeof(DetectEngineAppInspectionEngine));
573  if (unlikely(new_engine == NULL)) {
574  exit(EXIT_FAILURE);
575  }
576  if (s->init_data->mpm_sm_list == DETECT_SM_LIST_PMATCH) {
577  SCLogDebug("stream is mpm");
578  prepend = true;
579  new_engine->mpm = true;
580  }
581  new_engine->alproto = ALPROTO_UNKNOWN; /* all */
582  new_engine->dir = direction;
583  new_engine->stream = true;
584  new_engine->sm_list = DETECT_SM_LIST_PMATCH;
585  new_engine->sm_list_base = DETECT_SM_LIST_PMATCH;
586  new_engine->smd = stream;
587  new_engine->v2.Callback = DetectEngineInspectStream;
588  new_engine->progress = 0;
589 
590  /* append */
591  if (s->app_inspect == NULL) {
592  s->app_inspect = new_engine;
593  new_engine->id = DE_STATE_FLAG_BASE; /* id is used as flag in stateful detect */
594  } else if (prepend) {
595  new_engine->next = s->app_inspect;
596  s->app_inspect = new_engine;
597  new_engine->id = id;
598 
599  } else {
600  DetectEngineAppInspectionEngine *a = s->app_inspect;
601  while (a->next != NULL) {
602  a = a->next;
603  }
604 
605  a->next = new_engine;
606  new_engine->id = id;
607  }
608  SCLogDebug("sid %u: engine %p/%u added", s->id, new_engine, new_engine->id);
609 }
610 
611 static void AppendFrameInspectEngine(DetectEngineCtx *de_ctx,
612  const DetectEngineFrameInspectionEngine *u, Signature *s, SigMatchData *smd,
613  const int mpm_list)
614 {
615  bool prepend = false;
616 
617  if (u->alproto == ALPROTO_UNKNOWN) {
618  /* special case, inspect engine applies to all protocols */
619  } else if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, u->alproto))
620  return;
621 
622  if (s->flags & SIG_FLAG_TOSERVER && !(s->flags & SIG_FLAG_TOCLIENT)) {
623  if (u->dir == 1)
624  return;
625  } else if (s->flags & SIG_FLAG_TOCLIENT && !(s->flags & SIG_FLAG_TOSERVER)) {
626  if (u->dir == 0)
627  return;
628  }
629 
630  DetectEngineFrameInspectionEngine *new_engine =
631  SCCalloc(1, sizeof(DetectEngineFrameInspectionEngine));
632  if (unlikely(new_engine == NULL)) {
633  exit(EXIT_FAILURE);
634  }
635  if (mpm_list == u->sm_list) {
636  SCLogDebug("%s is mpm", DetectEngineBufferTypeGetNameById(de_ctx, u->sm_list));
637  prepend = true;
638  new_engine->mpm = true;
639  }
640 
641  new_engine->type = u->type;
642  new_engine->sm_list = u->sm_list;
643  new_engine->sm_list_base = u->sm_list_base;
644  new_engine->smd = smd;
645  new_engine->v1 = u->v1;
646  SCLogDebug("sm_list %d new_engine->v1 %p/%p", new_engine->sm_list, new_engine->v1.Callback,
647  new_engine->v1.transforms);
648 
649  if (s->frame_inspect == NULL) {
650  s->frame_inspect = new_engine;
651  } else if (prepend) {
652  new_engine->next = s->frame_inspect;
653  s->frame_inspect = new_engine;
654  } else {
655  DetectEngineFrameInspectionEngine *a = s->frame_inspect;
656  while (a->next != NULL) {
657  a = a->next;
658  }
659  new_engine->next = a->next;
660  a->next = new_engine;
661  }
662 }
663 
664 static void AppendPacketInspectEngine(DetectEngineCtx *de_ctx,
665  const DetectEnginePktInspectionEngine *e, Signature *s, SigMatchData *smd,
666  const int mpm_list)
667 {
668  bool prepend = false;
669 
670  DetectEnginePktInspectionEngine *new_engine =
671  SCCalloc(1, sizeof(DetectEnginePktInspectionEngine));
672  if (unlikely(new_engine == NULL)) {
673  exit(EXIT_FAILURE);
674  }
675  if (mpm_list == e->sm_list) {
676  SCLogDebug("%s is mpm", DetectEngineBufferTypeGetNameById(de_ctx, e->sm_list));
677  prepend = true;
678  new_engine->mpm = true;
679  }
680 
681  new_engine->sm_list = e->sm_list;
682  new_engine->sm_list_base = e->sm_list_base;
683  new_engine->smd = smd;
684  new_engine->v1 = e->v1;
685  SCLogDebug("sm_list %d new_engine->v1 %p/%p/%p", new_engine->sm_list, new_engine->v1.Callback,
686  new_engine->v1.GetData, new_engine->v1.transforms);
687 
688  if (s->pkt_inspect == NULL) {
689  s->pkt_inspect = new_engine;
690  } else if (prepend) {
691  new_engine->next = s->pkt_inspect;
692  s->pkt_inspect = new_engine;
693  } else {
694  DetectEnginePktInspectionEngine *a = s->pkt_inspect;
695  while (a->next != NULL) {
696  a = a->next;
697  }
698  new_engine->next = a->next;
699  a->next = new_engine;
700  }
701 }
702 
703 static void AppendAppInspectEngine(DetectEngineCtx *de_ctx,
704  const DetectEngineAppInspectionEngine *t, Signature *s, SigMatchData *smd,
705  const int mpm_list, const int files_id, uint8_t *last_id, bool *head_is_mpm)
706 {
707  if (t->alproto == ALPROTO_UNKNOWN) {
708  /* special case, inspect engine applies to all protocols */
709  } else if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, t->alproto))
710  return;
711 
712  if (s->flags & SIG_FLAG_TOSERVER && !(s->flags & SIG_FLAG_TOCLIENT)) {
713  if (t->dir == 1)
714  return;
715  } else if (s->flags & SIG_FLAG_TOCLIENT && !(s->flags & SIG_FLAG_TOSERVER)) {
716  if (t->dir == 0)
717  return;
718  }
719  SCLogDebug("app engine: t %p t->id %u => alproto:%s files:%s", t, t->id,
720  AppProtoToString(t->alproto), BOOL2STR(t->sm_list == files_id));
721 
722  DetectEngineAppInspectionEngine *new_engine =
723  SCCalloc(1, sizeof(DetectEngineAppInspectionEngine));
724  if (unlikely(new_engine == NULL)) {
725  exit(EXIT_FAILURE);
726  }
727  bool prepend = false;
728  if (mpm_list == t->sm_list) {
729  SCLogDebug("%s is mpm", DetectEngineBufferTypeGetNameById(de_ctx, t->sm_list));
730  prepend = true;
731  *head_is_mpm = true;
732  new_engine->mpm = true;
733  }
734 
735  new_engine->alproto = t->alproto;
736  new_engine->dir = t->dir;
737  new_engine->sm_list = t->sm_list;
738  new_engine->sm_list_base = t->sm_list_base;
739  new_engine->smd = smd;
740  new_engine->match_on_null = smd ? DetectContentInspectionMatchOnAbsentBuffer(smd) : false;
741  new_engine->progress = t->progress;
742  new_engine->v2 = t->v2;
743  SCLogDebug("sm_list %d new_engine->v2 %p/%p/%p", new_engine->sm_list, new_engine->v2.Callback,
744  new_engine->v2.GetData, new_engine->v2.transforms);
745 
746  if (s->app_inspect == NULL) {
747  s->app_inspect = new_engine;
748  if (new_engine->sm_list == files_id) {
749  new_engine->id = DE_STATE_ID_FILE_INSPECT;
750  SCLogDebug("sid %u: engine %p/%u is FILE ENGINE", s->id, new_engine, new_engine->id);
751  } else {
752  new_engine->id = DE_STATE_FLAG_BASE; /* id is used as flag in stateful detect */
753  SCLogDebug("sid %u: engine %p/%u %s", s->id, new_engine, new_engine->id,
754  DetectEngineBufferTypeGetNameById(de_ctx, new_engine->sm_list));
755  }
756 
757  /* prepend engine if forced or if our engine has a lower progress. */
758  } else if (prepend || (!(*head_is_mpm) && s->app_inspect->progress > new_engine->progress)) {
759  new_engine->next = s->app_inspect;
760  s->app_inspect = new_engine;
761  if (new_engine->sm_list == files_id) {
762  new_engine->id = DE_STATE_ID_FILE_INSPECT;
763  SCLogDebug("sid %u: engine %p/%u is FILE ENGINE", s->id, new_engine, new_engine->id);
764  } else {
765  new_engine->id = ++(*last_id);
766  SCLogDebug("sid %u: engine %p/%u %s", s->id, new_engine, new_engine->id,
767  DetectEngineBufferTypeGetNameById(de_ctx, new_engine->sm_list));
768  }
769 
770  } else {
771  DetectEngineAppInspectionEngine *a = s->app_inspect;
772  while (a->next != NULL) {
773  if (a->next && a->next->progress > new_engine->progress) {
774  break;
775  }
776  a = a->next;
777  }
778 
779  new_engine->next = a->next;
780  a->next = new_engine;
781  if (new_engine->sm_list == files_id) {
782  new_engine->id = DE_STATE_ID_FILE_INSPECT;
783  SCLogDebug("sid %u: engine %p/%u is FILE ENGINE", s->id, new_engine, new_engine->id);
784  } else {
785  new_engine->id = ++(*last_id);
786  SCLogDebug("sid %u: engine %p/%u %s", s->id, new_engine, new_engine->id,
787  DetectEngineBufferTypeGetNameById(de_ctx, new_engine->sm_list));
788  }
789  }
790 
791  SCLogDebug("sid %u: engine %p/%u added", s->id, new_engine, new_engine->id);
792 
793  s->init_data->init_flags |= SIG_FLAG_INIT_STATE_MATCH;
794 }
795 
796 /**
797  * \note for the file inspect engine, the id DE_STATE_ID_FILE_INSPECT
798  * is assigned.
799  */
800 int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature *s)
801 {
802  const int mpm_list = s->init_data->mpm_sm ? s->init_data->mpm_sm_list : -1;
803  const int files_id = DetectBufferTypeGetByName("files");
804  bool head_is_mpm = false;
805  uint8_t last_id = DE_STATE_FLAG_BASE;
806  SCLogDebug("%u: setup app inspect engines. %u buffers", s->id, s->init_data->buffer_index);
807 
808  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
809  SigMatchData *smd = SigMatchList2DataArray(s->init_data->buffers[x].head);
810  SCLogDebug("smd %p, id %u", smd, s->init_data->buffers[x].id);
811 
812  const DetectBufferType *b =
813  DetectEngineBufferTypeGetById(de_ctx, s->init_data->buffers[x].id);
814  if (b == NULL)
815  FatalError("unknown buffer");
816 
817  if (b->frame) {
818  for (const DetectEngineFrameInspectionEngine *u = de_ctx->frame_inspect_engines;
819  u != NULL; u = u->next) {
820  if (u->sm_list == s->init_data->buffers[x].id) {
821  AppendFrameInspectEngine(de_ctx, u, s, smd, mpm_list);
822  }
823  }
824  } else if (b->packet) {
825  /* set up pkt inspect engines */
826  for (const DetectEnginePktInspectionEngine *e = de_ctx->pkt_inspect_engines; e != NULL;
827  e = e->next) {
828  SCLogDebug("e %p sm_list %u", e, e->sm_list);
829  if (e->sm_list == s->init_data->buffers[x].id) {
830  AppendPacketInspectEngine(de_ctx, e, s, smd, mpm_list);
831  }
832  }
833  } else {
834  SCLogDebug("app %s id %u parent %u rule %u xforms %u", b->name, b->id, b->parent_id,
835  s->init_data->buffers[x].id, b->transforms.cnt);
836  for (const DetectEngineAppInspectionEngine *t = de_ctx->app_inspect_engines; t != NULL;
837  t = t->next) {
838  if (t->sm_list == s->init_data->buffers[x].id) {
839  if (s->flags & SIG_FLAG_TXBOTHDIR) {
840  // ambiguous keywords have app engines in both directions
841  // so we skip the wrong direction for this buffer
842  if (s->init_data->buffers[x].only_tc && t->dir == 0) {
843  continue;
844  } else if (s->init_data->buffers[x].only_ts && t->dir == 1) {
845  continue;
846  }
847  }
848  AppendAppInspectEngine(
849  de_ctx, t, s, smd, mpm_list, files_id, &last_id, &head_is_mpm);
850  }
851  }
852  }
853  }
854 
855  /* handle rules that have an app-layer hook w/o bringing their own app inspect engine,
856  * e.g. `alert dns:request_complete ... (sid:1;)`
857  *
858  * Here we use a minimal stub inspect engine in which we set:
859  * - alproto
860  * - progress
861  * - sm_list/sm_list_base to get the mapping to the hook name
862  * - dir based on sig direction
863  *
864  * The inspect engine has no callback and is thus considered a straight match.
865  */
866  if (s->init_data->buffer_index == 0 && s->init_data->hook.type == SIGNATURE_HOOK_TYPE_APP) {
867  uint8_t dir = 0;
868  if ((s->flags & (SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT)) ==
869  (SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT))
870  abort();
871  if ((s->flags & (SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT)) == 0)
872  abort();
873  if (s->flags & SIG_FLAG_TOSERVER)
874  dir = 0;
875  else if (s->flags & SIG_FLAG_TOCLIENT)
876  dir = 1;
877 
878  DetectEngineAppInspectionEngine t = {
879  .alproto = s->init_data->hook.t.app.alproto,
880  .progress = (uint16_t)s->init_data->hook.t.app.app_progress,
881  .sm_list = (uint16_t)s->init_data->hook.sm_list,
882  .sm_list_base = (uint16_t)s->init_data->hook.sm_list,
883  .dir = dir,
884  };
885  AppendAppInspectEngine(de_ctx, &t, s, NULL, mpm_list, files_id, &last_id, &head_is_mpm);
886  }
887 
888  if ((s->init_data->init_flags & SIG_FLAG_INIT_STATE_MATCH) &&
889  s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL)
890  {
891  /* if engine is added multiple times, we pass it the same list */
892  SigMatchData *stream = SigMatchList2DataArray(s->init_data->smlists[DETECT_SM_LIST_PMATCH]);
893  BUG_ON(stream == NULL);
894  if (s->flags & SIG_FLAG_TOSERVER && !(s->flags & SIG_FLAG_TOCLIENT)) {
895  AppendStreamInspectEngine(s, stream, 0, last_id + 1);
896  } else if (s->flags & SIG_FLAG_TOCLIENT && !(s->flags & SIG_FLAG_TOSERVER)) {
897  AppendStreamInspectEngine(s, stream, 1, last_id + 1);
898  } else {
899  AppendStreamInspectEngine(s, stream, 0, last_id + 1);
900  AppendStreamInspectEngine(s, stream, 1, last_id + 1);
901  }
902 
903  if (s->init_data->init_flags & SIG_FLAG_INIT_NEED_FLUSH) {
904  SCLogDebug("set SIG_FLAG_FLUSH on %u", s->id);
905  s->flags |= SIG_FLAG_FLUSH;
906  }
907  }
908 
909 #ifdef DEBUG
910  const DetectEngineAppInspectionEngine *iter = s->app_inspect;
911  while (iter) {
912  SCLogDebug("%u: engine %s id %u progress %d %s", s->id,
913  DetectEngineBufferTypeGetNameById(de_ctx, iter->sm_list), iter->id, iter->progress,
914  iter->sm_list == mpm_list ? "MPM" : "");
915  iter = iter->next;
916  }
917 #endif
918  return 0;
919 }
920 
921 /** \brief free app inspect engines for a signature
922  *
923  * For lists that are registered multiple times, like http_header and
924  * http_cookie, making the engines owner of the lists is complicated.
925  * Multiple engines in a sig may be pointing to the same list. To
926  * address this the 'free' code needs to be extra careful about not
927  * double freeing, so it takes an approach to first fill an array
928  * of the to-free pointers before freeing them.
929  */
930 void DetectEngineAppInspectionEngineSignatureFree(DetectEngineCtx *de_ctx, Signature *s)
931 {
932  int engines = 0;
933 
934  DetectEngineAppInspectionEngine *ie = s->app_inspect;
935  while (ie) {
936  ie = ie->next;
937  engines++;
938  }
939  DetectEnginePktInspectionEngine *e = s->pkt_inspect;
940  while (e) {
941  e = e->next;
942  engines++;
943  }
944  DetectEngineFrameInspectionEngine *u = s->frame_inspect;
945  while (u) {
946  u = u->next;
947  engines++;
948  }
949  if (engines == 0) {
950  BUG_ON(s->pkt_inspect);
951  BUG_ON(s->frame_inspect);
952  return;
953  }
954 
955  SigMatchData *bufs[engines];
956  memset(&bufs, 0, (engines * sizeof(SigMatchData *)));
957  int arrays = 0;
958 
959  /* free engines and put smd in the array */
960  ie = s->app_inspect;
961  while (ie) {
962  DetectEngineAppInspectionEngine *next = ie->next;
963 
964  bool skip = false;
965  for (int i = 0; i < arrays; i++) {
966  if (bufs[i] == ie->smd) {
967  skip = true;
968  break;
969  }
970  }
971  if (!skip) {
972  bufs[arrays++] = ie->smd;
973  }
974  SCFree(ie);
975  ie = next;
976  }
977  e = s->pkt_inspect;
978  while (e) {
979  DetectEnginePktInspectionEngine *next = e->next;
980 
981  bool skip = false;
982  for (int i = 0; i < arrays; i++) {
983  if (bufs[i] == e->smd) {
984  skip = true;
985  break;
986  }
987  }
988  if (!skip) {
989  bufs[arrays++] = e->smd;
990  }
991  SCFree(e);
992  e = next;
993  }
994  u = s->frame_inspect;
995  while (u) {
996  DetectEngineFrameInspectionEngine *next = u->next;
997 
998  bool skip = false;
999  for (int i = 0; i < arrays; i++) {
1000  if (bufs[i] == u->smd) {
1001  skip = true;
1002  break;
1003  }
1004  }
1005  if (!skip) {
1006  bufs[arrays++] = u->smd;
1007  }
1008  SCFree(u);
1009  u = next;
1010  }
1011 
1012  for (int i = 0; i < engines; i++) {
1013  if (bufs[i] == NULL)
1014  continue;
1015  SigMatchData *smd = bufs[i];
1016  while (1) {
1017  if (sigmatch_table[smd->type].Free != NULL) {
1018  sigmatch_table[smd->type].Free(de_ctx, smd->ctx);
1019  }
1020  if (smd->is_last)
1021  break;
1022  smd++;
1023  }
1024  SCFree(bufs[i]);
1025  }
1026 }
1027 
1028 /* code for registering buffers */
1029 
1030 #include "util-hash-lookup3.h"
1031 
1032 static HashListTable *g_buffer_type_hash = NULL;
1033 static int g_buffer_type_id = DETECT_SM_LIST_DYNAMIC_START;
1034 static int g_buffer_type_reg_closed = 0;
1035 
1036 int DetectBufferTypeMaxId(void)
1037 {
1038  return g_buffer_type_id;
1039 }
1040 
1041 static void DetectBufferAddTransformData(DetectBufferType *map)
1042 {
1043  for (int i = 0; i < map->transforms.cnt; i++) {
1044  const TransformData *t = &map->transforms.transforms[i];
1045  if (sigmatch_table[t->transform].TransformId) {
1046  sigmatch_table[t->transform].TransformId(
1047  &map->xform_id[i].id_data, &map->xform_id[i].id_data_len, t->options);
1048  SCLogDebug("transform identity data: [%p] \"%s\" [%d]", map->xform_id[i].id_data,
1049  (char *)map->xform_id[i].id_data, map->xform_id[i].id_data_len);
1050  }
1051  }
1052 }
1053 
1054 static uint32_t DetectBufferTypeHashNameFunc(HashListTable *ht, void *data, uint16_t datalen)
1055 {
1056  const DetectBufferType *map = (DetectBufferType *)data;
1057  uint32_t hash = hashlittle_safe(map->name, strlen(map->name), 0);
1058 
1059  // Add the transform data
1060  // - Collect transform id and position
1061  // - Collect identity data, if any
1062  hash += hashlittle_safe((uint8_t *)&map->transforms.cnt, sizeof(map->transforms.cnt), 0);
1063  for (int i = 0; i < map->transforms.cnt; i++) {
1064  const TransformData *t = &map->transforms.transforms[i];
1065  int tval = t->transform;
1066  hash += hashlittle_safe((uint8_t *)&tval, sizeof(tval), 0);
1067  if (map->xform_id[i].id_data) {
1068  hash += hashlittle_safe(
1069  &map->xform_id[i].id_data_len, sizeof(map->xform_id[i].id_data_len), 0);
1070  hash += hashlittle_safe(map->xform_id[i].id_data, map->xform_id[i].id_data_len, 0);
1071  }
1072  }
1073  hash %= ht->array_size;
1074  SCLogDebug("map->name %s, hash %d", map->name, hash);
1075  return hash;
1076 }
1077 
1078 static uint32_t DetectBufferTypeHashIdFunc(HashListTable *ht, void *data, uint16_t datalen)
1079 {
1080  const DetectBufferType *map = (DetectBufferType *)data;
1081  uint32_t hash = map->id;
1082  hash %= ht->array_size;
1083  return hash;
1084 }
1085 
1086 static char DetectBufferTypeCompareNameFunc(void *data1, uint16_t len1, void *data2, uint16_t len2)
1087 {
1088  DetectBufferType *map1 = (DetectBufferType *)data1;
1089  DetectBufferType *map2 = (DetectBufferType *)data2;
1090 
1091  char r = (strcmp(map1->name, map2->name) == 0);
1092 
1093  // Compare the transforms
1094  // the transform supports identity, that data will also be added.
1095  r &= map1->transforms.cnt == map2->transforms.cnt;
1096  if (r && map1->transforms.cnt) {
1097  for (int i = 0; i < map1->transforms.cnt; i++) {
1098  if (map1->transforms.transforms[i].transform !=
1099  map2->transforms.transforms[i].transform) {
1100  r = 0;
1101  break;
1102  }
1103 
1104  SCLogDebug("%s: transform ids match; checking specialized data", map1->name);
1105  // Checks
1106  // - Both NULL: --> ok, continue
1107  // - One NULL: --> no match, break?
1108  // - identity data lengths match: --> ok, continue
1109  // - identity data matches: ok
1110 
1111  // Stop if only one is NULL
1112  if ((map1->xform_id[i].id_data == NULL) ^ (map2->xform_id[i].id_data == NULL)) {
1113  SCLogDebug("identity data: only one is null");
1114  r = 0;
1115  break;
1116  } else if (map1->xform_id[i].id_data == NULL) { /* continue when both are null */
1117  SCLogDebug("identity data: both null");
1118  r = 1;
1119  continue;
1120  } else if (map1->xform_id[i].id_data_len != map2->xform_id[i].id_data_len) {
1121  // Stop when id data lengths aren't equal
1122  SCLogDebug("id data: unequal lengths");
1123  r = 0;
1124  break;
1125  }
1126 
1127  // stop if the identity data is different
1128  r &= memcmp(map1->xform_id[i].id_data, map2->xform_id[i].id_data,
1129  map1->xform_id[i].id_data_len) == 0;
1130  if (r == 0)
1131  break;
1132  SCLogDebug("identity data: data matches");
1133  }
1134  }
1135  return r;
1136 }
1137 
1138 static char DetectBufferTypeCompareIdFunc(void *data1, uint16_t len1, void *data2, uint16_t len2)
1139 {
1140  DetectBufferType *map1 = (DetectBufferType *)data1;
1141  DetectBufferType *map2 = (DetectBufferType *)data2;
1142  return map1->id == map2->id;
1143 }
1144 
1145 static void DetectBufferTypeFreeFunc(void *data)
1146 {
1147  DetectBufferType *map = (DetectBufferType *)data;
1148 
1149  if (map == NULL) {
1150  return;
1151  }
1152 
1153  /* Release transformation option memory, if any */
1154  for (int i = 0; i < map->transforms.cnt; i++) {
1155  if (map->transforms.transforms[i].options == NULL)
1156  continue;
1157 
1158  if (sigmatch_table[map->transforms.transforms[i].transform].Free == NULL) {
1159  SCLogError("%s allocates transform option memory but has no free routine",
1160  sigmatch_table[map->transforms.transforms[i].transform].name);
1161  continue;
1162  }
1163  sigmatch_table[map->transforms.transforms[i].transform].Free(NULL, map->transforms.transforms[i].options);
1164  }
1165 
1166  SCFree(map);
1167 }
1168 
1169 static int DetectBufferTypeInit(void)
1170 {
1171  BUG_ON(g_buffer_type_hash);
1172  g_buffer_type_hash = HashListTableInit(256, DetectBufferTypeHashNameFunc,
1173  DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc);
1174  if (g_buffer_type_hash == NULL)
1175  return -1;
1176 
1177  return 0;
1178 }
1179 #if 0
1180 static void DetectBufferTypeFree(void)
1181 {
1182  if (g_buffer_type_hash == NULL)
1183  return;
1184 
1185  HashListTableFree(g_buffer_type_hash);
1186  g_buffer_type_hash = NULL;
1187 }
1188 #endif
1189 static int DetectBufferTypeAdd(const char *string)
1190 {
1191  BUG_ON(string == NULL || strlen(string) >= 64);
1192 
1193  DetectBufferType *map = SCCalloc(1, sizeof(*map));
1194  if (map == NULL)
1195  return -1;
1196 
1197  strlcpy(map->name, string, sizeof(map->name));
1198  map->id = g_buffer_type_id++;
1199 
1200  BUG_ON(HashListTableAdd(g_buffer_type_hash, (void *)map, 0) != 0);
1201  SCLogDebug("buffer %s registered with id %d", map->name, map->id);
1202  return map->id;
1203 }
1204 
1205 static DetectBufferType *DetectBufferTypeLookupByName(const char *string)
1206 {
1207  DetectBufferType map;
1208  memset(&map, 0, sizeof(map));
1209  strlcpy(map.name, string, sizeof(map.name));
1210 
1211  DetectBufferType *res = HashListTableLookup(g_buffer_type_hash, &map, 0);
1212  return res;
1213 }
1214 
1215 int DetectBufferTypeRegister(const char *name)
1216 {
1217  BUG_ON(g_buffer_type_reg_closed);
1218  if (g_buffer_type_hash == NULL)
1219  DetectBufferTypeInit();
1220 
1221  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1222  if (!exists) {
1223  return DetectBufferTypeAdd(name);
1224  } else {
1225  return exists->id;
1226  }
1227 }
1228 
1229 void DetectBufferTypeSupportsMultiInstance(const char *name)
1230 {
1231  BUG_ON(g_buffer_type_reg_closed);
1232  DetectBufferTypeRegister(name);
1233  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1234  BUG_ON(!exists);
1235  exists->multi_instance = true;
1236  SCLogDebug("%p %s -- %d supports multi instance", exists, name, exists->id);
1237 }
1238 
1239 void DetectBufferTypeSupportsFrames(const char *name)
1240 {
1241  BUG_ON(g_buffer_type_reg_closed);
1242  DetectBufferTypeRegister(name);
1243  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1244  BUG_ON(!exists);
1245  exists->frame = true;
1246  SCLogDebug("%p %s -- %d supports frame inspection", exists, name, exists->id);
1247 }
1248 
1249 void DetectBufferTypeSupportsPacket(const char *name)
1250 {
1251  BUG_ON(g_buffer_type_reg_closed);
1252  DetectBufferTypeRegister(name);
1253  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1254  BUG_ON(!exists);
1255  exists->packet = true;
1256  SCLogDebug("%p %s -- %d supports packet inspection", exists, name, exists->id);
1257 }
1258 
1259 void DetectBufferTypeSupportsMpm(const char *name)
1260 {
1261  BUG_ON(g_buffer_type_reg_closed);
1262  DetectBufferTypeRegister(name);
1263  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1264  BUG_ON(!exists);
1265  exists->mpm = true;
1266  SCLogDebug("%p %s -- %d supports mpm", exists, name, exists->id);
1267 }
1268 
1269 void DetectBufferTypeSupportsTransformations(const char *name)
1270 {
1271  BUG_ON(g_buffer_type_reg_closed);
1272  DetectBufferTypeRegister(name);
1273  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1274  BUG_ON(!exists);
1275  exists->supports_transforms = true;
1276  SCLogDebug("%p %s -- %d supports transformations", exists, name, exists->id);
1277 }
1278 
1279 int DetectBufferTypeGetByName(const char *name)
1280 {
1281  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1282  if (!exists) {
1283  return -1;
1284  }
1285  return exists->id;
1286 }
1287 
1288 static DetectBufferType *DetectEngineBufferTypeLookupByName(
1289  const DetectEngineCtx *de_ctx, const char *string)
1290 {
1291  DetectBufferType map;
1292  memset(&map, 0, sizeof(map));
1293  strlcpy(map.name, string, sizeof(map.name));
1294 
1295  DetectBufferType *res = HashListTableLookup(de_ctx->buffer_type_hash_name, &map, 0);
1296  return res;
1297 }
1298 
1299 const DetectBufferType *DetectEngineBufferTypeGetById(const DetectEngineCtx *de_ctx, const int id)
1300 {
1301  DetectBufferType lookup;
1302  memset(&lookup, 0, sizeof(lookup));
1303  lookup.id = id;
1304  const DetectBufferType *res =
1305  HashListTableLookup(de_ctx->buffer_type_hash_id, (void *)&lookup, 0);
1306  return res;
1307 }
1308 
1309 const char *DetectEngineBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
1310 {
1311  const DetectBufferType *res = DetectEngineBufferTypeGetById(de_ctx, id);
1312  return res ? res->name : NULL;
1313 }
1314 
1315 static int DetectEngineBufferTypeAdd(DetectEngineCtx *de_ctx, const char *string)
1316 {
1317  BUG_ON(string == NULL || strlen(string) >= 32);
1318 
1319  DetectBufferType *map = SCCalloc(1, sizeof(*map));
1320  if (map == NULL)
1321  return -1;
1322 
1323  strlcpy(map->name, string, sizeof(map->name));
1324  map->id = de_ctx->buffer_type_id++;
1325 
1326  BUG_ON(HashListTableAdd(de_ctx->buffer_type_hash_name, (void *)map, 0) != 0);
1327  BUG_ON(HashListTableAdd(de_ctx->buffer_type_hash_id, (void *)map, 0) != 0);
1328  SCLogDebug("buffer %s registered with id %d", map->name, map->id);
1329  return map->id;
1330 }
1331 
1332 int DetectEngineBufferTypeRegisterWithFrameEngines(DetectEngineCtx *de_ctx, const char *name,
1333  const int direction, const AppProto alproto, const uint8_t frame_type)
1334 {
1335  DetectBufferType *exists = DetectEngineBufferTypeLookupByName(de_ctx, name);
1336  if (exists) {
1337  return exists->id;
1338  }
1339 
1340  const int buffer_id = DetectEngineBufferTypeAdd(de_ctx, name);
1341  if (buffer_id < 0) {
1342  return -1;
1343  }
1344 
1345  /* TODO hack we need the map to get the name. Should we return the map at reg? */
1346  const DetectBufferType *map = DetectEngineBufferTypeGetById(de_ctx, buffer_id);
1347  BUG_ON(!map);
1348 
1349  /* register MPM/inspect engines */
1350  if (direction & SIG_FLAG_TOSERVER) {
1351  DetectEngineFrameMpmRegister(de_ctx, map->name, SIG_FLAG_TOSERVER, 2,
1352  PrefilterGenericMpmFrameRegister, alproto, frame_type);
1353  DetectEngineFrameInspectEngineRegister(de_ctx, map->name, SIG_FLAG_TOSERVER,
1354  DetectEngineInspectFrameBufferGeneric, alproto, frame_type);
1355  }
1356  if (direction & SIG_FLAG_TOCLIENT) {
1357  DetectEngineFrameMpmRegister(de_ctx, map->name, SIG_FLAG_TOCLIENT, 2,
1358  PrefilterGenericMpmFrameRegister, alproto, frame_type);
1359  DetectEngineFrameInspectEngineRegister(de_ctx, map->name, SIG_FLAG_TOCLIENT,
1360  DetectEngineInspectFrameBufferGeneric, alproto, frame_type);
1361  }
1362 
1363  return buffer_id;
1364 }
1365 
1366 int DetectEngineBufferTypeRegister(DetectEngineCtx *de_ctx, const char *name)
1367 {
1368  DetectBufferType *exists = DetectEngineBufferTypeLookupByName(de_ctx, name);
1369  if (!exists) {
1370  return DetectEngineBufferTypeAdd(de_ctx, name);
1371  } else {
1372  return exists->id;
1373  }
1374 }
1375 
1376 void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
1377 {
1378  BUG_ON(desc == NULL || strlen(desc) >= 128);
1379 
1380  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1381  if (!exists) {
1382  return;
1383  }
1384  strlcpy(exists->description, desc, sizeof(exists->description));
1385 }
1386 
1387 const char *DetectEngineBufferTypeGetDescriptionById(const DetectEngineCtx *de_ctx, const int id)
1388 {
1389  const DetectBufferType *exists = DetectEngineBufferTypeGetById(de_ctx, id);
1390  if (!exists) {
1391  return NULL;
1392  }
1393  return exists->description;
1394 }
1395 
1396 const char *DetectBufferTypeGetDescriptionByName(const char *name)
1397 {
1398  const DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1399  if (!exists) {
1400  return NULL;
1401  }
1402  return exists->description;
1403 }
1404 
1405 void DetectEngineBufferTypeSupportsFrames(DetectEngineCtx *de_ctx, const char *name)
1406 {
1407  DetectBufferType *exists = DetectEngineBufferTypeLookupByName(de_ctx, name);
1408  BUG_ON(!exists);
1409  exists->frame = true;
1410  SCLogDebug("%p %s -- %d supports frame inspection", exists, name, exists->id);
1411 }
1412 
1413 void DetectEngineBufferTypeSupportsPacket(DetectEngineCtx *de_ctx, const char *name)
1414 {
1415  DetectBufferType *exists = DetectEngineBufferTypeLookupByName(de_ctx, name);
1416  BUG_ON(!exists);
1417  exists->packet = true;
1418  SCLogDebug("%p %s -- %d supports packet inspection", exists, name, exists->id);
1419 }
1420 
1421 void DetectEngineBufferTypeSupportsMpm(DetectEngineCtx *de_ctx, const char *name)
1422 {
1423  DetectBufferType *exists = DetectEngineBufferTypeLookupByName(de_ctx, name);
1424  BUG_ON(!exists);
1425  exists->mpm = true;
1426  SCLogDebug("%p %s -- %d supports mpm", exists, name, exists->id);
1427 }
1428 
1429 void DetectEngineBufferTypeSupportsTransformations(DetectEngineCtx *de_ctx, const char *name)
1430 {
1431  DetectBufferType *exists = DetectEngineBufferTypeLookupByName(de_ctx, name);
1432  BUG_ON(!exists);
1433  exists->supports_transforms = true;
1434  SCLogDebug("%p %s -- %d supports transformations", exists, name, exists->id);
1435 }
1436 
1437 bool DetectEngineBufferTypeSupportsMultiInstanceGetById(const DetectEngineCtx *de_ctx, const int id)
1438 {
1439  const DetectBufferType *map = DetectEngineBufferTypeGetById(de_ctx, id);
1440  if (map == NULL)
1441  return false;
1442  SCLogDebug("map %p id %d multi_instance? %s", map, id, BOOL2STR(map->multi_instance));
1443  return map->multi_instance;
1444 }
1445 
1446 bool DetectEngineBufferTypeSupportsPacketGetById(const DetectEngineCtx *de_ctx, const int id)
1447 {
1448  const DetectBufferType *map = DetectEngineBufferTypeGetById(de_ctx, id);
1449  if (map == NULL)
1450  return false;
1451  SCLogDebug("map %p id %d packet? %d", map, id, map->packet);
1452  return map->packet;
1453 }
1454 
1455 bool DetectEngineBufferTypeSupportsMpmGetById(const DetectEngineCtx *de_ctx, const int id)
1456 {
1457  const DetectBufferType *map = DetectEngineBufferTypeGetById(de_ctx, id);
1458  if (map == NULL)
1459  return false;
1460  SCLogDebug("map %p id %d mpm? %d", map, id, map->mpm);
1461  return map->mpm;
1462 }
1463 
1464 bool DetectEngineBufferTypeSupportsFramesGetById(const DetectEngineCtx *de_ctx, const int id)
1465 {
1466  const DetectBufferType *map = DetectEngineBufferTypeGetById(de_ctx, id);
1467  if (map == NULL)
1468  return false;
1469  SCLogDebug("map %p id %d frame? %d", map, id, map->frame);
1470  return map->frame;
1471 }
1472 
1473 void DetectBufferTypeRegisterSetupCallback(const char *name,
1474  void (*SetupCallback)(const DetectEngineCtx *, Signature *))
1475 {
1476  BUG_ON(g_buffer_type_reg_closed);
1477  DetectBufferTypeRegister(name);
1478  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1479  BUG_ON(!exists);
1480  exists->SetupCallback = SetupCallback;
1481 }
1482 
1483 void DetectEngineBufferRunSetupCallback(const DetectEngineCtx *de_ctx, const int id, Signature *s)
1484 {
1485  const DetectBufferType *map = DetectEngineBufferTypeGetById(de_ctx, id);
1486  if (map && map->SetupCallback) {
1487  map->SetupCallback(de_ctx, s);
1488  }
1489 }
1490 
1491 void DetectBufferTypeRegisterValidateCallback(
1492  const char *name, bool (*ValidateCallback)(const Signature *, const char **sigerror,
1493  const DetectBufferType *))
1494 {
1495  BUG_ON(g_buffer_type_reg_closed);
1496  DetectBufferTypeRegister(name);
1497  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1498  BUG_ON(!exists);
1499  exists->ValidateCallback = ValidateCallback;
1500 }
1501 
1502 bool DetectEngineBufferRunValidateCallback(
1503  const DetectEngineCtx *de_ctx, const int id, const Signature *s, const char **sigerror)
1504 {
1505  const DetectBufferType *map = DetectEngineBufferTypeGetById(de_ctx, id);
1506  // only run validation if the buffer is not transformed
1507  if (map && map->ValidateCallback && map->transforms.cnt == 0) {
1508  return map->ValidateCallback(s, sigerror, map);
1509  }
1510  return true;
1511 }
1512 
1513 bool DetectBufferIsPresent(const Signature *s, const uint32_t buf_id)
1514 {
1515  for (uint32_t i = 0; i < s->init_data->buffer_index; i++) {
1516  if (buf_id == s->init_data->buffers[i].id) {
1517  return true;
1518  }
1519  }
1520  return false;
1521 }
1522 
1523 /** \brief Check content byte array compatibility with transforms
1524  *
1525  * The "content" array is presented to the transforms so that each
1526  * transform may validate that it's compatible with the transform.
1527  *
1528  * When a transform indicates the byte array is incompatible, none of the
1529  * subsequent transforms, if any, are invoked. This means the first validation
1530  * failure terminates the loop.
1531  *
1532  * \param de_ctx Detection engine context.
1533  * \param sm_list The SM list id.
1534  * \param content The byte array being validated
1535  * \param namestr returns the name of the transform that is incompatible with
1536  * content.
1537  *
1538  * \retval true (false) If any of the transforms indicate the byte array is
1539  * (is not) compatible.
1540  **/
1541 bool DetectEngineBufferTypeValidateTransform(DetectEngineCtx *de_ctx, int sm_list,
1542  const uint8_t *content, uint16_t content_len, const char **namestr)
1543 {
1544  const DetectBufferType *dbt = DetectEngineBufferTypeGetById(de_ctx, sm_list);
1545  BUG_ON(dbt == NULL);
1546 
1547  for (int i = 0; i < dbt->transforms.cnt; i++) {
1548  const TransformData *t = &dbt->transforms.transforms[i];
1549  if (!sigmatch_table[t->transform].TransformValidate)
1550  continue;
1551 
1552  if (sigmatch_table[t->transform].TransformValidate(content, content_len, t->options)) {
1553  continue;
1554  }
1555 
1556  if (namestr) {
1557  *namestr = sigmatch_table[t->transform].name;
1558  }
1559 
1560  return false;
1561  }
1562 
1563  return true;
1564 }
1565 
1566 static void DetectBufferTypeSetupDetectEngine(DetectEngineCtx *de_ctx)
1567 {
1568  const int size = g_buffer_type_id;
1569  BUG_ON(!(size > 0));
1570 
1571  de_ctx->buffer_type_hash_name = HashListTableInit(256, DetectBufferTypeHashNameFunc,
1572  DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc);
1573  BUG_ON(de_ctx->buffer_type_hash_name == NULL);
1574  de_ctx->buffer_type_hash_id =
1575  HashListTableInit(256, DetectBufferTypeHashIdFunc, DetectBufferTypeCompareIdFunc,
1576  NULL); // entries owned by buffer_type_hash_name
1577  BUG_ON(de_ctx->buffer_type_hash_id == NULL);
1578  de_ctx->buffer_type_id = g_buffer_type_id;
1579 
1580  SCLogDebug("DETECT_SM_LIST_DYNAMIC_START %u", DETECT_SM_LIST_DYNAMIC_START);
1581  HashListTableBucket *b = HashListTableGetListHead(g_buffer_type_hash);
1582  while (b) {
1583  DetectBufferType *map = HashListTableGetListData(b);
1584 
1585  DetectBufferType *copy = SCCalloc(1, sizeof(*copy));
1586  BUG_ON(!copy);
1587  memcpy(copy, map, sizeof(*copy));
1588  int r = HashListTableAdd(de_ctx->buffer_type_hash_name, (void *)copy, 0);
1589  BUG_ON(r != 0);
1590  r = HashListTableAdd(de_ctx->buffer_type_hash_id, (void *)copy, 0);
1591  BUG_ON(r != 0);
1592 
1593  SCLogDebug("name %s id %d mpm %s packet %s -- %s. "
1594  "Callbacks: Setup %p Validate %p",
1595  map->name, map->id, map->mpm ? "true" : "false", map->packet ? "true" : "false",
1596  map->description, map->SetupCallback, map->ValidateCallback);
1597  b = HashListTableGetListNext(b);
1598  }
1599 
1600  PrefilterInit(de_ctx);
1601  DetectMpmInitializeAppMpms(de_ctx);
1602  DetectAppLayerInspectEngineCopyListToDetectCtx(de_ctx);
1603  DetectMpmInitializeFrameMpms(de_ctx);
1604  DetectFrameInspectEngineCopyListToDetectCtx(de_ctx);
1605  DetectMpmInitializePktMpms(de_ctx);
1606  DetectPktInspectEngineCopyListToDetectCtx(de_ctx);
1607 }
1608 
1609 static void DetectBufferTypeFreeDetectEngine(DetectEngineCtx *de_ctx)
1610 {
1611  if (de_ctx) {
1612  if (de_ctx->buffer_type_hash_name)
1613  HashListTableFree(de_ctx->buffer_type_hash_name);
1614  if (de_ctx->buffer_type_hash_id)
1615  HashListTableFree(de_ctx->buffer_type_hash_id);
1616 
1617  DetectEngineAppInspectionEngine *ilist = de_ctx->app_inspect_engines;
1618  while (ilist) {
1619  DetectEngineAppInspectionEngine *next = ilist->next;
1620  SCFree(ilist);
1621  ilist = next;
1622  }
1623  DetectBufferMpmRegistry *mlist = de_ctx->app_mpms_list;
1624  while (mlist) {
1625  DetectBufferMpmRegistry *next = mlist->next;
1626  SCFree(mlist);
1627  mlist = next;
1628  }
1629  DetectEnginePktInspectionEngine *plist = de_ctx->pkt_inspect_engines;
1630  while (plist) {
1631  DetectEnginePktInspectionEngine *next = plist->next;
1632  SCFree(plist);
1633  plist = next;
1634  }
1635  DetectBufferMpmRegistry *pmlist = de_ctx->pkt_mpms_list;
1636  while (pmlist) {
1637  DetectBufferMpmRegistry *next = pmlist->next;
1638  SCFree(pmlist);
1639  pmlist = next;
1640  }
1641  DetectEngineFrameInspectionEngine *framelist = de_ctx->frame_inspect_engines;
1642  while (framelist) {
1643  DetectEngineFrameInspectionEngine *next = framelist->next;
1644  SCFree(framelist);
1645  framelist = next;
1646  }
1647  DetectBufferMpmRegistry *framemlist = de_ctx->frame_mpms_list;
1648  while (framemlist) {
1649  DetectBufferMpmRegistry *next = framemlist->next;
1650  SCFree(framemlist);
1651  framemlist = next;
1652  }
1653  PrefilterDeinit(de_ctx);
1654  }
1655 }
1656 
1657 void DetectBufferTypeCloseRegistration(void)
1658 {
1659  BUG_ON(g_buffer_type_hash == NULL);
1660 
1661  g_buffer_type_reg_closed = 1;
1662 }
1663 
1664 int DetectEngineBufferTypeGetByIdTransforms(
1665  DetectEngineCtx *de_ctx, const int id, TransformData *transforms, int transform_cnt)
1666 {
1667  const DetectBufferType *base_map = DetectEngineBufferTypeGetById(de_ctx, id);
1668  if (!base_map) {
1669  return -1;
1670  }
1671  if (!base_map->supports_transforms) {
1672  SCLogError("buffer '%s' does not support transformations", base_map->name);
1673  return -1;
1674  }
1675 
1676  SCLogDebug("base_map %s", base_map->name);
1677 
1678  DetectEngineTransforms t;
1679  memset(&t, 0, sizeof(t));
1680  for (int i = 0; i < transform_cnt; i++) {
1681  t.transforms[i] = transforms[i];
1682  }
1683  t.cnt = transform_cnt;
1684 
1685  DetectBufferType lookup_map;
1686  memset(&lookup_map, 0, sizeof(lookup_map));
1687  strlcpy(lookup_map.name, base_map->name, sizeof(lookup_map.name));
1688  lookup_map.transforms = t;
1689 
1690  /* Add transform identity data from transforms */
1691  if (t.cnt) {
1692  DetectBufferAddTransformData(&lookup_map);
1693  }
1694  DetectBufferType *res = HashListTableLookup(de_ctx->buffer_type_hash_name, &lookup_map, 0);
1695 
1696  SCLogDebug("res %p", res);
1697  if (res != NULL) {
1698  return res->id;
1699  }
1700 
1701  DetectBufferType *map = SCCalloc(1, sizeof(*map));
1702  if (map == NULL)
1703  return -1;
1704 
1705  strlcpy(map->name, base_map->name, sizeof(map->name));
1706  map->id = de_ctx->buffer_type_id++;
1707  map->parent_id = base_map->id;
1708  map->transforms = t;
1709  map->mpm = base_map->mpm;
1710  map->packet = base_map->packet;
1711  map->frame = base_map->frame;
1712  map->SetupCallback = base_map->SetupCallback;
1713  map->ValidateCallback = base_map->ValidateCallback;
1714  if (map->frame) {
1715  DetectFrameMpmRegisterByParentId(de_ctx, map->id, map->parent_id, &map->transforms);
1716  } else if (map->packet) {
1717  DetectPktMpmRegisterByParentId(de_ctx,
1718  map->id, map->parent_id, &map->transforms);
1719  } else {
1720  DetectAppLayerMpmRegisterByParentId(de_ctx,
1721  map->id, map->parent_id, &map->transforms);
1722  }
1723 
1724  BUG_ON(HashListTableAdd(de_ctx->buffer_type_hash_name, (void *)map, 0) != 0);
1725  BUG_ON(HashListTableAdd(de_ctx->buffer_type_hash_id, (void *)map, 0) != 0);
1726  SCLogDebug("buffer %s registered with id %d, parent %d", map->name, map->id, map->parent_id);
1727 
1728  if (map->frame) {
1729  DetectFrameInspectEngineCopy(de_ctx, map->parent_id, map->id, &map->transforms);
1730  } else if (map->packet) {
1731  DetectPktInspectEngineCopy(de_ctx, map->parent_id, map->id, &map->transforms);
1732  } else {
1733  DetectAppLayerInspectEngineCopy(de_ctx, map->parent_id, map->id, &map->transforms);
1734  }
1735  return map->id;
1736 }
1737 
1738 /* returns false if no match, true if match */
1739 static int DetectEngineInspectRulePacketMatches(
1740  DetectEngineThreadCtx *det_ctx,
1741  const DetectEnginePktInspectionEngine *engine,
1742  const Signature *s,
1743  Packet *p, uint8_t *_alert_flags)
1744 {
1745  SCEnter();
1746 
1747  /* run the packet match functions */
1748  KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_MATCH);
1749  const SigMatchData *smd = s->sm_arrays[DETECT_SM_LIST_MATCH];
1750 
1751  SCLogDebug("running match functions, sm %p", smd);
1752  while (1) {
1753  KEYWORD_PROFILING_START;
1754  if (sigmatch_table[smd->type].Match(det_ctx, p, s, smd->ctx) <= 0) {
1755  KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
1756  SCLogDebug("no match");
1757  return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
1758  }
1759  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
1760  if (smd->is_last) {
1761  SCLogDebug("match and is_last");
1762  break;
1763  }
1764  smd++;
1765  }
1766  return DETECT_ENGINE_INSPECT_SIG_MATCH;
1767 }
1768 
1769 static int DetectEngineInspectRulePayloadMatches(
1770  DetectEngineThreadCtx *det_ctx,
1771  const DetectEnginePktInspectionEngine *engine,
1772  const Signature *s, Packet *p, uint8_t *alert_flags)
1773 {
1774  SCEnter();
1775 
1776  DetectEngineCtx *de_ctx = det_ctx->de_ctx;
1777 
1778  KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_PMATCH);
1779  /* if we have stream msgs, inspect against those first,
1780  * but not for a "dsize" signature */
1781  if (s->flags & SIG_FLAG_REQUIRE_STREAM) {
1782  int pmatch = 0;
1783  if (p->flags & PKT_DETECT_HAS_STREAMDATA) {
1784  pmatch = DetectEngineInspectStreamPayload(de_ctx, det_ctx, s, p->flow, p);
1785  if (pmatch) {
1786  *alert_flags |= PACKET_ALERT_FLAG_STREAM_MATCH;
1787  }
1788  }
1789  /* no match? then inspect packet payload */
1790  if (pmatch == 0) {
1791  SCLogDebug("no match in stream, fall back to packet payload");
1792 
1793  /* skip if we don't have to inspect the packet and segment was
1794  * added to stream */
1795  if (!(s->flags & SIG_FLAG_REQUIRE_PACKET) && (p->flags & PKT_STREAM_ADD)) {
1796  return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
1797  }
1798  if (s->flags & SIG_FLAG_REQUIRE_STREAM_ONLY) {
1799  SCLogDebug("SIG_FLAG_REQUIRE_STREAM_ONLY, so no match");
1800  return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
1801  }
1802  if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, p) != 1) {
1803  return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
1804  }
1805  }
1806  } else {
1807  if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, p) != 1) {
1808  return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
1809  }
1810  }
1811  return DETECT_ENGINE_INSPECT_SIG_MATCH;
1812 }
1813 
1814 bool DetectEnginePktInspectionRun(ThreadVars *tv,
1815  DetectEngineThreadCtx *det_ctx, const Signature *s,
1816  Flow *f, Packet *p,
1817  uint8_t *alert_flags)
1818 {
1819  SCEnter();
1820 
1821  for (DetectEnginePktInspectionEngine *e = s->pkt_inspect; e != NULL; e = e->next) {
1822  if (e->v1.Callback(det_ctx, e, s, p, alert_flags) != DETECT_ENGINE_INSPECT_SIG_MATCH) {
1823  SCLogDebug("sid %u: e %p Callback returned no match", s->id, e);
1824  return false;
1825  }
1826  SCLogDebug("sid %u: e %p Callback returned true", s->id, e);
1827  }
1828 
1829  SCLogDebug("sid %u: returning true", s->id);
1830  return true;
1831 }
1832 
1833 /**
1834  * \param data pointer to SigMatchData. Allowed to be NULL.
1835  */
1836 static int DetectEnginePktInspectionAppend(Signature *s, InspectionBufferPktInspectFunc Callback,
1837  SigMatchData *data, const int list_id)
1838 {
1839  DetectEnginePktInspectionEngine *e = SCCalloc(1, sizeof(*e));
1840  if (e == NULL)
1841  return -1;
1842 
1843  e->mpm = s->init_data->mpm_sm_list == list_id;
1844  DEBUG_VALIDATE_BUG_ON(list_id < 0 || list_id > UINT16_MAX);
1845  e->sm_list = (uint16_t)list_id;
1846  e->sm_list_base = (uint16_t)list_id;
1847  e->v1.Callback = Callback;
1848  e->smd = data;
1849 
1850  if (s->pkt_inspect == NULL) {
1851  s->pkt_inspect = e;
1852  } else {
1853  DetectEnginePktInspectionEngine *a = s->pkt_inspect;
1854  while (a->next != NULL) {
1855  a = a->next;
1856  }
1857  a->next = e;
1858  }
1859  return 0;
1860 }
1861 
1862 int DetectEnginePktInspectionSetup(Signature *s)
1863 {
1864  /* only handle PMATCH here if we're not an app inspect rule */
1865  if (s->sm_arrays[DETECT_SM_LIST_PMATCH] && (s->init_data->init_flags & SIG_FLAG_INIT_STATE_MATCH) == 0) {
1866  if (DetectEnginePktInspectionAppend(
1867  s, DetectEngineInspectRulePayloadMatches, NULL, DETECT_SM_LIST_PMATCH) < 0)
1868  return -1;
1869  SCLogDebug("sid %u: DetectEngineInspectRulePayloadMatches appended", s->id);
1870  }
1871 
1872  if (s->sm_arrays[DETECT_SM_LIST_MATCH]) {
1873  if (DetectEnginePktInspectionAppend(
1874  s, DetectEngineInspectRulePacketMatches, NULL, DETECT_SM_LIST_MATCH) < 0)
1875  return -1;
1876  SCLogDebug("sid %u: DetectEngineInspectRulePacketMatches appended", s->id);
1877  }
1878 
1879  return 0;
1880 }
1881 
1882 /* code to control the main thread to do a reload */
1883 
1884 enum DetectEngineSyncState {
1885  IDLE, /**< ready to start a reload */
1886  RELOAD, /**< command main thread to do the reload */
1887 };
1888 
1889 
1890 typedef struct DetectEngineSyncer_ {
1891  SCMutex m;
1892  enum DetectEngineSyncState state;
1893 } DetectEngineSyncer;
1894 
1895 static DetectEngineSyncer detect_sync = { SCMUTEX_INITIALIZER, IDLE };
1896 
1897 /* tell main to start reloading */
1898 int DetectEngineReloadStart(void)
1899 {
1900  int r = 0;
1901  SCMutexLock(&detect_sync.m);
1902  if (detect_sync.state == IDLE) {
1903  detect_sync.state = RELOAD;
1904  } else {
1905  r = -1;
1906  }
1907  SCMutexUnlock(&detect_sync.m);
1908  return r;
1909 }
1910 
1911 /* main thread checks this to see if it should start */
1912 int DetectEngineReloadIsStart(void)
1913 {
1914  int r = 0;
1915  SCMutexLock(&detect_sync.m);
1916  if (detect_sync.state == RELOAD) {
1917  r = 1;
1918  }
1919  SCMutexUnlock(&detect_sync.m);
1920  return r;
1921 }
1922 
1923 /* main thread sets done when it's done */
1924 void DetectEngineReloadSetIdle(void)
1925 {
1926  SCMutexLock(&detect_sync.m);
1927  detect_sync.state = IDLE;
1928  SCMutexUnlock(&detect_sync.m);
1929 }
1930 
1931 /* caller loops this until it returns 1 */
1932 int DetectEngineReloadIsIdle(void)
1933 {
1934  int r = 0;
1935  SCMutexLock(&detect_sync.m);
1936  if (detect_sync.state == IDLE) {
1937  r = 1;
1938  }
1939  SCMutexUnlock(&detect_sync.m);
1940  return r;
1941 }
1942 
1943 /** \brief Do the content inspection & validation for a signature
1944  *
1945  * \param de_ctx Detection engine context
1946  * \param det_ctx Detection engine thread context
1947  * \param s Signature to inspect
1948  * \param sm SigMatch to inspect
1949  * \param f Flow
1950  * \param flags app layer flags
1951  * \param state App layer state
1952  *
1953  * \retval 0 no match
1954  * \retval 1 match
1955  */
1956 uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
1957  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
1958  uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
1959 {
1960  SigMatchData *smd = engine->smd;
1961  SCLogDebug("running match functions, sm %p", smd);
1962  if (smd != NULL) {
1963  while (1) {
1964  int match = 0;
1965  KEYWORD_PROFILING_START;
1966  match = sigmatch_table[smd->type].
1967  AppLayerTxMatch(det_ctx, f, flags, alstate, txv, s, smd->ctx);
1968  KEYWORD_PROFILING_END(det_ctx, smd->type, (match == 1));
1969  if (match == 0)
1970  return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
1971  if (match == 2) {
1972  return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
1973  }
1974 
1975  if (smd->is_last)
1976  break;
1977  smd++;
1978  }
1979  }
1980 
1981  return DETECT_ENGINE_INSPECT_SIG_MATCH;
1982 }
1983 
1984 /**
1985  * \brief Do the content inspection & validation for a signature
1986  *
1987  * \param de_ctx Detection engine context
1988  * \param det_ctx Detection engine thread context
1989  * \param s Signature to inspect
1990  * \param f Flow
1991  * \param flags app layer flags
1992  * \param state App layer state
1993  *
1994  * \retval 0 no match.
1995  * \retval 1 match.
1996  * \retval 2 Sig can't match.
1997  */
1998 uint8_t DetectEngineInspectBufferSingle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
1999  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
2000  void *alstate, void *txv, uint64_t tx_id)
2001 {
2002  const int list_id = engine->sm_list;
2003  SCLogDebug("running inspect on %d", list_id);
2004 
2005  const bool eof =
2006  (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) > engine->progress);
2007 
2008  SCLogDebug("list %d mpm? %s transforms %p", engine->sm_list, engine->mpm ? "true" : "false",
2009  engine->v2.transforms);
2010 
2011  /* if prefilter didn't already run, we need to consider transformations */
2012  const DetectEngineTransforms *transforms = NULL;
2013  if (!engine->mpm) {
2014  transforms = engine->v2.transforms;
2015  }
2016 
2017  const InspectionBuffer *buffer = DetectGetSingleData(
2018  det_ctx, transforms, f, flags, txv, list_id, engine->v2.GetDataSingle);
2019  if (unlikely(buffer == NULL)) {
2020  if (eof && engine->match_on_null) {
2021  return DETECT_ENGINE_INSPECT_SIG_MATCH;
2022  }
2023  return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH : DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
2024  }
2025 
2026  const uint32_t data_len = buffer->inspect_len;
2027  const uint8_t *data = buffer->inspect;
2028  const uint64_t offset = buffer->inspect_offset;
2029 
2030  uint8_t ci_flags = eof ? DETECT_CI_FLAGS_END : 0;
2031  ci_flags |= (offset == 0 ? DETECT_CI_FLAGS_START : 0);
2032  ci_flags |= buffer->flags;
2033 
2034  /* Inspect all the uricontents fetched on each
2035  * transaction at the app layer */
2036  const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, data,
2037  data_len, offset, ci_flags, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
2038  if (match) {
2039  return DETECT_ENGINE_INSPECT_SIG_MATCH;
2040  } else {
2041  return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH : DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
2042  }
2043 }
2044 
2045 /**
2046  * \brief Do the content inspection & validation for a signature
2047  *
2048  * \param de_ctx Detection engine context
2049  * \param det_ctx Detection engine thread context
2050  * \param s Signature to inspect
2051  * \param f Flow
2052  * \param flags app layer flags
2053  * \param state App layer state
2054  *
2055  * \retval 0 no match.
2056  * \retval 1 match.
2057  * \retval 2 Sig can't match.
2058  */
2059 uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
2060  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
2061  void *alstate, void *txv, uint64_t tx_id)
2062 {
2063  const int list_id = engine->sm_list;
2064  SCLogDebug("running inspect on %d", list_id);
2065 
2066  const bool eof = (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) > engine->progress);
2067 
2068  SCLogDebug("list %d mpm? %s transforms %p",
2069  engine->sm_list, engine->mpm ? "true" : "false", engine->v2.transforms);
2070 
2071  /* if prefilter didn't already run, we need to consider transformations */
2072  const DetectEngineTransforms *transforms = NULL;
2073  if (!engine->mpm) {
2074  transforms = engine->v2.transforms;
2075  }
2076 
2077  const InspectionBuffer *buffer = engine->v2.GetData(det_ctx, transforms,
2078  f, flags, txv, list_id);
2079  if (unlikely(buffer == NULL)) {
2080  if (eof && engine->match_on_null) {
2081  return DETECT_ENGINE_INSPECT_SIG_MATCH;
2082  }
2083  return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH :
2084  DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
2085  }
2086 
2087  const uint32_t data_len = buffer->inspect_len;
2088  const uint8_t *data = buffer->inspect;
2089  const uint64_t offset = buffer->inspect_offset;
2090 
2091  uint8_t ci_flags = eof ? DETECT_CI_FLAGS_END : 0;
2092  ci_flags |= (offset == 0 ? DETECT_CI_FLAGS_START : 0);
2093  ci_flags |= buffer->flags;
2094 
2095  /* Inspect all the uricontents fetched on each
2096  * transaction at the app layer */
2097  const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, data,
2098  data_len, offset, ci_flags, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
2099  if (match) {
2100  return DETECT_ENGINE_INSPECT_SIG_MATCH;
2101  } else {
2102  return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH :
2103  DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
2104  }
2105 }
2106 
2107 // wrapper for both DetectAppLayerInspectEngineRegister and DetectAppLayerMpmRegister
2108 // with cast of callback function
2109 void DetectAppLayerMultiRegister(const char *name, AppProto alproto, uint32_t dir, int progress,
2110  InspectionMultiBufferGetDataPtr GetData, int priority)
2111 {
2112  AppLayerInspectEngineRegisterInternal(name, alproto, dir, progress,
2113  DetectEngineInspectMultiBufferGeneric, NULL, NULL, GetData);
2114  DetectAppLayerMpmMultiRegister(
2115  name, dir, priority, PrefilterMultiGenericMpmRegister, GetData, alproto, progress);
2116 }
2117 
2118 InspectionBuffer *DetectGetSingleData(struct DetectEngineThreadCtx_ *det_ctx,
2119  const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
2120  const int list_id, InspectionSingleBufferGetDataPtr GetBuf)
2121 {
2122  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
2123  if (buffer->inspect == NULL) {
2124  const uint8_t *b = NULL;
2125  uint32_t b_len = 0;
2126 
2127  if (!GetBuf(txv, flow_flags, &b, &b_len))
2128  return NULL;
2129 
2130  InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
2131  }
2132  return buffer;
2133 }
2134 
2135 InspectionBuffer *DetectGetMultiData(struct DetectEngineThreadCtx_ *det_ctx,
2136  const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
2137  const int list_id, uint32_t index, InspectionMultiBufferGetDataPtr GetBuf)
2138 {
2139  InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, index);
2140  if (buffer == NULL) {
2141  return NULL;
2142  }
2143  if (buffer->initialized) {
2144  return buffer;
2145  }
2146 
2147  const uint8_t *data = NULL;
2148  uint32_t data_len = 0;
2149 
2150  if (!GetBuf(det_ctx, txv, flow_flags, index, &data, &data_len)) {
2151  InspectionBufferSetupMultiEmpty(buffer);
2152  return NULL;
2153  }
2154  InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len);
2155  buffer->flags = DETECT_CI_FLAGS_SINGLE;
2156  return buffer;
2157 }
2158 
2159 uint8_t DetectEngineInspectMultiBufferGeneric(DetectEngineCtx *de_ctx,
2160  DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine,
2161  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
2162 {
2163  uint32_t local_id = 0;
2164  const DetectEngineTransforms *transforms = NULL;
2165  if (!engine->mpm) {
2166  transforms = engine->v2.transforms;
2167  }
2168 
2169  do {
2170  InspectionBuffer *buffer = DetectGetMultiData(det_ctx, transforms, f, flags, txv,
2171  engine->sm_list, local_id, engine->v2.GetMultiData);
2172 
2173  if (buffer == NULL || buffer->inspect == NULL)
2174  break;
2175 
2176  // The GetData functions set buffer->flags to DETECT_CI_FLAGS_SINGLE
2177  // This is not meant for streaming buffers
2178  const bool match = DetectEngineContentInspectionBuffer(de_ctx, det_ctx, s, engine->smd,
2179  NULL, f, buffer, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
2180  if (match) {
2181  return DETECT_ENGINE_INSPECT_SIG_MATCH;
2182  }
2183  local_id++;
2184  } while (1);
2185  if (local_id == 0) {
2186  // That means we did not get even one buffer value from the multi-buffer
2187  const bool eof = (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) >
2188  engine->progress);
2189  if (eof && engine->match_on_null) {
2190  return DETECT_ENGINE_INSPECT_SIG_MATCH;
2191  }
2192  }
2193  return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
2194 }
2195 
2196 /**
2197  * \brief Do the content inspection & validation for a signature
2198  *
2199  * \param de_ctx Detection engine context
2200  * \param det_ctx Detection engine thread context
2201  * \param s Signature to inspect
2202  * \param p Packet
2203  *
2204  * \retval 0 no match.
2205  * \retval 1 match.
2206  */
2207 int DetectEngineInspectPktBufferGeneric(
2208  DetectEngineThreadCtx *det_ctx,
2209  const DetectEnginePktInspectionEngine *engine,
2210  const Signature *s, Packet *p, uint8_t *_alert_flags)
2211 {
2212  const int list_id = engine->sm_list;
2213  SCLogDebug("running inspect on %d", list_id);
2214 
2215  SCLogDebug("list %d transforms %p",
2216  engine->sm_list, engine->v1.transforms);
2217 
2218  /* if prefilter didn't already run, we need to consider transformations */
2219  const DetectEngineTransforms *transforms = NULL;
2220  if (!engine->mpm) {
2221  transforms = engine->v1.transforms;
2222  }
2223 
2224  const InspectionBuffer *buffer = engine->v1.GetData(det_ctx, transforms, p,
2225  list_id);
2226  if (unlikely(buffer == NULL)) {
2227  return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
2228  }
2229 
2230  uint8_t ci_flags = DETECT_CI_FLAGS_START|DETECT_CI_FLAGS_END;
2231  ci_flags |= buffer->flags;
2232 
2233  /* Inspect all the uricontents fetched on each
2234  * transaction at the app layer */
2235  const bool match = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx, s, engine->smd, p,
2236  p->flow, buffer->inspect, buffer->inspect_len, 0, ci_flags,
2237  DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER);
2238  if (match) {
2239  return DETECT_ENGINE_INSPECT_SIG_MATCH;
2240  } else {
2241  return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
2242  }
2243 }
2244 
2245 /** \internal
2246  * \brief inject a pseudo packet into each detect thread
2247  * if the thread should flush its output logs.
2248  */
2249 void InjectPacketsForFlush(ThreadVars **detect_tvs, int no_of_detect_tvs)
2250 {
2251  /* inject a fake packet if the detect thread that needs it. This function
2252  * is called when a heartbeat log-flush request has been made
2253  * and it should process a pseudo packet and flush its output logs
2254  * to speed the process. */
2255 #if DEBUG
2256  int count = 0;
2257 #endif
2258  for (int i = 0; i < no_of_detect_tvs; i++) {
2259  if (detect_tvs[i]) { // && detect_tvs[i]->inq != NULL) {
2260  Packet *p = PacketGetFromAlloc();
2261  if (p != NULL) {
2262  SCLogDebug("Injecting pkt for tv %s[i=%d] %d", detect_tvs[i]->name, i, count++);
2263  p->flags |= PKT_PSEUDO_STREAM_END;
2264  p->flags |= PKT_PSEUDO_LOG_FLUSH;
2265  PKT_SET_SRC(p, PKT_SRC_DETECT_RELOAD_FLUSH);
2266  PacketQueue *q = detect_tvs[i]->stream_pq;
2267  SCMutexLock(&q->mutex_q);
2268  PacketEnqueue(q, p);
2269  SCCondSignal(&q->cond_q);
2270  SCMutexUnlock(&q->mutex_q);
2271  }
2272  }
2273  }
2274  SCLogDebug("leaving: thread notification count = %d", count);
2275 }
2276 
2277 /** \internal
2278  * \brief inject a pseudo packet into each detect thread
2279  * -that doesn't use the new det_ctx yet
2280  * -*or*, if the thread should flush its output logs.
2281  */
2282 static void InjectPackets(
2283  ThreadVars **detect_tvs, DetectEngineThreadCtx **new_det_ctx, int no_of_detect_tvs)
2284 {
2285  /* inject a fake packet if the detect thread that needs it. This function
2286  * is called if
2287  * - A thread isn't using a DE ctx and should
2288  * - Or, it should process a pseudo packet and flush its output logs.
2289  * to speed the process. */
2290  for (int i = 0; i < no_of_detect_tvs; i++) {
2291  if (SC_ATOMIC_GET(new_det_ctx[i]->so_far_used_by_detect) != 1) {
2292  if (detect_tvs[i]->inq != NULL) {
2293  Packet *p = PacketGetFromAlloc();
2294  if (p != NULL) {
2295  p->flags |= PKT_PSEUDO_STREAM_END;
2296  PKT_SET_SRC(p, PKT_SRC_DETECT_RELOAD_FLUSH);
2297  PacketQueue *q = detect_tvs[i]->inq->pq;
2298  SCMutexLock(&q->mutex_q);
2299  PacketEnqueue(q, p);
2300  SCCondSignal(&q->cond_q);
2301  SCMutexUnlock(&q->mutex_q);
2302  }
2303  }
2304  }
2305  }
2306 }
2307 
2308 /** \internal
2309  * \brief Update detect threads with new detect engine
2310  *
2311  * Atomically update each detect thread with a new thread context
2312  * that is associated to the new detection engine(s).
2313  *
2314  * If called in unix socket mode, it's possible that we don't have
2315  * detect threads yet.
2316  *
2317  * \retval -1 error
2318  * \retval 0 no detection threads
2319  * \retval 1 successful reload
2320  */
2321 static int DetectEngineReloadThreads(DetectEngineCtx *new_de_ctx)
2322 {
2323  SCEnter();
2324  uint32_t i = 0;
2325 
2326  /* count detect threads in use */
2327  uint32_t no_of_detect_tvs = TmThreadCountThreadsByTmmFlags(TM_FLAG_FLOWWORKER_TM);
2328  /* can be zero in unix socket mode */
2329  if (no_of_detect_tvs == 0) {
2330  return 0;
2331  }
2332 
2333  /* prepare swap structures */
2334  DetectEngineThreadCtx *old_det_ctx[no_of_detect_tvs];
2335  DetectEngineThreadCtx *new_det_ctx[no_of_detect_tvs];
2336  ThreadVars *detect_tvs[no_of_detect_tvs];
2337  memset(old_det_ctx, 0x00, (no_of_detect_tvs * sizeof(DetectEngineThreadCtx *)));
2338  memset(new_det_ctx, 0x00, (no_of_detect_tvs * sizeof(DetectEngineThreadCtx *)));
2339  memset(detect_tvs, 0x00, (no_of_detect_tvs * sizeof(ThreadVars *)));
2340 
2341  /* start the process of swapping detect threads ctxs */
2342 
2343  /* get reference to tv's and setup new_det_ctx array */
2344  SCMutexLock(&tv_root_lock);
2345  for (ThreadVars *tv = tv_root[TVT_PPT]; tv != NULL; tv = tv->next) {
2346  if ((tv->tmm_flags & TM_FLAG_FLOWWORKER_TM) == 0) {
2347  continue;
2348  }
2349  for (TmSlot *s = tv->tm_slots; s != NULL; s = s->slot_next) {
2350  TmModule *tm = TmModuleGetById(s->tm_id);
2351  if (!(tm->flags & TM_FLAG_FLOWWORKER_TM)) {
2352  continue;
2353  }
2354 
2355  if (suricata_ctl_flags != 0) {
2356  SCMutexUnlock(&tv_root_lock);
2357  goto error;
2358  }
2359 
2360  old_det_ctx[i] = FlowWorkerGetDetectCtxPtr(SC_ATOMIC_GET(s->slot_data));
2361  detect_tvs[i] = tv;
2362 
2363  new_det_ctx[i] = DetectEngineThreadCtxInitForReload(tv, new_de_ctx, 1);
2364  if (new_det_ctx[i] == NULL) {
2365  SCLogError("Detect engine thread init "
2366  "failure in live rule swap. Let's get out of here");
2367  SCMutexUnlock(&tv_root_lock);
2368  goto error;
2369  }
2370  SCLogDebug("live rule swap created new det_ctx - %p and de_ctx "
2371  "- %p\n", new_det_ctx[i], new_de_ctx);
2372  i++;
2373  break;
2374  }
2375  }
2376  BUG_ON(i != no_of_detect_tvs);
2377 
2378  /* atomically replace the det_ctx data */
2379  i = 0;
2380  for (ThreadVars *tv = tv_root[TVT_PPT]; tv != NULL; tv = tv->next) {
2381  if ((tv->tmm_flags & TM_FLAG_FLOWWORKER_TM) == 0) {
2382  continue;
2383  }
2384  for (TmSlot *s = tv->tm_slots; s != NULL; s = s->slot_next) {
2385  TmModule *tm = TmModuleGetById(s->tm_id);
2386  if (!(tm->flags & TM_FLAG_FLOWWORKER_TM)) {
2387  continue;
2388  }
2389  SCLogDebug("swapping new det_ctx - %p with older one - %p",
2390  new_det_ctx[i], SC_ATOMIC_GET(s->slot_data));
2391  FlowWorkerReplaceDetectCtx(SC_ATOMIC_GET(s->slot_data), new_det_ctx[i++]);
2392  break;
2393  }
2394  }
2395  SCMutexUnlock(&tv_root_lock);
2396 
2397  /* threads now all have new data, however they may not have started using
2398  * it and may still use the old data */
2399 
2400  SCLogDebug("Live rule swap has swapped %d old det_ctx's with new ones, "
2401  "along with the new de_ctx", no_of_detect_tvs);
2402 
2403  InjectPackets(detect_tvs, new_det_ctx, no_of_detect_tvs);
2404 
2405  /* loop waiting for detect threads to switch to the new det_ctx. Try to
2406  * wake up capture if needed (break loop). */
2407  uint32_t threads_done = 0;
2408 retry:
2409  for (i = 0; i < no_of_detect_tvs; i++) {
2410  if (suricata_ctl_flags != 0) {
2411  threads_done = no_of_detect_tvs;
2412  break;
2413  }
2414  SleepMsec(1);
2415  if (SC_ATOMIC_GET(new_det_ctx[i]->so_far_used_by_detect) == 1) {
2416  SCLogDebug("new_det_ctx - %p used by detect engine", new_det_ctx[i]);
2417  threads_done++;
2418  } else {
2419  TmThreadsCaptureBreakLoop(detect_tvs[i]);
2420  }
2421  }
2422  if (threads_done < no_of_detect_tvs) {
2423  threads_done = 0;
2424  SleepMsec(250);
2425  goto retry;
2426  }
2427 
2428  /* this is to make sure that if someone initiated shutdown during a live
2429  * rule swap, the live rule swap won't clean up the old det_ctx and
2430  * de_ctx, till all detect threads have stopped working and sitting
2431  * silently after setting RUNNING_DONE flag and while waiting for
2432  * THV_DEINIT flag */
2433  if (i != no_of_detect_tvs) { // not all threads we swapped
2434  for (ThreadVars *tv = tv_root[TVT_PPT]; tv != NULL; tv = tv->next) {
2435  if ((tv->tmm_flags & TM_FLAG_FLOWWORKER_TM) == 0) {
2436  continue;
2437  }
2438 
2439  while (!TmThreadsCheckFlag(tv, THV_RUNNING_DONE)) {
2440  SleepUsec(100);
2441  }
2442  }
2443  }
2444 
2445  /* free all the ctxs */
2446  for (i = 0; i < no_of_detect_tvs; i++) {
2447  SCLogDebug("Freeing old_det_ctx - %p used by detect",
2448  old_det_ctx[i]);
2449  DetectEngineThreadCtxDeinit(NULL, old_det_ctx[i]);
2450  }
2451 
2452  SRepReloadComplete();
2453 
2454  return 1;
2455 
2456  error:
2457  for (i = 0; i < no_of_detect_tvs; i++) {
2458  if (new_det_ctx[i] != NULL)
2459  DetectEngineThreadCtxDeinit(NULL, new_det_ctx[i]);
2460  }
2461  return -1;
2462 }
2463 
2464 bool DetectEngineMpmCachingEnabled(void)
2465 {
2466  int sgh_mpm_caching = 0;
2467  if (SCConfGetBool("detect.sgh-mpm-caching", &sgh_mpm_caching) != 1) {
2468  return false;
2469  }
2470  return (bool)sgh_mpm_caching;
2471 }
2472 
2473 const char *DetectEngineMpmCachingGetPath(void)
2474 {
2475  if (DetectEngineMpmCachingEnabled() == false) {
2476  return NULL;
2477  }
2478 
2479  char yamlpath[] = "detect.sgh-mpm-caching-path";
2480  const char *strval = NULL;
2481  if (SCConfGet(yamlpath, &strval) == 1 && strval != NULL) {
2482  return strval;
2483  }
2484 
2485  static bool notified = false;
2486  if (!notified) {
2487  SCLogInfo("%s has no path specified, using %s", yamlpath, SGH_CACHE_DIR);
2488  notified = true;
2489  }
2490  return SGH_CACHE_DIR;
2491 }
2492 
2493 static DetectEngineCtx *DetectEngineCtxInitReal(
2494  enum DetectEngineType type, const char *prefix, uint32_t tenant_id)
2495 {
2496  DetectEngineCtx *de_ctx = SCCalloc(1, sizeof(DetectEngineCtx));
2497  if (unlikely(de_ctx == NULL))
2498  goto error;
2499 
2500  memset(&de_ctx->sig_stat, 0, sizeof(SigFileLoaderStat));
2501  TAILQ_INIT(&de_ctx->sig_stat.failed_sigs);
2502  de_ctx->sigerror = NULL;
2503  de_ctx->type = type;
2504  de_ctx->filemagic_thread_ctx_id = -1;
2505  de_ctx->tenant_id = tenant_id;
2506 
2507  if (type == DETECT_ENGINE_TYPE_DD_STUB || type == DETECT_ENGINE_TYPE_MT_STUB) {
2508  de_ctx->version = DetectEngineGetVersion();
2509  SCLogDebug("stub %u with version %u", type, de_ctx->version);
2510  return de_ctx;
2511  }
2512 
2513  if (prefix != NULL) {
2514  strlcpy(de_ctx->config_prefix, prefix, sizeof(de_ctx->config_prefix));
2515  }
2516 
2517  int failure_fatal = 0;
2518  if (SCConfGetBool("engine.init-failure-fatal", (int *)&failure_fatal) != 1) {
2519  SCLogDebug("ConfGetBool could not load the value.");
2520  }
2521  de_ctx->failure_fatal = (failure_fatal == 1);
2522 
2523  de_ctx->mpm_matcher = PatternMatchDefaultMatcher();
2524  de_ctx->spm_matcher = SinglePatternMatchDefaultMatcher();
2525  SCLogConfig("pattern matchers: MPM: %s, SPM: %s",
2526  mpm_table[de_ctx->mpm_matcher].name,
2527  spm_table[de_ctx->spm_matcher].name);
2528 
2529  if (mpm_table[de_ctx->mpm_matcher].ConfigInit) {
2530  de_ctx->mpm_cfg = mpm_table[de_ctx->mpm_matcher].ConfigInit();
2531  if (de_ctx->mpm_cfg == NULL) {
2532  goto error;
2533  }
2534  }
2535  if (DetectEngineMpmCachingEnabled() && mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet) {
2536  mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet(
2537  de_ctx->mpm_cfg, DetectEngineMpmCachingGetPath());
2538  }
2539 
2540  de_ctx->spm_global_thread_ctx = SpmInitGlobalThreadCtx(de_ctx->spm_matcher);
2541  if (de_ctx->spm_global_thread_ctx == NULL) {
2542  SCLogDebug("Unable to alloc SpmGlobalThreadCtx.");
2543  goto error;
2544  }
2545 
2546  de_ctx->sm_types_prefilter = SCCalloc(DETECT_TBLSIZE, sizeof(bool));
2547  if (de_ctx->sm_types_prefilter == NULL) {
2548  goto error;
2549  }
2550  de_ctx->sm_types_silent_error = SCCalloc(DETECT_TBLSIZE, sizeof(bool));
2551  if (de_ctx->sm_types_silent_error == NULL) {
2552  goto error;
2553  }
2554  if (DetectEngineCtxLoadConf(de_ctx) == -1) {
2555  goto error;
2556  }
2557 
2558  SigGroupHeadHashInit(de_ctx);
2559  MpmStoreInit(de_ctx);
2560  DetectParseDupSigHashInit(de_ctx);
2561  DetectAddressMapInit(de_ctx);
2562  DetectMetadataHashInit(de_ctx);
2563  DetectBufferTypeSetupDetectEngine(de_ctx);
2564  DetectEngineInitializeFastPatternList(de_ctx);
2565 
2566  /* init iprep... ignore errors for now */
2567  (void)SRepInit(de_ctx);
2568 
2569  SCClassSCConfInit(de_ctx);
2570  if (!SCClassConfLoadClassificationConfigFile(de_ctx, NULL)) {
2571  if (SCRunmodeGet() == RUNMODE_CONF_TEST)
2572  goto error;
2573  }
2574 
2575  if (ActionInitConfig() < 0) {
2576  goto error;
2577  }
2578  SCReferenceSCConfInit(de_ctx);
2579  if (SCRConfLoadReferenceConfigFile(de_ctx, NULL) < 0) {
2580  if (SCRunmodeGet() == RUNMODE_CONF_TEST)
2581  goto error;
2582  }
2583 
2584  de_ctx->version = DetectEngineGetVersion();
2585  SCLogDebug("dectx with version %u", de_ctx->version);
2586  return de_ctx;
2587 error:
2588  if (de_ctx != NULL) {
2589  DetectEngineCtxFree(de_ctx);
2590  }
2591  return NULL;
2592 }
2593 
2594 DetectEngineCtx *DetectEngineCtxInitStubForMT(void)
2595 {
2596  return DetectEngineCtxInitReal(DETECT_ENGINE_TYPE_MT_STUB, NULL, 0);
2597 }
2598 
2599 DetectEngineCtx *DetectEngineCtxInitStubForDD(void)
2600 {
2601  return DetectEngineCtxInitReal(DETECT_ENGINE_TYPE_DD_STUB, NULL, 0);
2602 }
2603 
2604 DetectEngineCtx *DetectEngineCtxInit(void)
2605 {
2606  return DetectEngineCtxInitReal(DETECT_ENGINE_TYPE_NORMAL, NULL, 0);
2607 }
2608 
2609 DetectEngineCtx *DetectEngineCtxInitWithPrefix(const char *prefix, uint32_t tenant_id)
2610 {
2611  if (prefix == NULL || strlen(prefix) == 0)
2612  return DetectEngineCtxInit();
2613  else
2614  return DetectEngineCtxInitReal(DETECT_ENGINE_TYPE_NORMAL, prefix, tenant_id);
2615 }
2616 
2617 static void DetectEngineCtxFreeThreadKeywordData(DetectEngineCtx *de_ctx)
2618 {
2619  HashListTableFree(de_ctx->keyword_hash);
2620 }
2621 
2622 static void DetectEngineCtxFreeFailedSigs(DetectEngineCtx *de_ctx)
2623 {
2624  SigString *item = NULL;
2625  SigString *sitem;
2626 
2627  TAILQ_FOREACH_SAFE(item, &de_ctx->sig_stat.failed_sigs, next, sitem) {
2628  SCFree(item->filename);
2629  SCFree(item->sig_str);
2630  if (item->sig_error) {
2631  SCFree(item->sig_error);
2632  }
2633  TAILQ_REMOVE(&de_ctx->sig_stat.failed_sigs, item, next);
2634  SCFree(item);
2635  }
2636 }
2637 
2638 /**
2639  * \brief Free a DetectEngineCtx::
2640  *
2641  * \param de_ctx DetectEngineCtx:: to be freed
2642  */
2643 void DetectEngineCtxFree(DetectEngineCtx *de_ctx)
2644 {
2645 
2646  if (de_ctx == NULL)
2647  return;
2648 
2649 #ifdef PROFILE_RULES
2650  if (de_ctx->profile_ctx != NULL) {
2651  SCProfilingRuleDestroyCtx(de_ctx->profile_ctx);
2652  de_ctx->profile_ctx = NULL;
2653  }
2654 #endif
2655 #ifdef PROFILING
2656  if (de_ctx->profile_keyword_ctx != NULL) {
2657  SCProfilingKeywordDestroyCtx(de_ctx);//->profile_keyword_ctx);
2658 // de_ctx->profile_keyword_ctx = NULL;
2659  }
2660  if (de_ctx->profile_sgh_ctx != NULL) {
2661  SCProfilingSghDestroyCtx(de_ctx);
2662  }
2663  SCProfilingPrefilterDestroyCtx(de_ctx);
2664 #endif
2665 
2666  if (mpm_table[de_ctx->mpm_matcher].ConfigDeinit) {
2667  mpm_table[de_ctx->mpm_matcher].ConfigDeinit(&de_ctx->mpm_cfg);
2668  }
2669  /* Normally the hashes are freed elsewhere, but
2670  * to be sure look at them again here.
2671  */
2672  SigGroupHeadHashFree(de_ctx);
2673  MpmStoreFree(de_ctx);
2674  DetectParseDupSigHashFree(de_ctx);
2675  SCSigSignatureOrderingModuleCleanup(de_ctx);
2676  SigCleanSignatures(de_ctx);
2677  if (de_ctx->sig_array)
2678  SCFree(de_ctx->sig_array);
2679 
2680  if (de_ctx->filedata_config)
2681  SCFree(de_ctx->filedata_config);
2682 
2683  DetectEngineFreeFastPatternList(de_ctx);
2684  SCClassConfDeInitContext(de_ctx);
2685  SCRConfDeInitContext(de_ctx);
2686 
2687  SigGroupCleanup(de_ctx);
2688 
2689  SpmDestroyGlobalThreadCtx(de_ctx->spm_global_thread_ctx);
2690  SCFree(de_ctx->sm_types_prefilter);
2691  SCFree(de_ctx->sm_types_silent_error);
2692 
2693  MpmFactoryDeRegisterAllMpmCtxProfiles(de_ctx);
2694 
2695  DetectEngineCtxFreeThreadKeywordData(de_ctx);
2696  SRepDestroy(de_ctx);
2697  DetectEngineCtxFreeFailedSigs(de_ctx);
2698 
2699  DetectAddressMapFree(de_ctx);
2700  DetectMetadataHashFree(de_ctx);
2701 
2702  /* if we have a config prefix, remove the config from the tree */
2703  if (strlen(de_ctx->config_prefix) > 0) {
2704  /* remove config */
2705  SCConfNode *node = SCConfGetNode(de_ctx->config_prefix);
2706  if (node != NULL) {
2707  SCConfNodeRemove(node); /* frees node */
2708  }
2709 #if 0
2710  ConfDump();
2711 #endif
2712  }
2713 
2714  DetectPortCleanupList(de_ctx, de_ctx->tcp_priorityports);
2715  DetectPortCleanupList(de_ctx, de_ctx->udp_priorityports);
2716 
2717  DetectBufferTypeFreeDetectEngine(de_ctx);
2718  SCClassConfDeinit(de_ctx);
2719  SCReferenceConfDeinit(de_ctx);
2720 
2721  if (de_ctx->tenant_path) {
2722  SCFree(de_ctx->tenant_path);
2723  }
2724 
2725  if (de_ctx->requirements) {
2726  SCDetectRequiresStatusFree(de_ctx->requirements);
2727  }
2728 
2729  if (de_ctx->non_pf_engine_names) {
2730  HashTableFree(de_ctx->non_pf_engine_names);
2731  }
2732  SCFree(de_ctx);
2733  //DetectAddressGroupPrintMemory();
2734  //DetectSigGroupPrintMemory();
2735  //DetectPortPrintMemory();
2736 }
2737 
2738 /** \brief Function that load DetectEngineCtx config for grouping sigs
2739  * used by the engine
2740  * \retval 0 if no config provided, 1 if config was provided
2741  * and loaded successfully
2742  */
2743 static int DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
2744 {
2745  uint8_t profile = ENGINE_PROFILE_MEDIUM;
2746  const char *max_uniq_toclient_groups_str = NULL;
2747  const char *max_uniq_toserver_groups_str = NULL;
2748  const char *sgh_mpm_context = NULL;
2749  const char *de_ctx_profile = NULL;
2750 
2751  (void)SCConfGet("detect.profile", &de_ctx_profile);
2752  (void)SCConfGet("detect.sgh-mpm-context", &sgh_mpm_context);
2753 
2754  SCConfNode *de_ctx_custom = SCConfGetNode("detect-engine");
2755  SCConfNode *opt = NULL;
2756 
2757  if (de_ctx_custom != NULL) {
2758  TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
2759  if (de_ctx_profile == NULL) {
2760  if (opt->val && strcmp(opt->val, "profile") == 0) {
2761  de_ctx_profile = opt->head.tqh_first->val;
2762  }
2763  }
2764 
2765  if (sgh_mpm_context == NULL) {
2766  if (opt->val && strcmp(opt->val, "sgh-mpm-context") == 0) {
2767  sgh_mpm_context = opt->head.tqh_first->val;
2768  }
2769  }
2770  }
2771  }
2772 
2773  if (de_ctx_profile != NULL) {
2774  if (strcmp(de_ctx_profile, "low") == 0 ||
2775  strcmp(de_ctx_profile, "lowest") == 0) { // legacy
2776  profile = ENGINE_PROFILE_LOW;
2777  } else if (strcmp(de_ctx_profile, "medium") == 0) {
2778  profile = ENGINE_PROFILE_MEDIUM;
2779  } else if (strcmp(de_ctx_profile, "high") == 0 ||
2780  strcmp(de_ctx_profile, "highest") == 0) { // legacy
2781  profile = ENGINE_PROFILE_HIGH;
2782  } else if (strcmp(de_ctx_profile, "custom") == 0) {
2783  profile = ENGINE_PROFILE_CUSTOM;
2784  } else {
2785  SCLogError("invalid value for detect.profile: '%s'. "
2786  "Valid options: low, medium, high and custom.",
2787  de_ctx_profile);
2788  return -1;
2789  }
2790 
2791  SCLogDebug("Profile for detection engine groups is \"%s\"", de_ctx_profile);
2792  } else {
2793  SCLogDebug("Profile for detection engine groups not provided "
2794  "at suricata.yaml. Using default (\"medium\").");
2795  }
2796 
2797  /* detect-engine.sgh-mpm-context option parsing */
2798  if (sgh_mpm_context == NULL || strcmp(sgh_mpm_context, "auto") == 0) {
2799  /* for now, since we still haven't implemented any intelligence into
2800  * understanding the patterns and distributing mpm_ctx across sgh */
2801  if (de_ctx->mpm_matcher == MPM_AC || de_ctx->mpm_matcher == MPM_AC_KS ||
2802  de_ctx->mpm_matcher == MPM_HS) {
2803  de_ctx->sgh_mpm_ctx_cnf = ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE;
2804  } else {
2805  de_ctx->sgh_mpm_ctx_cnf = ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL;
2806  }
2807  } else {
2808  if (strcmp(sgh_mpm_context, "single") == 0) {
2809  de_ctx->sgh_mpm_ctx_cnf = ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE;
2810  } else if (strcmp(sgh_mpm_context, "full") == 0) {
2811  de_ctx->sgh_mpm_ctx_cnf = ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL;
2812  } else {
2813  SCLogError("You have supplied an "
2814  "invalid conf value for detect-engine.sgh-mpm-context-"
2815  "%s",
2816  sgh_mpm_context);
2817  exit(EXIT_FAILURE);
2818  }
2819  }
2820 
2821  if (RunmodeIsUnittests()) {
2822  de_ctx->sgh_mpm_ctx_cnf = ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL;
2823  }
2824 
2825  /* parse profile custom-values */
2826  opt = NULL;
2827  switch (profile) {
2828  case ENGINE_PROFILE_LOW:
2829  de_ctx->max_uniq_toclient_groups = 15;
2830  de_ctx->max_uniq_toserver_groups = 25;
2831  break;
2832 
2833  case ENGINE_PROFILE_HIGH:
2834  de_ctx->max_uniq_toclient_groups = 75;
2835  de_ctx->max_uniq_toserver_groups = 75;
2836  break;
2837 
2838  case ENGINE_PROFILE_CUSTOM:
2839  (void)SCConfGet("detect.custom-values.toclient-groups", &max_uniq_toclient_groups_str);
2840  (void)SCConfGet("detect.custom-values.toserver-groups", &max_uniq_toserver_groups_str);
2841 
2842  if (de_ctx_custom != NULL) {
2843  TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
2844  if (opt->val && strcmp(opt->val, "custom-values") == 0) {
2845  if (max_uniq_toclient_groups_str == NULL) {
2846  max_uniq_toclient_groups_str = (char *)SCConfNodeLookupChildValue(
2847  opt->head.tqh_first, "toclient-sp-groups");
2848  }
2849  if (max_uniq_toclient_groups_str == NULL) {
2850  max_uniq_toclient_groups_str = (char *)SCConfNodeLookupChildValue(
2851  opt->head.tqh_first, "toclient-groups");
2852  }
2853  if (max_uniq_toserver_groups_str == NULL) {
2854  max_uniq_toserver_groups_str = (char *)SCConfNodeLookupChildValue(
2855  opt->head.tqh_first, "toserver-dp-groups");
2856  }
2857  if (max_uniq_toserver_groups_str == NULL) {
2858  max_uniq_toserver_groups_str = (char *)SCConfNodeLookupChildValue(
2859  opt->head.tqh_first, "toserver-groups");
2860  }
2861  }
2862  }
2863  }
2864  if (max_uniq_toclient_groups_str != NULL) {
2865  if (StringParseUint16(&de_ctx->max_uniq_toclient_groups, 10,
2866  (uint16_t)strlen(max_uniq_toclient_groups_str),
2867  (const char *)max_uniq_toclient_groups_str) <= 0) {
2868  de_ctx->max_uniq_toclient_groups = 20;
2869 
2870  SCLogWarning("parsing '%s' for "
2871  "toclient-groups failed, using %u",
2872  max_uniq_toclient_groups_str, de_ctx->max_uniq_toclient_groups);
2873  }
2874  } else {
2875  de_ctx->max_uniq_toclient_groups = 20;
2876  }
2877  SCLogConfig("toclient-groups %u", de_ctx->max_uniq_toclient_groups);
2878 
2879  if (max_uniq_toserver_groups_str != NULL) {
2880  if (StringParseUint16(&de_ctx->max_uniq_toserver_groups, 10,
2881  (uint16_t)strlen(max_uniq_toserver_groups_str),
2882  (const char *)max_uniq_toserver_groups_str) <= 0) {
2883  de_ctx->max_uniq_toserver_groups = 40;
2884 
2885  SCLogWarning("parsing '%s' for "
2886  "toserver-groups failed, using %u",
2887  max_uniq_toserver_groups_str, de_ctx->max_uniq_toserver_groups);
2888  }
2889  } else {
2890  de_ctx->max_uniq_toserver_groups = 40;
2891  }
2892  SCLogConfig("toserver-groups %u", de_ctx->max_uniq_toserver_groups);
2893  break;
2894 
2895  /* Default (or no config provided) is profile medium */
2896  case ENGINE_PROFILE_MEDIUM:
2897  case ENGINE_PROFILE_UNKNOWN:
2898  default:
2899  de_ctx->max_uniq_toclient_groups = 20;
2900  de_ctx->max_uniq_toserver_groups = 40;
2901  break;
2902  }
2903 
2904  intmax_t value = 0;
2905  de_ctx->inspection_recursion_limit = DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT;
2906  if (SCConfGetInt("detect.inspection-recursion-limit", &value) == 1) {
2907  if (value >= 0 && value <= INT_MAX) {
2908  de_ctx->inspection_recursion_limit = (int)value;
2909  }
2910 
2911  /* fall back to old config parsing */
2912  } else {
2913  SCConfNode *insp_recursion_limit_node = NULL;
2914  char *insp_recursion_limit = NULL;
2915 
2916  if (de_ctx_custom != NULL) {
2917  opt = NULL;
2918  TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
2919  if (opt->val && strcmp(opt->val, "inspection-recursion-limit") != 0)
2920  continue;
2921 
2922  insp_recursion_limit_node = SCConfNodeLookupChild(opt, opt->val);
2923  if (insp_recursion_limit_node == NULL) {
2924  SCLogError("Error retrieving conf "
2925  "entry for detect-engine:inspection-recursion-limit");
2926  break;
2927  }
2928  insp_recursion_limit = insp_recursion_limit_node->val;
2929  SCLogDebug("Found detect-engine.inspection-recursion-limit - %s:%s",
2930  insp_recursion_limit_node->name, insp_recursion_limit_node->val);
2931  break;
2932  }
2933 
2934  if (insp_recursion_limit != NULL) {
2935  if (StringParseInt32(&de_ctx->inspection_recursion_limit, 10,
2936  0, (const char *)insp_recursion_limit) < 0) {
2937  SCLogWarning("Invalid value for "
2938  "detect-engine.inspection-recursion-limit: %s "
2939  "resetting to %d",
2940  insp_recursion_limit, DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT);
2941  de_ctx->inspection_recursion_limit =
2942  DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT;
2943  }
2944  }
2945  }
2946  }
2947 
2948  if (de_ctx->inspection_recursion_limit == 0)
2949  de_ctx->inspection_recursion_limit = -1;
2950 
2951  SCLogDebug("de_ctx->inspection_recursion_limit: %d",
2952  de_ctx->inspection_recursion_limit);
2953 
2954  // default value is 4
2955  de_ctx->guess_applayer_log_limit = 4;
2956  if (SCConfGetInt("detect.stream-tx-log-limit", &value) == 1) {
2957  if (value >= 0 && value <= UINT8_MAX) {
2958  de_ctx->guess_applayer_log_limit = (uint8_t)value;
2959  } else {
2960  SCLogWarning("Invalid value for detect-engine.stream-tx-log-limit: must be between 0 "
2961  "and 255, will default to 4");
2962  }
2963  }
2964  int guess_applayer = 0;
2965  if ((SCConfGetBool("detect.guess-applayer-tx", &guess_applayer)) == 1) {
2966  if (guess_applayer == 1) {
2967  de_ctx->guess_applayer = true;
2968  }
2969  }
2970 
2971  /* parse port grouping priority settings */
2972 
2973  const char *ports = NULL;
2974  (void)SCConfGet("detect.grouping.tcp-priority-ports", &ports);
2975  if (ports) {
2976  SCLogConfig("grouping: tcp-priority-ports %s", ports);
2977  } else {
2978  (void)SCConfGet("detect.grouping.tcp-whitelist", &ports);
2979  if (ports) {
2980  SCLogConfig(
2981  "grouping: tcp-priority-ports from legacy 'tcp-whitelist' setting: %s", ports);
2982  } else {
2983  ports = "53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080";
2984  SCLogConfig("grouping: tcp-priority-ports (default) %s", ports);
2985  }
2986  }
2987  if (DetectPortParse(de_ctx, &de_ctx->tcp_priorityports, ports) != 0) {
2988  SCLogWarning("'%s' is not a valid value "
2989  "for detect.grouping.tcp-priority-ports",
2990  ports);
2991  }
2992  DetectPort *x = de_ctx->tcp_priorityports;
2993  for ( ; x != NULL; x = x->next) {
2994  if (x->port != x->port2) {
2995  SCLogWarning("'%s' is not a valid value "
2996  "for detect.grouping.tcp-priority-ports: only single ports allowed",
2997  ports);
2998  DetectPortCleanupList(de_ctx, de_ctx->tcp_priorityports);
2999  de_ctx->tcp_priorityports = NULL;
3000  break;
3001  }
3002  }
3003 
3004  ports = NULL;
3005  (void)SCConfGet("detect.grouping.udp-priority-ports", &ports);
3006  if (ports) {
3007  SCLogConfig("grouping: udp-priority-ports %s", ports);
3008  } else {
3009  (void)SCConfGet("detect.grouping.udp-whitelist", &ports);
3010  if (ports) {
3011  SCLogConfig(
3012  "grouping: udp-priority-ports from legacy 'udp-whitelist' setting: %s", ports);
3013  } else {
3014  ports = "53, 135, 5060";
3015  SCLogConfig("grouping: udp-priority-ports (default) %s", ports);
3016  }
3017  }
3018  if (DetectPortParse(de_ctx, &de_ctx->udp_priorityports, ports) != 0) {
3019  SCLogWarning("'%s' is not a valid value "
3020  "for detect.grouping.udp-priority-ports",
3021  ports);
3022  }
3023  for (x = de_ctx->udp_priorityports; x != NULL; x = x->next) {
3024  if (x->port != x->port2) {
3025  SCLogWarning("'%s' is not a valid value "
3026  "for detect.grouping.udp-priority-ports: only single ports allowed",
3027  ports);
3028  DetectPortCleanupList(de_ctx, de_ctx->udp_priorityports);
3029  de_ctx->udp_priorityports = NULL;
3030  break;
3031  }
3032  }
3033 
3034  de_ctx->prefilter_setting = DETECT_PREFILTER_MPM;
3035  const char *pf_setting = NULL;
3036  if (SCConfGet("detect.prefilter.default", &pf_setting) == 1 && pf_setting) {
3037  if (strcasecmp(pf_setting, "mpm") == 0) {
3038  de_ctx->prefilter_setting = DETECT_PREFILTER_MPM;
3039  } else if (strcasecmp(pf_setting, "auto") == 0) {
3040  de_ctx->prefilter_setting = DETECT_PREFILTER_AUTO;
3041  }
3042  }
3043  switch (de_ctx->prefilter_setting) {
3044  case DETECT_PREFILTER_MPM:
3045  SCLogConfig("prefilter engines: MPM");
3046  break;
3047  case DETECT_PREFILTER_AUTO:
3048  SCLogConfig("prefilter engines: MPM and keywords");
3049  break;
3050  }
3051 
3052  return 0;
3053 }
3054 
3055 void DetectEngineResetMaxSigId(DetectEngineCtx *de_ctx)
3056 {
3057  de_ctx->signum = 0;
3058 }
3059 
3060 static int DetectEngineThreadCtxInitGlobalKeywords(DetectEngineThreadCtx *det_ctx)
3061 {
3062  const DetectEngineMasterCtx *master = &g_master_de_ctx;
3063 
3064  if (master->keyword_id > 0) {
3065  // coverity[suspicious_sizeof : FALSE]
3066  det_ctx->global_keyword_ctxs_array = (void **)SCCalloc(master->keyword_id, sizeof(void *));
3067  if (det_ctx->global_keyword_ctxs_array == NULL) {
3068  SCLogError("setting up thread local detect ctx");
3069  return TM_ECODE_FAILED;
3070  }
3071  det_ctx->global_keyword_ctxs_size = master->keyword_id;
3072 
3073  const DetectEngineThreadKeywordCtxItem *item = master->keyword_list;
3074  while (item) {
3075  det_ctx->global_keyword_ctxs_array[item->id] = item->InitFunc(item->data);
3076  if (det_ctx->global_keyword_ctxs_array[item->id] == NULL) {
3077  SCLogError("setting up thread local detect ctx "
3078  "for keyword \"%s\" failed",
3079  item->name);
3080  return TM_ECODE_FAILED;
3081  }
3082  item = item->next;
3083  }
3084  }
3085  return TM_ECODE_OK;
3086 }
3087 
3088 static void DetectEngineThreadCtxDeinitGlobalKeywords(DetectEngineThreadCtx *det_ctx)
3089 {
3090  if (det_ctx->global_keyword_ctxs_array == NULL ||
3091  det_ctx->global_keyword_ctxs_size == 0) {
3092  return;
3093  }
3094 
3095  const DetectEngineMasterCtx *master = &g_master_de_ctx;
3096  if (master->keyword_id > 0) {
3097  const DetectEngineThreadKeywordCtxItem *item = master->keyword_list;
3098  while (item) {
3099  if (det_ctx->global_keyword_ctxs_array[item->id] != NULL)
3100  item->FreeFunc(det_ctx->global_keyword_ctxs_array[item->id]);
3101 
3102  item = item->next;
3103  }
3104  det_ctx->global_keyword_ctxs_size = 0;
3105  SCFree(det_ctx->global_keyword_ctxs_array);
3106  det_ctx->global_keyword_ctxs_array = NULL;
3107  }
3108 }
3109 
3110 static int DetectEngineThreadCtxInitKeywords(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx)
3111 {
3112  if (de_ctx->keyword_id > 0) {
3113  // coverity[suspicious_sizeof : FALSE]
3114  det_ctx->keyword_ctxs_array = SCCalloc(de_ctx->keyword_id, sizeof(void *));
3115  if (det_ctx->keyword_ctxs_array == NULL) {
3116  SCLogError("setting up thread local detect ctx");
3117  return TM_ECODE_FAILED;
3118  }
3119 
3120  det_ctx->keyword_ctxs_size = de_ctx->keyword_id;
3121 
3122  HashListTableBucket *hb = HashListTableGetListHead(de_ctx->keyword_hash);
3123  for (; hb != NULL; hb = HashListTableGetListNext(hb)) {
3124  DetectEngineThreadKeywordCtxItem *item = HashListTableGetListData(hb);
3125 
3126  det_ctx->keyword_ctxs_array[item->id] = item->InitFunc(item->data);
3127  if (det_ctx->keyword_ctxs_array[item->id] == NULL) {
3128  SCLogError("setting up thread local detect ctx "
3129  "for keyword \"%s\" failed",
3130  item->name);
3131  return TM_ECODE_FAILED;
3132  }
3133  }
3134  }
3135  return TM_ECODE_OK;
3136 }
3137 
3138 static void DetectEngineThreadCtxDeinitKeywords(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx)
3139 {
3140  if (de_ctx->keyword_id > 0) {
3141  HashListTableBucket *hb = HashListTableGetListHead(de_ctx->keyword_hash);
3142  for (; hb != NULL; hb = HashListTableGetListNext(hb)) {
3143  DetectEngineThreadKeywordCtxItem *item = HashListTableGetListData(hb);
3144 
3145  if (det_ctx->keyword_ctxs_array[item->id] != NULL)
3146  item->FreeFunc(det_ctx->keyword_ctxs_array[item->id]);
3147  }
3148  det_ctx->keyword_ctxs_size = 0;
3149  SCFree(det_ctx->keyword_ctxs_array);
3150  det_ctx->keyword_ctxs_array = NULL;
3151  }
3152 }
3153 
3154 /** NOTE: master MUST be locked before calling this */
3155 static TmEcode DetectEngineThreadCtxInitForMT(ThreadVars *tv, DetectEngineThreadCtx *det_ctx)
3156 {
3157  DetectEngineMasterCtx *master = &g_master_de_ctx;
3158  DetectEngineTenantMapping *map_array = NULL;
3159  uint32_t map_array_size = 0;
3160  uint32_t map_cnt = 0;
3161  uint32_t max_tenant_id = 0;
3162  DetectEngineCtx *list = master->list;
3163  HashTable *mt_det_ctxs_hash = NULL;
3164 
3165  if (master->tenant_selector == TENANT_SELECTOR_UNKNOWN) {
3166  SCLogError("no tenant selector set: "
3167  "set using multi-detect.selector");
3168  return TM_ECODE_FAILED;
3169  }
3170 
3171  uint32_t tcnt = 0;
3172  while (list) {
3173  if (list->tenant_id > max_tenant_id)
3174  max_tenant_id = list->tenant_id;
3175 
3176  list = list->next;
3177  tcnt++;
3178  }
3179 
3180  mt_det_ctxs_hash = HashTableInit(tcnt * 2, TenantIdHash, TenantIdCompare, TenantIdFree);
3181  if (mt_det_ctxs_hash == NULL) {
3182  goto error;
3183  }
3184 
3185  if (tcnt == 0) {
3186  SCLogInfo("no tenants left, or none registered yet");
3187  } else {
3188  max_tenant_id++;
3189 
3190  DetectEngineTenantMapping *map = master->tenant_mapping_list;
3191  while (map) {
3192  map_cnt++;
3193  map = map->next;
3194  }
3195 
3196  if (map_cnt > 0) {
3197  map_array_size = map_cnt + 1;
3198 
3199  map_array = SCCalloc(map_array_size, sizeof(*map_array));
3200  if (map_array == NULL)
3201  goto error;
3202 
3203  /* fill the array */
3204  map_cnt = 0;
3205  map = master->tenant_mapping_list;
3206  while (map) {
3207  if (map_cnt >= map_array_size) {
3208  goto error;
3209  }
3210  map_array[map_cnt].traffic_id = map->traffic_id;
3211  map_array[map_cnt].tenant_id = map->tenant_id;
3212  map_cnt++;
3213  map = map->next;
3214  }
3215 
3216  }
3217 
3218  /* set up hash for tenant lookup */
3219  list = master->list;
3220  while (list) {
3221  SCLogDebug("tenant-id %u", list->tenant_id);
3222  if (list->tenant_id != 0) {
3223  DetectEngineThreadCtx *mt_det_ctx = DetectEngineThreadCtxInitForReload(tv, list, 0);
3224  if (mt_det_ctx == NULL)
3225  goto error;
3226  if (HashTableAdd(mt_det_ctxs_hash, mt_det_ctx, 0) != 0) {
3227  goto error;
3228  }
3229  }
3230  list = list->next;
3231  }
3232  }
3233 
3234  det_ctx->mt_det_ctxs_hash = mt_det_ctxs_hash;
3235  mt_det_ctxs_hash = NULL;
3236 
3237  det_ctx->mt_det_ctxs_cnt = max_tenant_id;
3238 
3239  det_ctx->tenant_array = map_array;
3240  det_ctx->tenant_array_size = map_array_size;
3241 
3242  switch (master->tenant_selector) {
3243  case TENANT_SELECTOR_UNKNOWN:
3244  SCLogDebug("TENANT_SELECTOR_UNKNOWN");
3245  break;
3246  case TENANT_SELECTOR_VLAN:
3247  det_ctx->TenantGetId = DetectEngineTenantGetIdFromVlanId;
3248  SCLogDebug("TENANT_SELECTOR_VLAN");
3249  break;
3250  case TENANT_SELECTOR_LIVEDEV:
3251  det_ctx->TenantGetId = DetectEngineTenantGetIdFromLivedev;
3252  SCLogDebug("TENANT_SELECTOR_LIVEDEV");
3253  break;
3254  case TENANT_SELECTOR_DIRECT:
3255  det_ctx->TenantGetId = DetectEngineTenantGetIdFromPcap;
3256  SCLogDebug("TENANT_SELECTOR_DIRECT");
3257  break;
3258  }
3259 
3260  return TM_ECODE_OK;
3261 error:
3262  if (map_array != NULL)
3263  SCFree(map_array);
3264  if (mt_det_ctxs_hash != NULL)
3265  HashTableFree(mt_det_ctxs_hash);
3266 
3267  return TM_ECODE_FAILED;
3268 }
3269 
3270 /** \internal
3271  * \brief Helper for DetectThread setup functions
3272  */
3273 static TmEcode ThreadCtxDoInit (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx)
3274 {
3275  PatternMatchThreadPrepare(&det_ctx->mtc, de_ctx->mpm_matcher);
3276 
3277  PmqSetup(&det_ctx->pmq);
3278 
3279  det_ctx->spm_thread_ctx = SpmMakeThreadCtx(de_ctx->spm_global_thread_ctx);
3280  if (det_ctx->spm_thread_ctx == NULL) {
3281  return TM_ECODE_FAILED;
3282  }
3283 
3284  /* DeState */
3285  if (de_ctx->sig_array_len > 0) {
3286  det_ctx->match_array_len = de_ctx->sig_array_len;
3287  det_ctx->match_array = SCCalloc(det_ctx->match_array_len, sizeof(Signature *));
3288  if (det_ctx->match_array == NULL) {
3289  return TM_ECODE_FAILED;
3290  }
3291 
3292  RuleMatchCandidateTxArrayInit(det_ctx, de_ctx->sig_array_len);
3293  }
3294 
3295  /* Alert processing queue */
3296  AlertQueueInit(det_ctx);
3297 
3298  /* byte_extract storage */
3299  det_ctx->byte_values = SCMalloc(sizeof(*det_ctx->byte_values) *
3300  (de_ctx->byte_extract_max_local_id + 1));
3301  if (det_ctx->byte_values == NULL) {
3302  return TM_ECODE_FAILED;
3303  }
3304 
3305  /* Allocate space for base64 decoded data. */
3306  if (de_ctx->base64_decode_max_len) {
3307  det_ctx->base64_decoded = SCMalloc(de_ctx->base64_decode_max_len);
3308  if (det_ctx->base64_decoded == NULL) {
3309  return TM_ECODE_FAILED;
3310  }
3311  det_ctx->base64_decoded_len = 0;
3312  }
3313 
3314  det_ctx->inspect.buffers_size = de_ctx->buffer_type_id;
3315  det_ctx->inspect.buffers = SCCalloc(det_ctx->inspect.buffers_size, sizeof(InspectionBuffer));
3316  if (det_ctx->inspect.buffers == NULL) {
3317  return TM_ECODE_FAILED;
3318  }
3319  det_ctx->inspect.to_clear_queue = SCCalloc(det_ctx->inspect.buffers_size, sizeof(uint32_t));
3320  if (det_ctx->inspect.to_clear_queue == NULL) {
3321  return TM_ECODE_FAILED;
3322  }
3323  det_ctx->inspect.to_clear_idx = 0;
3324 
3325  det_ctx->multi_inspect.buffers_size = de_ctx->buffer_type_id;
3326  det_ctx->multi_inspect.buffers = SCCalloc(det_ctx->multi_inspect.buffers_size, sizeof(InspectionBufferMultipleForList));
3327  if (det_ctx->multi_inspect.buffers == NULL) {
3328  return TM_ECODE_FAILED;
3329  }
3330  det_ctx->multi_inspect.to_clear_queue = SCCalloc(det_ctx->multi_inspect.buffers_size, sizeof(uint32_t));
3331  if (det_ctx->multi_inspect.to_clear_queue == NULL) {
3332  return TM_ECODE_FAILED;
3333  }
3334  det_ctx->multi_inspect.to_clear_idx = 0;
3335 
3336 
3337  DetectEngineThreadCtxInitKeywords(de_ctx, det_ctx);
3338  DetectEngineThreadCtxInitGlobalKeywords(det_ctx);
3339 #ifdef PROFILE_RULES
3340  SCProfilingRuleThreadSetup(de_ctx->profile_ctx, det_ctx);
3341 #endif
3342 #ifdef PROFILING
3343  SCProfilingKeywordThreadSetup(de_ctx->profile_keyword_ctx, det_ctx);
3344  SCProfilingPrefilterThreadSetup(de_ctx->profile_prefilter_ctx, det_ctx);
3345  SCProfilingSghThreadSetup(de_ctx->profile_sgh_ctx, det_ctx);
3346 #endif
3347  SC_ATOMIC_INIT(det_ctx->so_far_used_by_detect);
3348 
3349  return TM_ECODE_OK;
3350 }
3351 
3352 /** \brief initialize thread specific detection engine context
3353  *
3354  * \note there is a special case when using delayed detect. In this case the
3355  * function is called twice per thread. The first time the rules are not
3356  * yet loaded. de_ctx->delayed_detect_initialized will be 0. The 2nd
3357  * time they will be loaded. de_ctx->delayed_detect_initialized will be 1.
3358  * This is needed to do the per thread counter registration before the
3359  * packet runtime starts. In delayed detect mode, the first call will
3360  * return a NULL ptr through the data ptr.
3361  *
3362  * \param tv ThreadVars for this thread
3363  * \param initdata pointer to de_ctx
3364  * \param data[out] pointer to store our thread detection ctx
3365  *
3366  * \retval TM_ECODE_OK if all went well
3367  * \retval TM_ECODE_FAILED on serious errors
3368  */
3369 TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
3370 {
3371  DetectEngineThreadCtx *det_ctx = SCCalloc(1, sizeof(DetectEngineThreadCtx));
3372  if (unlikely(det_ctx == NULL))
3373  return TM_ECODE_FAILED;
3374 
3375  det_ctx->tv = tv;
3376  det_ctx->de_ctx = DetectEngineGetCurrent();
3377  if (det_ctx->de_ctx == NULL) {
3378 #ifdef UNITTESTS
3379  if (RunmodeIsUnittests()) {
3380  det_ctx->de_ctx = (DetectEngineCtx *)initdata;
3381  } else {
3382  DetectEngineThreadCtxDeinit(tv, det_ctx);
3383  return TM_ECODE_FAILED;
3384  }
3385 #else
3386  DetectEngineThreadCtxDeinit(tv, det_ctx);
3387  return TM_ECODE_FAILED;
3388 #endif
3389  }
3390 
3391  if (det_ctx->de_ctx->type == DETECT_ENGINE_TYPE_NORMAL ||
3392  det_ctx->de_ctx->type == DETECT_ENGINE_TYPE_TENANT)
3393  {
3394  if (ThreadCtxDoInit(det_ctx->de_ctx, det_ctx) != TM_ECODE_OK) {
3395  DetectEngineThreadCtxDeinit(tv, det_ctx);
3396  return TM_ECODE_FAILED;
3397  }
3398  }
3399 
3400  /** alert counter setup */
3401  det_ctx->counter_alerts = StatsRegisterCounter("detect.alert", tv);
3402  det_ctx->counter_alerts_overflow = StatsRegisterCounter("detect.alert_queue_overflow", tv);
3403  det_ctx->counter_alerts_suppressed = StatsRegisterCounter("detect.alerts_suppressed", tv);
3404 
3405  /* Register counter for Lua rule errors. */
3406  det_ctx->lua_rule_errors = StatsRegisterCounter("detect.lua.errors", tv);
3407 
3408  /* Register a counter for Lua blocked function attempts. */
3409  det_ctx->lua_blocked_function_errors =
3410  StatsRegisterCounter("detect.lua.blocked_function_errors", tv);
3411 
3412  /* Register a counter for Lua instruction limit errors. */
3413  det_ctx->lua_instruction_limit_errors =
3414  StatsRegisterCounter("detect.lua.instruction_limit_errors", tv);
3415 
3416  /* Register a counter for Lua memory limit errors. */
3417  det_ctx->lua_memory_limit_errors = StatsRegisterCounter("detect.lua.memory_limit_errors", tv);
3418 
3419  det_ctx->json_content = NULL;
3420  det_ctx->json_content_capacity = 0;
3421  det_ctx->json_content_len = 0;
3422 
3423 #ifdef PROFILING
3424  det_ctx->counter_mpm_list = StatsRegisterAvgCounter("detect.mpm_list", tv);
3425  det_ctx->counter_nonmpm_list = StatsRegisterAvgCounter("detect.nonmpm_list", tv);
3426  det_ctx->counter_fnonmpm_list = StatsRegisterAvgCounter("detect.fnonmpm_list", tv);
3427  det_ctx->counter_match_list = StatsRegisterAvgCounter("detect.match_list", tv);
3428 #endif
3429 
3430  if (DetectEngineMultiTenantEnabled()) {
3431  if (DetectEngineThreadCtxInitForMT(tv, det_ctx) != TM_ECODE_OK) {
3432  DetectEngineThreadCtxDeinit(tv, det_ctx);
3433  return TM_ECODE_FAILED;
3434  }
3435  }
3436 
3437  /* pass thread data back to caller */
3438  *data = (void *)det_ctx;
3439 
3440  return TM_ECODE_OK;
3441 }
3442 
3443 /**
3444  * \internal
3445  * \brief initialize a det_ctx for reload cases
3446  * \param new_de_ctx the new detection engine
3447  * \param mt flag to indicate if MT should be set up for this det_ctx
3448  * this should only be done for the 'root' det_ctx
3449  *
3450  * \retval det_ctx detection engine thread ctx or NULL in case of error
3451  */
3452 DetectEngineThreadCtx *DetectEngineThreadCtxInitForReload(
3453  ThreadVars *tv, DetectEngineCtx *new_de_ctx, int mt)
3454 {
3455  DetectEngineThreadCtx *det_ctx = SCCalloc(1, sizeof(DetectEngineThreadCtx));
3456  if (unlikely(det_ctx == NULL))
3457  return NULL;
3458 
3459  det_ctx->tenant_id = new_de_ctx->tenant_id;
3460  det_ctx->tv = tv;
3461  det_ctx->de_ctx = DetectEngineReference(new_de_ctx);
3462  if (det_ctx->de_ctx == NULL) {
3463  SCFree(det_ctx);
3464  return NULL;
3465  }
3466 
3467  /* most of the init happens here */
3468  if (det_ctx->de_ctx->type == DETECT_ENGINE_TYPE_NORMAL ||
3469  det_ctx->de_ctx->type == DETECT_ENGINE_TYPE_TENANT)
3470  {
3471  if (ThreadCtxDoInit(det_ctx->de_ctx, det_ctx) != TM_ECODE_OK) {
3472  DetectEngineDeReference(&det_ctx->de_ctx);
3473  SCFree(det_ctx);
3474  return NULL;
3475  }
3476  }
3477 
3478  /** alert counter setup */
3479  det_ctx->counter_alerts = StatsRegisterCounter("detect.alert", tv);
3480  det_ctx->counter_alerts_overflow = StatsRegisterCounter("detect.alert_queue_overflow", tv);
3481  det_ctx->counter_alerts_suppressed = StatsRegisterCounter("detect.alerts_suppressed", tv);
3482 #ifdef PROFILING
3483  uint16_t counter_mpm_list = StatsRegisterAvgCounter("detect.mpm_list", tv);
3484  uint16_t counter_nonmpm_list = StatsRegisterAvgCounter("detect.nonmpm_list", tv);
3485  uint16_t counter_fnonmpm_list = StatsRegisterAvgCounter("detect.fnonmpm_list", tv);
3486  uint16_t counter_match_list = StatsRegisterAvgCounter("detect.match_list", tv);
3487  det_ctx->counter_mpm_list = counter_mpm_list;
3488  det_ctx->counter_nonmpm_list = counter_nonmpm_list;
3489  det_ctx->counter_fnonmpm_list = counter_fnonmpm_list;
3490  det_ctx->counter_match_list = counter_match_list;
3491 #endif
3492 
3493  if (mt && DetectEngineMultiTenantEnabled()) {
3494  if (DetectEngineThreadCtxInitForMT(tv, det_ctx) != TM_ECODE_OK) {
3495  DetectEngineDeReference(&det_ctx->de_ctx);
3496  SCFree(det_ctx);
3497  return NULL;
3498  }
3499  }
3500 
3501  return det_ctx;
3502 }
3503 
3504 static void DetectEngineThreadCtxFree(DetectEngineThreadCtx *det_ctx)
3505 {
3506 #if DEBUG
3507  SCLogDebug("PACKET PKT_STREAM_ADD: %"PRIu64, det_ctx->pkt_stream_add_cnt);
3508 
3509  SCLogDebug("PAYLOAD MPM %"PRIu64"/%"PRIu64, det_ctx->payload_mpm_cnt, det_ctx->payload_mpm_size);
3510  SCLogDebug("STREAM MPM %"PRIu64"/%"PRIu64, det_ctx->stream_mpm_cnt, det_ctx->stream_mpm_size);
3511 
3512  SCLogDebug("PAYLOAD SIG %"PRIu64"/%"PRIu64, det_ctx->payload_persig_cnt, det_ctx->payload_persig_size);
3513  SCLogDebug("STREAM SIG %"PRIu64"/%"PRIu64, det_ctx->stream_persig_cnt, det_ctx->stream_persig_size);
3514 #endif
3515 
3516  if (det_ctx->tenant_array != NULL) {
3517  SCFree(det_ctx->tenant_array);
3518  det_ctx->tenant_array = NULL;
3519  }
3520 
3521 #ifdef PROFILE_RULES
3522  SCProfilingRuleThreadCleanup(det_ctx);
3523 #endif
3524 #ifdef PROFILING
3525  SCProfilingKeywordThreadCleanup(det_ctx);
3526  SCProfilingPrefilterThreadCleanup(det_ctx);
3527  SCProfilingSghThreadCleanup(det_ctx);
3528 #endif
3529 
3530  /** \todo get rid of this static */
3531  if (det_ctx->de_ctx != NULL) {
3532  PatternMatchThreadDestroy(&det_ctx->mtc, det_ctx->de_ctx->mpm_matcher);
3533  }
3534 
3535  PmqFree(&det_ctx->pmq);
3536 
3537  if (det_ctx->spm_thread_ctx != NULL) {
3538  SpmDestroyThreadCtx(det_ctx->spm_thread_ctx);
3539  }
3540  if (det_ctx->match_array != NULL)
3541  SCFree(det_ctx->match_array);
3542 
3543  RuleMatchCandidateTxArrayFree(det_ctx);
3544 
3545  AlertQueueFree(det_ctx);
3546 
3547  if (det_ctx->post_rule_work_queue.q)
3548  SCFree(det_ctx->post_rule_work_queue.q);
3549 
3550  if (det_ctx->byte_values != NULL)
3551  SCFree(det_ctx->byte_values);
3552 
3553  /* Decoded base64 data. */
3554  if (det_ctx->base64_decoded != NULL) {
3555  SCFree(det_ctx->base64_decoded);
3556  }
3557 
3558  if (det_ctx->inspect.buffers) {
3559  for (uint32_t i = 0; i < det_ctx->inspect.buffers_size; i++) {
3560  InspectionBufferFree(&det_ctx->inspect.buffers[i]);
3561  }
3562  SCFree(det_ctx->inspect.buffers);
3563  }
3564  if (det_ctx->inspect.to_clear_queue) {
3565  SCFree(det_ctx->inspect.to_clear_queue);
3566  }
3567  if (det_ctx->multi_inspect.buffers) {
3568  for (uint32_t i = 0; i < det_ctx->multi_inspect.buffers_size; i++) {
3569  InspectionBufferMultipleForList *fb = &det_ctx->multi_inspect.buffers[i];
3570  for (uint32_t x = 0; x < fb->size; x++) {
3571  InspectionBufferFree(&fb->inspection_buffers[x]);
3572  }
3573  SCFree(fb->inspection_buffers);
3574  }
3575  SCFree(det_ctx->multi_inspect.buffers);
3576  }
3577  if (det_ctx->multi_inspect.to_clear_queue) {
3578  SCFree(det_ctx->multi_inspect.to_clear_queue);
3579  }
3580 
3581  DetectEngineThreadCtxDeinitGlobalKeywords(det_ctx);
3582  if (det_ctx->de_ctx != NULL) {
3583  DetectEngineThreadCtxDeinitKeywords(det_ctx->de_ctx, det_ctx);
3584 #ifdef UNITTESTS
3585  if (!RunmodeIsUnittests() || det_ctx->de_ctx->ref_cnt > 0)
3586  DetectEngineDeReference(&det_ctx->de_ctx);
3587 #else
3588  DetectEngineDeReference(&det_ctx->de_ctx);
3589 #endif
3590  }
3591 
3592  if (det_ctx->json_content) {
3593  SCFree(det_ctx->json_content);
3594  det_ctx->json_content = NULL;
3595  det_ctx->json_content_capacity = 0;
3596  }
3597 
3598  AppLayerDecoderEventsFreeEvents(&det_ctx->decoder_events);
3599  PrefilterPktNonPFStatsDump();
3600  SCFree(det_ctx);
3601 
3602  ThresholdCacheThreadFree();
3603 }
3604 
3605 TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
3606 {
3607  DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;
3608 
3609  if (det_ctx == NULL) {
3610  SCLogWarning("argument \"data\" NULL");
3611  return TM_ECODE_OK;
3612  }
3613 
3614  if (det_ctx->mt_det_ctxs_hash != NULL) {
3615  HashTableFree(det_ctx->mt_det_ctxs_hash);
3616  det_ctx->mt_det_ctxs_hash = NULL;
3617  }
3618  DetectEngineThreadCtxFree(det_ctx);
3619 
3620  return TM_ECODE_OK;
3621 }
3622 
3623 static uint32_t DetectKeywordCtxHashFunc(HashListTable *ht, void *data, uint16_t datalen)
3624 {
3625  DetectEngineThreadKeywordCtxItem *ctx = data;
3626  const char *name = ctx->name;
3627  uint64_t hash =
3628  StringHashDjb2((const uint8_t *)name, (uint32_t)strlen(name)) + (ptrdiff_t)ctx->data;
3629  hash %= ht->array_size;
3630  return (uint32_t)hash;
3631 }
3632 
3633 static char DetectKeywordCtxCompareFunc(void *data1, uint16_t len1, void *data2, uint16_t len2)
3634 {
3635  DetectEngineThreadKeywordCtxItem *ctx1 = data1;
3636  DetectEngineThreadKeywordCtxItem *ctx2 = data2;
3637  const char *name1 = ctx1->name;
3638  const char *name2 = ctx2->name;
3639  return (strcmp(name1, name2) == 0 && ctx1->data == ctx2->data);
3640 }
3641 
3642 static void DetectKeywordCtxFreeFunc(void *ptr)
3643 {
3644  SCFree(ptr);
3645 }
3646 
3647 /** \brief Register Thread keyword context Funcs
3648  *
3649  * \param de_ctx detection engine to register in
3650  * \param name keyword name for error printing
3651  * \param InitFunc function ptr
3652  * \param data keyword init data to pass to Func. Can be NULL.
3653  * \param FreeFunc function ptr
3654  * \param mode 0 normal (ctx per keyword instance) 1 shared (one ctx per det_ct)
3655  *
3656  * \retval id for retrieval of ctx at runtime
3657  * \retval -1 on error
3658  *
3659  * \note make sure "data" remains valid and it free'd elsewhere. It's
3660  * recommended to store it in the keywords global ctx so that
3661  * it's freed when the de_ctx is freed.
3662  */
3663 int DetectRegisterThreadCtxFuncs(DetectEngineCtx *de_ctx, const char *name, void *(*InitFunc)(void *), void *data, void (*FreeFunc)(void *), int mode)
3664 {
3665  BUG_ON(de_ctx == NULL || InitFunc == NULL || FreeFunc == NULL);
3666 
3667  if (de_ctx->keyword_hash == NULL) {
3668  de_ctx->keyword_hash = HashListTableInit(4096, // TODO
3669  DetectKeywordCtxHashFunc, DetectKeywordCtxCompareFunc, DetectKeywordCtxFreeFunc);
3670  BUG_ON(de_ctx->keyword_hash == NULL);
3671  }
3672 
3673  if (mode) {
3674  DetectEngineThreadKeywordCtxItem search = { .data = data, .name = name };
3675 
3676  DetectEngineThreadKeywordCtxItem *item =
3677  HashListTableLookup(de_ctx->keyword_hash, (void *)&search, 0);
3678  if (item)
3679  return item->id;
3680 
3681  /* fall through */
3682  }
3683 
3684  DetectEngineThreadKeywordCtxItem *item = SCCalloc(1, sizeof(DetectEngineThreadKeywordCtxItem));
3685  if (unlikely(item == NULL))
3686  return -1;
3687 
3688  item->InitFunc = InitFunc;
3689  item->FreeFunc = FreeFunc;
3690  item->data = data;
3691  item->name = name;
3692  item->id = de_ctx->keyword_id++;
3693 
3694  if (HashListTableAdd(de_ctx->keyword_hash, (void *)item, 0) < 0) {
3695  SCFree(item);
3696  return -1;
3697  }
3698  return item->id;
3699 }
3700 
3701 /** \brief Remove Thread keyword context registration
3702  *
3703  * \param de_ctx detection engine to deregister from
3704  * \param det_ctx detection engine thread context to deregister from
3705  * \param data keyword init data to pass to Func. Can be NULL.
3706  * \param name keyword name for error printing
3707  *
3708  * \retval 1 Item unregistered
3709  * \retval 0 otherwise
3710  *
3711  * \note make sure "data" remains valid and it free'd elsewhere. It's
3712  * recommended to store it in the keywords global ctx so that
3713  * it's freed when the de_ctx is freed.
3714  */
3715 int DetectUnregisterThreadCtxFuncs(DetectEngineCtx *de_ctx, void *data, const char *name)
3716 {
3717  /* might happen if we call this before a call to *Register* */
3718  if (de_ctx->keyword_hash == NULL)
3719  return 1;
3720  DetectEngineThreadKeywordCtxItem remove = { .data = data, .name = name };
3721  if (HashListTableRemove(de_ctx->keyword_hash, (void *)&remove, 0) == 0)
3722  return 1;
3723  return 0;
3724 }
3725 /** \brief Retrieve thread local keyword ctx by id
3726  *
3727  * \param det_ctx detection engine thread ctx to retrieve the ctx from
3728  * \param id id of the ctx returned by DetectRegisterThreadCtxInitFunc at
3729  * keyword init.
3730  *
3731  * \retval ctx or NULL on error
3732  */
3733 void *DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
3734 {
3735  if (id < 0 || id > det_ctx->keyword_ctxs_size || det_ctx->keyword_ctxs_array == NULL)
3736  return NULL;
3737 
3738  return det_ctx->keyword_ctxs_array[id];
3739 }
3740 
3741 
3742 /** \brief Register Thread keyword context Funcs (Global)
3743  *
3744  * IDs stay static over reloads and between tenants
3745  *
3746  * \param name keyword name for error printing
3747  * \param InitFunc function ptr
3748  * \param FreeFunc function ptr
3749  *
3750  * \retval id for retrieval of ctx at runtime
3751  * \retval -1 on error
3752  */
3753 int DetectRegisterThreadCtxGlobalFuncs(const char *name,
3754  void *(*InitFunc)(void *), void *data, void (*FreeFunc)(void *))
3755 {
3756  int id;
3757  BUG_ON(InitFunc == NULL || FreeFunc == NULL);
3758 
3759  DetectEngineMasterCtx *master = &g_master_de_ctx;
3760 
3761  /* if already registered, return existing id */
3762  DetectEngineThreadKeywordCtxItem *item = master->keyword_list;
3763  while (item != NULL) {
3764  if (strcmp(name, item->name) == 0) {
3765  id = item->id;
3766  return id;
3767  }
3768 
3769  item = item->next;
3770  }
3771 
3772  item = SCCalloc(1, sizeof(*item));
3773  if (unlikely(item == NULL)) {
3774  return -1;
3775  }
3776  item->InitFunc = InitFunc;
3777  item->FreeFunc = FreeFunc;
3778  item->name = name;
3779  item->data = data;
3780 
3781  item->next = master->keyword_list;
3782  master->keyword_list = item;
3783  item->id = master->keyword_id++;
3784 
3785  id = item->id;
3786  return id;
3787 }
3788 
3789 /** \brief Retrieve thread local keyword ctx by id
3790  *
3791  * \param det_ctx detection engine thread ctx to retrieve the ctx from
3792  * \param id id of the ctx returned by DetectRegisterThreadCtxInitFunc at
3793  * keyword init.
3794  *
3795  * \retval ctx or NULL on error
3796  */
3797 void *DetectThreadCtxGetGlobalKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
3798 {
3799  if (id < 0 || id > det_ctx->global_keyword_ctxs_size ||
3800  det_ctx->global_keyword_ctxs_array == NULL) {
3801  return NULL;
3802  }
3803 
3804  return det_ctx->global_keyword_ctxs_array[id];
3805 }
3806 
3807 /** \brief Check if detection is enabled
3808  * \retval bool true or false */
3809 int DetectEngineEnabled(void)
3810 {
3811  DetectEngineMasterCtx *master = &g_master_de_ctx;
3812  SCMutexLock(&master->lock);
3813 
3814  if (master->list == NULL) {
3815  SCMutexUnlock(&master->lock);
3816  return 0;
3817  }
3818 
3819  SCMutexUnlock(&master->lock);
3820  return 1;
3821 }
3822 
3823 uint32_t DetectEngineGetVersion(void)
3824 {
3825  uint32_t version;
3826  DetectEngineMasterCtx *master = &g_master_de_ctx;
3827  SCMutexLock(&master->lock);
3828  version = master->version;
3829  SCMutexUnlock(&master->lock);
3830  return version;
3831 }
3832 
3833 void DetectEngineBumpVersion(void)
3834 {
3835  DetectEngineMasterCtx *master = &g_master_de_ctx;
3836  SCMutexLock(&master->lock);
3837  master->version++;
3838  SCLogDebug("master version now %u", master->version);
3839  SCMutexUnlock(&master->lock);
3840 }
3841 
3842 DetectEngineCtx *DetectEngineGetCurrent(void)
3843 {
3844  DetectEngineMasterCtx *master = &g_master_de_ctx;
3845  SCMutexLock(&master->lock);
3846 
3847  DetectEngineCtx *de_ctx = master->list;
3848  while (de_ctx) {
3849  if (de_ctx->type == DETECT_ENGINE_TYPE_NORMAL ||
3850  de_ctx->type == DETECT_ENGINE_TYPE_DD_STUB ||
3851  de_ctx->type == DETECT_ENGINE_TYPE_MT_STUB)
3852  {
3853  de_ctx->ref_cnt++;
3854  SCLogDebug("de_ctx %p ref_cnt %u", de_ctx, de_ctx->ref_cnt);
3855  SCMutexUnlock(&master->lock);
3856  return de_ctx;
3857  }
3858  de_ctx = de_ctx->next;
3859  }
3860 
3861  SCMutexUnlock(&master->lock);
3862  return NULL;
3863 }
3864 
3865 DetectEngineCtx *DetectEngineReference(DetectEngineCtx *de_ctx)
3866 {
3867  if (de_ctx == NULL)
3868  return NULL;
3869  de_ctx->ref_cnt++;
3870  return de_ctx;
3871 }
3872 
3873 /** TODO locking? Not needed if this is a one time setting at startup */
3874 int DetectEngineMultiTenantEnabled(void)
3875 {
3876  DetectEngineMasterCtx *master = &g_master_de_ctx;
3877  return (master->multi_tenant_enabled);
3878 }
3879 
3880 /** \internal
3881  * \brief load a tenant from a yaml file
3882  *
3883  * \param tenant_id the tenant id by which the config is known
3884  * \param filename full path of a yaml file
3885  * \param loader_id id of loader thread or -1
3886  *
3887  * \retval 0 ok
3888  * \retval -1 failed
3889  */
3890 static int DetectEngineMultiTenantLoadTenant(uint32_t tenant_id, const char *filename, int loader_id)
3891 {
3892  DetectEngineCtx *de_ctx = NULL;
3893  char prefix[64];
3894 
3895  snprintf(prefix, sizeof(prefix), "multi-detect.%u", tenant_id);
3896 
3897  SCStat st;
3898  if (SCStatFn(filename, &st) != 0) {
3899  SCLogError("failed to stat file %s", filename);
3900  goto error;
3901  }
3902 
3903  de_ctx = DetectEngineGetByTenantId(tenant_id);
3904  if (de_ctx != NULL) {
3905  SCLogError("tenant %u already registered", tenant_id);
3906  DetectEngineDeReference(&de_ctx);
3907  goto error;
3908  }
3909 
3910  SCConfNode *node = SCConfGetNode(prefix);
3911  if (node == NULL) {
3912  SCLogError("failed to properly setup yaml %s", filename);
3913  goto error;
3914  }
3915 
3916  de_ctx = DetectEngineCtxInitWithPrefix(prefix, tenant_id);
3917  if (de_ctx == NULL) {
3918  SCLogError("initializing detection engine "
3919  "context failed.");
3920  goto error;
3921  }
3922  SCLogDebug("de_ctx %p with prefix %s", de_ctx, de_ctx->config_prefix);
3923 
3924  de_ctx->type = DETECT_ENGINE_TYPE_TENANT;
3925  de_ctx->tenant_id = tenant_id;
3926  de_ctx->loader_id = loader_id;
3927  de_ctx->tenant_path = SCStrdup(filename);
3928  if (de_ctx->tenant_path == NULL) {
3929  SCLogError("Failed to duplicate path");
3930  goto error;
3931  }
3932 
3933  if (SigLoadSignatures(de_ctx, NULL, false) < 0) {
3934  SCLogError("Loading signatures failed.");
3935  goto error;
3936  }
3937 
3938  DetectEngineAddToMaster(de_ctx);
3939 
3940  return 0;
3941 
3942 error:
3943  if (de_ctx != NULL) {
3944  DetectEngineCtxFree(de_ctx);
3945  }
3946  return -1;
3947 }
3948 
3949 static int DetectEngineMultiTenantReloadTenant(uint32_t tenant_id, const char *filename, int reload_cnt)
3950 {
3951  DetectEngineCtx *old_de_ctx = DetectEngineGetByTenantId(tenant_id);
3952  if (old_de_ctx == NULL) {
3953  SCLogError("tenant detect engine not found");
3954  return -1;
3955  }
3956 
3957  if (filename == NULL)
3958  filename = old_de_ctx->tenant_path;
3959 
3960  char prefix[64];
3961  snprintf(prefix, sizeof(prefix), "multi-detect.%u.reload.%d", tenant_id, reload_cnt);
3962  reload_cnt++;
3963  SCLogDebug("prefix %s", prefix);
3964 
3965  if (SCConfYamlLoadFileWithPrefix(filename, prefix) != 0) {
3966  SCLogError("failed to load yaml");
3967  goto error;
3968  }
3969 
3970  SCConfNode *node = SCConfGetNode(prefix);
3971  if (node == NULL) {
3972  SCLogError("failed to properly setup yaml %s", filename);
3973  goto error;
3974  }
3975 
3976  DetectEngineCtx *new_de_ctx = DetectEngineCtxInitWithPrefix(prefix, tenant_id);
3977  if (new_de_ctx == NULL) {
3978  SCLogError("initializing detection engine "
3979  "context failed.");
3980  goto error;
3981  }
3982  SCLogDebug("de_ctx %p with prefix %s", new_de_ctx, new_de_ctx->config_prefix);
3983 
3984  new_de_ctx->type = DETECT_ENGINE_TYPE_TENANT;
3985  new_de_ctx->tenant_id = tenant_id;
3986  new_de_ctx->loader_id = old_de_ctx->loader_id;
3987  new_de_ctx->tenant_path = SCStrdup(filename);
3988  if (new_de_ctx->tenant_path == NULL) {
3989  SCLogError("Failed to duplicate path");
3990  goto new_de_ctx_error;
3991  }
3992 
3993  if (SigLoadSignatures(new_de_ctx, NULL, false) < 0) {
3994  SCLogError("Loading signatures failed.");
3995  goto new_de_ctx_error;
3996  }
3997 
3998  DetectEngineAddToMaster(new_de_ctx);
3999 
4000  /* move to free list */
4001  DetectEngineMoveToFreeList(old_de_ctx);
4002  DetectEngineDeReference(&old_de_ctx);
4003  return 0;
4004 
4005 new_de_ctx_error:
4006  DetectEngineCtxFree(new_de_ctx);
4007 
4008 error:
4009  DetectEngineDeReference(&old_de_ctx);
4010  return -1;
4011 }
4012 
4013 
4014 typedef struct TenantLoaderCtx_ {
4015  uint32_t tenant_id;
4016  int reload_cnt; /**< used by reload */
4017  char *yaml; /**< heap alloc'd copy of file path for the yaml */
4018 } TenantLoaderCtx;
4019 
4020 static void DetectLoaderFreeTenant(void *ctx)
4021 {
4022  TenantLoaderCtx *t = (TenantLoaderCtx *)ctx;
4023  if (t->yaml != NULL) {
4024  SCFree(t->yaml);
4025  }
4026  SCFree(t);
4027 }
4028 
4029 static int DetectLoaderFuncLoadTenant(void *vctx, int loader_id)
4030 {
4031  TenantLoaderCtx *ctx = (TenantLoaderCtx *)vctx;
4032 
4033  SCLogDebug("loader %d", loader_id);
4034  if (DetectEngineMultiTenantLoadTenant(ctx->tenant_id, ctx->yaml, loader_id) != 0) {
4035  return -1;
4036  }
4037  return 0;
4038 }
4039 
4040 static int DetectLoaderSetupLoadTenant(uint32_t tenant_id, const char *yaml)
4041 {
4042  TenantLoaderCtx *t = SCCalloc(1, sizeof(*t));
4043  if (t == NULL)
4044  return -ENOMEM;
4045 
4046  t->tenant_id = tenant_id;
4047  t->yaml = SCStrdup(yaml);
4048  if (t->yaml == NULL) {
4049  SCFree(t);
4050  return -ENOMEM;
4051  }
4052 
4053  return DetectLoaderQueueTask(-1, DetectLoaderFuncLoadTenant, t, DetectLoaderFreeTenant);
4054 }
4055 
4056 static int DetectLoaderFuncReloadTenant(void *vctx, int loader_id)
4057 {
4058  TenantLoaderCtx *ctx = (TenantLoaderCtx *)vctx;
4059 
4060  SCLogDebug("loader_id %d", loader_id);
4061 
4062  if (DetectEngineMultiTenantReloadTenant(ctx->tenant_id, ctx->yaml, ctx->reload_cnt) != 0) {
4063  return -1;
4064  }
4065  return 0;
4066 }
4067 
4068 static int DetectLoaderSetupReloadTenants(const int reload_cnt)
4069 {
4070  int ret = 0;
4071  DetectEngineMasterCtx *master = &g_master_de_ctx;
4072  SCMutexLock(&master->lock);
4073 
4074  DetectEngineCtx *de_ctx = master->list;
4075  while (de_ctx) {
4076  if (de_ctx->type == DETECT_ENGINE_TYPE_TENANT) {
4077  TenantLoaderCtx *t = SCCalloc(1, sizeof(*t));
4078  if (t == NULL) {
4079  ret = -1;
4080  goto error;
4081  }
4082  t->tenant_id = de_ctx->tenant_id;
4083  t->reload_cnt = reload_cnt;
4084  int loader_id = de_ctx->loader_id;
4085 
4086  int r = DetectLoaderQueueTask(
4087  loader_id, DetectLoaderFuncReloadTenant, t, DetectLoaderFreeTenant);
4088  if (r < 0) {
4089  ret = -2;
4090  goto error;
4091  }
4092  }
4093 
4094  de_ctx = de_ctx->next;
4095  }
4096 error:
4097  SCMutexUnlock(&master->lock);
4098  return ret;
4099 }
4100 
4101 static int DetectLoaderSetupReloadTenant(uint32_t tenant_id, const char *yaml, int reload_cnt)
4102 {
4103  DetectEngineCtx *old_de_ctx = DetectEngineGetByTenantId(tenant_id);
4104  if (old_de_ctx == NULL)
4105  return -ENOENT;
4106  int loader_id = old_de_ctx->loader_id;
4107  DetectEngineDeReference(&old_de_ctx);
4108 
4109  TenantLoaderCtx *t = SCCalloc(1, sizeof(*t));
4110  if (t == NULL)
4111  return -ENOMEM;
4112 
4113  t->tenant_id = tenant_id;
4114  if (yaml != NULL) {
4115  t->yaml = SCStrdup(yaml);
4116  if (t->yaml == NULL) {
4117  SCFree(t);
4118  return -ENOMEM;
4119  }
4120  }
4121  t->reload_cnt = reload_cnt;
4122 
4123  SCLogDebug("loader_id %d", loader_id);
4124 
4125  return DetectLoaderQueueTask(
4126  loader_id, DetectLoaderFuncReloadTenant, t, DetectLoaderFreeTenant);
4127 }
4128 
4129 /** \brief Load a tenant and wait for loading to complete
4130  */
4131 int DetectEngineLoadTenantBlocking(uint32_t tenant_id, const char *yaml)
4132 {
4133  int r = DetectLoaderSetupLoadTenant(tenant_id, yaml);
4134  if (r < 0)
4135  return r;
4136 
4137  if (DetectLoadersSync() != 0)
4138  return -1;
4139 
4140  return 0;
4141 }
4142 
4143 /** \brief Reload a tenant and wait for loading to complete
4144  */
4145 int DetectEngineReloadTenantBlocking(uint32_t tenant_id, const char *yaml, int reload_cnt)
4146 {
4147  int r = DetectLoaderSetupReloadTenant(tenant_id, yaml, reload_cnt);
4148  if (r < 0)
4149  return r;
4150 
4151  if (DetectLoadersSync() != 0)
4152  return -1;
4153 
4154  return 0;
4155 }
4156 
4157 /** \brief Reload all tenants and wait for loading to complete
4158  */
4159 int DetectEngineReloadTenantsBlocking(const int reload_cnt)
4160 {
4161  int r = DetectLoaderSetupReloadTenants(reload_cnt);
4162  if (r < 0)
4163  return r;
4164 
4165  if (DetectLoadersSync() != 0)
4166  return -1;
4167 
4168  return 0;
4169 }
4170 
4171 static int DetectEngineMultiTenantSetupLoadLivedevMappings(
4172  const SCConfNode *mappings_root_node, bool failure_fatal)
4173 {
4174  SCConfNode *mapping_node = NULL;
4175 
4176  int mapping_cnt = 0;
4177  if (mappings_root_node != NULL) {
4178  TAILQ_FOREACH(mapping_node, &mappings_root_node->head, next) {
4179  SCConfNode *tenant_id_node = SCConfNodeLookupChild(mapping_node, "tenant-id");
4180  if (tenant_id_node == NULL)
4181  goto bad_mapping;
4182  SCConfNode *device_node = SCConfNodeLookupChild(mapping_node, "device");
4183  if (device_node == NULL)
4184  goto bad_mapping;
4185 
4186  uint32_t tenant_id = 0;
4187  if (StringParseUint32(&tenant_id, 10, (uint16_t)strlen(tenant_id_node->val),
4188  tenant_id_node->val) < 0) {
4189  SCLogError("tenant-id "
4190  "of %s is invalid",
4191  tenant_id_node->val);
4192  goto bad_mapping;
4193  }
4194 
4195  const char *dev = device_node->val;
4196  LiveDevice *ld = LiveGetDevice(dev);
4197  if (ld == NULL) {
4198  SCLogWarning("device %s not found", dev);
4199  goto bad_mapping;
4200  }
4201 
4202  if (ld->tenant_id_set) {
4203  SCLogWarning("device %s already mapped to tenant-id %u", dev, ld->tenant_id);
4204  goto bad_mapping;
4205  }
4206 
4207  ld->tenant_id = tenant_id;
4208  ld->tenant_id_set = true;
4209 
4210  if (DetectEngineTenantRegisterLivedev(tenant_id, ld->id) != 0) {
4211  goto error;
4212  }
4213 
4214  SCLogConfig("device %s connected to tenant-id %u", dev, tenant_id);
4215  mapping_cnt++;
4216  continue;
4217 
4218  bad_mapping:
4219  if (failure_fatal)
4220  goto error;
4221  }
4222  }
4223  SCLogConfig("%d device - tenant-id mappings defined", mapping_cnt);
4224  return mapping_cnt;
4225 
4226 error:
4227  return 0;
4228 }
4229 
4230 static int DetectEngineMultiTenantSetupLoadVlanMappings(
4231  const SCConfNode *mappings_root_node, bool failure_fatal)
4232 {
4233  SCConfNode *mapping_node = NULL;
4234 
4235  int mapping_cnt = 0;
4236  if (mappings_root_node != NULL) {
4237  TAILQ_FOREACH(mapping_node, &mappings_root_node->head, next) {
4238  SCConfNode *tenant_id_node = SCConfNodeLookupChild(mapping_node, "tenant-id");
4239  if (tenant_id_node == NULL)
4240  goto bad_mapping;
4241  SCConfNode *vlan_id_node = SCConfNodeLookupChild(mapping_node, "vlan-id");
4242  if (vlan_id_node == NULL)
4243  goto bad_mapping;
4244 
4245  uint32_t tenant_id = 0;
4246  if (StringParseUint32(&tenant_id, 10, (uint16_t)strlen(tenant_id_node->val),
4247  tenant_id_node->val) < 0) {
4248  SCLogError("tenant-id "
4249  "of %s is invalid",
4250  tenant_id_node->val);
4251  goto bad_mapping;
4252  }
4253 
4254  uint16_t vlan_id = 0;
4255  if (StringParseUint16(
4256  &vlan_id, 10, (uint16_t)strlen(vlan_id_node->val), vlan_id_node->val) < 0) {
4257  SCLogError("vlan-id "
4258  "of %s is invalid",
4259  vlan_id_node->val);
4260  goto bad_mapping;
4261  }
4262  if (vlan_id == 0 || vlan_id >= 4095) {
4263  SCLogError("vlan-id "
4264  "of %s is invalid. Valid range 1-4094.",
4265  vlan_id_node->val);
4266  goto bad_mapping;
4267  }
4268 
4269  if (DetectEngineTenantRegisterVlanId(tenant_id, vlan_id) != 0) {
4270  goto error;
4271  }
4272  SCLogConfig("vlan %u connected to tenant-id %u", vlan_id, tenant_id);
4273  mapping_cnt++;
4274  continue;
4275 
4276  bad_mapping:
4277  if (failure_fatal)
4278  goto error;
4279  }
4280  }
4281  return mapping_cnt;
4282 
4283 error:
4284  return 0;
4285 }
4286 
4287 /**
4288  * \brief setup multi-detect / multi-tenancy
4289  *
4290  * See if MT is enabled. If so, setup the selector, tenants and mappings.
4291  * Tenants and mappings are optional, and can also dynamically be added
4292  * and removed from the unix socket.
4293  */
4294 int DetectEngineMultiTenantSetup(const bool unix_socket)
4295 {
4296  enum DetectEngineTenantSelectors tenant_selector = TENANT_SELECTOR_UNKNOWN;
4297  DetectEngineMasterCtx *master = &g_master_de_ctx;
4298  int failure_fatal = 0;
4299  (void)SCConfGetBool("engine.init-failure-fatal", &failure_fatal);
4300 
4301  int enabled = 0;
4302  (void)SCConfGetBool("multi-detect.enabled", &enabled);
4303  if (enabled == 1) {
4304  DetectLoadersInit();
4305  TmModuleDetectLoaderRegister();
4306  DetectLoaderThreadSpawn();
4307  TmThreadContinueDetectLoaderThreads();
4308 
4309  SCMutexLock(&master->lock);
4310  master->multi_tenant_enabled = 1;
4311 
4312  const char *handler = NULL;
4313  if (SCConfGet("multi-detect.selector", &handler) == 1) {
4314  SCLogConfig("multi-tenant selector type %s", handler);
4315 
4316  if (strcmp(handler, "vlan") == 0) {
4317  tenant_selector = master->tenant_selector = TENANT_SELECTOR_VLAN;
4318 
4319  int vlanbool = 0;
4320  if ((SCConfGetBool("vlan.use-for-tracking", &vlanbool)) == 1 && vlanbool == 0) {
4321  SCLogError("vlan tracking is disabled, "
4322  "can't use multi-detect selector 'vlan'");
4323  SCMutexUnlock(&master->lock);
4324  goto error;
4325  }
4326 
4327  } else if (strcmp(handler, "direct") == 0) {
4328  tenant_selector = master->tenant_selector = TENANT_SELECTOR_DIRECT;
4329  } else if (strcmp(handler, "device") == 0) {
4330  tenant_selector = master->tenant_selector = TENANT_SELECTOR_LIVEDEV;
4331  if (EngineModeIsIPS()) {
4332  SCLogWarning("multi-tenant 'device' mode not supported for IPS");
4333  SCMutexUnlock(&master->lock);
4334  goto error;
4335  }
4336 
4337  } else {
4338  SCLogError("unknown value %s "
4339  "multi-detect.selector",
4340  handler);
4341  SCMutexUnlock(&master->lock);
4342  goto error;
4343  }
4344  }
4345  SCMutexUnlock(&master->lock);
4346  SCLogConfig("multi-detect is enabled (multi tenancy). Selector: %s", handler);
4347 
4348  /* traffic -- tenant mappings */
4349  SCConfNode *mappings_root_node = SCConfGetNode("multi-detect.mappings");
4350 
4351  if (tenant_selector == TENANT_SELECTOR_VLAN) {
4352  int mapping_cnt = DetectEngineMultiTenantSetupLoadVlanMappings(mappings_root_node,
4353  failure_fatal);
4354  if (mapping_cnt == 0) {
4355  /* no mappings are valid when we're in unix socket mode,
4356  * they can be added on the fly. Otherwise warn/error
4357  * depending on failure_fatal */
4358 
4359  if (unix_socket) {
4360  SCLogNotice("no tenant traffic mappings defined, "
4361  "tenants won't be used until mappings are added");
4362  } else {
4363  if (failure_fatal) {
4364  SCLogError("no multi-detect mappings defined");
4365  goto error;
4366  } else {
4367  SCLogWarning("no multi-detect mappings defined");
4368  }
4369  }
4370  }
4371  } else if (tenant_selector == TENANT_SELECTOR_LIVEDEV) {
4372  int mapping_cnt = DetectEngineMultiTenantSetupLoadLivedevMappings(mappings_root_node,
4373  failure_fatal);
4374  if (mapping_cnt == 0) {
4375  if (failure_fatal) {
4376  SCLogError("no multi-detect mappings defined");
4377  goto error;
4378  } else {
4379  SCLogWarning("no multi-detect mappings defined");
4380  }
4381  }
4382  }
4383 
4384  /* tenants */
4385  SCConfNode *tenants_root_node = SCConfGetNode("multi-detect.tenants");
4386  SCConfNode *tenant_node = NULL;
4387 
4388  if (tenants_root_node != NULL) {
4389  const char *path = NULL;
4390  SCConfNode *path_node = SCConfGetNode("multi-detect.config-path");
4391  if (path_node) {
4392  path = path_node->val;
4393  SCLogConfig("tenants config path: %s", path);
4394  }
4395 
4396  TAILQ_FOREACH(tenant_node, &tenants_root_node->head, next) {
4397  SCConfNode *id_node = SCConfNodeLookupChild(tenant_node, "id");
4398  if (id_node == NULL) {
4399  goto bad_tenant;
4400  }
4401  SCConfNode *yaml_node = SCConfNodeLookupChild(tenant_node, "yaml");
4402  if (yaml_node == NULL) {
4403  goto bad_tenant;
4404  }
4405 
4406  uint32_t tenant_id = 0;
4407  if (StringParseUint32(
4408  &tenant_id, 10, (uint16_t)strlen(id_node->val), id_node->val) < 0) {
4409  SCLogError("tenant_id "
4410  "of %s is invalid",
4411  id_node->val);
4412  goto bad_tenant;
4413  }
4414  SCLogDebug("tenant id: %u, %s", tenant_id, yaml_node->val);
4415 
4416  char yaml_path[PATH_MAX] = "";
4417  if (path) {
4418  PathMerge(yaml_path, PATH_MAX, path, yaml_node->val);
4419  } else {
4420  strlcpy(yaml_path, yaml_node->val, sizeof(yaml_path));
4421  }
4422  SCLogDebug("tenant path: %s", yaml_path);
4423 
4424  /* setup the yaml in this loop so that it's not done by the loader
4425  * threads. SCConfYamlLoadFileWithPrefix is not thread safe. */
4426  char prefix[64];
4427  snprintf(prefix, sizeof(prefix), "multi-detect.%u", tenant_id);
4428  if (SCConfYamlLoadFileWithPrefix(yaml_path, prefix) != 0) {
4429  SCLogError("failed to load yaml %s", yaml_path);
4430  goto bad_tenant;
4431  }
4432 
4433  int r = DetectLoaderSetupLoadTenant(tenant_id, yaml_path);
4434  if (r < 0) {
4435  /* error logged already */
4436  goto bad_tenant;
4437  }
4438  continue;
4439 
4440  bad_tenant:
4441  if (failure_fatal)
4442  goto error;
4443  }
4444  }
4445 
4446  /* wait for our loaders to complete their tasks */
4447  if (DetectLoadersSync() != 0) {
4448  goto error;
4449  }
4450 
4451  VarNameStoreActivate();
4452 
4453  } else {
4454  SCLogDebug("multi-detect not enabled (multi tenancy)");
4455  }
4456  return 0;
4457 error:
4458  return -1;
4459 }
4460 
4461 static uint32_t DetectEngineTenantGetIdFromVlanId(const void *ctx, const Packet *p)
4462 {
4463  const DetectEngineThreadCtx *det_ctx = ctx;
4464  uint32_t x = 0;
4465  uint32_t vlan_id = 0;
4466 
4467  if (p->vlan_idx == 0)
4468  return 0;
4469 
4470  vlan_id = p->vlan_id[0];
4471 
4472  if (det_ctx == NULL || det_ctx->tenant_array == NULL || det_ctx->tenant_array_size == 0)
4473  return 0;
4474 
4475  /* not very efficient, but for now we're targeting only limited amounts.
4476  * Can use hash/tree approach later. */
4477  for (x = 0; x < det_ctx->tenant_array_size; x++) {
4478  if (det_ctx->tenant_array[x].traffic_id == vlan_id)
4479  return det_ctx->tenant_array[x].tenant_id;
4480  }
4481 
4482  return 0;
4483 }
4484 
4485 static uint32_t DetectEngineTenantGetIdFromLivedev(const void *ctx, const Packet *p)
4486 {
4487  const DetectEngineThreadCtx *det_ctx = ctx;
4488  const LiveDevice *ld = p->livedev;
4489 
4490  if (ld == NULL || det_ctx == NULL)
4491  return 0;
4492 
4493  SCLogDebug("using tenant-id %u for packet on device %s", ld->tenant_id, ld->dev);
4494  return ld->tenant_id;
4495 }
4496 
4497 static int DetectEngineTenantRegisterSelector(
4498  enum DetectEngineTenantSelectors selector, uint32_t tenant_id, uint32_t traffic_id)
4499 {
4500  DetectEngineMasterCtx *master = &g_master_de_ctx;
4501  SCMutexLock(&master->lock);
4502 
4503  if (!(master->tenant_selector == TENANT_SELECTOR_UNKNOWN || master->tenant_selector == selector)) {
4504  SCLogInfo("conflicting selector already set");
4505  SCMutexUnlock(&master->lock);
4506  return -1;
4507  }
4508 
4509  DetectEngineTenantMapping *m = master->tenant_mapping_list;
4510  while (m) {
4511  if (m->traffic_id == traffic_id) {
4512  SCLogInfo("traffic id already registered");
4513  SCMutexUnlock(&master->lock);
4514  return -1;
4515  }
4516  m = m->next;
4517  }
4518 
4519  DetectEngineTenantMapping *map = SCCalloc(1, sizeof(*map));
4520  if (map == NULL) {
4521  SCLogInfo("memory fail");
4522  SCMutexUnlock(&master->lock);
4523  return -1;
4524  }
4525  map->traffic_id = traffic_id;
4526  map->tenant_id = tenant_id;
4527 
4528  map->next = master->tenant_mapping_list;
4529  master->tenant_mapping_list = map;
4530 
4531  master->tenant_selector = selector;
4532 
4533  SCLogDebug("tenant handler %u %u %u registered", selector, tenant_id, traffic_id);
4534  SCMutexUnlock(&master->lock);
4535  return 0;
4536 }
4537 
4538 static int DetectEngineTenantUnregisterSelector(
4539  enum DetectEngineTenantSelectors selector, uint32_t tenant_id, uint32_t traffic_id)
4540 {
4541  DetectEngineMasterCtx *master = &g_master_de_ctx;
4542  SCMutexLock(&master->lock);
4543 
4544  if (master->tenant_mapping_list == NULL) {
4545  SCMutexUnlock(&master->lock);
4546  return -1;
4547  }
4548 
4549  DetectEngineTenantMapping *prev = NULL;
4550  DetectEngineTenantMapping *map = master->tenant_mapping_list;
4551  while (map) {
4552  if (map->traffic_id == traffic_id &&
4553  map->tenant_id == tenant_id)
4554  {
4555  if (prev != NULL)
4556  prev->next = map->next;
4557  else
4558  master->tenant_mapping_list = map->next;
4559 
4560  map->next = NULL;
4561  SCFree(map);
4562  SCLogInfo("tenant handler %u %u %u unregistered", selector, tenant_id, traffic_id);
4563  SCMutexUnlock(&master->lock);
4564  return 0;
4565  }
4566  prev = map;
4567  map = map->next;
4568  }
4569 
4570  SCMutexUnlock(&master->lock);
4571  return -1;
4572 }
4573 
4574 int DetectEngineTenantRegisterLivedev(uint32_t tenant_id, int device_id)
4575 {
4576  return DetectEngineTenantRegisterSelector(
4577  TENANT_SELECTOR_LIVEDEV, tenant_id, (uint32_t)device_id);
4578 }
4579 
4580 int DetectEngineTenantRegisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
4581 {
4582  return DetectEngineTenantRegisterSelector(TENANT_SELECTOR_VLAN, tenant_id, (uint32_t)vlan_id);
4583 }
4584 
4585 int DetectEngineTenantUnregisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
4586 {
4587  return DetectEngineTenantUnregisterSelector(TENANT_SELECTOR_VLAN, tenant_id, (uint32_t)vlan_id);
4588 }
4589 
4590 int DetectEngineTenantRegisterPcapFile(uint32_t tenant_id)
4591 {
4592  SCLogInfo("registering %u %d 0", TENANT_SELECTOR_DIRECT, tenant_id);
4593  return DetectEngineTenantRegisterSelector(TENANT_SELECTOR_DIRECT, tenant_id, 0);
4594 }
4595 
4596 int DetectEngineTenantUnregisterPcapFile(uint32_t tenant_id)
4597 {
4598  SCLogInfo("unregistering %u %d 0", TENANT_SELECTOR_DIRECT, tenant_id);
4599  return DetectEngineTenantUnregisterSelector(TENANT_SELECTOR_DIRECT, tenant_id, 0);
4600 }
4601 
4602 static uint32_t DetectEngineTenantGetIdFromPcap(const void *ctx, const Packet *p)
4603 {
4604  return p->pcap_v.tenant_id;
4605 }
4606 
4607 DetectEngineCtx *DetectEngineGetByTenantId(uint32_t tenant_id)
4608 {
4609  DetectEngineMasterCtx *master = &g_master_de_ctx;
4610  SCMutexLock(&master->lock);
4611 
4612  if (master->list == NULL) {
4613  SCMutexUnlock(&master->lock);
4614  return NULL;
4615  }
4616 
4617  DetectEngineCtx *de_ctx = master->list;
4618  while (de_ctx) {
4619  if (de_ctx->type == DETECT_ENGINE_TYPE_TENANT &&
4620  de_ctx->tenant_id == tenant_id)
4621  {
4622  de_ctx->ref_cnt++;
4623  break;
4624  }
4625 
4626  de_ctx = de_ctx->next;
4627  }
4628 
4629  SCMutexUnlock(&master->lock);
4630  return de_ctx;
4631 }
4632 
4633 void DetectEngineDeReference(DetectEngineCtx **de_ctx)
4634 {
4635  BUG_ON((*de_ctx)->ref_cnt == 0);
4636  (*de_ctx)->ref_cnt--;
4637  *de_ctx = NULL;
4638 }
4639 
4640 static int DetectEngineAddToList(DetectEngineCtx *instance)
4641 {
4642  DetectEngineMasterCtx *master = &g_master_de_ctx;
4643 
4644  if (instance == NULL)
4645  return -1;
4646 
4647  if (master->list == NULL) {
4648  master->list = instance;
4649  } else {
4650  instance->next = master->list;
4651  master->list = instance;
4652  }
4653 
4654  return 0;
4655 }
4656 
4657 int DetectEngineAddToMaster(DetectEngineCtx *de_ctx)
4658 {
4659  int r;
4660 
4661  if (de_ctx == NULL)
4662  return -1;
4663 
4664  SCLogDebug("adding de_ctx %p to master", de_ctx);
4665 
4666  DetectEngineMasterCtx *master = &g_master_de_ctx;
4667  SCMutexLock(&master->lock);
4668  r = DetectEngineAddToList(de_ctx);
4669  SCMutexUnlock(&master->lock);
4670  return r;
4671 }
4672 
4673 static int DetectEngineMoveToFreeListNoLock(DetectEngineMasterCtx *master, DetectEngineCtx *de_ctx)
4674 {
4675  DetectEngineCtx *instance = master->list;
4676  if (instance == NULL) {
4677  return -1;
4678  }
4679 
4680  /* remove from active list */
4681  if (instance == de_ctx) {
4682  master->list = instance->next;
4683  } else {
4684  DetectEngineCtx *prev = instance;
4685  instance = instance->next; /* already checked first element */
4686 
4687  while (instance) {
4688  DetectEngineCtx *next = instance->next;
4689 
4690  if (instance == de_ctx) {
4691  prev->next = instance->next;
4692  break;
4693  }
4694 
4695  prev = instance;
4696  instance = next;
4697  }
4698  if (instance == NULL) {
4699  return -1;
4700  }
4701  }
4702 
4703  /* instance is now detached from list */
4704  instance->next = NULL;
4705 
4706  /* add to free list */
4707  if (master->free_list == NULL) {
4708  master->free_list = instance;
4709  } else {
4710  instance->next = master->free_list;
4711  master->free_list = instance;
4712  }
4713  SCLogDebug("detect engine %p moved to free list (%u refs)", de_ctx, de_ctx->ref_cnt);
4714  return 0;
4715 }
4716 
4717 int DetectEngineMoveToFreeList(DetectEngineCtx *de_ctx)
4718 {
4719  int ret = 0;
4720  DetectEngineMasterCtx *master = &g_master_de_ctx;
4721  SCMutexLock(&master->lock);
4722  ret = DetectEngineMoveToFreeListNoLock(master, de_ctx);
4723  SCMutexUnlock(&master->lock);
4724  return ret;
4725 }
4726 
4727 void DetectEnginePruneFreeList(void)
4728 {
4729  DetectEngineMasterCtx *master = &g_master_de_ctx;
4730  SCMutexLock(&master->lock);
4731 
4732  DetectEngineCtx *prev = NULL;
4733  DetectEngineCtx *instance = master->free_list;
4734  while (instance) {
4735  DetectEngineCtx *next = instance->next;
4736 
4737  SCLogDebug("detect engine %p has %u ref(s)", instance, instance->ref_cnt);
4738 
4739  if (instance->ref_cnt == 0) {
4740  if (prev == NULL) {
4741  master->free_list = next;
4742  } else {
4743  prev->next = next;
4744  }
4745 
4746  SCLogDebug("freeing detect engine %p", instance);
4747  DetectEngineCtxFree(instance);
4748  instance = NULL;
4749  }
4750 
4751  prev = instance;
4752  instance = next;
4753  }
4754  SCMutexUnlock(&master->lock);
4755 }
4756 
4757 void DetectEngineClearMaster(void)
4758 {
4759  DetectEngineMasterCtx *master = &g_master_de_ctx;
4760  SCMutexLock(&master->lock);
4761 
4762  DetectEngineCtx *instance = master->list;
4763  while (instance) {
4764  DetectEngineCtx *next = instance->next;
4765  DEBUG_VALIDATE_BUG_ON(instance->ref_cnt);
4766  SCLogDebug("detect engine %p has %u ref(s)", instance, instance->ref_cnt);
4767  instance->ref_cnt = 0;
4768  DetectEngineMoveToFreeListNoLock(master, instance);
4769  instance = next;
4770  }
4771  SCMutexUnlock(&master->lock);
4772  DetectEnginePruneFreeList();
4773 }
4774 
4775 static int reloads = 0;
4776 
4777 /** \brief Reload the detection engine
4778  *
4779  * \param filename YAML file to load for the detect config
4780  *
4781  * \retval -1 error
4782  * \retval 0 ok
4783  */
4784 int DetectEngineReload(const SCInstance *suri)
4785 {
4786  DetectEngineCtx *new_de_ctx = NULL;
4787  DetectEngineCtx *old_de_ctx = NULL;
4788 
4789  char prefix[128];
4790  memset(prefix, 0, sizeof(prefix));
4791 
4792  SCLogNotice("rule reload starting");
4793 
4794  if (suri->conf_filename != NULL) {
4795  snprintf(prefix, sizeof(prefix), "detect-engine-reloads.%d", reloads++);
4796  SCLogConfig("Reloading %s", suri->conf_filename);
4797  if (SCConfYamlLoadFileWithPrefix(suri->conf_filename, prefix) != 0) {
4798  SCLogError("failed to load yaml %s", suri->conf_filename);
4799  return -1;
4800  }
4801 
4802  SCConfNode *node = SCConfGetNode(prefix);
4803  if (node == NULL) {
4804  SCLogError("failed to properly setup yaml %s", suri->conf_filename);
4805  return -1;
4806  }
4807 
4808  if (suri->additional_configs) {
4809  for (int i = 0; suri->additional_configs[i] != NULL; i++) {
4810  SCLogConfig("Reloading %s", suri->additional_configs[i]);
4811  SCConfYamlHandleInclude(node, suri->additional_configs[i]);
4812  }
4813  }
4814 
4815 #if 0
4816  ConfDump();
4817 #endif
4818  }
4819 
4820  /* get a reference to the current de_ctx */
4821  old_de_ctx = DetectEngineGetCurrent();
4822  if (old_de_ctx == NULL)
4823  return -1;
4824  SCLogDebug("get ref to old_de_ctx %p", old_de_ctx);
4825  DatasetReload();
4826 
4827  /* only reload a regular 'normal' and 'delayed detect stub' detect engines */
4828  if (!(old_de_ctx->type == DETECT_ENGINE_TYPE_NORMAL ||
4829  old_de_ctx->type == DETECT_ENGINE_TYPE_DD_STUB))
4830  {
4831  DetectEngineDeReference(&old_de_ctx);
4832  SCLogNotice("rule reload complete");
4833  return -1;
4834  }
4835 
4836  /* get new detection engine */
4837  new_de_ctx = DetectEngineCtxInitWithPrefix(prefix, old_de_ctx->tenant_id);
4838  if (new_de_ctx == NULL) {
4839  SCLogError("initializing detection engine "
4840  "context failed.");
4841  DetectEngineDeReference(&old_de_ctx);
4842  return -1;
4843  }
4844  if (SigLoadSignatures(new_de_ctx,
4845  suri->sig_file, suri->sig_file_exclusive) != 0) {
4846  DetectEngineCtxFree(new_de_ctx);
4847  DetectEngineDeReference(&old_de_ctx);
4848  return -1;
4849  }
4850  SCLogDebug("set up new_de_ctx %p", new_de_ctx);
4851 
4852  /* Copy over callbacks. */
4853  new_de_ctx->RateFilterCallback = old_de_ctx->RateFilterCallback;
4854  new_de_ctx->rate_filter_callback_arg = old_de_ctx->rate_filter_callback_arg;
4855 
4856  /* add to master */
4857  DetectEngineAddToMaster(new_de_ctx);
4858 
4859  /* move to old free list */
4860  DetectEngineMoveToFreeList(old_de_ctx);
4861  DetectEngineDeReference(&old_de_ctx);
4862 
4863  SCLogDebug("going to reload the threads to use new_de_ctx %p", new_de_ctx);
4864  /* update the threads */
4865  DetectEngineReloadThreads(new_de_ctx);
4866  SCLogDebug("threads now run new_de_ctx %p", new_de_ctx);
4867 
4868  /* walk free list, freeing the old_de_ctx */
4869  DetectEnginePruneFreeList();
4870 
4871  DatasetPostReloadCleanup();
4872 
4873  DetectEngineBumpVersion();
4874 
4875  SCLogDebug("old_de_ctx should have been freed");
4876 
4877  SCLogNotice("rule reload complete");
4878 
4879 #ifdef HAVE_MALLOC_TRIM
4880  /* The reload process potentially frees up large amounts of memory.
4881  * Encourage the memory management system to reclaim as much as it
4882  * can.
4883  */
4884  malloc_trim(0);
4885 #endif
4886 
4887  return 0;
4888 }
4889 
4890 static uint32_t TenantIdHash(HashTable *h, void *data, uint16_t data_len)
4891 {
4892  DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;
4893  return det_ctx->tenant_id % h->array_size;
4894 }
4895 
4896 static char TenantIdCompare(void *d1, uint16_t d1_len, void *d2, uint16_t d2_len)
4897 {
4898  DetectEngineThreadCtx *det1 = (DetectEngineThreadCtx *)d1;
4899  DetectEngineThreadCtx *det2 = (DetectEngineThreadCtx *)d2;
4900  return (det1->tenant_id == det2->tenant_id);
4901 }
4902 
4903 static void TenantIdFree(void *d)
4904 {
4905  DetectEngineThreadCtxFree(d);
4906 }
4907 
4908 int DetectEngineMTApply(void)
4909 {
4910  DetectEngineMasterCtx *master = &g_master_de_ctx;
4911  SCMutexLock(&master->lock);
4912 
4913  if (master->tenant_selector == TENANT_SELECTOR_UNKNOWN) {
4914  SCLogInfo("error, no tenant selector");
4915  SCMutexUnlock(&master->lock);
4916  return -1;
4917  }
4918 
4919  DetectEngineCtx *stub_de_ctx = NULL;
4920  DetectEngineCtx *list = master->list;
4921  for ( ; list != NULL; list = list->next) {
4922  SCLogDebug("list %p tenant %u", list, list->tenant_id);
4923 
4924  if (list->type == DETECT_ENGINE_TYPE_NORMAL ||
4925  list->type == DETECT_ENGINE_TYPE_MT_STUB ||
4926  list->type == DETECT_ENGINE_TYPE_DD_STUB)
4927  {
4928  stub_de_ctx = list;
4929  break;
4930  }
4931  }
4932  if (stub_de_ctx == NULL) {
4933  stub_de_ctx = DetectEngineCtxInitStubForMT();
4934  if (stub_de_ctx == NULL) {
4935  SCMutexUnlock(&master->lock);
4936  return -1;
4937  }
4938 
4939  if (master->list == NULL) {
4940  master->list = stub_de_ctx;
4941  } else {
4942  stub_de_ctx->next = master->list;
4943  master->list = stub_de_ctx;
4944  }
4945  }
4946 
4947  /* update the threads */
4948  SCLogDebug("MT reload starting");
4949  DetectEngineReloadThreads(stub_de_ctx);
4950  SCLogDebug("MT reload done");
4951 
4952  SCMutexUnlock(&master->lock);
4953 
4954  /* walk free list, freeing the old_de_ctx */
4955  DetectEnginePruneFreeList();
4956  // needed for VarNameStoreFree
4957  DetectEngineBumpVersion();
4958 
4959  SCLogDebug("old_de_ctx should have been freed");
4960  return 0;
4961 }
4962 
4963 static int g_parse_metadata = 0;
4964 
4965 void DetectEngineSetParseMetadata(void)
4966 {
4967  g_parse_metadata = 1;
4968 }
4969 
4970 void DetectEngineUnsetParseMetadata(void)
4971 {
4972  g_parse_metadata = 0;
4973 }
4974 
4975 int DetectEngineMustParseMetadata(void)
4976 {
4977  return g_parse_metadata;
4978 }
4979 
4980 const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
4981 {
4982  switch (type) {
4983  case DETECT_SM_LIST_MATCH:
4984  return "packet";
4985  case DETECT_SM_LIST_PMATCH:
4986  return "packet/stream payload";
4987 
4988  case DETECT_SM_LIST_TMATCH:
4989  return "tag";
4990 
4991  case DETECT_SM_LIST_BASE64_DATA:
4992  return "base64_data";
4993 
4994  case DETECT_SM_LIST_POSTMATCH:
4995  return "post-match";
4996 
4997  case DETECT_SM_LIST_SUPPRESS:
4998  return "suppress";
4999  case DETECT_SM_LIST_THRESHOLD:
5000  return "threshold";
5001 
5002  case DETECT_SM_LIST_MAX:
5003  return "max (internal)";
5004  }
5005  return "error";
5006 }
5007 
5008 /* events api */
5009 void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e)
5010 {
5011  AppLayerDecoderEventsSetEventRaw(&det_ctx->decoder_events, e);
5012  det_ctx->events++;
5013 }
5014 
5015 bool DetectMd5ValidateCallback(
5016  const Signature *s, const char **sigerror, const DetectBufferType *map)
5017 {
5018  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
5019  if (s->init_data->buffers[x].id != (uint32_t)map->id)
5020  continue;
5021  const SigMatch *sm = s->init_data->buffers[x].head;
5022  for (; sm != NULL; sm = sm->next) {
5023  if (sm->type != DETECT_CONTENT)
5024  continue;
5025 
5026  const DetectContentData *cd = (DetectContentData *)sm->ctx;
5027  if (cd->flags & DETECT_CONTENT_NOCASE) {
5028  *sigerror = "md5-like keyword should not be used together with "
5029  "nocase, since the rule is automatically "
5030  "lowercased anyway which makes nocase redundant.";
5031  SCLogWarning("rule %u: buffer %s: %s", s->id, map->name, *sigerror);
5032  }
5033 
5034  if (cd->content_len != SC_MD5_HEX_LEN) {
5035  *sigerror = "Invalid length for md5-like keyword (should "
5036  "be 32 characters long). This rule will therefore "
5037  "never match.";
5038  SCLogError("rule %u: buffer %s: %s", s->id, map->name, *sigerror);
5039  return false;
5040  }
5041 
5042  for (size_t i = 0; i < cd->content_len; ++i) {
5043  if (!isxdigit(cd->content[i])) {
5044  *sigerror =
5045  "Invalid md5-like string (should be string of hexadecimal characters)."
5046  "This rule will therefore never match.";
5047  SCLogWarning("rule %u: buffer %s: %s", s->id, map->name, *sigerror);
5048  return false;
5049  }
5050  }
5051  }
5052  }
5053  return true;
5054 }
5055 
5056 void SCDetectEngineRegisterRateFilterCallback(SCDetectRateFilterFunc fn, void *arg)
5057 {
5058  DetectEngineCtx *de_ctx = DetectEngineGetCurrent();
5059  de_ctx->RateFilterCallback = fn;
5060  de_ctx->rate_filter_callback_arg = arg;
5061  DetectEngineDeReference(&de_ctx);
5062 }
5063 
5064 int DetectEngineThreadCtxGetJsonContext(DetectEngineThreadCtx *det_ctx)
5065 {
5066  if (det_ctx->json_content_len > SIG_JSON_CONTENT_ARRAY_LEN - 1) {
5067  SCLogDebug("json content length %u exceeds maximum %u", det_ctx->json_content_len,
5068  SIG_JSON_CONTENT_ARRAY_LEN);
5069  return -1;
5070  }
5071  if (det_ctx->json_content_len >= det_ctx->json_content_capacity) {
5072  if (det_ctx->json_content_capacity == 0) {
5073  det_ctx->json_content_capacity = 1;
5074  } else {
5075  det_ctx->json_content_capacity *= 2;
5076  }
5077  void *tmp = SCRealloc(
5078  det_ctx->json_content, det_ctx->json_content_capacity * sizeof(SigJsonContent));
5079  if (unlikely(tmp == NULL)) {
5080  return -1;
5081  }
5082  SCLogDebug("reallocated json content array to %u items", det_ctx->json_content_capacity);
5083  det_ctx->json_content = tmp;
5084  }
5085  return 0;
5086 }
5087 
5088 /*************************************Unittest*********************************/
5089 
5090 #ifdef UNITTESTS
5091 
5092 static int DetectEngineInitYamlConf(const char *conf)
5093 {
5094  SCConfCreateContextBackup();
5095  SCConfInit();
5096  return SCConfYamlLoadString(conf, strlen(conf));
5097 }
5098 
5099 static void DetectEngineDeInitYamlConf(void)
5100 {
5101  SCConfDeInit();
5102  SCConfRestoreContextBackup();
5103 }
5104 
5105 static int DetectEngineTest01(void)
5106 {
5107  const char *conf =
5108  "%YAML 1.1\n"
5109  "---\n"
5110  "detect-engine:\n"
5111  " - profile: medium\n"
5112  " - custom-values:\n"
5113  " toclient_src_groups: 2\n"
5114  " toclient_dst_groups: 2\n"
5115  " toclient_sp_groups: 2\n"
5116  " toclient_dp_groups: 3\n"
5117  " toserver_src_groups: 2\n"
5118  " toserver_dst_groups: 4\n"
5119  " toserver_sp_groups: 2\n"
5120  " toserver_dp_groups: 25\n"
5121  " - inspection-recursion-limit: 0\n";
5122 
5123  FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5124 
5125  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5126  FAIL_IF_NULL(de_ctx);
5127 
5128  FAIL_IF_NOT(de_ctx->inspection_recursion_limit == -1);
5129 
5130  DetectEngineCtxFree(de_ctx);
5131 
5132  DetectEngineDeInitYamlConf();
5133 
5134  PASS;
5135 }
5136 
5137 static int DetectEngineTest02(void)
5138 {
5139  const char *conf =
5140  "%YAML 1.1\n"
5141  "---\n"
5142  "detect-engine:\n"
5143  " - profile: medium\n"
5144  " - custom-values:\n"
5145  " toclient_src_groups: 2\n"
5146  " toclient_dst_groups: 2\n"
5147  " toclient_sp_groups: 2\n"
5148  " toclient_dp_groups: 3\n"
5149  " toserver_src_groups: 2\n"
5150  " toserver_dst_groups: 4\n"
5151  " toserver_sp_groups: 2\n"
5152  " toserver_dp_groups: 25\n"
5153  " - inspection-recursion-limit:\n";
5154 
5155  FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5156 
5157  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5158  FAIL_IF_NULL(de_ctx);
5159 
5160  FAIL_IF_NOT(
5161  de_ctx->inspection_recursion_limit == DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT);
5162 
5163  DetectEngineCtxFree(de_ctx);
5164 
5165  DetectEngineDeInitYamlConf();
5166 
5167  PASS;
5168 }
5169 
5170 static int DetectEngineTest03(void)
5171 {
5172  const char *conf =
5173  "%YAML 1.1\n"
5174  "---\n"
5175  "detect-engine:\n"
5176  " - profile: medium\n"
5177  " - custom-values:\n"
5178  " toclient_src_groups: 2\n"
5179  " toclient_dst_groups: 2\n"
5180  " toclient_sp_groups: 2\n"
5181  " toclient_dp_groups: 3\n"
5182  " toserver_src_groups: 2\n"
5183  " toserver_dst_groups: 4\n"
5184  " toserver_sp_groups: 2\n"
5185  " toserver_dp_groups: 25\n";
5186 
5187  FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5188 
5189  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5190  FAIL_IF_NULL(de_ctx);
5191 
5192  FAIL_IF_NOT(
5193  de_ctx->inspection_recursion_limit == DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT);
5194 
5195  DetectEngineCtxFree(de_ctx);
5196 
5197  DetectEngineDeInitYamlConf();
5198 
5199  PASS;
5200 }
5201 
5202 static int DetectEngineTest04(void)
5203 {
5204  const char *conf =
5205  "%YAML 1.1\n"
5206  "---\n"
5207  "detect-engine:\n"
5208  " - profile: medium\n"
5209  " - custom-values:\n"
5210  " toclient_src_groups: 2\n"
5211  " toclient_dst_groups: 2\n"
5212  " toclient_sp_groups: 2\n"
5213  " toclient_dp_groups: 3\n"
5214  " toserver_src_groups: 2\n"
5215  " toserver_dst_groups: 4\n"
5216  " toserver_sp_groups: 2\n"
5217  " toserver_dp_groups: 25\n"
5218  " - inspection-recursion-limit: 10\n";
5219 
5220  FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5221 
5222  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5223  FAIL_IF_NULL(de_ctx);
5224 
5225  FAIL_IF_NOT(de_ctx->inspection_recursion_limit == 10);
5226 
5227  DetectEngineCtxFree(de_ctx);
5228 
5229  DetectEngineDeInitYamlConf();
5230 
5231  PASS;
5232 }
5233 
5234 static int DetectEngineTest08(void)
5235 {
5236  const char *conf =
5237  "%YAML 1.1\n"
5238  "---\n"
5239  "detect-engine:\n"
5240  " - profile: custom\n"
5241  " - custom-values:\n"
5242  " toclient-groups: 23\n"
5243  " toserver-groups: 27\n";
5244 
5245  FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5246 
5247  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5248  FAIL_IF_NULL(de_ctx);
5249 
5250  FAIL_IF_NOT(de_ctx->max_uniq_toclient_groups == 23);
5251  FAIL_IF_NOT(de_ctx->max_uniq_toserver_groups == 27);
5252 
5253  DetectEngineCtxFree(de_ctx);
5254 
5255  DetectEngineDeInitYamlConf();
5256 
5257  PASS;
5258 }
5259 
5260 /** \test bug 892 bad values */
5261 static int DetectEngineTest09(void)
5262 {
5263  const char *conf =
5264  "%YAML 1.1\n"
5265  "---\n"
5266  "detect-engine:\n"
5267  " - profile: custom\n"
5268  " - custom-values:\n"
5269  " toclient-groups: BA\n"
5270  " toserver-groups: BA\n"
5271  " - inspection-recursion-limit: 10\n";
5272 
5273  FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5274 
5275  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5276  FAIL_IF_NULL(de_ctx);
5277 
5278  FAIL_IF_NOT(de_ctx->max_uniq_toclient_groups == 20);
5279  FAIL_IF_NOT(de_ctx->max_uniq_toserver_groups == 40);
5280 
5281  DetectEngineCtxFree(de_ctx);
5282 
5283  DetectEngineDeInitYamlConf();
5284 
5285  PASS;
5286 }
5287 
5288 #endif
5289 
5290 void DetectEngineRegisterTests(void)
5291 {
5292 #ifdef UNITTESTS
5293  UtRegisterTest("DetectEngineTest01", DetectEngineTest01);
5294  UtRegisterTest("DetectEngineTest02", DetectEngineTest02);
5295  UtRegisterTest("DetectEngineTest03", DetectEngineTest03);
5296  UtRegisterTest("DetectEngineTest04", DetectEngineTest04);
5297  UtRegisterTest("DetectEngineTest08", DetectEngineTest08);
5298  UtRegisterTest("DetectEngineTest09", DetectEngineTest09);
5299 #endif
5300 }
DetectEngineThreadCtx_::byte_values
uint64_t * byte_values
Definition: detect.h:1279
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DETECT_TABLE_APP_TD
@ DETECT_TABLE_APP_TD
Definition: detect.h:559
DetectEngineAppInspectionEngine_::stream
bool stream
Definition: detect.h:421
HashListTableGetListData
#define HashListTableGetListData(hb)
Definition: util-hashlist.h:56
DE_STATE_ID_FILE_INSPECT
#define DE_STATE_ID_FILE_INSPECT
Definition: detect-engine-state.h:59
SCProfilingSghThreadCleanup
void SCProfilingSghThreadCleanup(DetectEngineThreadCtx *det_ctx)
Definition: util-profiling-rulegroups.c:329
DetectEngineCtxInitWithPrefix
DetectEngineCtx * DetectEngineCtxInitWithPrefix(const char *prefix, uint32_t tenant_id)
Definition: detect-engine.c:2609
DetectEngineTenantMapping_
Definition: detect.h:1694
util-device-private.h
util-byte.h
DetectAppLayerMpmMultiRegister
void DetectAppLayerMpmMultiRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionMultiBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
Definition: detect-engine-mpm.c:170
SCConfYamlLoadString
int SCConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:523
tm-threads.h
DetectEngineAppInspectionEngine_
Definition: detect.h:416
DetectGetMultiData
InspectionBuffer * DetectGetMultiData(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id, uint32_t index, InspectionMultiBufferGetDataPtr GetBuf)
Definition: detect-engine.c:2135
util-hash-string.h
DetectBufferType_::supports_transforms
bool supports_transforms
Definition: detect.h:457
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:534
DetectEngineSyncer_::m
SCMutex m
Definition: detect-engine.c:1891
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:420
DetectBufferType_::mpm
bool mpm
Definition: detect.h:454
detect-content.h
detect-engine.h
DetectEngineResetMaxSigId
void DetectEngineResetMaxSigId(DetectEngineCtx *de_ctx)
Definition: detect-engine.c:3055
DetectEngineMTApply
int DetectEngineMTApply(void)
Definition: detect-engine.c:4908
SCProfilingKeywordDestroyCtx
void SCProfilingKeywordDestroyCtx(DetectEngineCtx *de_ctx)
Definition: util-profiling-keywords.c:268
DetectEngineBufferTypeSupportsPacketGetById
bool DetectEngineBufferTypeSupportsPacketGetById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1446
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:119
DetectEngineThreadCtxInitForReload
DetectEngineThreadCtx * DetectEngineThreadCtxInitForReload(ThreadVars *tv, DetectEngineCtx *new_de_ctx, int mt)
Definition: detect-engine.c:3452
DetectEngineThreadCtx_::to_clear_idx
uint32_t to_clear_idx
Definition: detect.h:1304
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SCConfNodeRemove
void SCConfNodeRemove(SCConfNode *node)
Remove (and SCFree) the provided configuration node.
Definition: conf.c:653
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:642
SCProfilingKeywordThreadCleanup
void SCProfilingKeywordThreadCleanup(DetectEngineThreadCtx *det_ctx)
Definition: util-profiling-keywords.c:338
THashDataGetResult::data
THashData * data
Definition: util-thash.h:192
AlertQueueFree
void AlertQueueFree(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine-alert.c:258
SCProfilingSghThreadSetup
void SCProfilingSghThreadSetup(SCProfileSghDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
Definition: util-profiling-rulegroups.c:294
DetectParseDupSigHashInit
int DetectParseDupSigHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table that is used to cull duplicate sigs.
Definition: detect-parse.c:3170
RELOAD
@ RELOAD
Definition: detect-engine.c:1886
DetectGetSingleData
InspectionBuffer * DetectGetSingleData(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id, InspectionSingleBufferGetDataPtr GetBuf)
Definition: detect-engine.c:2118
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
SIG_JSON_CONTENT_ARRAY_LEN
#define SIG_JSON_CONTENT_ARRAY_LEN
Definition: detect.h:1231
DetectLoaderThreadSpawn
void DetectLoaderThreadSpawn(void)
spawn the detect loader manager thread
Definition: detect-engine-loader.c:740
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SinglePatternMatchDefaultMatcher
uint8_t SinglePatternMatchDefaultMatcher(void)
Returns the single pattern matcher algorithm to be used, based on the spm-algo setting in yaml.
Definition: util-spm.c:68
DetectEngineDeReference
void DetectEngineDeReference(DetectEngineCtx **de_ctx)
Definition: detect-engine.c:4633
DETECT_CI_FLAGS_START
#define DETECT_CI_FLAGS_START
Definition: detect-engine-content-inspection.h:40
ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE
Definition: detect.h:1184
DetectEngineInspectBufferGeneric
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2059
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1446
DetectEngineMustParseMetadata
int DetectEngineMustParseMetadata(void)
Definition: detect-engine.c:4975
PKT_PSEUDO_LOG_FLUSH
#define PKT_PSEUDO_LOG_FLUSH
Definition: decode.h:1316
TAILQ_INIT
#define TAILQ_INIT(head)
Definition: queue.h:262
SignatureHook_::sm_list
int sm_list
Definition: detect.h:573
MpmFactoryDeRegisterAllMpmCtxProfiles
void MpmFactoryDeRegisterAllMpmCtxProfiles(DetectEngineCtx *de_ctx)
Definition: util-mpm.c:168
DETECT_TABLE_APP_FILTER
@ DETECT_TABLE_APP_FILTER
Definition: detect.h:558
DetectEngineThreadCtx_::counter_match_list
uint16_t counter_match_list
Definition: detect.h:1298
flow-util.h
DetectEnginePktInspectionEngine
Definition: detect.h:483
DetectEngineMasterCtx_::tenant_mapping_list
DetectEngineTenantMapping * tenant_mapping_list
Definition: detect.h:1725
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:314
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:47
DetectEngineAppInspectionEngine_::next
struct DetectEngineAppInspectionEngine_ * next
Definition: detect.h:441
DetectEngineInspectMultiBufferGeneric
uint8_t DetectEngineInspectMultiBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Definition: detect-engine.c:2159
detect-engine-siggroup.h
SigTableElmt_::name
const char * name
Definition: detect.h:1459
DetectEngineMasterCtx_::list
DetectEngineCtx * list
Definition: detect.h:1714
InspectionBuffer::initialized
bool initialized
Definition: detect-engine-inspect-buffer.h:38
MpmStoreFree
void MpmStoreFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by MpmStoreInit() function.
Definition: detect-engine-mpm.c:1573
DetectFrameMpmRegisterByParentId
void DetectFrameMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
Definition: detect-engine-mpm.c:370
DetectEngineBufferTypeSupportsPacket
void DetectEngineBufferTypeSupportsPacket(DetectEngineCtx *de_ctx, const char *name)
Definition: detect-engine.c:1413
DetectEngineBufferRunSetupCallback
void DetectEngineBufferRunSetupCallback(const DetectEngineCtx *de_ctx, const int id, Signature *s)
Definition: detect-engine.c:1483
DetectEngineCtx_::type
enum DetectEngineType type
Definition: detect.h:1053
DetectEnginePruneFreeList
void DetectEnginePruneFreeList(void)
Definition: detect-engine.c:4727
SigLoadSignatures
int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, bool sig_file_exclusive)
Load signatures.
Definition: detect-engine-loader.c:372
DetectEngineInspectBufferSingle
uint8_t DetectEngineInspectBufferSingle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1998
DetectThreadCtxGetKeywordThreadCtx
void * DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
Definition: detect-engine.c:3733
DetectEngineCtx_::guess_applayer
bool guess_applayer
Definition: detect.h:979
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
MPM_AC_KS
@ MPM_AC_KS
Definition: util-mpm.h:37
DetectAppLayerInspectEngineRegisterSingle
void DetectAppLayerInspectEngineRegisterSingle(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionSingleBufferGetDataPtr GetData)
Definition: detect-engine.c:294
DetectEngineTransforms
Definition: detect.h:391
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SIG_FLAG_INIT_NEED_FLUSH
#define SIG_FLAG_INIT_NEED_FLUSH
Definition: detect.h:297
MpmTableElmt_::name
const char * name
Definition: util-mpm.h:151
SCClassSCConfInit
void SCClassSCConfInit(DetectEngineCtx *de_ctx)
Definition: util-classification-config.c:61
DetectEngineCtxInitStubForDD
DetectEngineCtx * DetectEngineCtxInitStubForDD(void)
Definition: detect-engine.c:2599
KEYWORD_PROFILING_SET_LIST
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
Definition: util-profiling.h:46
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:69
DetectEngineCtx_::max_uniq_toclient_groups
uint16_t max_uniq_toclient_groups
Definition: detect.h:990
ActionInitConfig
int ActionInitConfig(void)
Load the action order from config. If none is provided, it will be default to ACTION_PASS,...
Definition: util-action.c:105
IDLE
@ IDLE
Definition: detect-engine.c:1885
DetectEngineCtx_::ref_cnt
uint32_t ref_cnt
Definition: detect.h:1056
DetectEngineAppInspectionEngine_::Callback
InspectEngineFuncPtr Callback
Definition: detect.h:434
PathMerge
int PathMerge(char *out_buf, size_t buf_size, const char *const dir, const char *const fname)
Definition: util-path.c:74
Signature_::alproto
AppProto alproto
Definition: detect.h:673
DETECT_TABLE_PACKET_PRE_STREAM
@ DETECT_TABLE_PACKET_PRE_STREAM
Definition: detect.h:555
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:275
SigString_
Definition: detect.h:867
PacketEnqueue
void PacketEnqueue(PacketQueue *q, Packet *p)
Definition: packet-queue.c:175
DetectEngineCtx_::filedata_config
DetectFileDataCfg * filedata_config
Definition: detect.h:1039
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
DetectEngineFrameInspectionEngine::sm_list_base
uint16_t sm_list_base
Definition: detect.h:514
DetectPort_::port
uint16_t port
Definition: detect.h:221
SigMatchData_::is_last
bool is_last
Definition: detect.h:367
DetectBufferTypeSupportsFrames
void DetectBufferTypeSupportsFrames(const char *name)
Definition: detect-engine.c:1239
DetectMpmInitializeFrameMpms
void DetectMpmInitializeFrameMpms(DetectEngineCtx *de_ctx)
Definition: detect-engine-mpm.c:472
PacketQueue_
simple fifo queue for packets with mutex and cond Calling the mutex or triggering the cond is respons...
Definition: packet-queue.h:49
Flow_::proto
uint8_t proto
Definition: flow.h:378
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:86
DETECT_SM_LIST_DYNAMIC_START
@ DETECT_SM_LIST_DYNAMIC_START
Definition: detect.h:138
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1087
DetectEngineThreadCtx_::decoder_events
AppLayerDecoderEvents * decoder_events
Definition: detect.h:1372
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:368
InspectionBuffer
Definition: detect-engine-inspect-buffer.h:34
DetectEngineThreadKeywordCtxItem_::InitFunc
void *(* InitFunc)(void *)
Definition: detect.h:886
Packet_::flags
uint32_t flags
Definition: decode.h:544
DetectEngineAppInspectionEngine_::GetData
InspectionBufferGetDataPtr GetData
Definition: detect.h:430
DetectEngineThreadKeywordCtxItem_
Definition: detect.h:885
DetectTable
DetectTable
Definition: detect.h:552
DetectEngineCtx_::pkt_mpms_list
DetectBufferMpmRegistry * pkt_mpms_list
Definition: detect.h:1089
Tmq_::pq
PacketQueue * pq
Definition: tm-queues.h:35
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:529
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:356
TmThreadContinueDetectLoaderThreads
void TmThreadContinueDetectLoaderThreads(void)
Unpauses all threads present in tv_root.
Definition: detect-engine-loader.c:649
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:133
DetectBufferTypeRegisterSetupCallback
void DetectBufferTypeRegisterSetupCallback(const char *name, void(*SetupCallback)(const DetectEngineCtx *, Signature *))
Definition: detect-engine.c:1473
SCConfYamlHandleInclude
int SCConfYamlHandleInclude(SCConfNode *parent, const char *filename)
Include a file in the configuration.
Definition: conf-yaml-loader.c:115
DetectEngineThreadKeywordCtxItem_::data
void * data
Definition: detect.h:888
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1349
util-hash.h
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:40
DetectEngineReloadTenantBlocking
int DetectEngineReloadTenantBlocking(uint32_t tenant_id, const char *yaml, int reload_cnt)
Reload a tenant and wait for loading to complete.
Definition: detect-engine.c:4145
ctx
struct Thresholds ctx
LiveDevice_
Definition: util-device-private.h:32
DetectEngineCtx_::inspection_recursion_limit
int inspection_recursion_limit
Definition: detect.h:973
SpmTableElmt_::name
const char * name
Definition: util-spm.h:60
LiveDevice_::tenant_id_set
bool tenant_id_set
Definition: util-device-private.h:36
DetectAddressMapFree
void DetectAddressMapFree(DetectEngineCtx *de_ctx)
Definition: detect-engine-address.c:1337
DetectEngineFrameInspectionEngine::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:518
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:337
DetectEngineReloadSetIdle
void DetectEngineReloadSetIdle(void)
Definition: detect-engine.c:1924
DetectBufferTypeRegisterValidateCallback
void DetectBufferTypeRegisterValidateCallback(const char *name, bool(*ValidateCallback)(const Signature *, const char **sigerror, const DetectBufferType *))
Definition: detect-engine.c:1491
LiveDevice_::id
uint16_t id
Definition: util-device-private.h:38
DetectEngineFrameInspectionEngine::v1
struct DetectEngineFrameInspectionEngine::@94 v1
DetectEnginePktInspectionEngine::smd
SigMatchData * smd
Definition: detect.h:484
DetectMetadataHashInit
int DetectMetadataHashInit(DetectEngineCtx *de_ctx)
Definition: detect-metadata.c:69
SCConfGet
int SCConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:350
DetectEngineThreadCtx_::lua_blocked_function_errors
uint16_t lua_blocked_function_errors
Definition: detect.h:1379
DetectEngineThreadCtx_::global_keyword_ctxs_array
void ** global_keyword_ctxs_array
Definition: detect.h:1370
DetectEngineGetCurrent
DetectEngineCtx * DetectEngineGetCurrent(void)
Definition: detect-engine.c:3842
TransformData_::options
void * options
Definition: detect.h:388
DetectEngineFrameInspectionEngine::mpm
bool mpm
Definition: detect.h:512
SCDetectRateFilterFunc
uint8_t(* SCDetectRateFilterFunc)(const Packet *p, uint32_t sid, uint32_t gid, uint32_t rev, uint8_t original_action, uint8_t new_action, void *arg)
Function type for rate filter callback.
Definition: detect.h:928
TmThreadCountThreadsByTmmFlags
uint32_t TmThreadCountThreadsByTmmFlags(uint8_t flags)
returns a count of all the threads that match the flag
Definition: tm-threads.c:2092
DetectBufferTypeSupportsMultiInstance
void DetectBufferTypeSupportsMultiInstance(const char *name)
Definition: detect-engine.c:1229
HashListTableGetListHead
HashListTableBucket * HashListTableGetListHead(HashListTable *ht)
Definition: util-hashlist.c:287
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
DetectEngineInspectPacketPayload
uint8_t DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature.
Definition: detect-engine-payload.c:152
DetectEngineAddToMaster
int DetectEngineAddToMaster(DetectEngineCtx *de_ctx)
Definition: detect-engine.c:4657
DetectEngineCtx_::mpm_cfg
MpmConfig * mpm_cfg
Definition: detect.h:936
InspectionBufferGetPktDataPtr
InspectionBuffer *(* InspectionBufferGetPktDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)
Definition: detect.h:478
SCSigSignatureOrderingModuleCleanup
void SCSigSignatureOrderingModuleCleanup(DetectEngineCtx *de_ctx)
De-registers all the signature ordering functions registered.
Definition: detect-engine-sigorder.c:939
DetectEngineBufferTypeGetNameById
const char * DetectEngineBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1309
DetectEngineCtx_::keyword_id
int keyword_id
Definition: detect.h:1035
DetectEngineMultiTenantSetup
int DetectEngineMultiTenantSetup(const bool unix_socket)
setup multi-detect / multi-tenancy
Definition: detect-engine.c:4294
PrefilterDeinit
void PrefilterDeinit(DetectEngineCtx *de_ctx)
Definition: detect-engine-prefilter.c:1420
SignatureProperties
Definition: detect.h:89
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
DetectBufferMpmRegistry_::next
struct DetectBufferMpmRegistry_ * next
Definition: detect.h:804
util-var-name.h
SIG_FLAG_REQUIRE_STREAM
#define SIG_FLAG_REQUIRE_STREAM
Definition: detect.h:255
HashTable_
Definition: util-hash.h:35
DetectEngineTenantMapping_::next
struct DetectEngineTenantMapping_ * next
Definition: detect.h:1700
DetectEngineSetEvent
void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e)
Definition: detect-engine.c:5009
SIG_FLAG_TXBOTHDIR
#define SIG_FLAG_TXBOTHDIR
Definition: detect.h:250
DetectEngineThreadCtx_::buffers_size
uint32_t buffers_size
Definition: detect.h:1303
DetectContentInspectionMatchOnAbsentBuffer
bool DetectContentInspectionMatchOnAbsentBuffer(const SigMatchData *smd)
tells if we should match on absent buffer, because there is an absent keyword being used
Definition: detect-engine-content-inspection.c:793
AppLayerDecoderEventsFreeEvents
void AppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
Definition: app-layer-events.c:136
SCConfGetBool
int SCConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
Definition: conf.c:497
DetectEngineCtx_::profile_sgh_ctx
struct SCProfileSghDetectCtx_ * profile_sgh_ctx
Definition: detect.h:1048
tv_root
ThreadVars * tv_root[TVT_MAX]
Definition: tm-threads.c:82
DetectBufferMpmRegistry_
one time registration of keywords at start up
Definition: detect.h:762
SCReferenceConfDeinit
void SCReferenceConfDeinit(DetectEngineCtx *de_ctx)
Definition: util-reference-config.c:72
DetectPort_::next
struct DetectPort_ * next
Definition: detect.h:234
DetectEngineCtx_::tcp_priorityports
DetectPort * tcp_priorityports
Definition: detect.h:1068
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *de_ctx)
Free a DetectEngineCtx::
Definition: detect-engine.c:2643
DetectEngineAppInspectionEngine_::sm_list_base
uint16_t sm_list_base
Definition: detect.h:425
DetectEngineThreadCtx_::spm_thread_ctx
SpmThreadCtx * spm_thread_ctx
Definition: detect.h:1276
DetectEngineReloadTenantsBlocking
int DetectEngineReloadTenantsBlocking(const int reload_cnt)
Reload all tenants and wait for loading to complete.
Definition: detect-engine.c:4159
InspectionBuffer::flags
uint8_t flags
Definition: detect-engine-inspect-buffer.h:39
detect-engine-frame.h
SCMUTEX_INITIALIZER
#define SCMUTEX_INITIALIZER
Definition: threads-debug.h:121
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:731
SCInstance_::conf_filename
const char * conf_filename
Definition: suricata.h:175
DetectEngineCtx_::prefilter_setting
enum DetectEnginePrefilterSetting prefilter_setting
Definition: detect.h:1064
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:608
DetectParseDupSigHashFree
void DetectParseDupSigHashFree(DetectEngineCtx *de_ctx)
Frees the hash table that is used to cull duplicate sigs.
Definition: detect-parse.c:3187
DetectBufferType_
Definition: detect.h:449
m
SCMutex m
Definition: flow-hash.h:6
DetectEngineThreadCtx_::multi_inspect
struct DetectEngineThreadCtx_::@110 multi_inspect
DetectEngineCtx_::udp_priorityports
DetectPort * udp_priorityports
Definition: detect.h:1069
DetectContentData_
Definition: detect-content.h:93
SCConfYamlLoadFileWithPrefix
int SCConfYamlLoadFileWithPrefix(const char *filename, const char *prefix)
Load configuration from a YAML file, insert in tree at 'prefix'.
Definition: conf-yaml-loader.c:553
StringParseInt32
int StringParseInt32(int32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:622
PrefilterGenericMpmFrameRegister
int PrefilterGenericMpmFrameRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-frame.c:208
DetectEngineGetVersion
uint32_t DetectEngineGetVersion(void)
Definition: detect-engine.c:3823
SCConfNodeLookupChildValue
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:824
SleepUsec
#define SleepUsec(usec)
Definition: tm-threads.h:44
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:56
ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL
Definition: detect.h:1183
HashListTableLookup
void * HashListTableLookup(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:245
detect-engine-payload.h
TVT_PPT
@ TVT_PPT
Definition: tm-threads-common.h:88
DetectEngineThreadCtx_::lua_instruction_limit_errors
uint16_t lua_instruction_limit_errors
Definition: detect.h:1382
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:272
DetectMd5ValidateCallback
bool DetectMd5ValidateCallback(const Signature *s, const char **sigerror, const DetectBufferType *map)
Definition: detect-engine.c:5015
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:82
DetectEngineMpmCachingEnabled
bool DetectEngineMpmCachingEnabled(void)
Definition: detect-engine.c:2464
DetectBufferIsPresent
bool DetectBufferIsPresent(const Signature *s, const uint32_t buf_id)
Definition: detect-engine.c:1513
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine-inspect-buffer.c:56
SigMatchData_
Data needed for Match()
Definition: detect.h:365
KEYWORD_PROFILING_START
#define KEYWORD_PROFILING_START
Definition: util-profiling.h:50
DetectEngineThreadCtx_::counter_fnonmpm_list
uint16_t counter_fnonmpm_list
Definition: detect.h:1297
SigMatchData_::type
uint16_t type
Definition: detect.h:366
DetectEngineCtx_::version
uint32_t version
Definition: detect.h:1013
ENGINE_PROFILE_HIGH
@ ENGINE_PROFILE_HIGH
Definition: detect.h:1177
DetectEnginePktInspectionEngine::v1
struct DetectEnginePktInspectionEngine::@93 v1
DetectPort_::port2
uint16_t port2
Definition: detect.h:222
DetectEngineCtx_::non_pf_engine_names
HashTable * non_pf_engine_names
Definition: detect.h:1142
DetectEngineThreadCtx_::counter_nonmpm_list
uint16_t counter_nonmpm_list
Definition: detect.h:1296
DetectEngineThreadCtx_::events
uint16_t events
Definition: detect.h:1373
detect-engine-prefilter.h
util-unittest.h
TransformData_
Definition: detect.h:386
PrefilterMultiGenericMpmRegister
int PrefilterMultiGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:1658
Signature_::frame_inspect
DetectEngineFrameInspectionEngine * frame_inspect
Definition: detect.h:727
DetectBufferTypeCloseRegistration
void DetectBufferTypeCloseRegistration(void)
Definition: detect-engine.c:1657
DetectEnginePktInspectionEngine::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:492
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:81
HashTableFree
void HashTableFree(HashTable *ht)
Definition: util-hash.c:78
TenantLoaderCtx_
Definition: detect-engine.c:4014
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1279
KEYWORD_PROFILING_END
#define KEYWORD_PROFILING_END(ctx, type, m)
Definition: util-profiling.h:64
DetectBufferTypeSupportsPacket
void DetectBufferTypeSupportsPacket(const char *name)
Definition: detect-engine.c:1249
DetectEngineFrameInspectionEngine::Callback
InspectionBufferFrameInspectFunc Callback
Definition: detect.h:516
HashListTableAdd
int HashListTableAdd(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:114
HashTable_::array_size
uint32_t array_size
Definition: util-hash.h:37
SigGroupHeadHashInit
int SigGroupHeadHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table in the detection engine context to hold the SigGroupHeads.
Definition: detect-engine-siggroup.c:244
InspectionBufferMultipleForList::size
uint32_t size
Definition: detect.h:381
SCRConfDeInitContext
void SCRConfDeInitContext(DetectEngineCtx *de_ctx)
Releases de_ctx resources related to Reference Config API.
Definition: util-reference-config.c:179
DetectEngineThreadCtx_::mt_det_ctxs_hash
HashTable * mt_det_ctxs_hash
Definition: detect.h:1256
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
DetectEnginePktInspectionRun
bool DetectEnginePktInspectionRun(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, uint8_t *alert_flags)
Definition: detect-engine.c:1814
DETECT_PREFILTER_AUTO
@ DETECT_PREFILTER_AUTO
Definition: detect.h:897
DetectEngineThreadCtx_::keyword_ctxs_size
int keyword_ctxs_size
Definition: detect.h:1367
HashListTable_::array_size
uint32_t array_size
Definition: util-hashlist.h:41
DetectAppLayerMpmRegisterByParentId
void DetectAppLayerMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
Definition: detect-engine-mpm.c:179
AlertQueueInit
void AlertQueueInit(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine-alert.c:245
DetectEngineThreadCtx_::lua_rule_errors
uint16_t lua_rule_errors
Definition: detect.h:1376
SigString_::sig_error
char * sig_error
Definition: detect.h:870
DetectEngineAppInspectionEngine_::id
uint8_t id
Definition: detect.h:419
DetectEngineThreadCtx_::counter_alerts_suppressed
uint16_t counter_alerts_suppressed
Definition: detect.h:1293
PacketQueue_::mutex_q
SCMutex mutex_q
Definition: packet-queue.h:56
DetectEngineCtx_::base64_decode_max_len
uint16_t base64_decode_max_len
Definition: detect.h:1020
SIGNATURE_HOOK_TYPE_APP
@ SIGNATURE_HOOK_TYPE_APP
Definition: detect.h:549
THV_RUNNING_DONE
#define THV_RUNNING_DONE
Definition: threadvars.h:46
PKT_SET_SRC
#define PKT_SET_SRC(p, src_val)
Definition: decode.h:1323
SCConfInit
void SCConfInit(void)
Initialize the configuration system.
Definition: conf.c:120
util-signal.h
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:424
TENANT_SELECTOR_UNKNOWN
@ TENANT_SELECTOR_UNKNOWN
Definition: detect.h:1688
DetectEngineMultiTenantEnabled
int DetectEngineMultiTenantEnabled(void)
Definition: detect-engine.c:3874
HashListTableGetListNext
#define HashListTableGetListNext(hb)
Definition: util-hashlist.h:55
InspectionBufferMultipleForList
Definition: detect.h:379
DetectEngineTenantMapping_::tenant_id
uint32_t tenant_id
Definition: detect.h:1695
ThreadVars_::tmm_flags
uint8_t tmm_flags
Definition: threadvars.h:79
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:127
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:271
app-layer-htp.h
DetectEngineTenantSelectors
DetectEngineTenantSelectors
Definition: detect.h:1687
DetectPortParse
int DetectPortParse(const DetectEngineCtx *de_ctx, DetectPort **head, const char *str)
Function for parsing port strings.
Definition: detect-engine-port.c:1182
InspectionBufferPktInspectFunc
int(* InspectionBufferPktInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags)
Definition: detect.h:471
datasets.h
InspectionBufferFree
void InspectionBufferFree(InspectionBuffer *buffer)
Definition: detect-engine-inspect-buffer.c:205
HashListTableInit
HashListTable * HashListTableInit(uint32_t size, uint32_t(*Hash)(struct HashListTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
Definition: util-hashlist.c:35
DetectEngineCtx_::requirements
SCDetectRequiresStatus * requirements
Definition: detect.h:1135
TAILQ_REMOVE
#define TAILQ_REMOVE(head, elm, field)
Definition: queue.h:312
SCRunmodeGet
SCRunMode SCRunmodeGet(void)
Get the current run mode.
Definition: suricata.c:279
SigTableElmt_::TransformValidate
bool(* TransformValidate)(const uint8_t *content, uint16_t content_len, void *context)
Definition: detect.h:1435
DetectEngineThreadCtx_::counter_alerts_overflow
uint16_t counter_alerts_overflow
Definition: detect.h:1291
util-debug.h
DetectBufferType_::ValidateCallback
bool(* ValidateCallback)(const struct Signature_ *, const char **sigerror, const struct DetectBufferType_ *)
Definition: detect.h:460
DetectEngineMoveToFreeList
int DetectEngineMoveToFreeList(DetectEngineCtx *de_ctx)
Definition: detect-engine.c:4717
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
util-error.h
DetectTableToString
const char * DetectTableToString(enum DetectTable table)
Definition: detect-engine.c:130
SpmInitGlobalThreadCtx
SpmGlobalThreadCtx * SpmInitGlobalThreadCtx(uint8_t matcher)
Definition: util-spm.c:138
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
SCProfilingPrefilterDestroyCtx
void SCProfilingPrefilterDestroyCtx(DetectEngineCtx *de_ctx)
Definition: util-profiling-prefilter.c:236
DetectEnginePktInspectionEngine::sm_list
uint16_t sm_list
Definition: detect.h:486
DetectEngineThreadCtx_::match_array_len
uint32_t match_array_len
Definition: detect.h:1338
DetectMpmInitializePktMpms
void DetectMpmInitializePktMpms(DetectEngineCtx *de_ctx)
Definition: detect-engine-mpm.c:639
DetectEngineThreadCtx_
Definition: detect.h:1244
ENGINE_PROFILE_LOW
@ ENGINE_PROFILE_LOW
Definition: detect.h:1175
PKT_STREAM_ADD
#define PKT_STREAM_ADD
Definition: decode.h:1258
DetectLoadersInit
void DetectLoadersInit(void)
Definition: detect-engine-loader.c:604
ThreadVars_::tm_slots
struct TmSlot_ * tm_slots
Definition: threadvars.h:96
SignatureInitData_::mpm_sm
SigMatch * mpm_sm
Definition: detect.h:623
DetectEngineBufferTypeGetDescriptionById
const char * DetectEngineBufferTypeGetDescriptionById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1387
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
DETECT_SM_LIST_BASE64_DATA
@ DETECT_SM_LIST_BASE64_DATA
Definition: detect.h:124
SIG_FLAG_FLUSH
#define SIG_FLAG_FLUSH
Definition: detect.h:259
DetectEngineThreadKeywordCtxItem_::id
int id
Definition: detect.h:890
PKT_PSEUDO_STREAM_END
#define PKT_PSEUDO_STREAM_END
Definition: decode.h:1266
DetectEngineThreadCtx_::buffers
InspectionBuffer * buffers
Definition: detect.h:1302
detect-engine-file.h
DetectEngineMasterCtx_::keyword_list
DetectEngineThreadKeywordCtxItem * keyword_list
Definition: detect.h:1730
SignatureInitData_::mpm_sm_list
int mpm_sm_list
Definition: detect.h:621
LiveGetDevice
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
Definition: util-device.c:268
flow-worker.h
SCConfGetInt
int SCConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
Definition: conf.c:414
DetectEngineMasterCtx_::tenant_selector
enum DetectEngineTenantSelectors tenant_selector
Definition: detect.h:1721
DetectEngineCtx_::keyword_hash
HashListTable * keyword_hash
Definition: detect.h:1037
BOOL2STR
#define BOOL2STR(b)
Definition: util-debug.h:535
DetectPktInspectEngineRegister
void DetectPktInspectEngineRegister(const char *name, InspectionBufferGetPktDataPtr GetPktData, InspectionBufferPktInspectFunc Callback)
register inspect engine at start up time
Definition: detect-engine.c:155
DetectEngineInspectStreamPayload
int DetectEngineInspectStreamPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature on the raw stream.
Definition: detect-engine-payload.c:248
util-reference-config.h
Packet_::pcap_v
PcapPacketVars pcap_v
Definition: decode.h:587
DetectEngineCtx_::failure_fatal
bool failure_fatal
Definition: detect.h:933
Signature_::pkt_inspect
DetectEnginePktInspectionEngine * pkt_inspect
Definition: detect.h:726
DetectEngineAppInspectionEngine_::GetMultiData
InspectionMultiBufferGetDataPtr GetMultiData
Definition: detect.h:432
SCEnter
#define SCEnter(...)
Definition: util-debug.h:277
detect-engine-mpm.h
DetectMetadataHashFree
void DetectMetadataHashFree(DetectEngineCtx *de_ctx)
Definition: detect-metadata.c:80
DetectBufferTypeMaxId
int DetectBufferTypeMaxId(void)
Definition: detect-engine.c:1036
DatasetPostReloadCleanup
void DatasetPostReloadCleanup(void)
Definition: datasets.c:569
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineBufferTypeValidateTransform
bool DetectEngineBufferTypeValidateTransform(DetectEngineCtx *de_ctx, int sm_list, const uint8_t *content, uint16_t content_len, const char **namestr)
Check content byte array compatibility with transforms.
Definition: detect-engine.c:1541
DetectEngineCtx_::sm_types_prefilter
bool * sm_types_prefilter
Definition: detect.h:1111
DetectEngineEnabled
int DetectEngineEnabled(void)
Check if detection is enabled.
Definition: detect-engine.c:3809
SigMatchList2DataArray
SigMatchData * SigMatchList2DataArray(SigMatch *head)
convert SigMatch list to SigMatchData array
Definition: detect-parse.c:2365
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3369
DetectEngineReloadIsIdle
int DetectEngineReloadIsIdle(void)
Definition: detect-engine.c:1932
DetectEngineFrameInspectionEngine::sm_list
uint16_t sm_list
Definition: detect.h:513
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:38
PKT_DETECT_HAS_STREAMDATA
#define PKT_DETECT_HAS_STREAMDATA
Definition: decode.h:1303
InspectionSingleBufferGetDataPtr
bool(* InspectionSingleBufferGetDataPtr)(const void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len)
Definition: detect-engine-helper.h:45
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:360
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:935
DETECT_TABLE_PACKET_PRE_FLOW
@ DETECT_TABLE_PACKET_PRE_FLOW
Definition: detect.h:554
detect-engine-port.h
LiveDevice_::tenant_id
uint32_t tenant_id
Definition: util-device-private.h:46
SCClassConfDeinit
void SCClassConfDeinit(DetectEngineCtx *de_ctx)
Definition: util-classification-config.c:81
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect-engine-inspect-buffer.h:36
ENGINE_PROFILE_CUSTOM
@ ENGINE_PROFILE_CUSTOM
Definition: detect.h:1178
DETECT_TABLE_PACKET_FILTER
@ DETECT_TABLE_PACKET_FILTER
Definition: detect.h:556
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
DetectEngineCtx_::frame_inspect_engines
DetectEngineFrameInspectionEngine * frame_inspect_engines
Definition: detect.h:1091
DetectEngineMasterCtx_::free_list
DetectEngineCtx * free_list
Definition: detect.h:1719
StringParseUint32
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:313
ENGINE_PROFILE_UNKNOWN
@ ENGINE_PROFILE_UNKNOWN
Definition: detect.h:1174
DetectEngineSyncState
DetectEngineSyncState
Definition: detect-engine.c:1884
LiveDevice_::dev
char * dev
Definition: util-device-private.h:33
PatternMatchThreadPrepare
void PatternMatchThreadPrepare(MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher)
Definition: detect-engine-mpm.c:922
DetectEngineThreadKeywordCtxItem_::next
struct DetectEngineThreadKeywordCtxItem_ * next
Definition: detect.h:889
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:117
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:255
HashTableAdd
int HashTableAdd(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash.c:104
DetectEngineBufferTypeRegister
int DetectEngineBufferTypeRegister(DetectEngineCtx *de_ctx, const char *name)
Definition: detect-engine.c:1366
DetectPort_
Port structure for detection engine.
Definition: detect.h:220
DetectEngineThreadCtx_::json_content_capacity
uint8_t json_content_capacity
Definition: detect.h:1282
app-layer-parser.h
Signature_::app_inspect
DetectEngineAppInspectionEngine * app_inspect
Definition: detect.h:725
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
ThreadVars_::next
struct ThreadVars_ * next
Definition: threadvars.h:125
DetectEngineContentInspection
bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, const uint32_t buffer_len, const uint64_t stream_start_offset, const uint8_t flags, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
Definition: detect-engine-content-inspection.c:749
SignatureInitData_::hook
SignatureHook hook
Definition: detect.h:590
SignatureHook_::t
union SignatureHook_::@95 t
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:317
hashlittle_safe
uint32_t hashlittle_safe(const void *key, size_t length, uint32_t initval)
Definition: util-hash-lookup3.c:482
DetectEngineThreadCtx_::base64_decoded_len
int base64_decoded_len
Definition: detect.h:1327
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2275
detect-engine-tag.h
DetectEngineThreadCtx_::lua_memory_limit_errors
uint16_t lua_memory_limit_errors
Definition: detect.h:1385
util-profiling.h
tv_root_lock
SCMutex tv_root_lock
Definition: tm-threads.c:85
DetectEngineInspectStream
uint8_t DetectEngineInspectStream(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
inspect engine for stateful rules
Definition: detect-engine-payload.c:298
SCDetectEngineRegisterRateFilterCallback
void SCDetectEngineRegisterRateFilterCallback(SCDetectRateFilterFunc fn, void *arg)
Register a callback when a rate_filter has been applied to an alert.
Definition: detect-engine.c:5056
DetectEngineLoadTenantBlocking
int DetectEngineLoadTenantBlocking(uint32_t tenant_id, const char *yaml)
Load a tenant and wait for loading to complete.
Definition: detect-engine.c:4131
TmModuleDetectLoaderRegister
void TmModuleDetectLoaderRegister(void)
Definition: detect-engine-loader.c:756
Signature_::flags
uint32_t flags
Definition: detect.h:669
DetectBufferType_::xform_id
TransformIdData xform_id[DETECT_TRANSFORMS_MAX]
Definition: detect.h:463
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2604
RuleMatchCandidateTxArrayFree
void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx)
Definition: detect.c:1086
DetectEngineInitializeFastPatternList
void DetectEngineInitializeFastPatternList(DetectEngineCtx *de_ctx)
Definition: detect-fast-pattern.c:149
Packet_
Definition: decode.h:501
DetectEngineFrameInspectionEngine::alproto
AppProto alproto
Definition: detect.h:509
DE_STATE_FLAG_BASE
#define DE_STATE_FLAG_BASE
Definition: detect-engine-state.h:63
detect-engine-build.h
type
uint16_t type
Definition: decode-vlan.c:106
conf-yaml-loader.h
SCRConfLoadReferenceConfigFile
int SCRConfLoadReferenceConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Reference info from the reference.config file.
Definition: util-reference-config.c:485
DetectEngineTenantRegisterLivedev
int DetectEngineTenantRegisterLivedev(uint32_t tenant_id, int device_id)
Definition: detect-engine.c:4574
PcapPacketVars_::tenant_id
uint32_t tenant_id
Definition: source-pcap.h:37
DETECT_CI_FLAGS_END
#define DETECT_CI_FLAGS_END
Definition: detect-engine-content-inspection.h:42
DetectEngineBufferTypeSupportsFrames
void DetectEngineBufferTypeSupportsFrames(DetectEngineCtx *de_ctx, const char *name)
Definition: detect-engine.c:1405
InspectionBufferFrameInspectFunc
int(* InspectionBufferFrameInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame)
Definition: detect.h:504
DetectEngineCtx_::frame_mpms_list
DetectBufferMpmRegistry * frame_mpms_list
Definition: detect.h:1092
detect-engine-alert.h
conf.h
DetectEngineCtx_::sgh_mpm_ctx_cnf
uint8_t sgh_mpm_ctx_cnf
Definition: detect.h:1033
DetectEngineAppInspectionEngine_::match_on_null
bool match_on_null
Definition: detect.h:423
DetectBufferType_::packet
bool packet
Definition: detect.h:455
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
DetectEngineMasterCtx_::multi_tenant_enabled
int multi_tenant_enabled
Definition: detect.h:1707
TmModuleGetById
TmModule * TmModuleGetById(int id)
Returns a TM Module by its id.
Definition: tm-modules.c:69
TmSlot_
Definition: tm-threads.h:53
DetectEngineFrameInspectionEngine
Definition: detect.h:508
TenantLoaderCtx
struct TenantLoaderCtx_ TenantLoaderCtx
util-magic.h
DetectEngineCtx_::max_uniq_toserver_groups
uint16_t max_uniq_toserver_groups
Definition: detect.h:991
DetectEngineBufferTypeGetById
const DetectBufferType * DetectEngineBufferTypeGetById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1299
Packet_::livedev
struct LiveDevice_ * livedev
Definition: decode.h:618
DETECT_TABLE_PACKET_TD
@ DETECT_TABLE_PACKET_TD
Definition: detect.h:557
TmEcode
TmEcode
Definition: tm-threads-common.h:80
DetectEnginePktInspectionEngine::Callback
InspectionBufferPktInspectFunc Callback
Definition: detect.h:490
DetectBufferType_::name
char name[64]
Definition: detect.h:450
ALPROTO_DOH2
@ ALPROTO_DOH2
Definition: app-layer-protos.h:66
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:747
name
const char * name
Definition: tm-threads.c:2163
DetectEngineSyncer_::state
enum DetectEngineSyncState state
Definition: detect-engine.c:1892
SpmMakeThreadCtx
SpmThreadCtx * SpmMakeThreadCtx(const SpmGlobalThreadCtx *global_thread_ctx)
Definition: util-spm.c:153
SCReferenceSCConfInit
void SCReferenceSCConfInit(DetectEngineCtx *de_ctx)
Definition: util-reference-config.c:52
DetectEngineCtx_::profile_keyword_ctx
struct SCProfileKeywordDetectCtx_ * profile_keyword_ctx
Definition: detect.h:1045
DetectEngineAppInspectionEngine_::GetDataSingle
InspectionSingleBufferGetDataPtr GetDataSingle
Definition: detect.h:431
SCInstance_::additional_configs
const char ** additional_configs
Definition: suricata.h:176
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1421
reputation.h
SCProfilingPrefilterThreadCleanup
void SCProfilingPrefilterThreadCleanup(DetectEngineThreadCtx *det_ctx)
Definition: util-profiling-prefilter.c:281
SCConfCreateContextBackup
void SCConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition: conf.c:684
util-action.h
HashListTable_
Definition: util-hashlist.h:37
DetectEngineThreadCtxGetJsonContext
int DetectEngineThreadCtxGetJsonContext(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine.c:5064
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:1010
DetectEngineTransforms::transforms
TransformData transforms[DETECT_TRANSFORMS_MAX]
Definition: detect.h:392
DetectEnginePktInspectionEngine::sm_list_base
uint16_t sm_list_base
Definition: detect.h:487
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:69
SIG_PROP_FLOW_ACTION_PACKET
@ SIG_PROP_FLOW_ACTION_PACKET
Definition: detect.h:84
signature_properties
const struct SignatureProperties signature_properties[SIG_TYPE_MAX]
Definition: detect-engine.c:115
DetectEngineCtx_::RateFilterCallback
SCDetectRateFilterFunc RateFilterCallback
Definition: detect.h:1147
runmodes.h
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:270
PacketQueue_::cond_q
SCCondT cond_q
Definition: packet-queue.h:57
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:225
TAILQ_FOREACH_SAFE
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)
Definition: queue.h:329
DetectEngineFrameInspectionEngine::dir
uint8_t dir
Definition: detect.h:510
SIG_FLAG_REQUIRE_STREAM_ONLY
#define SIG_FLAG_REQUIRE_STREAM_ONLY
Definition: detect.h:261
SpmDestroyGlobalThreadCtx
void SpmDestroyGlobalThreadCtx(SpmGlobalThreadCtx *global_thread_ctx)
Definition: util-spm.c:144
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:39
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition: detect.h:1345
DetectEngineRegisterTests
void DetectEngineRegisterTests(void)
Definition: detect-engine.c:5290
SigString_::filename
char * filename
Definition: detect.h:868
DetectBufferType_::multi_instance
bool multi_instance
Definition: detect.h:458
DetectLoaderQueueTask
int DetectLoaderQueueTask(int loader_id, LoaderFunc Func, void *func_ctx, LoaderFreeFunc FreeFunc)
Definition: detect-engine-loader.c:527
DETECT_ENGINE_TYPE_TENANT
@ DETECT_ENGINE_TYPE_TENANT
Definition: detect.h:905
DetectEngineBufferTypeSupportsTransformations
void DetectEngineBufferTypeSupportsTransformations(DetectEngineCtx *de_ctx, const char *name)
Definition: detect-engine.c:1429
PACKET_ALERT_FLAG_STREAM_MATCH
#define PACKET_ALERT_FLAG_STREAM_MATCH
Definition: decode.h:270
InspectionMultiBufferGetDataPtr
bool(* InspectionMultiBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const void *txv, const uint8_t flow_flags, uint32_t local_id, const uint8_t **buf, uint32_t *buf_len)
Definition: detect-engine-helper.h:42
DetectEngineBufferTypeSupportsMpmGetById
bool DetectEngineBufferTypeSupportsMpmGetById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1455
DetectEngineCtx_::config_prefix
char config_prefix[64]
Definition: detect.h:1051
DetectSigmatchListEnumToString
const char * DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
Definition: detect-engine.c:4980
TmModule_
Definition: tm-modules.h:47
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
DetectEngineAppInspectionEngine_::alproto
AppProto alproto
Definition: detect.h:417
SRepReloadComplete
void SRepReloadComplete(void)
Increment effective reputation version after a rule/reputation reload is complete.
Definition: reputation.c:161
SIG_FLAG_INIT_STATE_MATCH
#define SIG_FLAG_INIT_STATE_MATCH
Definition: detect.h:296
detect-engine-content-inspection.h
ThreadVars_::stream_pq
struct PacketQueue_ * stream_pq
Definition: threadvars.h:116
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:439
DetectEngineBufferTypeSupportsFramesGetById
bool DetectEngineBufferTypeSupportsFramesGetById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1464
DetectBufferType_::id
int id
Definition: detect.h:452
DetectEngineCtx_::spm_matcher
uint8_t spm_matcher
Definition: detect.h:937
DetectEngineBufferTypeRegisterWithFrameEngines
int DetectEngineBufferTypeRegisterWithFrameEngines(DetectEngineCtx *de_ctx, const char *name, const int direction, const AppProto alproto, const uint8_t frame_type)
Definition: detect-engine.c:1332
DetectEnginePktInspectionEngine::GetData
InspectionBufferGetPktDataPtr GetData
Definition: detect.h:489
SCConfNodeLookupChild
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:796
DETECT_ENGINE_TYPE_NORMAL
@ DETECT_ENGINE_TYPE_NORMAL
Definition: detect.h:902
FlowWorkerGetDetectCtxPtr
void * FlowWorkerGetDetectCtxPtr(void *flow_worker)
Definition: flow-worker.c:747
detect-fast-pattern.h
DetectBufferType_::frame
bool frame
Definition: detect.h:456
DetectEngineBufferTypeSupportsMultiInstanceGetById
bool DetectEngineBufferTypeSupportsMultiInstanceGetById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1437
SCCondSignal
#define SCCondSignal
Definition: threads-debug.h:139
ThreadVars_::inq
Tmq * inq
Definition: threadvars.h:90
util-conf.h
DetectEngineCtx_::sig_stat
SigFileLoaderStat sig_stat
Definition: detect.h:1102
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
DetectEngineFrameMpmRegister
void DetectEngineFrameMpmRegister(DetectEngineCtx *de_ctx, const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id), AppProto alproto, uint8_t type)
Definition: detect-engine-mpm.c:409
DetectEngineThreadCtx_::to_clear_queue
uint32_t * to_clear_queue
Definition: detect.h:1305
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@90 v2
SpmDestroyThreadCtx
void SpmDestroyThreadCtx(SpmThreadCtx *thread_ctx)
Definition: util-spm.c:163
DetectEngineCtx_::profile_prefilter_ctx
struct SCProfilePrefilterDetectCtx_ * profile_prefilter_ctx
Definition: detect.h:1046
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
TENANT_SELECTOR_DIRECT
@ TENANT_SELECTOR_DIRECT
Definition: detect.h:1689
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:49
DetectEnginePktInspectionSetup
int DetectEnginePktInspectionSetup(Signature *s)
Definition: detect-engine.c:1862
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1215
InspectEngineFuncPtr
uint8_t(* InspectEngineFuncPtr)(struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Definition: detect.h:411
SleepMsec
#define SleepMsec(msec)
Definition: tm-threads.h:45
flags
uint8_t flags
Definition: decode-gre.h:0
DetectRegisterThreadCtxFuncs
int DetectRegisterThreadCtxFuncs(DetectEngineCtx *de_ctx, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int mode)
Register Thread keyword context Funcs.
Definition: detect-engine.c:3663
MpmStoreInit
int MpmStoreInit(DetectEngineCtx *de_ctx)
Initializes the MpmStore mpm hash table to be used by the detection engine context.
Definition: detect-engine-mpm.c:1410
DetectEngineMasterCtx_::keyword_id
int keyword_id
Definition: detect.h:1731
DetectEngineCtx_::app_mpms_list
DetectBufferMpmRegistry * app_mpms_list
Definition: detect.h:1084
suricata-common.h
SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
@ SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
Definition: detect.h:86
DetectEngineCtxInitStubForMT
DetectEngineCtx * DetectEngineCtxInitStubForMT(void)
Definition: detect-engine.c:2594
SigMatch_::type
uint16_t type
Definition: detect.h:357
DetectBufferTypeSupportsMpm
void DetectBufferTypeSupportsMpm(const char *name)
Definition: detect-engine.c:1259
util-path.h
DetectEngineThreadCtx_::tenant_id
uint32_t tenant_id
Definition: detect.h:1247
HashListTableFree
void HashListTableFree(HashListTable *ht)
Definition: util-hashlist.c:88
detect-byte-extract.h
DetectEngineCtx_::buffer_type_hash_name
HashListTable * buffer_type_hash_name
Definition: detect.h:1079
DetectEngineCtx_::next
struct DetectEngineCtx_ * next
Definition: detect.h:1058
DETECT_TABLE_NOT_SET
@ DETECT_TABLE_NOT_SET
Definition: detect.h:553
DETECT_ENGINE_TYPE_DD_STUB
@ DETECT_ENGINE_TYPE_DD_STUB
Definition: detect.h:903
TENANT_SELECTOR_VLAN
@ TENANT_SELECTOR_VLAN
Definition: detect.h:1690
DetectEngineBumpVersion
void DetectEngineBumpVersion(void)
Definition: detect-engine.c:3833
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:94
DetectEngineFrameInspectionEngine::next
struct DetectEngineFrameInspectionEngine * next
Definition: detect.h:521
SignatureHook_::type
enum SignatureHookType type
Definition: detect.h:572
DetectEngineInspectFrameBufferGeneric
int DetectEngineInspectFrameBufferGeneric(DetectEngineThreadCtx *det_ctx, const DetectEngineFrameInspectionEngine *engine, const Signature *s, Packet *p, const Frames *frames, const Frame *frame)
Do the content inspection & validation for a signature.
Definition: detect-engine-frame.c:560
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3605
util-spm.h
DetectEnginePktInspectionEngine::next
struct DetectEnginePktInspectionEngine * next
Definition: detect.h:494
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:94
DetectEngineCtx_::rate_filter_callback_arg
void * rate_filter_callback_arg
Definition: detect.h:1150
DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT
#define DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT
Definition: detect-engine.c:95
version
uint8_t version
Definition: decode-gre.h:1
PostRuleMatchWorkQueue::q
PostRuleMatchWorkQueueItem * q
Definition: detect.h:1226
TransformIdData_::id_data_len
uint32_t id_data_len
Definition: detect.h:446
PatternMatchDefaultMatcher
uint8_t PatternMatchDefaultMatcher(void)
Function to return the multi pattern matcher algorithm to be used by the engine, based on the mpm-alg...
Definition: detect-engine-mpm.c:865
util-classification-config.h
SCConfDeInit
void SCConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:703
DetectEngineTenantRegisterPcapFile
int DetectEngineTenantRegisterPcapFile(uint32_t tenant_id)
Definition: detect-engine.c:4590
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
FatalError
#define FatalError(...)
Definition: util-debug.h:510
SigGroupHeadHashFree
void SigGroupHeadHashFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function.
Definition: detect-engine-siggroup.c:299
DetectEngineInspectGenericList
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1956
DetectEngineAppInspectionEngineSignatureFree
void DetectEngineAppInspectionEngineSignatureFree(DetectEngineCtx *de_ctx, Signature *s)
free app inspect engines for a signature
Definition: detect-engine.c:930
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER
Definition: detect-engine-content-inspection.h:33
util-hash-lookup3.h
DETECT_SM_LIST_TMATCH
@ DETECT_SM_LIST_TMATCH
Definition: detect.h:129
DetectEngineCtx_::loader_id
int loader_id
Definition: detect.h:1061
SCInstance_::sig_file
char * sig_file
Definition: suricata.h:138
TransformData_::transform
int transform
Definition: detect.h:387
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:37
DetectEngineCtx_::pkt_inspect_engines
DetectEnginePktInspectionEngine * pkt_inspect_engines
Definition: detect.h:1088
DetectEngineBufferTypeSupportsMpm
void DetectEngineBufferTypeSupportsMpm(DetectEngineCtx *de_ctx, const char *name)
Definition: detect-engine.c:1421
SIG_TYPE_MAX
@ SIG_TYPE_MAX
Definition: detect.h:79
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
DetectEngineCtx_::sm_types_silent_error
bool * sm_types_silent_error
Definition: detect.h:1112
DetectEngineAppInspectionEngine_::progress
int16_t progress
Definition: detect.h:426
DetectEngineThreadKeywordCtxItem_::FreeFunc
void(* FreeFunc)(void *)
Definition: detect.h:887
DetectBufferTypeGetDescriptionByName
const char * DetectBufferTypeGetDescriptionByName(const char *name)
Definition: detect-engine.c:1396
DetectEngineThreadCtx_::inspect
struct DetectEngineThreadCtx_::@109 inspect
app-layer-events.h
SignatureInitDataBuffer_::only_ts
bool only_ts
Definition: detect.h:532
util-validate.h
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:258
DetectEngineFreeFastPatternList
void DetectEngineFreeFastPatternList(DetectEngineCtx *de_ctx)
Definition: detect-fast-pattern.c:171
DetectBufferTypeSupportsTransformations
void DetectBufferTypeSupportsTransformations(const char *name)
Definition: detect-engine.c:1269
detect-engine-sigorder.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DetectEngineMpmCachingGetPath
const char * DetectEngineMpmCachingGetPath(void)
Definition: detect-engine.c:2473
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
DetectAddressMapInit
int DetectAddressMapInit(DetectEngineCtx *de_ctx)
Definition: detect-engine-address.c:1326
InjectPacketsForFlush
void InjectPacketsForFlush(ThreadVars **detect_tvs, int no_of_detect_tvs)
Definition: detect-engine.c:2249
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect-engine-inspect-buffer.h:37
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:647
DetectEngineCtx_::app_inspect_engines
DetectEngineAppInspectionEngine * app_inspect_engines
Definition: detect.h:1087
DetectEngineCtx_::filemagic_thread_ctx_id
int filemagic_thread_ctx_id
Definition: detect.h:982
SigJsonContent
Definition: detect.h:1236
DetectEngineSyncer_
Definition: detect-engine.c:1890
DetectEngineThreadCtx_::global_keyword_ctxs_size
int global_keyword_ctxs_size
Definition: detect.h:1369
MPM_HS
@ MPM_HS
Definition: util-mpm.h:38
DetectEngineThreadCtx_::json_content
SigJsonContent * json_content
Definition: detect.h:1281
PrefilterInit
void PrefilterInit(DetectEngineCtx *de_ctx)
Definition: detect-engine-prefilter.c:1427
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect-engine-inspect-buffer.h:35
DetectEngineThreadCtx_::tv
ThreadVars * tv
Definition: detect.h:1252
DetectThreadCtxGetGlobalKeywordThreadCtx
void * DetectThreadCtxGetGlobalKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
Definition: detect-engine.c:3797
SCConfGetNode
SCConfNode * SCConfGetNode(const char *name)
Get a SCConfNode by name.
Definition: conf.c:181
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:267
DETECT_TBLSIZE
int DETECT_TBLSIZE
Definition: detect-engine-register.c:290
SRepInit
int SRepInit(DetectEngineCtx *de_ctx)
init reputation
Definition: reputation.c:566
DetectEngineReloadStart
int DetectEngineReloadStart(void)
Definition: detect-engine.c:1898
DetectEngineUnsetParseMetadata
void DetectEngineUnsetParseMetadata(void)
Definition: detect-engine.c:4970
PKT_SRC_DETECT_RELOAD_FLUSH
@ PKT_SRC_DETECT_RELOAD_FLUSH
Definition: decode.h:61
DetectEngineThreadCtx_::counter_alerts
uint16_t counter_alerts
Definition: detect.h:1289
DetectEngineThreadCtx_::keyword_ctxs_array
void ** keyword_ctxs_array
Definition: detect.h:1366
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DetectEngineMasterCtx_
Definition: detect.h:1703
Signature_::id
uint32_t id
Definition: detect.h:713
HashListTableBucket_
Definition: util-hashlist.h:28
DetectEngineThreadKeywordCtxItem_::name
const char * name
Definition: detect.h:891
detect-tcphdr.h
DetectEngineCtx_::guess_applayer_log_limit
uint8_t guess_applayer_log_limit
Definition: detect.h:976
HashListTableRemove
int HashListTableRemove(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:154
DatasetReload
void DatasetReload(void)
Definition: datasets.c:543
DetectBufferType_::transforms
DetectEngineTransforms transforms
Definition: detect.h:462
detect-engine-iponly.h
SCConfRestoreContextBackup
void SCConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition: conf.c:694
DetectEngineType
DetectEngineType
Definition: detect.h:901
detect-parse.h
SignatureInitDataBuffer_::id
uint32_t id
Definition: detect.h:525
Signature_
Signature container.
Definition: detect.h:668
SigMatch_
a single match condition for a signature
Definition: detect.h:356
DetectEngineCtx_::tenant_path
char * tenant_path
Definition: detect.h:1132
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:436
DETECT_SM_LIST_MAX
@ DETECT_SM_LIST_MAX
Definition: detect.h:135
DetectBufferType_::parent_id
int parent_id
Definition: detect.h:453
DETECT_PREFILTER_MPM
@ DETECT_PREFILTER_MPM
Definition: detect.h:896
TenantLoaderCtx_::yaml
char * yaml
Definition: detect-engine.c:4017
InspectionBufferSetupAndApplyTransforms
void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, const DetectEngineTransforms *transforms)
setup the buffer with our initial data
Definition: detect-engine-inspect-buffer.c:197
TransformIdData_::id_data
const uint8_t * id_data
Definition: detect.h:445
DetectLoadersSync
int DetectLoadersSync(void)
wait for loader tasks to complete
Definition: detect-engine-loader.c:561
SCProfilingSghDestroyCtx
void SCProfilingSghDestroyCtx(DetectEngineCtx *de_ctx)
Definition: util-profiling-rulegroups.c:285
HashTableInit
HashTable * HashTableInit(uint32_t size, uint32_t(*Hash)(struct HashTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
Definition: util-hash.c:35
DetectEngineTenantMapping_::traffic_id
uint32_t traffic_id
Definition: detect.h:1698
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:33
spm_table
SpmTableElmt spm_table[SPM_TABLE_SIZE]
Definition: util-spm.c:62
DetectEngineReference
DetectEngineCtx * DetectEngineReference(DetectEngineCtx *de_ctx)
Definition: detect-engine.c:3865
DetectEngineThreadCtx_::base64_decoded
uint8_t * base64_decoded
Definition: detect.h:1326
TenantLoaderCtx_::reload_cnt
int reload_cnt
Definition: detect-engine.c:4016
ENGINE_PROFILE_MEDIUM
@ ENGINE_PROFILE_MEDIUM
Definition: detect.h:1176
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:47
DetectEngineSyncer
struct DetectEngineSyncer_ DetectEngineSyncer
DetectMpmInitializeAppMpms
void DetectMpmInitializeAppMpms(DetectEngineCtx *de_ctx)
Definition: detect-engine-mpm.c:247
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:242
MpmTableElmt_::ConfigDeinit
void(* ConfigDeinit)(MpmConfig **)
Definition: util-mpm.h:158
DetectEngineTransforms::cnt
int cnt
Definition: detect.h:393
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1364
InspectionBufferSetupMultiEmpty
void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer)
setup the buffer empty
Definition: detect-engine-inspect-buffer.c:144
suricata.h
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:950
MpmTableElmt_::ConfigCacheDirSet
void(* ConfigCacheDirSet)(MpmConfig *, const char *dir_path)
Definition: util-mpm.h:159
InspectionBufferGetDataPtr
InspectionBuffer *(* InspectionBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)
Definition: detect-engine-helper.h:39
DetectEngineAppInspectionEngine_::dir
uint8_t dir
Definition: detect.h:418
PmqFree
void PmqFree(PrefilterRuleStore *pmq)
Cleanup and free a Pmq.
Definition: util-prefilter.c:126
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
DETECT_ENGINE_TYPE_MT_STUB
@ DETECT_ENGINE_TYPE_MT_STUB
Definition: detect.h:904
SCConfNode_::name
char * name
Definition: conf.h:38
SignatureInitDataBuffer_::only_tc
bool only_tc
Definition: detect.h:531
detect-uricontent.h
DetectEngineCtx_::buffer_type_id
uint32_t buffer_type_id
Definition: detect.h:1081
ThresholdCacheThreadFree
void ThresholdCacheThreadFree(void)
Definition: detect-engine-threshold.c:454
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:528
SignatureHook_::app
struct SignatureHook_::@95::@96 app
RUNMODE_CONF_TEST
@ RUNMODE_CONF_TEST
Definition: runmodes.h:54
DetectEngineReload
int DetectEngineReload(const SCInstance *suri)
Reload the detection engine.
Definition: detect-engine.c:4784
DetectEngineBufferRunValidateCallback
bool DetectEngineBufferRunValidateCallback(const DetectEngineCtx *de_ctx, const int id, const Signature *s, const char **sigerror)
Definition: detect-engine.c:1502
DetectEngineCtx_::sigerror
const char * sigerror
Definition: detect.h:1025
DetectEngineThreadCtx_::json_content_len
uint8_t json_content_len
Definition: detect.h:1283
DetectBufferType_::SetupCallback
void(* SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *)
Definition: detect.h:459
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition: detect-engine.c:272
DetectEngineThreadCtx_::mt_det_ctxs_cnt
uint32_t mt_det_ctxs_cnt
Definition: detect.h:1254
DetectEngineContentInspectionBuffer
bool DetectEngineContentInspectionBuffer(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const InspectionBuffer *b, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
Definition: detect-engine-content-inspection.c:773
DetectEngineMasterCtx_::lock
SCMutex lock
Definition: detect.h:1704
DetectEnginePktInspectionEngine::mpm
bool mpm
Definition: detect.h:485
SCInstance_
Definition: suricata.h:133
DetectEngineCtx_::spm_global_thread_ctx
SpmGlobalThreadCtx * spm_global_thread_ctx
Definition: detect.h:986
DetectEngineClearMaster
void DetectEngineClearMaster(void)
Definition: detect-engine.c:4757
id
uint32_t id
Definition: detect-flowbits.c:938
SRepDestroy
void SRepDestroy(DetectEngineCtx *de_ctx)
Definition: reputation.c:649
MpmTableElmt_::ConfigInit
MpmConfig *(* ConfigInit)(void)
Definition: util-mpm.h:157
StatsRegisterAvgCounter
uint16_t StatsRegisterAvgCounter(const char *name, struct ThreadVars_ *tv)
Registers a counter, whose value holds the average of all the values assigned to it.
Definition: counters.c:972
SIG_PROP_FLOW_ACTION_FLOW
@ SIG_PROP_FLOW_ACTION_FLOW
Definition: detect.h:85
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1376
SigString_::sig_str
char * sig_str
Definition: detect.h:869
SCStatFn
#define SCStatFn(pathname, statbuf)
Definition: util-path.h:35
DetectUnregisterThreadCtxFuncs
int DetectUnregisterThreadCtxFuncs(DetectEngineCtx *de_ctx, void *data, const char *name)
Remove Thread keyword context registration.
Definition: detect-engine.c:3715
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:375
SCInstance_::sig_file_exclusive
bool sig_file_exclusive
Definition: suricata.h:139
DetectAppLayerMultiRegister
void DetectAppLayerMultiRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectionMultiBufferGetDataPtr GetData, int priority)
Definition: detect-engine.c:2109
DetectEngineFrameInspectEngineRegister
void DetectEngineFrameInspectEngineRegister(DetectEngineCtx *de_ctx, const char *name, int dir, InspectionBufferFrameInspectFunc Callback, AppProto alproto, uint8_t type)
register inspect engine at start up time
Definition: detect-engine.c:450
DetectEngineTenantRegisterVlanId
int DetectEngineTenantRegisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
Definition: detect-engine.c:4580
flow.h
DetectEngineSetParseMetadata
void DetectEngineSetParseMetadata(void)
Definition: detect-engine.c:4965
TmThreadsCheckFlag
int TmThreadsCheckFlag(ThreadVars *tv, uint32_t flag)
Check if a thread flag is set.
Definition: tm-threads.c:93
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:243
DetectPktMpmRegisterByParentId
void DetectPktMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
Definition: detect-engine-mpm.c:601
TENANT_SELECTOR_LIVEDEV
@ TENANT_SELECTOR_LIVEDEV
Definition: detect.h:1691
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
DetectEngineFrameInspectionEngine::type
uint8_t type
Definition: detect.h:511
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:952
DetectSigmatchListEnum
DetectSigmatchListEnum
Definition: detect.h:115
DetectEngineMasterCtx_::version
uint32_t version
Definition: detect.h:1710
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DetectEngineCtx_::sig_array_len
uint32_t sig_array_len
Definition: detect.h:951
util-enum.h
SCConfNode_
Definition: conf.h:37
DetectEngineTenantUnregisterPcapFile
int DetectEngineTenantUnregisterPcapFile(uint32_t tenant_id)
Definition: detect-engine.c:4596
TenantLoaderCtx_::tenant_id
uint32_t tenant_id
Definition: detect-engine.c:4015
DetectEngineCtx_::signum
uint32_t signum
Definition: detect.h:953
DetectEngineCtx_::tenant_id
uint32_t tenant_id
Definition: detect.h:939
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:648
detect-engine-loader.h
SigFileLoaderStat_
Signature loader statistics.
Definition: detect.h:876
SCConfNode_::val
char * val
Definition: conf.h:39
DetectEngineInspectPktBufferGeneric
int DetectEngineInspectPktBufferGeneric(DetectEngineThreadCtx *det_ctx, const DetectEnginePktInspectionEngine *engine, const Signature *s, Packet *p, uint8_t *_alert_flags)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2207
DetectEngineCtx_::buffer_type_hash_id
HashListTable * buffer_type_hash_id
Definition: detect.h:1080
DetectEngineGetByTenantId
DetectEngineCtx * DetectEngineGetByTenantId(uint32_t tenant_id)
Definition: detect-engine.c:4607
DetectPortCleanupList
void DetectPortCleanupList(const DetectEngineCtx *de_ctx, DetectPort *head)
Free a DetectPort list and each of its members.
Definition: detect-engine-port.c:124
SigTableElmt_::TransformId
void(* TransformId)(const uint8_t **data, uint32_t *length, void *context)
Definition: detect.h:1438
DETECT_SM_LIST_SUPPRESS
@ DETECT_SM_LIST_SUPPRESS
Definition: detect.h:132
SCMutex
#define SCMutex
Definition: threads-debug.h:114
InspectionBufferMultipleForList::inspection_buffers
InspectionBuffer * inspection_buffers
Definition: detect.h:380
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
DetectEngineAppInspectionEngine2Signature
int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-engine.c:800
SCClassConfLoadClassificationConfigFile
bool SCClassConfLoadClassificationConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Classtype info from the classification.config file.
Definition: util-classification-config.c:524
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine-inspect-buffer.c:157
DetectEngineTenantUnregisterVlanId
int DetectEngineTenantUnregisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
Definition: detect-engine.c:4585
SCStat
struct stat SCStat
Definition: util-path.h:33
detect-engine-address.h
PmqSetup
int PmqSetup(PrefilterRuleStore *pmq)
Setup a pmq.
Definition: util-prefilter.c:37
PatternMatchThreadDestroy
void PatternMatchThreadDestroy(MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher)
Definition: detect-engine-mpm.c:917
TmModule_::flags
uint8_t flags
Definition: tm-modules.h:80
VarNameStoreActivate
int VarNameStoreActivate(void)
Definition: util-var-name.c:214
DetectEngineThreadCtx_::counter_mpm_list
uint16_t counter_mpm_list
Definition: detect.h:1295
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine-inspect-buffer.c:76
RuleMatchCandidateTxArrayInit
void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size)
Definition: detect.c:1073
SCProfilingKeywordThreadSetup
void SCProfilingKeywordThreadSetup(SCProfileKeywordDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
Definition: util-profiling-keywords.c:284
util-threshold-config.h
DetectEngineReloadIsStart
int DetectEngineReloadIsStart(void)
Definition: detect-engine.c:1912
DetectRegisterThreadCtxGlobalFuncs
int DetectRegisterThreadCtxGlobalFuncs(const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *))
Register Thread keyword context Funcs (Global)
Definition: detect-engine.c:3753
DetectEngineThreadCtx_::post_rule_work_queue
PostRuleMatchWorkQueue post_rule_work_queue
Definition: detect.h:1347
DetectEngineThreadCtx_::tenant_array_size
uint32_t tenant_array_size
Definition: detect.h:1259
DetectEngineThreadCtx_::tenant_array
struct DetectEngineTenantMapping_ * tenant_array
Definition: detect.h:1258
suricata_ctl_flags
volatile uint8_t suricata_ctl_flags
Definition: suricata.c:172
detect-engine-threshold.h
TM_FLAG_FLOWWORKER_TM
#define TM_FLAG_FLOWWORKER_TM
Definition: tm-modules.h:34
FlowWorkerReplaceDetectCtx
void FlowWorkerReplaceDetectCtx(void *flow_worker, void *detect_ctx)
Definition: flow-worker.c:740
StringHashDjb2
uint32_t StringHashDjb2(const uint8_t *data, uint32_t datalen)
Definition: util-hash-string.c:22
DetectEngineBufferTypeGetByIdTransforms
int DetectEngineBufferTypeGetByIdTransforms(DetectEngineCtx *de_ctx, const int id, TransformData *transforms, int transform_cnt)
Definition: detect-engine.c:1664
DetectEngineThreadCtx_::TenantGetId
uint32_t(* TenantGetId)(const void *, const Packet *p)
Definition: detect.h:1261
SCProfilingPrefilterThreadSetup
void SCProfilingPrefilterThreadSetup(SCProfilePrefilterDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
Definition: util-profiling-prefilter.c:245
SCClassConfDeInitContext
void SCClassConfDeInitContext(DetectEngineCtx *de_ctx)
Releases resources used by the Classification Config API.
Definition: util-classification-config.c:190
PrefilterPktNonPFStatsDump
void PrefilterPktNonPFStatsDump(void)
Definition: detect-engine-prefilter.c:590
DetectBufferType_::description
char description[128]
Definition: detect.h:451
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:254
DetectEngineFrameInspectionEngine::smd
SigMatchData * smd
Definition: detect.h:520
DetectEngineThreadCtx_::match_array
Signature ** match_array
Definition: detect.h:1335
MPM_AC
@ MPM_AC
Definition: util-mpm.h:36