Go to the documentation of this file.
94 #define DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT 3000
101 static uint32_t TenantIdHash(
HashTable *h,
void *
data, uint16_t data_len);
102 static char TenantIdCompare(
void *d1, uint16_t d1_len,
void *d2, uint16_t d2_len);
103 static void TenantIdFree(
void *d);
104 static uint32_t DetectEngineTenantGetIdFromLivedev(
const void *
ctx,
const Packet *p);
105 static uint32_t DetectEngineTenantGetIdFromVlanId(
const void *
ctx,
const Packet *p);
106 static uint32_t DetectEngineTenantGetIdFromPcap(
const void *
ctx,
const Packet *p);
151 FatalError(
"failed to register inspect engine %s: %s",
name, strerror(errno));
153 new_engine->
sm_list = (uint16_t)sm_list;
158 if (g_pkt_inspect_engines == NULL) {
159 g_pkt_inspect_engines = new_engine;
162 while (t->
next != NULL) {
166 t->
next = new_engine;
173 static void AppLayerInspectEngineRegisterInternal(
const char *
name,
AppProto alproto, uint32_t dir,
189 (progress < 0 || progress >= SHRT_MAX) || (Callback == NULL)) {
193 SCLogError(
"Invalid arguments: must register "
194 "GetData with DetectEngineInspectBufferGeneric");
197 SCLogError(
"Invalid arguments: must register "
198 "GetData with DetectEngineInspectBufferGeneric");
201 SCLogError(
"Invalid arguments: must register "
202 "GetData with DetectEngineInspectMultiBufferGeneric");
214 AppLayerInspectEngineRegisterInternal(
215 name,
ALPROTO_DOH2, dir, progress, Callback, GetData, GetDataSingle, GetMultiData);
224 new_engine->
dir = direction;
225 new_engine->
sm_list = (uint16_t)sm_list;
227 new_engine->
progress = (int16_t)progress;
237 if (g_app_inspect_engines == NULL) {
238 g_app_inspect_engines = new_engine;
241 while (t->
next != NULL) {
245 t->
next = new_engine;
259 if (t->
sm_list == sm_list && t->
alproto == alproto && t_direction == dir &&
267 AppLayerInspectEngineRegisterInternal(
268 name, alproto, dir, progress, Callback, GetData, NULL, NULL);
281 if (t->
sm_list == sm_list && t->
alproto == alproto && t_direction == dir &&
290 AppLayerInspectEngineRegisterInternal(
291 name, alproto, dir, progress, Callback, NULL, GetData, NULL);
295 static void DetectAppLayerInspectEngineCopy(
297 int sm_list,
int new_list,
310 new_engine->
sm_list = (uint16_t)new_list;
314 new_engine->
v2 = t->
v2;
321 while (list->
next != NULL) {
325 list->
next = new_engine;
347 new_engine->
v2 = t->
v2;
352 list->
next = new_engine;
361 static void DetectPktInspectEngineCopy(
363 int sm_list,
int new_list,
374 new_engine->
sm_list = (uint16_t)new_list;
377 new_engine->
v1 = t->
v1;
384 while (list->
next != NULL) {
388 list->
next = new_engine;
407 new_engine->
v1 = t->
v1;
413 while (list->
next != NULL) {
417 list->
next = new_engine;
449 FatalError(
"failed to register inspect engine %s: %s",
name, strerror(errno));
451 new_engine->
sm_list = (uint16_t)sm_list;
453 new_engine->
dir = direction;
462 while (list->
next != NULL) {
466 list->
next = new_engine;
485 new_engine->
sm_list = (uint16_t)new_list;
491 new_engine->
v1 = t->
v1;
496 while (list->
next != NULL) {
500 list->
next = new_engine;
522 new_engine->
v1 = t->
v1;
528 while (list->
next != NULL) {
532 list->
next = new_engine;
544 static void AppendStreamInspectEngine(
547 bool prepend =
false;
556 new_engine->
mpm =
true;
559 new_engine->
dir = direction;
560 new_engine->
stream =
true;
563 new_engine->
smd = stream;
571 }
else if (prepend) {
578 while (a->
next != NULL) {
582 a->
next = new_engine;
585 SCLogDebug(
"sid %u: engine %p/%u added", s->
id, new_engine, new_engine->
id);
592 bool prepend =
false;
615 new_engine->
mpm =
true;
621 new_engine->
smd = smd;
622 new_engine->
v1 = u->
v1;
628 }
else if (prepend) {
633 while (a->
next != NULL) {
637 a->
next = new_engine;
645 bool prepend =
false;
655 new_engine->
mpm =
true;
660 new_engine->
smd = smd;
661 new_engine->
v1 = e->
v1;
667 }
else if (prepend) {
672 while (a->
next != NULL) {
676 a->
next = new_engine;
682 const int mpm_list,
const int files_id, uint8_t *last_id,
bool *head_is_mpm)
696 SCLogDebug(
"app engine: t %p t->id %u => alproto:%s files:%s", t, t->
id,
704 bool prepend =
false;
709 new_engine->
mpm =
true;
716 new_engine->
smd = smd;
719 new_engine->
v2 = t->
v2;
725 if (new_engine->
sm_list == files_id) {
727 SCLogDebug(
"sid %u: engine %p/%u is FILE ENGINE", s->
id, new_engine, new_engine->
id);
730 SCLogDebug(
"sid %u: engine %p/%u %s", s->
id, new_engine, new_engine->
id,
738 if (new_engine->
sm_list == files_id) {
740 SCLogDebug(
"sid %u: engine %p/%u is FILE ENGINE", s->
id, new_engine, new_engine->
id);
742 new_engine->
id = ++(*last_id);
743 SCLogDebug(
"sid %u: engine %p/%u %s", s->
id, new_engine, new_engine->
id,
749 while (a->
next != NULL) {
757 a->
next = new_engine;
758 if (new_engine->
sm_list == files_id) {
760 SCLogDebug(
"sid %u: engine %p/%u is FILE ENGINE", s->
id, new_engine, new_engine->
id);
762 new_engine->
id = ++(*last_id);
763 SCLogDebug(
"sid %u: engine %p/%u %s", s->
id, new_engine, new_engine->
id,
768 SCLogDebug(
"sid %u: engine %p/%u added", s->
id, new_engine, new_engine->
id);
781 bool head_is_mpm =
false;
796 u != NULL; u = u->
next) {
798 AppendFrameInspectEngine(
de_ctx, u, s, smd, mpm_list);
807 AppendPacketInspectEngine(
de_ctx, e, s, smd, mpm_list);
825 AppendAppInspectEngine(
826 de_ctx, t, s, smd, mpm_list, files_id, &last_id, &head_is_mpm);
862 AppendAppInspectEngine(
de_ctx, &t, s, NULL, mpm_list, files_id, &last_id, &head_is_mpm);
872 AppendStreamInspectEngine(s, stream, 0, last_id + 1);
874 AppendStreamInspectEngine(s, stream, 1, last_id + 1);
876 AppendStreamInspectEngine(s, stream, 0, last_id + 1);
877 AppendStreamInspectEngine(s, stream, 1, last_id + 1);
891 iter->
sm_list == mpm_list ?
"MPM" :
"");
942 for (
int i = 0; i < arrays; i++) {
943 if (bufs[i] == ie->
smd) {
949 bufs[arrays++] = ie->
smd;
959 for (
int i = 0; i < arrays; i++) {
960 if (bufs[i] == e->
smd) {
966 bufs[arrays++] = e->
smd;
976 for (
int i = 0; i < arrays; i++) {
977 if (bufs[i] == u->
smd) {
983 bufs[arrays++] = u->
smd;
989 for (
int i = 0; i < engines; i++) {
1011 static int g_buffer_type_reg_closed = 0;
1015 return g_buffer_type_id;
1031 static uint32_t DetectBufferTypeHashNameFunc(
HashListTable *ht,
void *data, uint16_t datalen)
1055 static uint32_t DetectBufferTypeHashIdFunc(
HashListTable *ht,
void *data, uint16_t datalen)
1058 uint32_t hash = map->
id;
1063 static char DetectBufferTypeCompareNameFunc(
void *data1, uint16_t len1,
void *data2, uint16_t len2)
1068 char r = (strcmp(map1->
name, map2->
name) == 0);
1081 SCLogDebug(
"%s: transform ids match; checking specialized data", map1->
name);
1090 SCLogDebug(
"identity data: only one is null");
1115 static char DetectBufferTypeCompareIdFunc(
void *data1, uint16_t len1,
void *data2, uint16_t len2)
1119 return map1->
id == map2->
id;
1122 static void DetectBufferTypeFreeFunc(
void *data)
1136 SCLogError(
"%s allocates transform option memory but has no free routine",
1146 static int DetectBufferTypeInit(
void)
1148 BUG_ON(g_buffer_type_hash);
1150 DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc);
1151 if (g_buffer_type_hash == NULL)
1157 static void DetectBufferTypeFree(
void)
1159 if (g_buffer_type_hash == NULL)
1163 g_buffer_type_hash = NULL;
1166 static int DetectBufferTypeAdd(
const char *
string)
1168 BUG_ON(
string == NULL || strlen(
string) >= 64);
1175 map->
id = g_buffer_type_id++;
1185 memset(&map, 0,
sizeof(map));
1194 BUG_ON(g_buffer_type_reg_closed);
1195 if (g_buffer_type_hash == NULL)
1196 DetectBufferTypeInit();
1200 return DetectBufferTypeAdd(
name);
1208 BUG_ON(g_buffer_type_reg_closed);
1213 SCLogDebug(
"%p %s -- %d supports multi instance", exists,
name, exists->
id);
1218 BUG_ON(g_buffer_type_reg_closed);
1222 exists->
frame =
true;
1223 SCLogDebug(
"%p %s -- %d supports frame inspection", exists,
name, exists->
id);
1228 BUG_ON(g_buffer_type_reg_closed);
1233 SCLogDebug(
"%p %s -- %d supports packet inspection", exists,
name, exists->
id);
1238 BUG_ON(g_buffer_type_reg_closed);
1248 BUG_ON(g_buffer_type_reg_closed);
1253 SCLogDebug(
"%p %s -- %d supports transformations", exists,
name, exists->
id);
1269 memset(&map, 0,
sizeof(map));
1279 memset(&lookup, 0,
sizeof(lookup));
1289 return res ? res->
name : NULL;
1294 BUG_ON(
string == NULL || strlen(
string) >= 32);
1310 const int direction,
const AppProto alproto,
const uint8_t frame_type)
1317 const int buffer_id = DetectEngineBufferTypeAdd(
de_ctx,
name);
1318 if (buffer_id < 0) {
1347 return DetectEngineBufferTypeAdd(
de_ctx,
name);
1355 BUG_ON(desc == NULL || strlen(desc) >= 128);
1386 exists->
frame =
true;
1387 SCLogDebug(
"%p %s -- %d supports frame inspection", exists,
name, exists->
id);
1395 SCLogDebug(
"%p %s -- %d supports packet inspection", exists,
name, exists->
id);
1411 SCLogDebug(
"%p %s -- %d supports transformations", exists,
name, exists->
id);
1453 BUG_ON(g_buffer_type_reg_closed);
1469 const char *
name,
bool (*ValidateCallback)(
const Signature *,
const char **sigerror,
1472 BUG_ON(g_buffer_type_reg_closed);
1519 const uint8_t *content, uint16_t content_len,
const char **namestr)
1545 const int size = g_buffer_type_id;
1549 DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc);
1552 HashListTableInit(256, DetectBufferTypeHashIdFunc, DetectBufferTypeCompareIdFunc,
1564 memcpy(copy, map,
sizeof(*copy));
1570 SCLogDebug(
"name %s id %d mpm %s packet %s -- %s. "
1571 "Callbacks: Setup %p Validate %p",
1572 map->
name, map->
id, map->
mpm ?
"true" :
"false", map->
packet ?
"true" :
"false",
1579 DetectAppLayerInspectEngineCopyListToDetectCtx(
de_ctx);
1581 DetectFrameInspectEngineCopyListToDetectCtx(
de_ctx);
1583 DetectPktInspectEngineCopyListToDetectCtx(
de_ctx);
1625 while (framemlist) {
1636 BUG_ON(g_buffer_type_hash == NULL);
1638 g_buffer_type_reg_closed = 1;
1649 SCLogError(
"buffer '%s' does not support transformations", base_map->
name);
1656 memset(&t, 0,
sizeof(t));
1657 for (
int i = 0; i < transform_cnt; i++) {
1660 t.
cnt = transform_cnt;
1663 memset(&lookup_map, 0,
sizeof(lookup_map));
1669 DetectBufferAddTransformData(&lookup_map);
1686 map->
mpm = base_map->
mpm;
1693 }
else if (map->
packet) {
1703 SCLogDebug(
"buffer %s registered with id %d, parent %d", map->name, map->id, map->parent_id);
1706 DetectFrameInspectEngineCopy(
de_ctx, map->parent_id, map->id, &map->transforms);
1707 }
else if (map->packet) {
1708 DetectPktInspectEngineCopy(
de_ctx, map->parent_id, map->id, &map->transforms);
1710 DetectAppLayerInspectEngineCopy(
de_ctx, map->parent_id, map->id, &map->transforms);
1716 static int DetectEngineInspectRulePacketMatches(
1720 Packet *p, uint8_t *_alert_flags)
1728 SCLogDebug(
"running match functions, sm %p", smd);
1746 static int DetectEngineInspectRulePayloadMatches(
1768 SCLogDebug(
"no match in stream, fall back to packet payload");
1776 SCLogDebug(
"SIG_FLAG_REQUIRE_STREAM_ONLY, so no match");
1794 uint8_t *alert_flags)
1800 SCLogDebug(
"sid %u: e %p Callback returned no match", s->
id, e);
1803 SCLogDebug(
"sid %u: e %p Callback returned true", s->
id, e);
1822 e->
sm_list = (uint16_t)list_id;
1831 while (a->
next != NULL) {
1843 if (DetectEnginePktInspectionAppend(
1846 SCLogDebug(
"sid %u: DetectEngineInspectRulePayloadMatches appended", s->
id);
1850 if (DetectEnginePktInspectionAppend(
1853 SCLogDebug(
"sid %u: DetectEngineInspectRulePacketMatches appended", s->
id);
1935 uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id)
1938 SCLogDebug(
"running match functions, sm %p", smd);
1944 AppLayerTxMatch(det_ctx, f,
flags, alstate, txv, s, smd->
ctx);
1977 void *alstate,
void *txv, uint64_t tx_id)
1979 const int list_id = engine->
sm_list;
1980 SCLogDebug(
"running inspect on %d", list_id);
2004 const uint8_t *data = buffer->
inspect;
2009 ci_flags |= buffer->
flags;
2038 void *alstate,
void *txv, uint64_t tx_id)
2040 const int list_id = engine->
sm_list;
2041 SCLogDebug(
"running inspect on %d", list_id);
2055 f,
flags, txv, list_id);
2065 const uint8_t *data = buffer->
inspect;
2070 ci_flags |= buffer->
flags;
2089 AppLayerInspectEngineRegisterInternal(
name, alproto, dir, progress,
2100 if (buffer->
inspect == NULL) {
2101 const uint8_t *b = NULL;
2104 if (!GetBuf(txv, flow_flags, &b, &b_len))
2117 if (buffer == NULL) {
2124 const uint8_t *data = NULL;
2125 uint32_t data_len = 0;
2127 if (!GetBuf(det_ctx, txv, flow_flags, index, &data, &data_len)) {
2138 const Signature *s,
Flow *f, uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id)
2140 uint32_t local_id = 0;
2150 if (buffer == NULL || buffer->
inspect == NULL)
2162 if (local_id == 0) {
2189 const int list_id = engine->
sm_list;
2190 SCLogDebug(
"running inspect on %d", list_id);
2208 ci_flags |= buffer->
flags;
2235 for (
int i = 0; i < no_of_detect_tvs; i++) {
2236 if (detect_tvs[i]) {
2239 SCLogDebug(
"Injecting pkt for tv %s[i=%d] %d", detect_tvs[i]->
name, i, count++);
2251 SCLogDebug(
"leaving: thread notification count = %d", count);
2259 static void InjectPackets(
2267 for (
int i = 0; i < no_of_detect_tvs; i++) {
2268 if (
SC_ATOMIC_GET(new_det_ctx[i]->so_far_used_by_detect) != 1) {
2269 if (detect_tvs[i]->inq != NULL) {
2306 if (no_of_detect_tvs == 0) {
2316 memset(detect_tvs, 0x00, (no_of_detect_tvs *
sizeof(
ThreadVars *)));
2341 if (new_det_ctx[i] == NULL) {
2343 "failure in live rule swap. Let's get out of here");
2347 SCLogDebug(
"live rule swap created new det_ctx - %p and de_ctx "
2348 "- %p\n", new_det_ctx[i], new_de_ctx);
2353 BUG_ON(i != no_of_detect_tvs);
2366 SCLogDebug(
"swapping new det_ctx - %p with older one - %p",
2377 SCLogDebug(
"Live rule swap has swapped %d old det_ctx's with new ones, "
2378 "along with the new de_ctx", no_of_detect_tvs);
2380 InjectPackets(detect_tvs, new_det_ctx, no_of_detect_tvs);
2384 uint32_t threads_done = 0;
2386 for (i = 0; i < no_of_detect_tvs; i++) {
2388 threads_done = no_of_detect_tvs;
2392 if (
SC_ATOMIC_GET(new_det_ctx[i]->so_far_used_by_detect) == 1) {
2393 SCLogDebug(
"new_det_ctx - %p used by detect engine", new_det_ctx[i]);
2396 TmThreadsCaptureBreakLoop(detect_tvs[i]);
2399 if (threads_done < no_of_detect_tvs) {
2410 if (i != no_of_detect_tvs) {
2423 for (i = 0; i < no_of_detect_tvs; i++) {
2424 SCLogDebug(
"Freeing old_det_ctx - %p used by detect",
2434 for (i = 0; i < no_of_detect_tvs; i++) {
2435 if (new_det_ctx[i] != NULL)
2443 const char *strval = NULL;
2444 if (
SCConfGet(
"detect.sgh-mpm-caching", &strval) != 1)
2447 int sgh_mpm_caching = 0;
2448 (void)
SCConfGetBool(
"detect.sgh-mpm-caching", &sgh_mpm_caching);
2449 return (
bool)sgh_mpm_caching;
2458 char yamlpath[] =
"detect.sgh-mpm-caching-path";
2459 const char *strval = NULL;
2462 if (strval != NULL) {
2466 static bool notified =
false;
2468 SCLogInfo(
"%s has no path specified, using %s", yamlpath, SGH_CACHE_DIR);
2471 return SGH_CACHE_DIR;
2494 if (prefix != NULL) {
2498 int failure_fatal = 0;
2499 if (
SCConfGetBool(
"engine.init-failure-fatal", (
int *)&failure_fatal) != 1) {
2500 SCLogDebug(
"ConfGetBool could not load the value.");
2523 SCLogDebug(
"Unable to alloc SpmGlobalThreadCtx.");
2535 if (DetectEngineCtxLoadConf(
de_ctx) == -1) {
2544 DetectBufferTypeSetupDetectEngine(
de_ctx);
2592 if (prefix == NULL || strlen(prefix) == 0)
2630 #ifdef PROFILE_RULES
2631 if (
de_ctx->profile_ctx != NULL) {
2632 SCProfilingRuleDestroyCtx(
de_ctx->profile_ctx);
2633 de_ctx->profile_ctx = NULL;
2676 DetectEngineCtxFreeThreadKeywordData(
de_ctx);
2678 DetectEngineCtxFreeFailedSigs(
de_ctx);
2698 DetectBufferTypeFreeDetectEngine(
de_ctx);
2727 const char *max_uniq_toclient_groups_str = NULL;
2728 const char *max_uniq_toserver_groups_str = NULL;
2729 const char *sgh_mpm_context = NULL;
2730 const char *de_ctx_profile = NULL;
2732 (void)
SCConfGet(
"detect.profile", &de_ctx_profile);
2733 (void)
SCConfGet(
"detect.sgh-mpm-context", &sgh_mpm_context);
2738 if (de_ctx_custom != NULL) {
2740 if (de_ctx_profile == NULL) {
2741 if (opt->
val && strcmp(opt->
val,
"profile") == 0) {
2742 de_ctx_profile = opt->head.tqh_first->
val;
2746 if (sgh_mpm_context == NULL) {
2747 if (opt->
val && strcmp(opt->
val,
"sgh-mpm-context") == 0) {
2748 sgh_mpm_context = opt->head.tqh_first->
val;
2754 if (de_ctx_profile != NULL) {
2755 if (strcmp(de_ctx_profile,
"low") == 0 ||
2756 strcmp(de_ctx_profile,
"lowest") == 0) {
2758 }
else if (strcmp(de_ctx_profile,
"medium") == 0) {
2760 }
else if (strcmp(de_ctx_profile,
"high") == 0 ||
2761 strcmp(de_ctx_profile,
"highest") == 0) {
2763 }
else if (strcmp(de_ctx_profile,
"custom") == 0) {
2766 SCLogError(
"invalid value for detect.profile: '%s'. "
2767 "Valid options: low, medium, high and custom.",
2772 SCLogDebug(
"Profile for detection engine groups is \"%s\"", de_ctx_profile);
2774 SCLogDebug(
"Profile for detection engine groups not provided "
2775 "at suricata.yaml. Using default (\"medium\").");
2779 if (sgh_mpm_context == NULL || strcmp(sgh_mpm_context,
"auto") == 0) {
2789 if (strcmp(sgh_mpm_context,
"single") == 0) {
2791 }
else if (strcmp(sgh_mpm_context,
"full") == 0) {
2795 "invalid conf value for detect-engine.sgh-mpm-context-"
2820 (void)
SCConfGet(
"detect.custom-values.toclient-groups", &max_uniq_toclient_groups_str);
2821 (void)
SCConfGet(
"detect.custom-values.toserver-groups", &max_uniq_toserver_groups_str);
2823 if (de_ctx_custom != NULL) {
2825 if (opt->
val && strcmp(opt->
val,
"custom-values") == 0) {
2826 if (max_uniq_toclient_groups_str == NULL) {
2828 opt->head.tqh_first,
"toclient-sp-groups");
2830 if (max_uniq_toclient_groups_str == NULL) {
2832 opt->head.tqh_first,
"toclient-groups");
2834 if (max_uniq_toserver_groups_str == NULL) {
2836 opt->head.tqh_first,
"toserver-dp-groups");
2838 if (max_uniq_toserver_groups_str == NULL) {
2840 opt->head.tqh_first,
"toserver-groups");
2845 if (max_uniq_toclient_groups_str != NULL) {
2847 (uint16_t)strlen(max_uniq_toclient_groups_str),
2848 (
const char *)max_uniq_toclient_groups_str) <= 0) {
2852 "toclient-groups failed, using %u",
2860 if (max_uniq_toserver_groups_str != NULL) {
2862 (uint16_t)strlen(max_uniq_toserver_groups_str),
2863 (
const char *)max_uniq_toserver_groups_str) <= 0) {
2867 "toserver-groups failed, using %u",
2887 if (
SCConfGetInt(
"detect.inspection-recursion-limit", &value) == 1) {
2888 if (value >= 0 && value <= INT_MAX) {
2894 SCConfNode *insp_recursion_limit_node = NULL;
2895 char *insp_recursion_limit = NULL;
2897 if (de_ctx_custom != NULL) {
2900 if (opt->
val && strcmp(opt->
val,
"inspection-recursion-limit") != 0)
2904 if (insp_recursion_limit_node == NULL) {
2906 "entry for detect-engine:inspection-recursion-limit");
2909 insp_recursion_limit = insp_recursion_limit_node->
val;
2910 SCLogDebug(
"Found detect-engine.inspection-recursion-limit - %s:%s",
2911 insp_recursion_limit_node->
name, insp_recursion_limit_node->
val);
2915 if (insp_recursion_limit != NULL) {
2917 0, (
const char *)insp_recursion_limit) < 0) {
2919 "detect-engine.inspection-recursion-limit: %s "
2932 SCLogDebug(
"de_ctx->inspection_recursion_limit: %d",
2937 if (
SCConfGetInt(
"detect.stream-tx-log-limit", &value) == 1) {
2938 if (value >= 0 && value <= UINT8_MAX) {
2941 SCLogWarning(
"Invalid value for detect-engine.stream-tx-log-limit: must be between 0 "
2942 "and 255, will default to 4");
2945 int guess_applayer = 0;
2946 if ((
SCConfGetBool(
"detect.guess-applayer-tx", &guess_applayer)) == 1) {
2947 if (guess_applayer == 1) {
2954 const char *ports = NULL;
2955 (void)
SCConfGet(
"detect.grouping.tcp-priority-ports", &ports);
2957 SCLogConfig(
"grouping: tcp-priority-ports %s", ports);
2959 (void)
SCConfGet(
"detect.grouping.tcp-whitelist", &ports);
2962 "grouping: tcp-priority-ports from legacy 'tcp-whitelist' setting: %s", ports);
2964 ports =
"53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080";
2965 SCLogConfig(
"grouping: tcp-priority-ports (default) %s", ports);
2970 "for detect.grouping.tcp-priority-ports",
2974 for ( ; x != NULL; x = x->
next) {
2977 "for detect.grouping.tcp-priority-ports: only single ports allowed",
2986 (void)
SCConfGet(
"detect.grouping.udp-priority-ports", &ports);
2988 SCLogConfig(
"grouping: udp-priority-ports %s", ports);
2990 (void)
SCConfGet(
"detect.grouping.udp-whitelist", &ports);
2993 "grouping: udp-priority-ports from legacy 'udp-whitelist' setting: %s", ports);
2995 ports =
"53, 135, 5060";
2996 SCLogConfig(
"grouping: udp-priority-ports (default) %s", ports);
3001 "for detect.grouping.udp-priority-ports",
3007 "for detect.grouping.udp-priority-ports: only single ports allowed",
3016 const char *pf_setting = NULL;
3017 if (
SCConfGet(
"detect.prefilter.default", &pf_setting) == 1 && pf_setting) {
3018 if (strcasecmp(pf_setting,
"mpm") == 0) {
3020 }
else if (strcasecmp(pf_setting,
"auto") == 0) {
3029 SCLogConfig(
"prefilter engines: MPM and keywords");
3049 SCLogError(
"setting up thread local detect ctx");
3058 SCLogError(
"setting up thread local detect ctx "
3059 "for keyword \"%s\" failed",
3097 SCLogError(
"setting up thread local detect ctx");
3109 SCLogError(
"setting up thread local detect ctx "
3110 "for keyword \"%s\" failed",
3140 uint32_t map_array_size = 0;
3141 uint32_t map_cnt = 0;
3142 uint32_t max_tenant_id = 0;
3148 "set using multi-detect.selector");
3161 mt_det_ctxs_hash =
HashTableInit(tcnt * 2, TenantIdHash, TenantIdCompare, TenantIdFree);
3162 if (mt_det_ctxs_hash == NULL) {
3167 SCLogInfo(
"no tenants left, or none registered yet");
3178 map_array_size = map_cnt + 1;
3180 map_array =
SCCalloc(map_array_size,
sizeof(*map_array));
3181 if (map_array == NULL)
3188 if (map_cnt >= map_array_size) {
3200 list = master->
list;
3205 if (mt_det_ctx == NULL)
3207 if (
HashTableAdd(mt_det_ctxs_hash, mt_det_ctx, 0) != 0) {
3216 mt_det_ctxs_hash = NULL;
3228 det_ctx->
TenantGetId = DetectEngineTenantGetIdFromVlanId;
3232 det_ctx->
TenantGetId = DetectEngineTenantGetIdFromLivedev;
3236 det_ctx->
TenantGetId = DetectEngineTenantGetIdFromPcap;
3243 if (map_array != NULL)
3245 if (mt_det_ctxs_hash != NULL)
3318 DetectEngineThreadCtxInitKeywords(
de_ctx, det_ctx);
3319 DetectEngineThreadCtxInitGlobalKeywords(det_ctx);
3320 #ifdef PROFILE_RULES
3321 SCProfilingRuleThreadSetup(
de_ctx->profile_ctx, det_ctx);
3358 if (det_ctx->
de_ctx == NULL) {
3408 if (DetectEngineThreadCtxInitForMT(
tv, det_ctx) !=
TM_ECODE_OK) {
3415 *data = (
void *)det_ctx;
3439 if (det_ctx->
de_ctx == NULL) {
3471 if (DetectEngineThreadCtxInitForMT(
tv, det_ctx) !=
TM_ECODE_OK) {
3484 SCLogDebug(
"PACKET PKT_STREAM_ADD: %"PRIu64, det_ctx->pkt_stream_add_cnt);
3486 SCLogDebug(
"PAYLOAD MPM %"PRIu64
"/%"PRIu64, det_ctx->payload_mpm_cnt, det_ctx->payload_mpm_size);
3487 SCLogDebug(
"STREAM MPM %"PRIu64
"/%"PRIu64, det_ctx->stream_mpm_cnt, det_ctx->stream_mpm_size);
3489 SCLogDebug(
"PAYLOAD SIG %"PRIu64
"/%"PRIu64, det_ctx->payload_persig_cnt, det_ctx->payload_persig_size);
3490 SCLogDebug(
"STREAM SIG %"PRIu64
"/%"PRIu64, det_ctx->stream_persig_cnt, det_ctx->stream_persig_size);
3498 #ifdef PROFILE_RULES
3499 SCProfilingRuleThreadCleanup(det_ctx);
3508 if (det_ctx->
de_ctx != NULL) {
3547 for (uint32_t x = 0; x < fb->
size; x++) {
3558 DetectEngineThreadCtxDeinitGlobalKeywords(det_ctx);
3559 if (det_ctx->
de_ctx != NULL) {
3560 DetectEngineThreadCtxDeinitKeywords(det_ctx->
de_ctx, det_ctx);
3580 if (det_ctx == NULL) {
3589 DetectEngineThreadCtxFree(det_ctx);
3594 static uint32_t DetectKeywordCtxHashFunc(
HashListTable *ht,
void *data, uint16_t datalen)
3601 return (uint32_t)hash;
3604 static char DetectKeywordCtxCompareFunc(
void *data1, uint16_t len1,
void *data2, uint16_t len2)
3608 const char *name1 = ctx1->
name;
3609 const char *name2 = ctx2->
name;
3610 return (strcmp(name1, name2) == 0 && ctx1->
data == ctx2->
data);
3613 static void DetectKeywordCtxFreeFunc(
void *ptr)
3636 BUG_ON(
de_ctx == NULL || InitFunc == NULL || FreeFunc == NULL);
3640 DetectKeywordCtxHashFunc, DetectKeywordCtxCompareFunc, DetectKeywordCtxFreeFunc);
3725 void *(*InitFunc)(
void *),
void *data,
void (*FreeFunc)(
void *))
3728 BUG_ON(InitFunc == NULL || FreeFunc == NULL);
3734 while (item != NULL) {
3735 if (strcmp(
name, item->
name) == 0) {
3785 if (master->
list == NULL) {
3861 static int DetectEngineMultiTenantLoadTenant(uint32_t tenant_id,
const char *filename,
int loader_id)
3866 snprintf(prefix,
sizeof(prefix),
"multi-detect.%u", tenant_id);
3869 if (
SCStatFn(filename, &st) != 0) {
3870 SCLogError(
"failed to stat file %s", filename);
3876 SCLogError(
"tenant %u already registered", tenant_id);
3883 SCLogError(
"failed to properly setup yaml %s", filename);
3920 static int DetectEngineMultiTenantReloadTenant(uint32_t tenant_id,
const char *filename,
int reload_cnt)
3923 if (old_de_ctx == NULL) {
3924 SCLogError(
"tenant detect engine not found");
3928 if (filename == NULL)
3932 snprintf(prefix,
sizeof(prefix),
"multi-detect.%u.reload.%d", tenant_id, reload_cnt);
3943 SCLogError(
"failed to properly setup yaml %s", filename);
3948 if (new_de_ctx == NULL) {
3961 goto new_de_ctx_error;
3966 goto new_de_ctx_error;
3991 static void DetectLoaderFreeTenant(
void *
ctx)
3994 if (t->
yaml != NULL) {
4000 static int DetectLoaderFuncLoadTenant(
void *vctx,
int loader_id)
4005 if (DetectEngineMultiTenantLoadTenant(
ctx->tenant_id,
ctx->yaml, loader_id) != 0) {
4011 static int DetectLoaderSetupLoadTenant(uint32_t tenant_id,
const char *yaml)
4019 if (t->
yaml == NULL) {
4027 static int DetectLoaderFuncReloadTenant(
void *vctx,
int loader_id)
4033 if (DetectEngineMultiTenantReloadTenant(
ctx->tenant_id,
ctx->yaml,
ctx->reload_cnt) != 0) {
4039 static int DetectLoaderSetupReloadTenants(
const int reload_cnt)
4058 loader_id, DetectLoaderFuncReloadTenant, t, DetectLoaderFreeTenant);
4072 static int DetectLoaderSetupReloadTenant(uint32_t tenant_id,
const char *yaml,
int reload_cnt)
4075 if (old_de_ctx == NULL)
4087 if (t->
yaml == NULL) {
4097 loader_id, DetectLoaderFuncReloadTenant, t, DetectLoaderFreeTenant);
4104 int r = DetectLoaderSetupLoadTenant(tenant_id, yaml);
4118 int r = DetectLoaderSetupReloadTenant(tenant_id, yaml, reload_cnt);
4132 int r = DetectLoaderSetupReloadTenants(reload_cnt);
4142 static int DetectEngineMultiTenantSetupLoadLivedevMappings(
4143 const SCConfNode *mappings_root_node,
bool failure_fatal)
4147 int mapping_cnt = 0;
4148 if (mappings_root_node != NULL) {
4151 if (tenant_id_node == NULL)
4154 if (device_node == NULL)
4157 uint32_t tenant_id = 0;
4159 tenant_id_node->
val) < 0) {
4162 tenant_id_node->
val);
4166 const char *dev = device_node->
val;
4185 SCLogConfig(
"device %s connected to tenant-id %u", dev, tenant_id);
4194 SCLogConfig(
"%d device - tenant-id mappings defined", mapping_cnt);
4201 static int DetectEngineMultiTenantSetupLoadVlanMappings(
4202 const SCConfNode *mappings_root_node,
bool failure_fatal)
4206 int mapping_cnt = 0;
4207 if (mappings_root_node != NULL) {
4210 if (tenant_id_node == NULL)
4213 if (vlan_id_node == NULL)
4216 uint32_t tenant_id = 0;
4218 tenant_id_node->
val) < 0) {
4221 tenant_id_node->
val);
4225 uint16_t vlan_id = 0;
4227 &vlan_id, 10, (uint16_t)strlen(vlan_id_node->
val), vlan_id_node->
val) < 0) {
4233 if (vlan_id == 0 || vlan_id >= 4095) {
4235 "of %s is invalid. Valid range 1-4094.",
4243 SCLogConfig(
"vlan %u connected to tenant-id %u", vlan_id, tenant_id);
4269 int failure_fatal = 0;
4270 (void)
SCConfGetBool(
"engine.init-failure-fatal", &failure_fatal);
4283 const char *handler = NULL;
4284 if (
SCConfGet(
"multi-detect.selector", &handler) == 1) {
4285 SCLogConfig(
"multi-tenant selector type %s", handler);
4287 if (strcmp(handler,
"vlan") == 0) {
4291 if ((
SCConfGetBool(
"vlan.use-for-tracking", &vlanbool)) == 1 && vlanbool == 0) {
4293 "can't use multi-detect selector 'vlan'");
4298 }
else if (strcmp(handler,
"direct") == 0) {
4300 }
else if (strcmp(handler,
"device") == 0) {
4303 SCLogWarning(
"multi-tenant 'device' mode not supported for IPS");
4310 "multi-detect.selector",
4317 SCLogConfig(
"multi-detect is enabled (multi tenancy). Selector: %s", handler);
4323 int mapping_cnt = DetectEngineMultiTenantSetupLoadVlanMappings(mappings_root_node,
4325 if (mapping_cnt == 0) {
4331 SCLogNotice(
"no tenant traffic mappings defined, "
4332 "tenants won't be used until mappings are added");
4334 if (failure_fatal) {
4335 SCLogError(
"no multi-detect mappings defined");
4343 int mapping_cnt = DetectEngineMultiTenantSetupLoadLivedevMappings(mappings_root_node,
4345 if (mapping_cnt == 0) {
4346 if (failure_fatal) {
4347 SCLogError(
"no multi-detect mappings defined");
4359 if (tenants_root_node != NULL) {
4360 const char *path = NULL;
4363 path = path_node->
val;
4369 if (id_node == NULL) {
4373 if (yaml_node == NULL) {
4377 uint32_t tenant_id = 0;
4379 &tenant_id, 10, (uint16_t)strlen(id_node->
val), id_node->
val) < 0) {
4387 char yaml_path[PATH_MAX] =
"";
4391 strlcpy(yaml_path, yaml_node->
val,
sizeof(yaml_path));
4398 snprintf(prefix,
sizeof(prefix),
"multi-detect.%u", tenant_id);
4400 SCLogError(
"failed to load yaml %s", yaml_path);
4404 int r = DetectLoaderSetupLoadTenant(tenant_id, yaml_path);
4425 SCLogDebug(
"multi-detect not enabled (multi tenancy)");
4432 static uint32_t DetectEngineTenantGetIdFromVlanId(
const void *
ctx,
const Packet *p)
4436 uint32_t vlan_id = 0;
4456 static uint32_t DetectEngineTenantGetIdFromLivedev(
const void *
ctx,
const Packet *p)
4461 if (ld == NULL || det_ctx == NULL)
4468 static int DetectEngineTenantRegisterSelector(
4475 SCLogInfo(
"conflicting selector already set");
4482 if (
m->traffic_id == traffic_id) {
4483 SCLogInfo(
"traffic id already registered");
4504 SCLogDebug(
"tenant handler %u %u %u registered", selector, tenant_id, traffic_id);
4509 static int DetectEngineTenantUnregisterSelector(
4533 SCLogInfo(
"tenant handler %u %u %u unregistered", selector, tenant_id, traffic_id);
4547 return DetectEngineTenantRegisterSelector(
4558 return DetectEngineTenantUnregisterSelector(
TENANT_SELECTOR_VLAN, tenant_id, (uint32_t)vlan_id);
4573 static uint32_t DetectEngineTenantGetIdFromPcap(
const void *
ctx,
const Packet *p)
4583 if (master->
list == NULL) {
4606 BUG_ON((*de_ctx)->ref_cnt == 0);
4607 (*de_ctx)->ref_cnt--;
4615 if (instance == NULL)
4618 if (master->
list == NULL) {
4619 master->
list = instance;
4622 master->
list = instance;
4639 r = DetectEngineAddToList(
de_ctx);
4647 if (instance == NULL) {
4652 if (instance ==
de_ctx) {
4656 instance = instance->
next;
4661 if (instance ==
de_ctx) {
4669 if (instance == NULL) {
4675 instance->
next = NULL;
4693 ret = DetectEngineMoveToFreeListNoLock(master,
de_ctx);
4717 SCLogDebug(
"freeing detect engine %p", instance);
4739 DetectEngineMoveToFreeListNoLock(master, instance);
4746 static int reloads = 0;
4761 memset(prefix, 0,
sizeof(prefix));
4766 snprintf(prefix,
sizeof(prefix),
"detect-engine-reloads.%d", reloads++);
4793 if (old_de_ctx == NULL)
4795 SCLogDebug(
"get ref to old_de_ctx %p", old_de_ctx);
4809 if (new_de_ctx == NULL) {
4821 SCLogDebug(
"set up new_de_ctx %p", new_de_ctx);
4834 SCLogDebug(
"going to reload the threads to use new_de_ctx %p", new_de_ctx);
4836 DetectEngineReloadThreads(new_de_ctx);
4837 SCLogDebug(
"threads now run new_de_ctx %p", new_de_ctx);
4846 SCLogDebug(
"old_de_ctx should have been freed");
4850 #ifdef HAVE_MALLOC_TRIM
4861 static uint32_t TenantIdHash(
HashTable *h,
void *data, uint16_t data_len)
4867 static char TenantIdCompare(
void *d1, uint16_t d1_len,
void *d2, uint16_t d2_len)
4874 static void TenantIdFree(
void *d)
4876 DetectEngineThreadCtxFree(d);
4892 for ( ; list != NULL; list = list->
next) {
4903 if (stub_de_ctx == NULL) {
4905 if (stub_de_ctx == NULL) {
4910 if (master->
list == NULL) {
4911 master->
list = stub_de_ctx;
4914 master->
list = stub_de_ctx;
4920 DetectEngineReloadThreads(stub_de_ctx);
4930 SCLogDebug(
"old_de_ctx should have been freed");
4934 static int g_parse_metadata = 0;
4938 g_parse_metadata = 1;
4943 g_parse_metadata = 0;
4948 return g_parse_metadata;
4957 return "packet/stream payload";
4963 return "base64_data";
4966 return "post-match";
4974 return "max (internal)";
4993 for (; sm != NULL; sm = sm->
next) {
4999 *sigerror =
"md5-like keyword should not be used together with "
5000 "nocase, since the rule is automatically "
5001 "lowercased anyway which makes nocase redundant.";
5006 *sigerror =
"Invalid length for md5-like keyword (should "
5007 "be 32 characters long). This rule will therefore "
5014 if (!isxdigit(cd->
content[i])) {
5016 "Invalid md5-like string (should be string of hexadecimal characters)."
5017 "This rule will therefore never match.";
5039 static int DetectEngineInitYamlConf(
const char *conf)
5046 static void DetectEngineDeInitYamlConf(
void)
5052 static int DetectEngineTest01(
void)
5058 " - profile: medium\n"
5059 " - custom-values:\n"
5060 " toclient_src_groups: 2\n"
5061 " toclient_dst_groups: 2\n"
5062 " toclient_sp_groups: 2\n"
5063 " toclient_dp_groups: 3\n"
5064 " toserver_src_groups: 2\n"
5065 " toserver_dst_groups: 4\n"
5066 " toserver_sp_groups: 2\n"
5067 " toserver_dp_groups: 25\n"
5068 " - inspection-recursion-limit: 0\n";
5070 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5079 DetectEngineDeInitYamlConf();
5084 static int DetectEngineTest02(
void)
5090 " - profile: medium\n"
5091 " - custom-values:\n"
5092 " toclient_src_groups: 2\n"
5093 " toclient_dst_groups: 2\n"
5094 " toclient_sp_groups: 2\n"
5095 " toclient_dp_groups: 3\n"
5096 " toserver_src_groups: 2\n"
5097 " toserver_dst_groups: 4\n"
5098 " toserver_sp_groups: 2\n"
5099 " toserver_dp_groups: 25\n"
5100 " - inspection-recursion-limit:\n";
5102 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5112 DetectEngineDeInitYamlConf();
5117 static int DetectEngineTest03(
void)
5123 " - profile: medium\n"
5124 " - custom-values:\n"
5125 " toclient_src_groups: 2\n"
5126 " toclient_dst_groups: 2\n"
5127 " toclient_sp_groups: 2\n"
5128 " toclient_dp_groups: 3\n"
5129 " toserver_src_groups: 2\n"
5130 " toserver_dst_groups: 4\n"
5131 " toserver_sp_groups: 2\n"
5132 " toserver_dp_groups: 25\n";
5134 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5144 DetectEngineDeInitYamlConf();
5149 static int DetectEngineTest04(
void)
5155 " - profile: medium\n"
5156 " - custom-values:\n"
5157 " toclient_src_groups: 2\n"
5158 " toclient_dst_groups: 2\n"
5159 " toclient_sp_groups: 2\n"
5160 " toclient_dp_groups: 3\n"
5161 " toserver_src_groups: 2\n"
5162 " toserver_dst_groups: 4\n"
5163 " toserver_sp_groups: 2\n"
5164 " toserver_dp_groups: 25\n"
5165 " - inspection-recursion-limit: 10\n";
5167 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5176 DetectEngineDeInitYamlConf();
5181 static int DetectEngineTest08(
void)
5187 " - profile: custom\n"
5188 " - custom-values:\n"
5189 " toclient-groups: 23\n"
5190 " toserver-groups: 27\n";
5192 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5202 DetectEngineDeInitYamlConf();
5208 static int DetectEngineTest09(
void)
5214 " - profile: custom\n"
5215 " - custom-values:\n"
5216 " toclient-groups: BA\n"
5217 " toserver-groups: BA\n"
5218 " - inspection-recursion-limit: 10\n";
5220 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5230 DetectEngineDeInitYamlConf();
#define DETECT_CONTENT_NOCASE
#define HashListTableGetListData(hb)
#define DE_STATE_ID_FILE_INSPECT
void SCProfilingSghThreadCleanup(DetectEngineThreadCtx *det_ctx)
DetectEngineCtx * DetectEngineCtxInitWithPrefix(const char *prefix, uint32_t tenant_id)
void DetectAppLayerMpmMultiRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionMultiBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
int SCConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
InspectionBuffer * DetectGetMultiData(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id, uint32_t index, InspectionMultiBufferGetDataPtr GetBuf)
void DetectEngineResetMaxSigId(DetectEngineCtx *de_ctx)
int DetectEngineMTApply(void)
void SCProfilingKeywordDestroyCtx(DetectEngineCtx *de_ctx)
bool DetectEngineBufferTypeSupportsPacketGetById(const DetectEngineCtx *de_ctx, const int id)
DetectEngineThreadCtx * DetectEngineThreadCtxInitForReload(ThreadVars *tv, DetectEngineCtx *new_de_ctx, int mt)
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void SCConfNodeRemove(SCConfNode *node)
Remove (and SCFree) the provided configuration node.
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
void SCProfilingKeywordThreadCleanup(DetectEngineThreadCtx *det_ctx)
void AlertQueueFree(DetectEngineThreadCtx *det_ctx)
void SCProfilingSghThreadSetup(SCProfileSghDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
int DetectParseDupSigHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table that is used to cull duplicate sigs.
InspectionBuffer * DetectGetSingleData(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id, InspectionSingleBufferGetDataPtr GetBuf)
SigTableElmt * sigmatch_table
void DetectLoaderThreadSpawn(void)
spawn the detect loader manager thread
uint8_t SinglePatternMatchDefaultMatcher(void)
Returns the single pattern matcher algorithm to be used, based on the spm-algo setting in yaml.
void DetectEngineDeReference(DetectEngineCtx **de_ctx)
#define DETECT_CI_FLAGS_START
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
void(* Free)(DetectEngineCtx *, void *)
int DetectEngineMustParseMetadata(void)
#define PKT_PSEUDO_LOG_FLUSH
void MpmFactoryDeRegisterAllMpmCtxProfiles(DetectEngineCtx *de_ctx)
uint16_t counter_match_list
DetectEngineTenantMapping * tenant_mapping_list
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
struct DetectEngineAppInspectionEngine_ * next
uint8_t DetectEngineInspectMultiBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
void MpmStoreFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by MpmStoreInit() function.
void DetectFrameMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
void DetectEngineBufferTypeSupportsPacket(DetectEngineCtx *de_ctx, const char *name)
void DetectEngineBufferRunSetupCallback(const DetectEngineCtx *de_ctx, const int id, Signature *s)
enum DetectEngineType type
void DetectEnginePruneFreeList(void)
int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, bool sig_file_exclusive)
Load signatures.
uint8_t DetectEngineInspectBufferSingle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
void * DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
void DetectAppLayerInspectEngineRegisterSingle(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionSingleBufferGetDataPtr GetData)
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define SIG_FLAG_INIT_NEED_FLUSH
void SCClassSCConfInit(DetectEngineCtx *de_ctx)
DetectEngineCtx * DetectEngineCtxInitStubForDD(void)
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
uint16_t max_uniq_toclient_groups
int ActionInitConfig(void)
Load the action order from config. If none is provided, it will be default to ACTION_PASS,...
InspectEngineFuncPtr Callback
int PathMerge(char *out_buf, size_t buf_size, const char *const dir, const char *const fname)
void PacketEnqueue(PacketQueue *q, Packet *p)
DetectFileDataCfg * filedata_config
struct HtpBodyChunk_ * next
void DetectBufferTypeSupportsFrames(const char *name)
#define TM_FLAG_DETECT_TM
void DetectMpmInitializeFrameMpms(DetectEngineCtx *de_ctx)
simple fifo queue for packets with mutex and cond Calling the mutex or triggering the cond is respons...
@ DETECT_SM_LIST_DYNAMIC_START
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
AppLayerDecoderEvents * decoder_events
void *(* InitFunc)(void *)
InspectionBufferGetDataPtr GetData
DetectBufferMpmRegistry * pkt_mpms_list
void TmThreadContinueDetectLoaderThreads(void)
Unpauses all threads present in tv_root.
@ DETECT_SM_LIST_THRESHOLD
void DetectBufferTypeRegisterSetupCallback(const char *name, void(*SetupCallback)(const DetectEngineCtx *, Signature *))
int SCConfYamlHandleInclude(SCConfNode *parent, const char *filename)
Include a file in the configuration.
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
int DetectEngineReloadTenantBlocking(uint32_t tenant_id, const char *yaml, int reload_cnt)
Reload a tenant and wait for loading to complete.
int inspection_recursion_limit
void DetectAddressMapFree(DetectEngineCtx *de_ctx)
const DetectEngineTransforms * transforms
main detection engine ctx
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
void DetectEngineReloadSetIdle(void)
void DetectBufferTypeRegisterValidateCallback(const char *name, bool(*ValidateCallback)(const Signature *, const char **sigerror, const DetectBufferType *))
int SCConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
uint16_t lua_blocked_function_errors
void ** global_keyword_ctxs_array
DetectEngineCtx * DetectEngineGetCurrent(void)
uint8_t(* SCDetectRateFilterFunc)(const Packet *p, uint32_t sid, uint32_t gid, uint32_t rev, uint8_t original_action, uint8_t new_action, void *arg)
Function type for rate filter callback.
uint32_t TmThreadCountThreadsByTmmFlags(uint8_t flags)
returns a count of all the threads that match the flag
void DetectBufferTypeSupportsMultiInstance(const char *name)
HashListTableBucket * HashListTableGetListHead(HashListTable *ht)
#define TAILQ_FOREACH(var, head, field)
uint8_t DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature.
int DetectEngineAddToMaster(DetectEngineCtx *de_ctx)
InspectionBuffer *(* InspectionBufferGetPktDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)
void SCSigSignatureOrderingModuleCleanup(DetectEngineCtx *de_ctx)
De-registers all the signature ordering functions registered.
const char * DetectEngineBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
int DetectEngineMultiTenantSetup(const bool unix_socket)
setup multi-detect / multi-tenancy
void PrefilterDeinit(DetectEngineCtx *de_ctx)
struct DetectBufferMpmRegistry_ * next
#define SIG_FLAG_REQUIRE_STREAM
struct DetectEngineTenantMapping_ * next
void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e)
#define SIG_FLAG_TXBOTHDIR
bool DetectContentInspectionMatchOnAbsentBuffer(const SigMatchData *smd)
tells if we should match on absent buffer, because there is an absent keyword being used
void AppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
int SCConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
struct SCProfileSghDetectCtx_ * profile_sgh_ctx
ThreadVars * tv_root[TVT_MAX]
one time registration of keywords at start up
void SCReferenceConfDeinit(DetectEngineCtx *de_ctx)
struct DetectPort_ * next
DetectPort * tcp_priorityports
void DetectEngineCtxFree(DetectEngineCtx *de_ctx)
Free a DetectEngineCtx::
SpmThreadCtx * spm_thread_ctx
int DetectEngineReloadTenantsBlocking(const int reload_cnt)
Reload all tenants and wait for loading to complete.
#define SCMUTEX_INITIALIZER
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
const char * conf_filename
enum DetectEnginePrefilterSetting prefilter_setting
void DetectParseDupSigHashFree(DetectEngineCtx *de_ctx)
Frees the hash table that is used to cull duplicate sigs.
DetectPort * udp_priorityports
int SCConfYamlLoadFileWithPrefix(const char *filename, const char *prefix)
Load configuration from a YAML file, insert in tree at 'prefix'.
int StringParseInt32(int32_t *res, int base, size_t len, const char *str)
int PrefilterGenericMpmFrameRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
uint32_t DetectEngineGetVersion(void)
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
void SigCleanSignatures(DetectEngineCtx *de_ctx)
void * HashListTableLookup(HashListTable *ht, void *data, uint16_t datalen)
uint16_t lua_instruction_limit_errors
#define SIG_FLAG_TOCLIENT
bool DetectMd5ValidateCallback(const Signature *s, const char **sigerror, const DetectBufferType *map)
bool DetectEngineMpmCachingEnabled(void)
bool DetectBufferIsPresent(const Signature *s, const uint32_t buf_id)
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
#define KEYWORD_PROFILING_START
uint16_t counter_fnonmpm_list
HashTable * non_pf_engine_names
uint16_t counter_nonmpm_list
int PrefilterMultiGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
DetectEngineFrameInspectionEngine * frame_inspect
void DetectBufferTypeCloseRegistration(void)
const DetectEngineTransforms * transforms
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
void HashTableFree(HashTable *ht)
int DetectBufferTypeGetByName(const char *name)
#define KEYWORD_PROFILING_END(ctx, type, m)
void DetectBufferTypeSupportsPacket(const char *name)
InspectionBufferFrameInspectFunc Callback
int HashListTableAdd(HashListTable *ht, void *data, uint16_t datalen)
int SigGroupHeadHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table in the detection engine context to hold the SigGroupHeads.
void SCRConfDeInitContext(DetectEngineCtx *de_ctx)
Releases de_ctx resources related to Reference Config API.
HashTable * mt_det_ctxs_hash
size_t strlcpy(char *dst, const char *src, size_t siz)
bool DetectEnginePktInspectionRun(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, uint8_t *alert_flags)
void DetectAppLayerMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
void AlertQueueInit(DetectEngineThreadCtx *det_ctx)
uint16_t counter_alerts_suppressed
uint16_t base64_decode_max_len
@ SIGNATURE_HOOK_TYPE_APP
#define PKT_SET_SRC(p, src_val)
void SCConfInit(void)
Initialize the configuration system.
@ TENANT_SELECTOR_UNKNOWN
int DetectEngineMultiTenantEnabled(void)
#define HashListTableGetListNext(hb)
@ DETECT_SM_LIST_POSTMATCH
#define SIG_FLAG_TOSERVER
DetectEngineTenantSelectors
int DetectPortParse(const DetectEngineCtx *de_ctx, DetectPort **head, const char *str)
Function for parsing port strings.
int(* InspectionBufferPktInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags)
void InspectionBufferFree(InspectionBuffer *buffer)
HashListTable * HashListTableInit(uint32_t size, uint32_t(*Hash)(struct HashListTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
SCDetectRequiresStatus * requirements
#define TAILQ_REMOVE(head, elm, field)
SCRunMode SCRunmodeGet(void)
Get the current run mode.
bool(* TransformValidate)(const uint8_t *content, uint16_t content_len, void *context)
uint16_t counter_alerts_overflow
bool(* ValidateCallback)(const struct Signature_ *, const char **sigerror, const struct DetectBufferType_ *)
int DetectEngineMoveToFreeList(DetectEngineCtx *de_ctx)
#define PASS
Pass the test.
SpmGlobalThreadCtx * SpmInitGlobalThreadCtx(uint8_t matcher)
void SCProfilingPrefilterDestroyCtx(DetectEngineCtx *de_ctx)
void DetectMpmInitializePktMpms(DetectEngineCtx *de_ctx)
void DetectLoadersInit(void)
struct TmSlot_ * tm_slots
const char * DetectEngineBufferTypeGetDescriptionById(const DetectEngineCtx *de_ctx, const int id)
#define SCMutexUnlock(mut)
@ DETECT_SM_LIST_BASE64_DATA
#define PKT_PSEUDO_STREAM_END
InspectionBuffer * buffers
DetectEngineThreadKeywordCtxItem * keyword_list
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
int SCConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
enum DetectEngineTenantSelectors tenant_selector
HashListTable * keyword_hash
void DetectPktInspectEngineRegister(const char *name, InspectionBufferGetPktDataPtr GetPktData, InspectionBufferPktInspectFunc Callback)
register inspect engine at start up time
int DetectEngineInspectStreamPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature on the raw stream.
DetectEnginePktInspectionEngine * pkt_inspect
InspectionMultiBufferGetDataPtr GetMultiData
int DetectBufferTypeMaxId(void)
void DatasetPostReloadCleanup(void)
Per thread variable structure.
bool DetectEngineBufferTypeValidateTransform(DetectEngineCtx *de_ctx, int sm_list, const uint8_t *content, uint16_t content_len, const char **namestr)
Check content byte array compatibility with transforms.
bool * sm_types_prefilter
int DetectEngineEnabled(void)
Check if detection is enabled.
SigMatchData * SigMatchList2DataArray(SigMatch *head)
convert SigMatch list to SigMatchData array
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
int DetectEngineReloadIsIdle(void)
#define DETECT_ENGINE_INSPECT_SIG_MATCH
#define PKT_DETECT_HAS_STREAMDATA
bool(* InspectionSingleBufferGetDataPtr)(const void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len)
void SCClassConfDeinit(DetectEngineCtx *de_ctx)
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
DetectEngineFrameInspectionEngine * frame_inspect_engines
DetectEngineCtx * free_list
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
void PatternMatchThreadPrepare(MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher)
struct DetectEngineThreadKeywordCtxItem_ * next
#define SCLogWarning(...)
Macro used to log WARNING messages.
int HashTableAdd(HashTable *ht, void *data, uint16_t datalen)
int DetectEngineBufferTypeRegister(DetectEngineCtx *de_ctx, const char *name)
Port structure for detection engine.
DetectEngineAppInspectionEngine * app_inspect
struct ThreadVars_ * next
bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, const uint32_t buffer_len, const uint64_t stream_start_offset, const uint8_t flags, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
uint32_t hashlittle_safe(const void *key, size_t length, uint32_t initval)
int SigGroupCleanup(DetectEngineCtx *de_ctx)
uint16_t lua_memory_limit_errors
uint8_t DetectEngineInspectStream(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
inspect engine for stateful rules
void SCDetectEngineRegisterRateFilterCallback(SCDetectRateFilterFunc fn, void *arg)
Register a callback when a rate_filter has been applied to an alert.
int DetectEngineLoadTenantBlocking(uint32_t tenant_id, const char *yaml)
Load a tenant and wait for loading to complete.
void TmModuleDetectLoaderRegister(void)
struct SignatureHook_::@85::@86 app
TransformIdData xform_id[DETECT_TRANSFORMS_MAX]
DetectEngineCtx * DetectEngineCtxInit(void)
void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx)
void DetectEngineInitializeFastPatternList(DetectEngineCtx *de_ctx)
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE
#define DE_STATE_FLAG_BASE
int SCRConfLoadReferenceConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Reference info from the reference.config file.
int DetectEngineTenantRegisterLivedev(uint32_t tenant_id, int device_id)
#define DETECT_CI_FLAGS_END
void DetectEngineBufferTypeSupportsFrames(DetectEngineCtx *de_ctx, const char *name)
int(* InspectionBufferFrameInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame)
DetectBufferMpmRegistry * frame_mpms_list
struct DetectEngineAppInspectionEngine_::@80 v2
TmModule * TmModuleGetById(int id)
Returns a TM Module by its id.
struct TenantLoaderCtx_ TenantLoaderCtx
uint16_t max_uniq_toserver_groups
const DetectBufferType * DetectEngineBufferTypeGetById(const DetectEngineCtx *de_ctx, const int id)
struct LiveDevice_ * livedev
InspectionBufferPktInspectFunc Callback
SignatureInitData * init_data
enum DetectEngineSyncState state
SpmThreadCtx * SpmMakeThreadCtx(const SpmGlobalThreadCtx *global_thread_ctx)
void SCReferenceSCConfInit(DetectEngineCtx *de_ctx)
struct SCProfileKeywordDetectCtx_ * profile_keyword_ctx
InspectionSingleBufferGetDataPtr GetDataSingle
const char ** additional_configs
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
void SCProfilingPrefilterThreadCleanup(DetectEngineThreadCtx *det_ctx)
void SCConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
int32_t byte_extract_max_local_id
@ SIG_PROP_FLOW_ACTION_PACKET
const struct SignatureProperties signature_properties[SIG_TYPE_MAX]
SCDetectRateFilterFunc RateFilterCallback
int RunmodeIsUnittests(void)
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)
#define SIG_FLAG_REQUIRE_STREAM_ONLY
void SpmDestroyGlobalThreadCtx(SpmGlobalThreadCtx *global_thread_ctx)
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
void DetectEngineRegisterTests(void)
int DetectLoaderQueueTask(int loader_id, LoaderFunc Func, void *func_ctx, LoaderFreeFunc FreeFunc)
@ DETECT_ENGINE_TYPE_TENANT
void DetectEngineBufferTypeSupportsTransformations(DetectEngineCtx *de_ctx, const char *name)
#define PACKET_ALERT_FLAG_STREAM_MATCH
bool(* InspectionMultiBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const void *txv, const uint8_t flow_flags, uint32_t local_id, const uint8_t **buf, uint32_t *buf_len)
bool DetectEngineBufferTypeSupportsMpmGetById(const DetectEngineCtx *de_ctx, const int id)
const char * DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
void SRepReloadComplete(void)
Increment effective reputation version after a rule/reputation reload is complete.
#define SIG_FLAG_INIT_STATE_MATCH
struct PacketQueue_ * stream_pq
bool DetectEngineBufferTypeSupportsFramesGetById(const DetectEngineCtx *de_ctx, const int id)
int DetectEngineBufferTypeRegisterWithFrameEngines(DetectEngineCtx *de_ctx, const char *name, const int direction, const AppProto alproto, const uint8_t frame_type)
InspectionBufferGetPktDataPtr GetData
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
@ DETECT_ENGINE_TYPE_NORMAL
void * FlowWorkerGetDetectCtxPtr(void *flow_worker)
bool DetectEngineBufferTypeSupportsMultiInstanceGetById(const DetectEngineCtx *de_ctx, const int id)
SigFileLoaderStat sig_stat
void DetectEngineFrameMpmRegister(DetectEngineCtx *de_ctx, const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id), AppProto alproto, uint8_t type)
uint32_t * to_clear_queue
void SpmDestroyThreadCtx(SpmThreadCtx *thread_ctx)
struct SCProfilePrefilterDetectCtx_ * profile_prefilter_ctx
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
struct DetectEnginePktInspectionEngine::@83 v1
#define DETECT_CI_FLAGS_SINGLE
int DetectEnginePktInspectionSetup(Signature *s)
int DetectBufferTypeRegister(const char *name)
uint8_t(* InspectEngineFuncPtr)(struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
int DetectRegisterThreadCtxFuncs(DetectEngineCtx *de_ctx, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int mode)
Register Thread keyword context Funcs.
int MpmStoreInit(DetectEngineCtx *de_ctx)
Initializes the MpmStore mpm hash table to be used by the detection engine context.
DetectBufferMpmRegistry * app_mpms_list
@ SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
DetectEngineCtx * DetectEngineCtxInitStubForMT(void)
void DetectBufferTypeSupportsMpm(const char *name)
void HashListTableFree(HashListTable *ht)
HashListTable * buffer_type_hash_name
struct DetectEngineCtx_ * next
@ DETECT_ENGINE_TYPE_DD_STUB
void DetectEngineBumpVersion(void)
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
struct DetectEngineFrameInspectionEngine * next
enum SignatureHookType type
int DetectEngineInspectFrameBufferGeneric(DetectEngineThreadCtx *det_ctx, const DetectEngineFrameInspectionEngine *engine, const Signature *s, Packet *p, const Frames *frames, const Frame *frame)
Do the content inspection & validation for a signature.
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
struct DetectEnginePktInspectionEngine * next
void * rate_filter_callback_arg
#define DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT
PostRuleMatchWorkQueueItem * q
uint8_t PatternMatchDefaultMatcher(void)
Function to return the multi pattern matcher algorithm to be used by the engine, based on the mpm-alg...
struct DetectEngineFrameInspectionEngine::@84 v1
void SCConfDeInit(void)
De-initializes the configuration system.
int DetectEngineTenantRegisterPcapFile(uint32_t tenant_id)
void SigGroupHeadHashFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function.
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
void DetectEngineAppInspectionEngineSignatureFree(DetectEngineCtx *de_ctx, Signature *s)
free app inspect engines for a signature
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
DetectEnginePktInspectionEngine * pkt_inspect_engines
void DetectEngineBufferTypeSupportsMpm(DetectEngineCtx *de_ctx, const char *name)
bool * sm_types_silent_error
const char * DetectBufferTypeGetDescriptionByName(const char *name)
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
void DetectEngineFreeFastPatternList(DetectEngineCtx *de_ctx)
void DetectBufferTypeSupportsTransformations(const char *name)
const char * DetectEngineMpmCachingGetPath(void)
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
int DetectAddressMapInit(DetectEngineCtx *de_ctx)
void InjectPacketsForFlush(ThreadVars **detect_tvs, int no_of_detect_tvs)
SignatureInitDataBuffer * buffers
DetectEngineAppInspectionEngine * app_inspect_engines
int filemagic_thread_ctx_id
int global_keyword_ctxs_size
void PrefilterInit(DetectEngineCtx *de_ctx)
void * DetectThreadCtxGetGlobalKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
SCConfNode * SCConfGetNode(const char *name)
Get a SCConfNode by name.
#define SCLogError(...)
Macro used to log ERROR messages.
int SRepInit(DetectEngineCtx *de_ctx)
init reputation
int DetectEngineReloadStart(void)
void DetectEngineUnsetParseMetadata(void)
@ PKT_SRC_DETECT_RELOAD_FLUSH
void ** keyword_ctxs_array
uint8_t guess_applayer_log_limit
int HashListTableRemove(HashListTable *ht, void *data, uint16_t datalen)
struct DetectEngineThreadCtx_::@99 inspect
DetectEngineTransforms transforms
void SCConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
a single match condition for a signature
const DetectEngineTransforms * transforms
struct DetectEngineThreadCtx_::@100 multi_inspect
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL
void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, const DetectEngineTransforms *transforms)
setup the buffer with our initial data
int DetectLoadersSync(void)
wait for loader tasks to complete
void SCProfilingSghDestroyCtx(DetectEngineCtx *de_ctx)
HashTable * HashTableInit(uint32_t size, uint32_t(*Hash)(struct HashTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
SpmTableElmt spm_table[SPM_TABLE_SIZE]
DetectEngineCtx * DetectEngineReference(DetectEngineCtx *de_ctx)
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
struct DetectEngineSyncer_ DetectEngineSyncer
void DetectMpmInitializeAppMpms(DetectEngineCtx *de_ctx)
int EngineModeIsIPS(void)
void(* ConfigDeinit)(MpmConfig **)
void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer)
setup the buffer empty
void(* ConfigCacheDirSet)(MpmConfig *, const char *dir_path)
InspectionBuffer *(* InspectionBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)
void PmqFree(PrefilterRuleStore *pmq)
Cleanup and free a Pmq.
@ DETECT_ENGINE_TYPE_MT_STUB
void ThresholdCacheThreadFree(void)
uint16_t vlan_id[VLAN_MAX_LAYERS]
int DetectEngineReload(const SCInstance *suri)
Reload the detection engine.
bool DetectEngineBufferRunValidateCallback(const DetectEngineCtx *de_ctx, const int id, const Signature *s, const char **sigerror)
void(* SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *)
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
bool DetectEngineContentInspectionBuffer(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const InspectionBuffer *b, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
SpmGlobalThreadCtx * spm_global_thread_ctx
void DetectEngineClearMaster(void)
void SRepDestroy(DetectEngineCtx *de_ctx)
MpmConfig *(* ConfigInit)(void)
uint16_t StatsRegisterAvgCounter(const char *name, struct ThreadVars_ *tv)
Registers a counter, whose value holds the average of all the values assigned to it.
@ SIG_PROP_FLOW_ACTION_FLOW
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
#define SCStatFn(pathname, statbuf)
int DetectUnregisterThreadCtxFuncs(DetectEngineCtx *de_ctx, void *data, const char *name)
Remove Thread keyword context registration.
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
void DetectAppLayerMultiRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectionMultiBufferGetDataPtr GetData, int priority)
void DetectEngineFrameInspectEngineRegister(DetectEngineCtx *de_ctx, const char *name, int dir, InspectionBufferFrameInspectFunc Callback, AppProto alproto, uint8_t type)
register inspect engine at start up time
int DetectEngineTenantRegisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
void DetectEngineSetParseMetadata(void)
int TmThreadsCheckFlag(ThreadVars *tv, uint32_t flag)
Check if a thread flag is set.
#define SCLogNotice(...)
Macro used to log NOTICE messages.
void DetectPktMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
@ TENANT_SELECTOR_LIVEDEV
AppProto alproto
application level protocol
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
int DetectEngineTenantUnregisterPcapFile(uint32_t tenant_id)
Signature loader statistics.
int DetectEngineInspectPktBufferGeneric(DetectEngineThreadCtx *det_ctx, const DetectEnginePktInspectionEngine *engine, const Signature *s, Packet *p, uint8_t *_alert_flags)
Do the content inspection & validation for a signature.
HashListTable * buffer_type_hash_id
DetectEngineCtx * DetectEngineGetByTenantId(uint32_t tenant_id)
void DetectPortCleanupList(const DetectEngineCtx *de_ctx, DetectPort *head)
Free a DetectPort list and each of its members.
void(* TransformId)(const uint8_t **data, uint32_t *length, void *context)
@ DETECT_SM_LIST_SUPPRESS
InspectionBuffer * inspection_buffers
#define DEBUG_VALIDATE_BUG_ON(exp)
int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature *s)
bool SCClassConfLoadClassificationConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Classtype info from the classification.config file.
void InspectionBufferSetupMulti(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
int DetectEngineTenantUnregisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
union SignatureHook_::@85 t
int PmqSetup(PrefilterRuleStore *pmq)
Setup a pmq.
void PatternMatchThreadDestroy(MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher)
int VarNameStoreActivate(void)
uint16_t counter_mpm_list
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size)
void SCProfilingKeywordThreadSetup(SCProfileKeywordDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
int DetectEngineReloadIsStart(void)
int DetectRegisterThreadCtxGlobalFuncs(const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *))
Register Thread keyword context Funcs (Global)
PostRuleMatchWorkQueue post_rule_work_queue
uint32_t tenant_array_size
struct DetectEngineTenantMapping_ * tenant_array
volatile uint8_t suricata_ctl_flags
void FlowWorkerReplaceDetectCtx(void *flow_worker, void *detect_ctx)
uint32_t StringHashDjb2(const uint8_t *data, uint32_t datalen)
int DetectEngineBufferTypeGetByIdTransforms(DetectEngineCtx *de_ctx, const int id, TransformData *transforms, int transform_cnt)
uint32_t(* TenantGetId)(const void *, const Packet *p)
void SCProfilingPrefilterThreadSetup(SCProfilePrefilterDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
void SCClassConfDeInitContext(DetectEngineCtx *de_ctx)
Releases resources used by the Classification Config API.
void PrefilterPktNonPFStatsDump(void)
#define SIG_FLAG_REQUIRE_PACKET