Go to the documentation of this file.
95 #define DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT 3000
102 static uint32_t TenantIdHash(
HashTable *h,
void *
data, uint16_t data_len);
103 static char TenantIdCompare(
void *d1, uint16_t d1_len,
void *d2, uint16_t d2_len);
104 static void TenantIdFree(
void *d);
105 static uint32_t DetectEngineTenantGetIdFromLivedev(
const void *
ctx,
const Packet *p);
106 static uint32_t DetectEngineTenantGetIdFromVlanId(
const void *
ctx,
const Packet *p);
107 static uint32_t DetectEngineTenantGetIdFromPcap(
const void *
ctx,
const Packet *p);
140 return "packet_filter";
174 FatalError(
"failed to register inspect engine %s: %s",
name, strerror(errno));
176 new_engine->
sm_list = (uint16_t)sm_list;
181 if (g_pkt_inspect_engines == NULL) {
182 g_pkt_inspect_engines = new_engine;
185 while (t->
next != NULL) {
189 t->
next = new_engine;
196 static void AppLayerInspectEngineRegisterInternal(
const char *
name,
AppProto alproto, uint32_t dir,
212 (progress < 0 || progress >= SHRT_MAX) || (Callback == NULL)) {
216 SCLogError(
"Invalid arguments: must register "
217 "GetData with DetectEngineInspectBufferGeneric");
220 SCLogError(
"Invalid arguments: must register "
221 "GetData with DetectEngineInspectBufferGeneric");
224 SCLogError(
"Invalid arguments: must register "
225 "GetData with DetectEngineInspectMultiBufferGeneric");
237 AppLayerInspectEngineRegisterInternal(
238 name,
ALPROTO_DOH2, dir, progress, Callback, GetData, GetDataSingle, GetMultiData);
247 new_engine->
dir = direction;
248 new_engine->
sm_list = (uint16_t)sm_list;
250 new_engine->
progress = (int16_t)progress;
260 if (g_app_inspect_engines == NULL) {
261 g_app_inspect_engines = new_engine;
264 while (t->
next != NULL) {
268 t->
next = new_engine;
282 if (t->
sm_list == sm_list && t->
alproto == alproto && t_direction == dir &&
290 AppLayerInspectEngineRegisterInternal(
291 name, alproto, dir, progress, Callback, GetData, NULL, NULL);
304 if (t->
sm_list == sm_list && t->
alproto == alproto && t_direction == dir &&
313 AppLayerInspectEngineRegisterInternal(
314 name, alproto, dir, progress, Callback, NULL, GetData, NULL);
318 static void DetectAppLayerInspectEngineCopy(
320 int sm_list,
int new_list,
333 new_engine->
sm_list = (uint16_t)new_list;
337 new_engine->
v2 = t->
v2;
344 while (list->
next != NULL) {
348 list->
next = new_engine;
370 new_engine->
v2 = t->
v2;
375 list->
next = new_engine;
384 static void DetectPktInspectEngineCopy(
386 int sm_list,
int new_list,
397 new_engine->
sm_list = (uint16_t)new_list;
400 new_engine->
v1 = t->
v1;
407 while (list->
next != NULL) {
411 list->
next = new_engine;
430 new_engine->
v1 = t->
v1;
436 while (list->
next != NULL) {
440 list->
next = new_engine;
472 FatalError(
"failed to register inspect engine %s: %s",
name, strerror(errno));
474 new_engine->
sm_list = (uint16_t)sm_list;
476 new_engine->
dir = direction;
485 while (list->
next != NULL) {
489 list->
next = new_engine;
508 new_engine->
sm_list = (uint16_t)new_list;
514 new_engine->
v1 = t->
v1;
519 while (list->
next != NULL) {
523 list->
next = new_engine;
545 new_engine->
v1 = t->
v1;
551 while (list->
next != NULL) {
555 list->
next = new_engine;
567 static void AppendStreamInspectEngine(
570 bool prepend =
false;
579 new_engine->
mpm =
true;
582 new_engine->
dir = direction;
583 new_engine->
stream =
true;
586 new_engine->
smd = stream;
594 }
else if (prepend) {
601 while (a->
next != NULL) {
605 a->
next = new_engine;
608 SCLogDebug(
"sid %u: engine %p/%u added", s->
id, new_engine, new_engine->
id);
615 bool prepend =
false;
638 new_engine->
mpm =
true;
644 new_engine->
smd = smd;
645 new_engine->
v1 = u->
v1;
651 }
else if (prepend) {
656 while (a->
next != NULL) {
660 a->
next = new_engine;
668 bool prepend =
false;
678 new_engine->
mpm =
true;
683 new_engine->
smd = smd;
684 new_engine->
v1 = e->
v1;
690 }
else if (prepend) {
695 while (a->
next != NULL) {
699 a->
next = new_engine;
705 const int mpm_list,
const int files_id, uint8_t *last_id,
bool *head_is_mpm)
719 SCLogDebug(
"app engine: t %p t->id %u => alproto:%s files:%s", t, t->
id,
727 bool prepend =
false;
732 new_engine->
mpm =
true;
739 new_engine->
smd = smd;
742 new_engine->
v2 = t->
v2;
748 if (new_engine->
sm_list == files_id) {
750 SCLogDebug(
"sid %u: engine %p/%u is FILE ENGINE", s->
id, new_engine, new_engine->
id);
753 SCLogDebug(
"sid %u: engine %p/%u %s", s->
id, new_engine, new_engine->
id,
761 if (new_engine->
sm_list == files_id) {
763 SCLogDebug(
"sid %u: engine %p/%u is FILE ENGINE", s->
id, new_engine, new_engine->
id);
765 new_engine->
id = ++(*last_id);
766 SCLogDebug(
"sid %u: engine %p/%u %s", s->
id, new_engine, new_engine->
id,
772 while (a->
next != NULL) {
780 a->
next = new_engine;
781 if (new_engine->
sm_list == files_id) {
783 SCLogDebug(
"sid %u: engine %p/%u is FILE ENGINE", s->
id, new_engine, new_engine->
id);
785 new_engine->
id = ++(*last_id);
786 SCLogDebug(
"sid %u: engine %p/%u %s", s->
id, new_engine, new_engine->
id,
791 SCLogDebug(
"sid %u: engine %p/%u added", s->
id, new_engine, new_engine->
id);
804 bool head_is_mpm =
false;
819 u != NULL; u = u->
next) {
821 AppendFrameInspectEngine(
de_ctx, u, s, smd, mpm_list);
830 AppendPacketInspectEngine(
de_ctx, e, s, smd, mpm_list);
848 AppendAppInspectEngine(
849 de_ctx, t, s, smd, mpm_list, files_id, &last_id, &head_is_mpm);
883 AppendAppInspectEngine(
de_ctx, &t, s, NULL, mpm_list, files_id, &last_id, &head_is_mpm);
893 AppendStreamInspectEngine(s, stream, 0, last_id + 1);
895 AppendStreamInspectEngine(s, stream, 1, last_id + 1);
897 AppendStreamInspectEngine(s, stream, 0, last_id + 1);
898 AppendStreamInspectEngine(s, stream, 1, last_id + 1);
912 iter->
sm_list == mpm_list ?
"MPM" :
"");
963 for (
int i = 0; i < arrays; i++) {
964 if (bufs[i] == ie->
smd) {
970 bufs[arrays++] = ie->
smd;
980 for (
int i = 0; i < arrays; i++) {
981 if (bufs[i] == e->
smd) {
987 bufs[arrays++] = e->
smd;
997 for (
int i = 0; i < arrays; i++) {
998 if (bufs[i] == u->
smd) {
1004 bufs[arrays++] = u->
smd;
1010 for (
int i = 0; i < engines; i++) {
1011 if (bufs[i] == NULL)
1032 static int g_buffer_type_reg_closed = 0;
1036 return g_buffer_type_id;
1052 static uint32_t DetectBufferTypeHashNameFunc(
HashListTable *ht,
void *data, uint16_t datalen)
1076 static uint32_t DetectBufferTypeHashIdFunc(
HashListTable *ht,
void *data, uint16_t datalen)
1079 uint32_t hash = map->
id;
1084 static char DetectBufferTypeCompareNameFunc(
void *data1, uint16_t len1,
void *data2, uint16_t len2)
1089 char r = (strcmp(map1->
name, map2->
name) == 0);
1102 SCLogDebug(
"%s: transform ids match; checking specialized data", map1->
name);
1111 SCLogDebug(
"identity data: only one is null");
1136 static char DetectBufferTypeCompareIdFunc(
void *data1, uint16_t len1,
void *data2, uint16_t len2)
1140 return map1->
id == map2->
id;
1143 static void DetectBufferTypeFreeFunc(
void *data)
1157 SCLogError(
"%s allocates transform option memory but has no free routine",
1167 static int DetectBufferTypeInit(
void)
1169 BUG_ON(g_buffer_type_hash);
1171 DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc);
1172 if (g_buffer_type_hash == NULL)
1178 static void DetectBufferTypeFree(
void)
1180 if (g_buffer_type_hash == NULL)
1184 g_buffer_type_hash = NULL;
1187 static int DetectBufferTypeAdd(
const char *
string)
1189 BUG_ON(
string == NULL || strlen(
string) >= 64);
1196 map->
id = g_buffer_type_id++;
1206 memset(&map, 0,
sizeof(map));
1215 BUG_ON(g_buffer_type_reg_closed);
1216 if (g_buffer_type_hash == NULL)
1217 DetectBufferTypeInit();
1221 return DetectBufferTypeAdd(
name);
1229 BUG_ON(g_buffer_type_reg_closed);
1234 SCLogDebug(
"%p %s -- %d supports multi instance", exists,
name, exists->
id);
1239 BUG_ON(g_buffer_type_reg_closed);
1243 exists->
frame =
true;
1244 SCLogDebug(
"%p %s -- %d supports frame inspection", exists,
name, exists->
id);
1249 BUG_ON(g_buffer_type_reg_closed);
1254 SCLogDebug(
"%p %s -- %d supports packet inspection", exists,
name, exists->
id);
1259 BUG_ON(g_buffer_type_reg_closed);
1269 BUG_ON(g_buffer_type_reg_closed);
1274 SCLogDebug(
"%p %s -- %d supports transformations", exists,
name, exists->
id);
1290 memset(&map, 0,
sizeof(map));
1300 memset(&lookup, 0,
sizeof(lookup));
1310 return res ? res->
name : NULL;
1315 BUG_ON(
string == NULL || strlen(
string) >= 32);
1331 const int direction,
const AppProto alproto,
const uint8_t frame_type)
1338 const int buffer_id = DetectEngineBufferTypeAdd(
de_ctx,
name);
1339 if (buffer_id < 0) {
1368 return DetectEngineBufferTypeAdd(
de_ctx,
name);
1376 BUG_ON(desc == NULL || strlen(desc) >= 128);
1407 exists->
frame =
true;
1408 SCLogDebug(
"%p %s -- %d supports frame inspection", exists,
name, exists->
id);
1416 SCLogDebug(
"%p %s -- %d supports packet inspection", exists,
name, exists->
id);
1432 SCLogDebug(
"%p %s -- %d supports transformations", exists,
name, exists->
id);
1474 BUG_ON(g_buffer_type_reg_closed);
1490 const char *
name,
bool (*ValidateCallback)(
const Signature *,
const char **sigerror,
1493 BUG_ON(g_buffer_type_reg_closed);
1540 const uint8_t *content, uint16_t content_len,
const char **namestr)
1566 const int size = g_buffer_type_id;
1570 DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc);
1573 HashListTableInit(256, DetectBufferTypeHashIdFunc, DetectBufferTypeCompareIdFunc,
1585 memcpy(copy, map,
sizeof(*copy));
1591 SCLogDebug(
"name %s id %d mpm %s packet %s -- %s. "
1592 "Callbacks: Setup %p Validate %p",
1593 map->
name, map->
id, map->
mpm ?
"true" :
"false", map->
packet ?
"true" :
"false",
1600 DetectAppLayerInspectEngineCopyListToDetectCtx(
de_ctx);
1602 DetectFrameInspectEngineCopyListToDetectCtx(
de_ctx);
1604 DetectPktInspectEngineCopyListToDetectCtx(
de_ctx);
1646 while (framemlist) {
1657 BUG_ON(g_buffer_type_hash == NULL);
1659 g_buffer_type_reg_closed = 1;
1670 SCLogError(
"buffer '%s' does not support transformations", base_map->
name);
1677 memset(&t, 0,
sizeof(t));
1678 for (
int i = 0; i < transform_cnt; i++) {
1681 t.
cnt = transform_cnt;
1684 memset(&lookup_map, 0,
sizeof(lookup_map));
1690 DetectBufferAddTransformData(&lookup_map);
1707 map->
mpm = base_map->
mpm;
1714 }
else if (map->
packet) {
1724 SCLogDebug(
"buffer %s registered with id %d, parent %d", map->name, map->id, map->parent_id);
1727 DetectFrameInspectEngineCopy(
de_ctx, map->parent_id, map->id, &map->transforms);
1728 }
else if (map->packet) {
1729 DetectPktInspectEngineCopy(
de_ctx, map->parent_id, map->id, &map->transforms);
1731 DetectAppLayerInspectEngineCopy(
de_ctx, map->parent_id, map->id, &map->transforms);
1737 static int DetectEngineInspectRulePacketMatches(
1741 Packet *p, uint8_t *_alert_flags)
1749 SCLogDebug(
"running match functions, sm %p", smd);
1767 static int DetectEngineInspectRulePayloadMatches(
1789 SCLogDebug(
"no match in stream, fall back to packet payload");
1797 SCLogDebug(
"SIG_FLAG_REQUIRE_STREAM_ONLY, so no match");
1815 uint8_t *alert_flags)
1821 SCLogDebug(
"sid %u: e %p Callback returned no match", s->
id, e);
1824 SCLogDebug(
"sid %u: e %p Callback returned true", s->
id, e);
1843 e->
sm_list = (uint16_t)list_id;
1852 while (a->
next != NULL) {
1864 if (DetectEnginePktInspectionAppend(
1867 SCLogDebug(
"sid %u: DetectEngineInspectRulePayloadMatches appended", s->
id);
1871 if (DetectEnginePktInspectionAppend(
1874 SCLogDebug(
"sid %u: DetectEngineInspectRulePacketMatches appended", s->
id);
1956 uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id)
1959 SCLogDebug(
"running match functions, sm %p", smd);
1965 AppLayerTxMatch(det_ctx, f,
flags, alstate, txv, s, smd->
ctx);
1998 void *alstate,
void *txv, uint64_t tx_id)
2000 const int list_id = engine->
sm_list;
2001 SCLogDebug(
"running inspect on %d", list_id);
2025 const uint8_t *data = buffer->
inspect;
2030 ci_flags |= buffer->
flags;
2059 void *alstate,
void *txv, uint64_t tx_id)
2061 const int list_id = engine->
sm_list;
2062 SCLogDebug(
"running inspect on %d", list_id);
2076 f,
flags, txv, list_id);
2086 const uint8_t *data = buffer->
inspect;
2091 ci_flags |= buffer->
flags;
2110 AppLayerInspectEngineRegisterInternal(
name, alproto, dir, progress,
2121 if (buffer->
inspect == NULL) {
2122 const uint8_t *b = NULL;
2125 if (!GetBuf(txv, flow_flags, &b, &b_len))
2138 if (buffer == NULL) {
2145 const uint8_t *data = NULL;
2146 uint32_t data_len = 0;
2148 if (!GetBuf(det_ctx, txv, flow_flags, index, &data, &data_len)) {
2159 const Signature *s,
Flow *f, uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id)
2161 uint32_t local_id = 0;
2171 if (buffer == NULL || buffer->
inspect == NULL)
2183 if (local_id == 0) {
2210 const int list_id = engine->
sm_list;
2211 SCLogDebug(
"running inspect on %d", list_id);
2229 ci_flags |= buffer->
flags;
2256 for (
int i = 0; i < no_of_detect_tvs; i++) {
2257 if (detect_tvs[i]) {
2260 SCLogDebug(
"Injecting pkt for tv %s[i=%d] %d", detect_tvs[i]->
name, i, count++);
2272 SCLogDebug(
"leaving: thread notification count = %d", count);
2280 static void InjectPackets(
2288 for (
int i = 0; i < no_of_detect_tvs; i++) {
2289 if (
SC_ATOMIC_GET(new_det_ctx[i]->so_far_used_by_detect) != 1) {
2290 if (detect_tvs[i]->inq != NULL) {
2327 if (no_of_detect_tvs == 0) {
2337 memset(detect_tvs, 0x00, (no_of_detect_tvs *
sizeof(
ThreadVars *)));
2362 if (new_det_ctx[i] == NULL) {
2364 "failure in live rule swap. Let's get out of here");
2368 SCLogDebug(
"live rule swap created new det_ctx - %p and de_ctx "
2369 "- %p\n", new_det_ctx[i], new_de_ctx);
2374 BUG_ON(i != no_of_detect_tvs);
2387 SCLogDebug(
"swapping new det_ctx - %p with older one - %p",
2398 SCLogDebug(
"Live rule swap has swapped %d old det_ctx's with new ones, "
2399 "along with the new de_ctx", no_of_detect_tvs);
2401 InjectPackets(detect_tvs, new_det_ctx, no_of_detect_tvs);
2405 uint32_t threads_done = 0;
2407 for (i = 0; i < no_of_detect_tvs; i++) {
2409 threads_done = no_of_detect_tvs;
2413 if (
SC_ATOMIC_GET(new_det_ctx[i]->so_far_used_by_detect) == 1) {
2414 SCLogDebug(
"new_det_ctx - %p used by detect engine", new_det_ctx[i]);
2417 TmThreadsCaptureBreakLoop(detect_tvs[i]);
2420 if (threads_done < no_of_detect_tvs) {
2431 if (i != no_of_detect_tvs) {
2444 for (i = 0; i < no_of_detect_tvs; i++) {
2445 SCLogDebug(
"Freeing old_det_ctx - %p used by detect",
2455 for (i = 0; i < no_of_detect_tvs; i++) {
2456 if (new_det_ctx[i] != NULL)
2464 int sgh_mpm_caching = 0;
2465 if (
SCConfGetBool(
"detect.sgh-mpm-caching", &sgh_mpm_caching) != 1) {
2468 return (
bool)sgh_mpm_caching;
2477 char yamlpath[] =
"detect.sgh-mpm-caching-path";
2478 const char *strval = NULL;
2479 if (
SCConfGet(yamlpath, &strval) == 1 && strval != NULL) {
2483 static bool notified =
false;
2485 SCLogInfo(
"%s has no path specified, using %s", yamlpath, SGH_CACHE_DIR);
2488 return SGH_CACHE_DIR;
2511 if (prefix != NULL) {
2515 int failure_fatal = 0;
2516 if (
SCConfGetBool(
"engine.init-failure-fatal", (
int *)&failure_fatal) != 1) {
2517 SCLogDebug(
"ConfGetBool could not load the value.");
2540 SCLogDebug(
"Unable to alloc SpmGlobalThreadCtx.");
2552 if (DetectEngineCtxLoadConf(
de_ctx) == -1) {
2561 DetectBufferTypeSetupDetectEngine(
de_ctx);
2609 if (prefix == NULL || strlen(prefix) == 0)
2647 #ifdef PROFILE_RULES
2648 if (
de_ctx->profile_ctx != NULL) {
2649 SCProfilingRuleDestroyCtx(
de_ctx->profile_ctx);
2650 de_ctx->profile_ctx = NULL;
2693 DetectEngineCtxFreeThreadKeywordData(
de_ctx);
2695 DetectEngineCtxFreeFailedSigs(
de_ctx);
2715 DetectBufferTypeFreeDetectEngine(
de_ctx);
2744 const char *max_uniq_toclient_groups_str = NULL;
2745 const char *max_uniq_toserver_groups_str = NULL;
2746 const char *sgh_mpm_context = NULL;
2747 const char *de_ctx_profile = NULL;
2749 (void)
SCConfGet(
"detect.profile", &de_ctx_profile);
2750 (void)
SCConfGet(
"detect.sgh-mpm-context", &sgh_mpm_context);
2755 if (de_ctx_custom != NULL) {
2757 if (de_ctx_profile == NULL) {
2758 if (opt->
val && strcmp(opt->
val,
"profile") == 0) {
2759 de_ctx_profile = opt->head.tqh_first->
val;
2763 if (sgh_mpm_context == NULL) {
2764 if (opt->
val && strcmp(opt->
val,
"sgh-mpm-context") == 0) {
2765 sgh_mpm_context = opt->head.tqh_first->
val;
2771 if (de_ctx_profile != NULL) {
2772 if (strcmp(de_ctx_profile,
"low") == 0 ||
2773 strcmp(de_ctx_profile,
"lowest") == 0) {
2775 }
else if (strcmp(de_ctx_profile,
"medium") == 0) {
2777 }
else if (strcmp(de_ctx_profile,
"high") == 0 ||
2778 strcmp(de_ctx_profile,
"highest") == 0) {
2780 }
else if (strcmp(de_ctx_profile,
"custom") == 0) {
2783 SCLogError(
"invalid value for detect.profile: '%s'. "
2784 "Valid options: low, medium, high and custom.",
2789 SCLogDebug(
"Profile for detection engine groups is \"%s\"", de_ctx_profile);
2791 SCLogDebug(
"Profile for detection engine groups not provided "
2792 "at suricata.yaml. Using default (\"medium\").");
2796 if (sgh_mpm_context == NULL || strcmp(sgh_mpm_context,
"auto") == 0) {
2806 if (strcmp(sgh_mpm_context,
"single") == 0) {
2808 }
else if (strcmp(sgh_mpm_context,
"full") == 0) {
2812 "invalid conf value for detect-engine.sgh-mpm-context-"
2837 (void)
SCConfGet(
"detect.custom-values.toclient-groups", &max_uniq_toclient_groups_str);
2838 (void)
SCConfGet(
"detect.custom-values.toserver-groups", &max_uniq_toserver_groups_str);
2840 if (de_ctx_custom != NULL) {
2842 if (opt->
val && strcmp(opt->
val,
"custom-values") == 0) {
2843 if (max_uniq_toclient_groups_str == NULL) {
2845 opt->head.tqh_first,
"toclient-sp-groups");
2847 if (max_uniq_toclient_groups_str == NULL) {
2849 opt->head.tqh_first,
"toclient-groups");
2851 if (max_uniq_toserver_groups_str == NULL) {
2853 opt->head.tqh_first,
"toserver-dp-groups");
2855 if (max_uniq_toserver_groups_str == NULL) {
2857 opt->head.tqh_first,
"toserver-groups");
2862 if (max_uniq_toclient_groups_str != NULL) {
2864 (uint16_t)strlen(max_uniq_toclient_groups_str),
2865 (
const char *)max_uniq_toclient_groups_str) <= 0) {
2869 "toclient-groups failed, using %u",
2877 if (max_uniq_toserver_groups_str != NULL) {
2879 (uint16_t)strlen(max_uniq_toserver_groups_str),
2880 (
const char *)max_uniq_toserver_groups_str) <= 0) {
2884 "toserver-groups failed, using %u",
2904 if (
SCConfGetInt(
"detect.inspection-recursion-limit", &value) == 1) {
2905 if (value >= 0 && value <= INT_MAX) {
2911 SCConfNode *insp_recursion_limit_node = NULL;
2912 char *insp_recursion_limit = NULL;
2914 if (de_ctx_custom != NULL) {
2917 if (opt->
val && strcmp(opt->
val,
"inspection-recursion-limit") != 0)
2921 if (insp_recursion_limit_node == NULL) {
2923 "entry for detect-engine:inspection-recursion-limit");
2926 insp_recursion_limit = insp_recursion_limit_node->
val;
2927 SCLogDebug(
"Found detect-engine.inspection-recursion-limit - %s:%s",
2928 insp_recursion_limit_node->
name, insp_recursion_limit_node->
val);
2932 if (insp_recursion_limit != NULL) {
2934 0, (
const char *)insp_recursion_limit) < 0) {
2936 "detect-engine.inspection-recursion-limit: %s "
2949 SCLogDebug(
"de_ctx->inspection_recursion_limit: %d",
2954 if (
SCConfGetInt(
"detect.stream-tx-log-limit", &value) == 1) {
2955 if (value >= 0 && value <= UINT8_MAX) {
2958 SCLogWarning(
"Invalid value for detect-engine.stream-tx-log-limit: must be between 0 "
2959 "and 255, will default to 4");
2962 int guess_applayer = 0;
2963 if ((
SCConfGetBool(
"detect.guess-applayer-tx", &guess_applayer)) == 1) {
2964 if (guess_applayer == 1) {
2971 const char *ports = NULL;
2972 (void)
SCConfGet(
"detect.grouping.tcp-priority-ports", &ports);
2974 SCLogConfig(
"grouping: tcp-priority-ports %s", ports);
2976 (void)
SCConfGet(
"detect.grouping.tcp-whitelist", &ports);
2979 "grouping: tcp-priority-ports from legacy 'tcp-whitelist' setting: %s", ports);
2981 ports =
"53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080";
2982 SCLogConfig(
"grouping: tcp-priority-ports (default) %s", ports);
2987 "for detect.grouping.tcp-priority-ports",
2991 for ( ; x != NULL; x = x->
next) {
2994 "for detect.grouping.tcp-priority-ports: only single ports allowed",
3003 (void)
SCConfGet(
"detect.grouping.udp-priority-ports", &ports);
3005 SCLogConfig(
"grouping: udp-priority-ports %s", ports);
3007 (void)
SCConfGet(
"detect.grouping.udp-whitelist", &ports);
3010 "grouping: udp-priority-ports from legacy 'udp-whitelist' setting: %s", ports);
3012 ports =
"53, 135, 5060";
3013 SCLogConfig(
"grouping: udp-priority-ports (default) %s", ports);
3018 "for detect.grouping.udp-priority-ports",
3024 "for detect.grouping.udp-priority-ports: only single ports allowed",
3033 const char *pf_setting = NULL;
3034 if (
SCConfGet(
"detect.prefilter.default", &pf_setting) == 1 && pf_setting) {
3035 if (strcasecmp(pf_setting,
"mpm") == 0) {
3037 }
else if (strcasecmp(pf_setting,
"auto") == 0) {
3046 SCLogConfig(
"prefilter engines: MPM and keywords");
3066 SCLogError(
"setting up thread local detect ctx");
3075 SCLogError(
"setting up thread local detect ctx "
3076 "for keyword \"%s\" failed",
3114 SCLogError(
"setting up thread local detect ctx");
3126 SCLogError(
"setting up thread local detect ctx "
3127 "for keyword \"%s\" failed",
3159 uint32_t map_array_size = 0;
3160 uint32_t map_cnt = 0;
3161 uint32_t max_tenant_id = 0;
3166 "set using multi-detect.selector");
3181 HashTableInit(tcnt * 2, TenantIdHash, TenantIdCompare, TenantIdFree);
3182 if (mt_det_ctxs_hash == NULL) {
3187 SCLogInfo(
"no tenants left, or none registered yet");
3198 map_array_size = map_cnt + 1;
3200 map_array =
SCCalloc(map_array_size,
sizeof(*map_array));
3201 if (map_array == NULL)
3208 if (map_cnt >= map_array_size) {
3220 list = master->
list;
3225 if (mt_det_ctx == NULL)
3227 if (
HashTableAdd(mt_det_ctxs_hash, mt_det_ctx, 0) != 0) {
3236 mt_det_ctxs_hash = NULL;
3248 det_ctx->
TenantGetId = DetectEngineTenantGetIdFromVlanId;
3252 det_ctx->
TenantGetId = DetectEngineTenantGetIdFromLivedev;
3256 det_ctx->
TenantGetId = DetectEngineTenantGetIdFromPcap;
3264 if (map_array != NULL)
3266 if (mt_det_ctxs_hash != NULL)
3340 DetectEngineThreadCtxInitKeywords(
de_ctx, det_ctx);
3341 DetectEngineThreadCtxInitGlobalKeywords(det_ctx);
3342 #ifdef PROFILE_RULES
3343 SCProfilingRuleThreadSetup(
de_ctx->profile_ctx, det_ctx);
3380 if (det_ctx->
de_ctx == NULL) {
3434 if (DetectEngineThreadCtxInitForMT(
tv, det_ctx) !=
TM_ECODE_OK) {
3441 *data = (
void *)det_ctx;
3465 if (det_ctx->
de_ctx == NULL) {
3497 if (DetectEngineThreadCtxInitForMT(
tv, det_ctx) !=
TM_ECODE_OK) {
3510 SCLogDebug(
"PACKET PKT_STREAM_ADD: %"PRIu64, det_ctx->pkt_stream_add_cnt);
3512 SCLogDebug(
"PAYLOAD MPM %"PRIu64
"/%"PRIu64, det_ctx->payload_mpm_cnt, det_ctx->payload_mpm_size);
3513 SCLogDebug(
"STREAM MPM %"PRIu64
"/%"PRIu64, det_ctx->stream_mpm_cnt, det_ctx->stream_mpm_size);
3515 SCLogDebug(
"PAYLOAD SIG %"PRIu64
"/%"PRIu64, det_ctx->payload_persig_cnt, det_ctx->payload_persig_size);
3516 SCLogDebug(
"STREAM SIG %"PRIu64
"/%"PRIu64, det_ctx->stream_persig_cnt, det_ctx->stream_persig_size);
3524 #ifdef PROFILE_RULES
3525 SCProfilingRuleThreadCleanup(det_ctx);
3534 if (det_ctx->
de_ctx != NULL) {
3573 for (uint32_t x = 0; x < fb->
size; x++) {
3584 DetectEngineThreadCtxDeinitGlobalKeywords(det_ctx);
3585 if (det_ctx->
de_ctx != NULL) {
3586 DetectEngineThreadCtxDeinitKeywords(det_ctx->
de_ctx, det_ctx);
3612 if (det_ctx == NULL) {
3621 DetectEngineThreadCtxFree(det_ctx);
3626 static uint32_t DetectKeywordCtxHashFunc(
HashListTable *ht,
void *data, uint16_t datalen)
3633 return (uint32_t)hash;
3636 static char DetectKeywordCtxCompareFunc(
void *data1, uint16_t len1,
void *data2, uint16_t len2)
3640 const char *name1 = ctx1->
name;
3641 const char *name2 = ctx2->
name;
3642 return (strcmp(name1, name2) == 0 && ctx1->
data == ctx2->
data);
3645 static void DetectKeywordCtxFreeFunc(
void *ptr)
3668 BUG_ON(
de_ctx == NULL || InitFunc == NULL || FreeFunc == NULL);
3672 DetectKeywordCtxHashFunc, DetectKeywordCtxCompareFunc, DetectKeywordCtxFreeFunc);
3757 void *(*InitFunc)(
void *),
void *data,
void (*FreeFunc)(
void *))
3760 BUG_ON(InitFunc == NULL || FreeFunc == NULL);
3766 while (item != NULL) {
3767 if (strcmp(
name, item->
name) == 0) {
3817 if (master->
list == NULL) {
3895 static int DetectEngineMultiTenantLoadTenant(uint32_t tenant_id,
const char *filename,
int loader_id)
3900 snprintf(prefix,
sizeof(prefix),
"multi-detect.%u", tenant_id);
3903 if (
SCStatFn(filename, &st) != 0) {
3904 SCLogError(
"failed to stat file %s", filename);
3910 SCLogError(
"tenant %u already registered", tenant_id);
3917 SCLogError(
"failed to properly setup yaml %s", filename);
3954 static int DetectEngineMultiTenantReloadTenant(uint32_t tenant_id,
const char *filename,
int reload_cnt)
3957 if (old_de_ctx == NULL) {
3958 SCLogError(
"tenant detect engine not found");
3962 if (filename == NULL)
3966 snprintf(prefix,
sizeof(prefix),
"multi-detect.%u.reload.%d", tenant_id, reload_cnt);
3977 SCLogError(
"failed to properly setup yaml %s", filename);
3982 if (new_de_ctx == NULL) {
3995 goto new_de_ctx_error;
4000 goto new_de_ctx_error;
4025 static void DetectLoaderFreeTenant(
void *
ctx)
4028 if (t->
yaml != NULL) {
4034 static int DetectLoaderFuncLoadTenant(
void *vctx,
int loader_id)
4039 if (DetectEngineMultiTenantLoadTenant(
ctx->tenant_id,
ctx->yaml, loader_id) != 0) {
4045 static int DetectLoaderSetupLoadTenant(uint32_t tenant_id,
const char *yaml)
4053 if (t->
yaml == NULL) {
4061 static int DetectLoaderFuncReloadTenant(
void *vctx,
int loader_id)
4067 if (DetectEngineMultiTenantReloadTenant(
ctx->tenant_id,
ctx->yaml,
ctx->reload_cnt) != 0) {
4073 static int DetectLoaderSetupReloadTenants(
const int reload_cnt)
4092 loader_id, DetectLoaderFuncReloadTenant, t, DetectLoaderFreeTenant);
4106 static int DetectLoaderSetupReloadTenant(uint32_t tenant_id,
const char *yaml,
int reload_cnt)
4109 if (old_de_ctx == NULL)
4121 if (t->
yaml == NULL) {
4131 loader_id, DetectLoaderFuncReloadTenant, t, DetectLoaderFreeTenant);
4138 int r = DetectLoaderSetupLoadTenant(tenant_id, yaml);
4152 int r = DetectLoaderSetupReloadTenant(tenant_id, yaml, reload_cnt);
4166 int r = DetectLoaderSetupReloadTenants(reload_cnt);
4176 static int DetectEngineMultiTenantSetupLoadLivedevMappings(
4177 const SCConfNode *mappings_root_node,
bool failure_fatal)
4181 int mapping_cnt = 0;
4182 if (mappings_root_node != NULL) {
4185 if (tenant_id_node == NULL)
4188 if (device_node == NULL)
4191 uint32_t tenant_id = 0;
4193 tenant_id_node->
val) < 0) {
4196 tenant_id_node->
val);
4200 const char *dev = device_node->
val;
4219 SCLogConfig(
"device %s connected to tenant-id %u", dev, tenant_id);
4228 SCLogConfig(
"%d device - tenant-id mappings defined", mapping_cnt);
4235 static int DetectEngineMultiTenantSetupLoadVlanMappings(
4236 const SCConfNode *mappings_root_node,
bool failure_fatal)
4240 int mapping_cnt = 0;
4241 if (mappings_root_node != NULL) {
4244 if (tenant_id_node == NULL)
4247 if (vlan_id_node == NULL)
4250 uint32_t tenant_id = 0;
4252 tenant_id_node->
val) < 0) {
4255 tenant_id_node->
val);
4259 uint16_t vlan_id = 0;
4261 &vlan_id, 10, (uint16_t)strlen(vlan_id_node->
val), vlan_id_node->
val) < 0) {
4267 if (vlan_id == 0 || vlan_id >= 4095) {
4269 "of %s is invalid. Valid range 1-4094.",
4277 SCLogConfig(
"vlan %u connected to tenant-id %u", vlan_id, tenant_id);
4303 int failure_fatal = 0;
4304 (void)
SCConfGetBool(
"engine.init-failure-fatal", &failure_fatal);
4317 const char *handler = NULL;
4318 if (
SCConfGet(
"multi-detect.selector", &handler) == 1) {
4319 SCLogConfig(
"multi-tenant selector type %s", handler);
4321 if (strcmp(handler,
"vlan") == 0) {
4325 if ((
SCConfGetBool(
"vlan.use-for-tracking", &vlanbool)) == 1 && vlanbool == 0) {
4327 "can't use multi-detect selector 'vlan'");
4332 }
else if (strcmp(handler,
"direct") == 0) {
4334 }
else if (strcmp(handler,
"device") == 0) {
4337 SCLogWarning(
"multi-tenant 'device' mode not supported for IPS");
4344 "multi-detect.selector",
4351 SCLogConfig(
"multi-detect is enabled (multi tenancy). Selector: %s", handler);
4357 int mapping_cnt = DetectEngineMultiTenantSetupLoadVlanMappings(mappings_root_node,
4359 if (mapping_cnt == 0) {
4365 SCLogNotice(
"no tenant traffic mappings defined, "
4366 "tenants won't be used until mappings are added");
4368 if (failure_fatal) {
4369 SCLogError(
"no multi-detect mappings defined");
4377 int mapping_cnt = DetectEngineMultiTenantSetupLoadLivedevMappings(mappings_root_node,
4379 if (mapping_cnt == 0) {
4380 if (failure_fatal) {
4381 SCLogError(
"no multi-detect mappings defined");
4393 if (tenants_root_node != NULL) {
4394 const char *path = NULL;
4397 path = path_node->
val;
4403 if (id_node == NULL) {
4407 if (yaml_node == NULL) {
4411 uint32_t tenant_id = 0;
4413 &tenant_id, 10, (uint16_t)strlen(id_node->
val), id_node->
val) < 0) {
4421 char yaml_path[PATH_MAX] =
"";
4425 strlcpy(yaml_path, yaml_node->
val,
sizeof(yaml_path));
4432 snprintf(prefix,
sizeof(prefix),
"multi-detect.%u", tenant_id);
4434 SCLogError(
"failed to load yaml %s", yaml_path);
4438 int r = DetectLoaderSetupLoadTenant(tenant_id, yaml_path);
4459 SCLogDebug(
"multi-detect not enabled (multi tenancy)");
4466 static uint32_t DetectEngineTenantGetIdFromVlanId(
const void *
ctx,
const Packet *p)
4470 uint32_t vlan_id = 0;
4490 static uint32_t DetectEngineTenantGetIdFromLivedev(
const void *
ctx,
const Packet *p)
4495 if (ld == NULL || det_ctx == NULL)
4502 static int DetectEngineTenantRegisterSelector(
4509 SCLogInfo(
"conflicting selector already set");
4516 if (
m->traffic_id == traffic_id) {
4517 SCLogInfo(
"traffic id already registered");
4538 SCLogDebug(
"tenant handler %u %u %u registered", selector, tenant_id, traffic_id);
4543 static int DetectEngineTenantUnregisterSelector(
4567 SCLogInfo(
"tenant handler %u %u %u unregistered", selector, tenant_id, traffic_id);
4581 return DetectEngineTenantRegisterSelector(
4592 return DetectEngineTenantUnregisterSelector(
TENANT_SELECTOR_VLAN, tenant_id, (uint32_t)vlan_id);
4607 static uint32_t DetectEngineTenantGetIdFromPcap(
const void *
ctx,
const Packet *p)
4617 if (master->
list == NULL) {
4641 (*de_ctx)->ref_cnt--;
4649 if (instance == NULL)
4652 if (master->
list == NULL) {
4653 master->
list = instance;
4656 master->
list = instance;
4673 r = DetectEngineAddToList(
de_ctx);
4681 if (instance == NULL) {
4686 if (instance ==
de_ctx) {
4690 instance = instance->
next;
4695 if (instance ==
de_ctx) {
4703 if (instance == NULL) {
4709 instance->
next = NULL;
4727 ret = DetectEngineMoveToFreeListNoLock(master,
de_ctx);
4751 SCLogDebug(
"freeing detect engine %p", instance);
4773 DetectEngineMoveToFreeListNoLock(master, instance);
4780 static int reloads = 0;
4795 memset(prefix, 0,
sizeof(prefix));
4800 snprintf(prefix,
sizeof(prefix),
"detect-engine-reloads.%d", reloads++);
4827 if (old_de_ctx == NULL)
4829 SCLogDebug(
"get ref to old_de_ctx %p", old_de_ctx);
4843 if (new_de_ctx == NULL) {
4855 SCLogDebug(
"set up new_de_ctx %p", new_de_ctx);
4868 SCLogDebug(
"going to reload the threads to use new_de_ctx %p", new_de_ctx);
4870 DetectEngineReloadThreads(new_de_ctx);
4871 SCLogDebug(
"threads now run new_de_ctx %p", new_de_ctx);
4880 SCLogDebug(
"old_de_ctx should have been freed");
4884 #ifdef HAVE_MALLOC_TRIM
4895 static uint32_t TenantIdHash(
HashTable *h,
void *data, uint16_t data_len)
4901 static char TenantIdCompare(
void *d1, uint16_t d1_len,
void *d2, uint16_t d2_len)
4908 static void TenantIdFree(
void *d)
4910 DetectEngineThreadCtxFree(d);
4926 for ( ; list != NULL; list = list->
next) {
4937 if (stub_de_ctx == NULL) {
4939 if (stub_de_ctx == NULL) {
4944 if (master->
list == NULL) {
4945 master->
list = stub_de_ctx;
4948 master->
list = stub_de_ctx;
4954 DetectEngineReloadThreads(stub_de_ctx);
4964 SCLogDebug(
"old_de_ctx should have been freed");
4968 static int g_parse_metadata = 0;
4972 g_parse_metadata = 1;
4977 g_parse_metadata = 0;
4982 return g_parse_metadata;
4991 return "packet/stream payload";
4997 return "base64_data";
5000 return "post-match";
5008 return "max (internal)";
5027 for (; sm != NULL; sm = sm->
next) {
5033 *sigerror =
"md5-like keyword should not be used together with "
5034 "nocase, since the rule is automatically "
5035 "lowercased anyway which makes nocase redundant.";
5040 *sigerror =
"Invalid length for md5-like keyword (should "
5041 "be 32 characters long). This rule will therefore "
5048 if (!isxdigit(cd->
content[i])) {
5050 "Invalid md5-like string (should be string of hexadecimal characters)."
5051 "This rule will therefore never match.";
5097 static int DetectEngineInitYamlConf(
const char *conf)
5104 static void DetectEngineDeInitYamlConf(
void)
5110 static int DetectEngineTest01(
void)
5116 " - profile: medium\n"
5117 " - custom-values:\n"
5118 " toclient_src_groups: 2\n"
5119 " toclient_dst_groups: 2\n"
5120 " toclient_sp_groups: 2\n"
5121 " toclient_dp_groups: 3\n"
5122 " toserver_src_groups: 2\n"
5123 " toserver_dst_groups: 4\n"
5124 " toserver_sp_groups: 2\n"
5125 " toserver_dp_groups: 25\n"
5126 " - inspection-recursion-limit: 0\n";
5128 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5137 DetectEngineDeInitYamlConf();
5142 static int DetectEngineTest02(
void)
5148 " - profile: medium\n"
5149 " - custom-values:\n"
5150 " toclient_src_groups: 2\n"
5151 " toclient_dst_groups: 2\n"
5152 " toclient_sp_groups: 2\n"
5153 " toclient_dp_groups: 3\n"
5154 " toserver_src_groups: 2\n"
5155 " toserver_dst_groups: 4\n"
5156 " toserver_sp_groups: 2\n"
5157 " toserver_dp_groups: 25\n"
5158 " - inspection-recursion-limit:\n";
5160 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5170 DetectEngineDeInitYamlConf();
5175 static int DetectEngineTest03(
void)
5181 " - profile: medium\n"
5182 " - custom-values:\n"
5183 " toclient_src_groups: 2\n"
5184 " toclient_dst_groups: 2\n"
5185 " toclient_sp_groups: 2\n"
5186 " toclient_dp_groups: 3\n"
5187 " toserver_src_groups: 2\n"
5188 " toserver_dst_groups: 4\n"
5189 " toserver_sp_groups: 2\n"
5190 " toserver_dp_groups: 25\n";
5192 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5202 DetectEngineDeInitYamlConf();
5207 static int DetectEngineTest04(
void)
5213 " - profile: medium\n"
5214 " - custom-values:\n"
5215 " toclient_src_groups: 2\n"
5216 " toclient_dst_groups: 2\n"
5217 " toclient_sp_groups: 2\n"
5218 " toclient_dp_groups: 3\n"
5219 " toserver_src_groups: 2\n"
5220 " toserver_dst_groups: 4\n"
5221 " toserver_sp_groups: 2\n"
5222 " toserver_dp_groups: 25\n"
5223 " - inspection-recursion-limit: 10\n";
5225 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5234 DetectEngineDeInitYamlConf();
5239 static int DetectEngineTest08(
void)
5245 " - profile: custom\n"
5246 " - custom-values:\n"
5247 " toclient-groups: 23\n"
5248 " toserver-groups: 27\n";
5250 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5260 DetectEngineDeInitYamlConf();
5266 static int DetectEngineTest09(
void)
5272 " - profile: custom\n"
5273 " - custom-values:\n"
5274 " toclient-groups: BA\n"
5275 " toserver-groups: BA\n"
5276 " - inspection-recursion-limit: 10\n";
5278 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5288 DetectEngineDeInitYamlConf();
#define DETECT_CONTENT_NOCASE
#define HashListTableGetListData(hb)
#define DE_STATE_ID_FILE_INSPECT
void SCProfilingSghThreadCleanup(DetectEngineThreadCtx *det_ctx)
DetectEngineCtx * DetectEngineCtxInitWithPrefix(const char *prefix, uint32_t tenant_id)
void DetectAppLayerMpmMultiRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionMultiBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
int SCConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
InspectionBuffer * DetectGetMultiData(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id, uint32_t index, InspectionMultiBufferGetDataPtr GetBuf)
void DetectEngineResetMaxSigId(DetectEngineCtx *de_ctx)
int DetectEngineMTApply(void)
void SCProfilingKeywordDestroyCtx(DetectEngineCtx *de_ctx)
bool DetectEngineBufferTypeSupportsPacketGetById(const DetectEngineCtx *de_ctx, const int id)
DetectEngineThreadCtx * DetectEngineThreadCtxInitForReload(ThreadVars *tv, DetectEngineCtx *new_de_ctx, int mt)
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void SCConfNodeRemove(SCConfNode *node)
Remove (and SCFree) the provided configuration node.
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
void SCProfilingKeywordThreadCleanup(DetectEngineThreadCtx *det_ctx)
void AlertQueueFree(DetectEngineThreadCtx *det_ctx)
void SCProfilingSghThreadSetup(SCProfileSghDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
int DetectParseDupSigHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table that is used to cull duplicate sigs.
InspectionBuffer * DetectGetSingleData(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id, InspectionSingleBufferGetDataPtr GetBuf)
SigTableElmt * sigmatch_table
#define SIG_JSON_CONTENT_ARRAY_LEN
void DetectLoaderThreadSpawn(void)
spawn the detect loader manager thread
uint8_t SinglePatternMatchDefaultMatcher(void)
Returns the single pattern matcher algorithm to be used, based on the spm-algo setting in yaml.
void DetectEngineDeReference(DetectEngineCtx **de_ctx)
#define DETECT_CI_FLAGS_START
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
void(* Free)(DetectEngineCtx *, void *)
int DetectEngineMustParseMetadata(void)
#define PKT_PSEUDO_LOG_FLUSH
void MpmFactoryDeRegisterAllMpmCtxProfiles(DetectEngineCtx *de_ctx)
@ DETECT_TABLE_APP_FILTER
uint16_t counter_match_list
DetectEngineTenantMapping * tenant_mapping_list
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
struct DetectEngineAppInspectionEngine_ * next
uint8_t DetectEngineInspectMultiBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
void MpmStoreFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by MpmStoreInit() function.
void DetectFrameMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
void DetectEngineBufferTypeSupportsPacket(DetectEngineCtx *de_ctx, const char *name)
void DetectEngineBufferRunSetupCallback(const DetectEngineCtx *de_ctx, const int id, Signature *s)
enum DetectEngineType type
void DetectEnginePruneFreeList(void)
int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, bool sig_file_exclusive)
Load signatures.
uint8_t DetectEngineInspectBufferSingle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
void * DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
void DetectAppLayerInspectEngineRegisterSingle(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionSingleBufferGetDataPtr GetData)
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define SIG_FLAG_INIT_NEED_FLUSH
void SCClassSCConfInit(DetectEngineCtx *de_ctx)
DetectEngineCtx * DetectEngineCtxInitStubForDD(void)
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
uint16_t max_uniq_toclient_groups
int ActionInitConfig(void)
Load the action order from config. If none is provided, it will be default to ACTION_PASS,...
InspectEngineFuncPtr Callback
int PathMerge(char *out_buf, size_t buf_size, const char *const dir, const char *const fname)
@ DETECT_TABLE_PACKET_PRE_STREAM
void PacketEnqueue(PacketQueue *q, Packet *p)
DetectFileDataCfg * filedata_config
struct HtpBodyChunk_ * next
void DetectBufferTypeSupportsFrames(const char *name)
void DetectMpmInitializeFrameMpms(DetectEngineCtx *de_ctx)
simple fifo queue for packets with mutex and cond Calling the mutex or triggering the cond is respons...
@ DETECT_SM_LIST_DYNAMIC_START
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
AppLayerDecoderEvents * decoder_events
void *(* InitFunc)(void *)
InspectionBufferGetDataPtr GetData
DetectBufferMpmRegistry * pkt_mpms_list
void TmThreadContinueDetectLoaderThreads(void)
Unpauses all threads present in tv_root.
@ DETECT_SM_LIST_THRESHOLD
void DetectBufferTypeRegisterSetupCallback(const char *name, void(*SetupCallback)(const DetectEngineCtx *, Signature *))
int SCConfYamlHandleInclude(SCConfNode *parent, const char *filename)
Include a file in the configuration.
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
int DetectEngineReloadTenantBlocking(uint32_t tenant_id, const char *yaml, int reload_cnt)
Reload a tenant and wait for loading to complete.
int inspection_recursion_limit
void DetectAddressMapFree(DetectEngineCtx *de_ctx)
const DetectEngineTransforms * transforms
main detection engine ctx
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
void DetectEngineReloadSetIdle(void)
void DetectBufferTypeRegisterValidateCallback(const char *name, bool(*ValidateCallback)(const Signature *, const char **sigerror, const DetectBufferType *))
struct DetectEngineFrameInspectionEngine::@94 v1
int SCConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
uint16_t lua_blocked_function_errors
void ** global_keyword_ctxs_array
DetectEngineCtx * DetectEngineGetCurrent(void)
uint8_t(* SCDetectRateFilterFunc)(const Packet *p, uint32_t sid, uint32_t gid, uint32_t rev, uint8_t original_action, uint8_t new_action, void *arg)
Function type for rate filter callback.
uint32_t TmThreadCountThreadsByTmmFlags(uint8_t flags)
returns a count of all the threads that match the flag
void DetectBufferTypeSupportsMultiInstance(const char *name)
HashListTableBucket * HashListTableGetListHead(HashListTable *ht)
#define TAILQ_FOREACH(var, head, field)
uint8_t DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature.
int DetectEngineAddToMaster(DetectEngineCtx *de_ctx)
InspectionBuffer *(* InspectionBufferGetPktDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)
void SCSigSignatureOrderingModuleCleanup(DetectEngineCtx *de_ctx)
De-registers all the signature ordering functions registered.
const char * DetectEngineBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
int DetectEngineMultiTenantSetup(const bool unix_socket)
setup multi-detect / multi-tenancy
void PrefilterDeinit(DetectEngineCtx *de_ctx)
struct DetectBufferMpmRegistry_ * next
#define SIG_FLAG_REQUIRE_STREAM
struct DetectEngineTenantMapping_ * next
void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e)
#define SIG_FLAG_TXBOTHDIR
bool DetectContentInspectionMatchOnAbsentBuffer(const SigMatchData *smd)
tells if we should match on absent buffer, because there is an absent keyword being used
void AppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
int SCConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
struct SCProfileSghDetectCtx_ * profile_sgh_ctx
ThreadVars * tv_root[TVT_MAX]
one time registration of keywords at start up
void SCReferenceConfDeinit(DetectEngineCtx *de_ctx)
struct DetectPort_ * next
DetectPort * tcp_priorityports
void DetectEngineCtxFree(DetectEngineCtx *de_ctx)
Free a DetectEngineCtx::
SpmThreadCtx * spm_thread_ctx
int DetectEngineReloadTenantsBlocking(const int reload_cnt)
Reload all tenants and wait for loading to complete.
#define SCMUTEX_INITIALIZER
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
const char * conf_filename
enum DetectEnginePrefilterSetting prefilter_setting
void DetectParseDupSigHashFree(DetectEngineCtx *de_ctx)
Frees the hash table that is used to cull duplicate sigs.
struct DetectEngineThreadCtx_::@110 multi_inspect
DetectPort * udp_priorityports
int SCConfYamlLoadFileWithPrefix(const char *filename, const char *prefix)
Load configuration from a YAML file, insert in tree at 'prefix'.
int StringParseInt32(int32_t *res, int base, size_t len, const char *str)
int PrefilterGenericMpmFrameRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
uint32_t DetectEngineGetVersion(void)
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
void SigCleanSignatures(DetectEngineCtx *de_ctx)
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL
void * HashListTableLookup(HashListTable *ht, void *data, uint16_t datalen)
uint16_t lua_instruction_limit_errors
#define SIG_FLAG_TOCLIENT
bool DetectMd5ValidateCallback(const Signature *s, const char **sigerror, const DetectBufferType *map)
bool DetectEngineMpmCachingEnabled(void)
bool DetectBufferIsPresent(const Signature *s, const uint32_t buf_id)
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
#define KEYWORD_PROFILING_START
uint16_t counter_fnonmpm_list
struct DetectEnginePktInspectionEngine::@93 v1
HashTable * non_pf_engine_names
uint16_t counter_nonmpm_list
int PrefilterMultiGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
DetectEngineFrameInspectionEngine * frame_inspect
void DetectBufferTypeCloseRegistration(void)
const DetectEngineTransforms * transforms
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
void HashTableFree(HashTable *ht)
int DetectBufferTypeGetByName(const char *name)
#define KEYWORD_PROFILING_END(ctx, type, m)
void DetectBufferTypeSupportsPacket(const char *name)
InspectionBufferFrameInspectFunc Callback
int HashListTableAdd(HashListTable *ht, void *data, uint16_t datalen)
int SigGroupHeadHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table in the detection engine context to hold the SigGroupHeads.
void SCRConfDeInitContext(DetectEngineCtx *de_ctx)
Releases de_ctx resources related to Reference Config API.
HashTable * mt_det_ctxs_hash
size_t strlcpy(char *dst, const char *src, size_t siz)
bool DetectEnginePktInspectionRun(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, uint8_t *alert_flags)
void DetectAppLayerMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
void AlertQueueInit(DetectEngineThreadCtx *det_ctx)
uint16_t counter_alerts_suppressed
uint16_t base64_decode_max_len
@ SIGNATURE_HOOK_TYPE_APP
#define PKT_SET_SRC(p, src_val)
void SCConfInit(void)
Initialize the configuration system.
void SCConfDump(void)
Dump configuration to stdout.
@ TENANT_SELECTOR_UNKNOWN
#define HashListTableGetListNext(hb)
@ DETECT_SM_LIST_POSTMATCH
#define SIG_FLAG_TOSERVER
DetectEngineTenantSelectors
int DetectPortParse(const DetectEngineCtx *de_ctx, DetectPort **head, const char *str)
Function for parsing port strings.
int(* InspectionBufferPktInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags)
void InspectionBufferFree(InspectionBuffer *buffer)
HashListTable * HashListTableInit(uint32_t size, uint32_t(*Hash)(struct HashListTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
SCDetectRequiresStatus * requirements
#define TAILQ_REMOVE(head, elm, field)
SCRunMode SCRunmodeGet(void)
Get the current run mode.
bool(* TransformValidate)(const uint8_t *content, uint16_t content_len, void *context)
uint16_t counter_alerts_overflow
bool(* ValidateCallback)(const struct Signature_ *, const char **sigerror, const struct DetectBufferType_ *)
int DetectEngineMoveToFreeList(DetectEngineCtx *de_ctx)
#define PASS
Pass the test.
const char * DetectTableToString(enum DetectTable table)
SpmGlobalThreadCtx * SpmInitGlobalThreadCtx(uint8_t matcher)
void SCProfilingPrefilterDestroyCtx(DetectEngineCtx *de_ctx)
void DetectMpmInitializePktMpms(DetectEngineCtx *de_ctx)
void DetectLoadersInit(void)
struct TmSlot_ * tm_slots
const char * DetectEngineBufferTypeGetDescriptionById(const DetectEngineCtx *de_ctx, const int id)
#define SCMutexUnlock(mut)
@ DETECT_SM_LIST_BASE64_DATA
#define PKT_PSEUDO_STREAM_END
InspectionBuffer * buffers
DetectEngineThreadKeywordCtxItem * keyword_list
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
int SCConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
enum DetectEngineTenantSelectors tenant_selector
HashListTable * keyword_hash
void DetectPktInspectEngineRegister(const char *name, InspectionBufferGetPktDataPtr GetPktData, InspectionBufferPktInspectFunc Callback)
register inspect engine at start up time
int DetectEngineInspectStreamPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature on the raw stream.
DetectEnginePktInspectionEngine * pkt_inspect
InspectionMultiBufferGetDataPtr GetMultiData
int DetectBufferTypeMaxId(void)
void DatasetPostReloadCleanup(void)
Per thread variable structure.
bool DetectEngineBufferTypeValidateTransform(DetectEngineCtx *de_ctx, int sm_list, const uint8_t *content, uint16_t content_len, const char **namestr)
Check content byte array compatibility with transforms.
bool * sm_types_prefilter
int DetectEngineEnabled(void)
Check if detection is enabled.
SigMatchData * SigMatchList2DataArray(SigMatch *head)
convert SigMatch list to SigMatchData array
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
int DetectEngineReloadIsIdle(void)
#define DETECT_ENGINE_INSPECT_SIG_MATCH
#define PKT_DETECT_HAS_STREAMDATA
bool(* InspectionSingleBufferGetDataPtr)(const void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len)
@ DETECT_TABLE_PACKET_PRE_FLOW
void SCClassConfDeinit(DetectEngineCtx *de_ctx)
@ DETECT_TABLE_PACKET_FILTER
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
DetectEngineFrameInspectionEngine * frame_inspect_engines
DetectEngineCtx * free_list
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
void PatternMatchThreadPrepare(MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher)
struct DetectEngineThreadKeywordCtxItem_ * next
#define SCLogWarning(...)
Macro used to log WARNING messages.
int HashTableAdd(HashTable *ht, void *data, uint16_t datalen)
int DetectEngineBufferTypeRegister(DetectEngineCtx *de_ctx, const char *name)
Port structure for detection engine.
uint8_t json_content_capacity
DetectEngineAppInspectionEngine * app_inspect
struct ThreadVars_ * next
bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, const uint32_t buffer_len, const uint64_t stream_start_offset, const uint8_t flags, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
union SignatureHook_::@95 t
uint32_t hashlittle_safe(const void *key, size_t length, uint32_t initval)
int SigGroupCleanup(DetectEngineCtx *de_ctx)
uint16_t lua_memory_limit_errors
uint8_t DetectEngineInspectStream(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
inspect engine for stateful rules
void SCDetectEngineRegisterRateFilterCallback(SCDetectRateFilterFunc fn, void *arg)
Register a callback when a rate_filter has been applied to an alert.
int DetectEngineLoadTenantBlocking(uint32_t tenant_id, const char *yaml)
Load a tenant and wait for loading to complete.
void TmModuleDetectLoaderRegister(void)
TransformIdData xform_id[DETECT_TRANSFORMS_MAX]
DetectEngineCtx * DetectEngineCtxInit(void)
void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx)
void DetectEngineInitializeFastPatternList(DetectEngineCtx *de_ctx)
#define DE_STATE_FLAG_BASE
int SCRConfLoadReferenceConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Reference info from the reference.config file.
int DetectEngineTenantRegisterLivedev(uint32_t tenant_id, int device_id)
#define DETECT_CI_FLAGS_END
void DetectEngineBufferTypeSupportsFrames(DetectEngineCtx *de_ctx, const char *name)
int(* InspectionBufferFrameInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame)
DetectBufferMpmRegistry * frame_mpms_list
TmModule * TmModuleGetById(int id)
Returns a TM Module by its id.
struct TenantLoaderCtx_ TenantLoaderCtx
uint16_t max_uniq_toserver_groups
const DetectBufferType * DetectEngineBufferTypeGetById(const DetectEngineCtx *de_ctx, const int id)
struct LiveDevice_ * livedev
InspectionBufferPktInspectFunc Callback
SignatureInitData * init_data
enum DetectEngineSyncState state
SpmThreadCtx * SpmMakeThreadCtx(const SpmGlobalThreadCtx *global_thread_ctx)
void SCReferenceSCConfInit(DetectEngineCtx *de_ctx)
struct SCProfileKeywordDetectCtx_ * profile_keyword_ctx
InspectionSingleBufferGetDataPtr GetDataSingle
const char ** additional_configs
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
void SCProfilingPrefilterThreadCleanup(DetectEngineThreadCtx *det_ctx)
void SCConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
int DetectEngineThreadCtxGetJsonContext(DetectEngineThreadCtx *det_ctx)
int32_t byte_extract_max_local_id
@ SIG_PROP_FLOW_ACTION_PACKET
bool DetectEngineMultiTenantEnabled(void)
const struct SignatureProperties signature_properties[SIG_TYPE_MAX]
SCDetectRateFilterFunc RateFilterCallback
int RunmodeIsUnittests(void)
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)
#define SIG_FLAG_REQUIRE_STREAM_ONLY
void SpmDestroyGlobalThreadCtx(SpmGlobalThreadCtx *global_thread_ctx)
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
void DetectEngineRegisterTests(void)
int DetectLoaderQueueTask(int loader_id, LoaderFunc Func, void *func_ctx, LoaderFreeFunc FreeFunc)
@ DETECT_ENGINE_TYPE_TENANT
void DetectEngineBufferTypeSupportsTransformations(DetectEngineCtx *de_ctx, const char *name)
#define PACKET_ALERT_FLAG_STREAM_MATCH
bool(* InspectionMultiBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const void *txv, const uint8_t flow_flags, uint32_t local_id, const uint8_t **buf, uint32_t *buf_len)
bool DetectEngineBufferTypeSupportsMpmGetById(const DetectEngineCtx *de_ctx, const int id)
const char * DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
#define SCRealloc(ptr, sz)
void SRepReloadComplete(void)
Increment effective reputation version after a rule/reputation reload is complete.
#define SIG_FLAG_INIT_STATE_MATCH
struct PacketQueue_ * stream_pq
bool DetectEngineBufferTypeSupportsFramesGetById(const DetectEngineCtx *de_ctx, const int id)
int DetectEngineBufferTypeRegisterWithFrameEngines(DetectEngineCtx *de_ctx, const char *name, const int direction, const AppProto alproto, const uint8_t frame_type)
InspectionBufferGetPktDataPtr GetData
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
@ DETECT_ENGINE_TYPE_NORMAL
void * FlowWorkerGetDetectCtxPtr(void *flow_worker)
bool DetectEngineBufferTypeSupportsMultiInstanceGetById(const DetectEngineCtx *de_ctx, const int id)
SigFileLoaderStat sig_stat
void DetectEngineFrameMpmRegister(DetectEngineCtx *de_ctx, const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id), AppProto alproto, uint8_t type)
uint32_t * to_clear_queue
struct DetectEngineAppInspectionEngine_::@90 v2
void SpmDestroyThreadCtx(SpmThreadCtx *thread_ctx)
struct SCProfilePrefilterDetectCtx_ * profile_prefilter_ctx
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
#define DETECT_CI_FLAGS_SINGLE
int DetectEnginePktInspectionSetup(Signature *s)
int DetectBufferTypeRegister(const char *name)
uint8_t(* InspectEngineFuncPtr)(struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
int DetectRegisterThreadCtxFuncs(DetectEngineCtx *de_ctx, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int mode)
Register Thread keyword context Funcs.
int MpmStoreInit(DetectEngineCtx *de_ctx)
Initializes the MpmStore mpm hash table to be used by the detection engine context.
DetectBufferMpmRegistry * app_mpms_list
@ SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
DetectEngineCtx * DetectEngineCtxInitStubForMT(void)
void DetectBufferTypeSupportsMpm(const char *name)
void HashListTableFree(HashListTable *ht)
HashListTable * buffer_type_hash_name
struct DetectEngineCtx_ * next
@ DETECT_ENGINE_TYPE_DD_STUB
void DetectEngineBumpVersion(void)
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
struct DetectEngineFrameInspectionEngine * next
enum SignatureHookType type
int DetectEngineInspectFrameBufferGeneric(DetectEngineThreadCtx *det_ctx, const DetectEngineFrameInspectionEngine *engine, const Signature *s, Packet *p, const Frames *frames, const Frame *frame)
Do the content inspection & validation for a signature.
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
struct DetectEnginePktInspectionEngine * next
void * rate_filter_callback_arg
#define DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT
PostRuleMatchWorkQueueItem * q
uint8_t PatternMatchDefaultMatcher(void)
Function to return the multi pattern matcher algorithm to be used by the engine, based on the mpm-alg...
void SCConfDeInit(void)
De-initializes the configuration system.
int DetectEngineTenantRegisterPcapFile(uint32_t tenant_id)
void SigGroupHeadHashFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function.
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
void DetectEngineAppInspectionEngineSignatureFree(DetectEngineCtx *de_ctx, Signature *s)
free app inspect engines for a signature
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
DetectEnginePktInspectionEngine * pkt_inspect_engines
void DetectEngineBufferTypeSupportsMpm(DetectEngineCtx *de_ctx, const char *name)
bool * sm_types_silent_error
const char * DetectBufferTypeGetDescriptionByName(const char *name)
struct DetectEngineThreadCtx_::@109 inspect
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
void DetectEngineFreeFastPatternList(DetectEngineCtx *de_ctx)
void DetectBufferTypeSupportsTransformations(const char *name)
const char * DetectEngineMpmCachingGetPath(void)
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
int DetectAddressMapInit(DetectEngineCtx *de_ctx)
void InjectPacketsForFlush(ThreadVars **detect_tvs, int no_of_detect_tvs)
SignatureInitDataBuffer * buffers
DetectEngineAppInspectionEngine * app_inspect_engines
int filemagic_thread_ctx_id
int global_keyword_ctxs_size
SigJsonContent * json_content
void PrefilterInit(DetectEngineCtx *de_ctx)
void * DetectThreadCtxGetGlobalKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
SCConfNode * SCConfGetNode(const char *name)
Get a SCConfNode by name.
#define SCLogError(...)
Macro used to log ERROR messages.
int SRepInit(DetectEngineCtx *de_ctx)
init reputation
int DetectEngineReloadStart(void)
void DetectEngineUnsetParseMetadata(void)
@ PKT_SRC_DETECT_RELOAD_FLUSH
void ** keyword_ctxs_array
uint8_t guess_applayer_log_limit
int HashListTableRemove(HashListTable *ht, void *data, uint16_t datalen)
DetectEngineTransforms transforms
void SCConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
a single match condition for a signature
const DetectEngineTransforms * transforms
void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, const DetectEngineTransforms *transforms)
setup the buffer with our initial data
int DetectLoadersSync(void)
wait for loader tasks to complete
void SCProfilingSghDestroyCtx(DetectEngineCtx *de_ctx)
HashTable * HashTableInit(uint32_t size, uint32_t(*Hash)(struct HashTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
SpmTableElmt spm_table[SPM_TABLE_SIZE]
DetectEngineCtx * DetectEngineReference(DetectEngineCtx *de_ctx)
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
struct DetectEngineSyncer_ DetectEngineSyncer
void DetectMpmInitializeAppMpms(DetectEngineCtx *de_ctx)
int EngineModeIsIPS(void)
void(* ConfigDeinit)(MpmConfig **)
void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer)
setup the buffer empty
void(* ConfigCacheDirSet)(MpmConfig *, const char *dir_path)
InspectionBuffer *(* InspectionBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)
void PmqFree(PrefilterRuleStore *pmq)
Cleanup and free a Pmq.
@ DETECT_ENGINE_TYPE_MT_STUB
void ThresholdCacheThreadFree(void)
uint16_t vlan_id[VLAN_MAX_LAYERS]
struct SignatureHook_::@95::@96 app
int DetectEngineReload(const SCInstance *suri)
Reload the detection engine.
bool DetectEngineBufferRunValidateCallback(const DetectEngineCtx *de_ctx, const int id, const Signature *s, const char **sigerror)
void(* SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *)
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
bool DetectEngineContentInspectionBuffer(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const InspectionBuffer *b, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
SpmGlobalThreadCtx * spm_global_thread_ctx
void DetectEngineClearMaster(void)
void SRepDestroy(DetectEngineCtx *de_ctx)
MpmConfig *(* ConfigInit)(void)
uint16_t StatsRegisterAvgCounter(const char *name, struct ThreadVars_ *tv)
Registers a counter, whose value holds the average of all the values assigned to it.
@ SIG_PROP_FLOW_ACTION_FLOW
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
#define SCStatFn(pathname, statbuf)
int DetectUnregisterThreadCtxFuncs(DetectEngineCtx *de_ctx, void *data, const char *name)
Remove Thread keyword context registration.
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
void DetectAppLayerMultiRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectionMultiBufferGetDataPtr GetData, int priority)
void DetectEngineFrameInspectEngineRegister(DetectEngineCtx *de_ctx, const char *name, int dir, InspectionBufferFrameInspectFunc Callback, AppProto alproto, uint8_t type)
register inspect engine at start up time
int DetectEngineTenantRegisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
void DetectEngineSetParseMetadata(void)
int TmThreadsCheckFlag(ThreadVars *tv, uint32_t flag)
Check if a thread flag is set.
#define SCLogNotice(...)
Macro used to log NOTICE messages.
void DetectPktMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
@ TENANT_SELECTOR_LIVEDEV
AppProto alproto
application level protocol
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
int DetectEngineTenantUnregisterPcapFile(uint32_t tenant_id)
Signature loader statistics.
int DetectEngineInspectPktBufferGeneric(DetectEngineThreadCtx *det_ctx, const DetectEnginePktInspectionEngine *engine, const Signature *s, Packet *p, uint8_t *_alert_flags)
Do the content inspection & validation for a signature.
HashListTable * buffer_type_hash_id
DetectEngineCtx * DetectEngineGetByTenantId(uint32_t tenant_id)
void DetectPortCleanupList(const DetectEngineCtx *de_ctx, DetectPort *head)
Free a DetectPort list and each of its members.
void(* TransformId)(const uint8_t **data, uint32_t *length, void *context)
@ DETECT_SM_LIST_SUPPRESS
InspectionBuffer * inspection_buffers
#define DEBUG_VALIDATE_BUG_ON(exp)
int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature *s)
bool SCClassConfLoadClassificationConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Classtype info from the classification.config file.
void InspectionBufferSetupMulti(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
int DetectEngineTenantUnregisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
int PmqSetup(PrefilterRuleStore *pmq)
Setup a pmq.
void PatternMatchThreadDestroy(MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher)
int VarNameStoreActivate(void)
uint16_t counter_mpm_list
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size)
void SCProfilingKeywordThreadSetup(SCProfileKeywordDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
int DetectEngineReloadIsStart(void)
int DetectRegisterThreadCtxGlobalFuncs(const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *))
Register Thread keyword context Funcs (Global)
PostRuleMatchWorkQueue post_rule_work_queue
uint32_t tenant_array_size
struct DetectEngineTenantMapping_ * tenant_array
volatile uint8_t suricata_ctl_flags
#define TM_FLAG_FLOWWORKER_TM
void FlowWorkerReplaceDetectCtx(void *flow_worker, void *detect_ctx)
uint32_t StringHashDjb2(const uint8_t *data, uint32_t datalen)
int DetectEngineBufferTypeGetByIdTransforms(DetectEngineCtx *de_ctx, const int id, TransformData *transforms, int transform_cnt)
uint32_t(* TenantGetId)(const void *, const Packet *p)
void SCProfilingPrefilterThreadSetup(SCProfilePrefilterDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
void SCClassConfDeInitContext(DetectEngineCtx *de_ctx)
Releases resources used by the Classification Config API.
void PrefilterPktNonPFStatsDump(void)
#define SIG_FLAG_REQUIRE_PACKET