suricata
detect-engine.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #include "suricata-common.h"
25 #include "suricata.h"
26 #include "detect.h"
27 #include "flow.h"
28 #include "flow-private.h"
29 #include "flow-util.h"
30 #include "flow-worker.h"
31 #include "conf.h"
32 #include "conf-yaml-loader.h"
33 #include "datasets.h"
34 
35 #include "app-layer-parser.h"
36 #include "app-layer-events.h"
37 #include "app-layer-htp.h"
38 
39 #include "detect-parse.h"
40 #include "detect-engine-sigorder.h"
41 
42 #include "detect-engine-build.h"
43 #include "detect-engine-buffer.h"
44 #include "detect-engine-siggroup.h"
45 #include "detect-engine-address.h"
46 #include "detect-engine-port.h"
48 #include "detect-engine-mpm.h"
49 #include "detect-engine-iponly.h"
50 #include "detect-engine-tag.h"
51 #include "detect-engine-frame.h"
52 
53 #include "detect-engine-file.h"
54 
55 #include "detect-engine.h"
56 #include "detect-engine-state.h"
57 #include "detect-engine-payload.h"
58 #include "detect-fast-pattern.h"
59 #include "detect-byte-extract.h"
60 #include "detect-content.h"
61 #include "detect-uricontent.h"
62 #include "detect-tcphdr.h"
65 
66 #include "detect-engine-loader.h"
67 
68 #include "detect-engine-alert.h"
69 
71 #include "util-reference-config.h"
72 #include "util-threshold-config.h"
73 #include "util-error.h"
74 #include "util-hash.h"
75 #include "util-byte.h"
76 #include "util-debug.h"
77 #include "util-unittest.h"
78 #include "util-action.h"
79 #include "util-magic.h"
80 #include "util-signal.h"
81 #include "util-spm.h"
82 #include "util-device-private.h"
83 #include "util-var-name.h"
84 #include "util-path.h"
85 #include "util-profiling.h"
86 #include "util-validate.h"
87 #include "util-hash-string.h"
88 #include "util-enum.h"
89 #include "util-conf.h"
90 
91 #include "tm-threads.h"
92 #include "runmodes.h"
93 
94 #include "reputation.h"
95 
96 #define DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT 3000
97 
98 #define DEFAULT_MAX_FLOWBITS_PER_SIGNATURE 8
99 
100 static int DetectEngineCtxLoadConf(DetectEngineCtx *);
101 
102 static DetectEngineMasterCtx g_master_de_ctx = { SCMUTEX_INITIALIZER,
103  0, 99, NULL, NULL, TENANT_SELECTOR_UNKNOWN, NULL, NULL, 0};
104 
105 static uint32_t TenantIdHash(HashTable *h, void *data, uint16_t data_len);
106 static char TenantIdCompare(void *d1, uint16_t d1_len, void *d2, uint16_t d2_len);
107 static void TenantIdFree(void *d);
108 static uint32_t DetectEngineTenantGetIdFromLivedev(const void *ctx, const Packet *p);
109 static uint32_t DetectEngineTenantGetIdFromVlanId(const void *ctx, const Packet *p);
110 static uint32_t DetectEngineTenantGetIdFromPcap(const void *ctx, const Packet *p);
111 
112 static bool DetectEngineMultiTenantEnabledWithLock(void);
113 static DetectEngineAppInspectionEngine *g_app_inspect_engines = NULL;
114 static DetectEnginePktInspectionEngine *g_pkt_inspect_engines = NULL;
115 static DetectEngineFrameInspectionEngine *g_frame_inspect_engines = NULL;
116 
117 // clang-format off
118 // rule types documentation tag start: SignatureProperties
120  /* SIG_TYPE_NOT_SET */ { SIG_PROP_FLOW_ACTION_PACKET, },
121  /* SIG_TYPE_IPONLY */ { SIG_PROP_FLOW_ACTION_FLOW, },
122  /* SIG_TYPE_LIKE_IPONLY */ { SIG_PROP_FLOW_ACTION_FLOW, },
123  /* SIG_TYPE_PDONLY */ { SIG_PROP_FLOW_ACTION_FLOW, },
124  /* SIG_TYPE_DEONLY */ { SIG_PROP_FLOW_ACTION_PACKET, },
125  /* SIG_TYPE_PKT */ { SIG_PROP_FLOW_ACTION_PACKET, },
126  /* SIG_TYPE_PKT_STREAM */ { SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL, },
127  /* SIG_TYPE_STREAM */ { SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL, },
128  /* SIG_TYPE_APPLAYER */ { SIG_PROP_FLOW_ACTION_FLOW, },
129  /* SIG_TYPE_APP_TX */ { SIG_PROP_FLOW_ACTION_FLOW, },
130 };
131 // rule types documentation tag end: SignatureProperties
132 // clang-format on
133 
134 const char *DetectTableToString(enum DetectTable table)
135 {
136  switch (table) {
138  return "not_set";
140  return "pre_flow";
142  return "pre_stream";
144  return "packet_filter";
146  return "packet_td";
148  return "app_filter";
149  case DETECT_TABLE_APP_TD:
150  return "app_td";
151  default:
152  return "unknown";
153  }
154 }
155 
156 /** \brief register inspect engine at start up time
157  *
158  * \note errors are fatal */
162 {
164  const int sm_list = DetectBufferTypeGetByName(name);
165  if (sm_list == -1) {
166  FatalError("failed to register inspect engine %s", name);
167  }
168 
169  if ((sm_list < DETECT_SM_LIST_MATCH) || (sm_list >= SHRT_MAX) ||
170  (Callback == NULL))
171  {
172  SCLogError("Invalid arguments");
173  BUG_ON(1);
174  }
175 
176  DetectEnginePktInspectionEngine *new_engine = SCCalloc(1, sizeof(*new_engine));
177  if (unlikely(new_engine == NULL)) {
178  FatalError("failed to register inspect engine %s: %s", name, strerror(errno));
179  }
180  new_engine->sm_list = (uint16_t)sm_list;
181  new_engine->sm_list_base = (uint16_t)sm_list;
182  new_engine->v1.Callback = Callback;
183  new_engine->v1.GetData = GetPktData;
184 
185  if (g_pkt_inspect_engines == NULL) {
186  g_pkt_inspect_engines = new_engine;
187  } else {
188  DetectEnginePktInspectionEngine *t = g_pkt_inspect_engines;
189  while (t->next != NULL) {
190  t = t->next;
191  }
192 
193  t->next = new_engine;
194  }
195 }
196 
197 /** \brief register inspect engine at start up time
198  *
199  * \note errors are fatal */
200 static void AppLayerInspectEngineRegisterInternal(const char *name, AppProto alproto, uint32_t dir,
201  uint8_t sub_state, uint8_t progress, InspectEngineFuncPtr Callback,
203  InspectionMultiBufferGetDataPtr GetMultiData)
204 {
205  /* ignore special case unknown */
206  if (alproto != ALPROTO_UNKNOWN && AppLayerParserIsEnabled(alproto)) {
207  DEBUG_VALIDATE_BUG_ON(AppLayerParserSupportsSubStates(alproto) && sub_state == 0);
208  DEBUG_VALIDATE_BUG_ON(!AppLayerParserSupportsSubStates(alproto) && sub_state != 0);
209  }
210  BUG_ON(progress >= APP_LAYER_MAX_PROGRESS);
211 
213  const int sm_list = DetectBufferTypeGetByName(name);
214  if (sm_list == -1) {
215  FatalError("failed to register inspect engine %s", name);
216  }
217  SCLogDebug("name %s id %d", name, sm_list);
218 
219  if ((alproto == ALPROTO_FAILED) || (!(dir == SIG_FLAG_TOSERVER || dir == SIG_FLAG_TOCLIENT)) ||
220  (sm_list < DETECT_SM_LIST_MATCH) || (sm_list >= SHRT_MAX) || (progress >= 48) ||
221  (Callback == NULL)) {
222  SCLogError("Invalid arguments");
223  BUG_ON(1);
224  } else if (Callback == DetectEngineInspectBufferGeneric && GetData == NULL) {
225  SCLogError("Invalid arguments: must register "
226  "GetData with DetectEngineInspectBufferGeneric");
227  BUG_ON(1);
228  } else if (Callback == DetectEngineInspectBufferSingle && GetDataSingle == NULL) {
229  SCLogError("Invalid arguments: must register "
230  "GetData with DetectEngineInspectBufferGeneric");
231  BUG_ON(1);
232  } else if (Callback == DetectEngineInspectMultiBufferGeneric && GetMultiData == NULL) {
233  SCLogError("Invalid arguments: must register "
234  "GetData with DetectEngineInspectMultiBufferGeneric");
235  BUG_ON(1);
236  }
237 
238  uint8_t direction;
239  if (dir == SIG_FLAG_TOSERVER) {
240  direction = 0;
241  } else {
242  direction = 1;
243  }
244  DetectEngineAppInspectionEngine *new_engine =
246  if (unlikely(new_engine == NULL)) {
247  exit(EXIT_FAILURE);
248  }
249  new_engine->alproto = alproto;
250  new_engine->dir = direction;
251  new_engine->sm_list = (uint16_t)sm_list;
252  new_engine->sm_list_base = (uint16_t)sm_list;
253  new_engine->progress = progress;
254  new_engine->sub_state = sub_state;
255  new_engine->v2.Callback = Callback;
256  if (Callback == DetectEngineInspectBufferGeneric) {
257  new_engine->v2.GetData = GetData;
258  } else if (Callback == DetectEngineInspectBufferSingle) {
259  new_engine->v2.GetDataSingle = GetDataSingle;
260  } else if (Callback == DetectEngineInspectMultiBufferGeneric) {
261  new_engine->v2.GetMultiData = GetMultiData;
262  }
263 
264  if (g_app_inspect_engines == NULL) {
265  g_app_inspect_engines = new_engine;
266  } else {
267  DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
268  while (t->next != NULL) {
269  t = t->next;
270  }
271 
272  t->next = new_engine;
273  }
274 }
275 
276 void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir,
277  uint8_t progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
278 {
279  /* before adding, check that we don't add a duplicate entry, which will
280  * propagate all the way into the packet runtime if allowed. */
281  DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
282  while (t != NULL) {
283  const uint32_t t_direction = t->dir == 0 ? SIG_FLAG_TOSERVER : SIG_FLAG_TOCLIENT;
284  const int sm_list = DetectBufferTypeGetByName(name);
285 
286  if (t->sm_list == sm_list && t->alproto == alproto && t_direction == dir &&
287  t->sub_state == 0 && t->progress == progress && t->v2.Callback == Callback &&
288  t->v2.GetData == GetData) {
290  return;
291  }
292  t = t->next;
293  }
294 
295  AppLayerInspectEngineRegisterInternal(
296  name, alproto, dir, 0, (uint8_t)progress, Callback, GetData, NULL, NULL);
297 }
298 
299 void DetectAppLayerInspectEngineRegisterSubState(const char *name, AppProto alproto, uint32_t dir,
300  uint8_t sub_state, uint8_t progress, InspectEngineFuncPtr Callback,
302 {
303  /* before adding, check that we don't add a duplicate entry, which will
304  * propagate all the way into the packet runtime if allowed. */
305  DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
306  while (t != NULL) {
307  const uint32_t t_direction = t->dir == 0 ? SIG_FLAG_TOSERVER : SIG_FLAG_TOCLIENT;
308  const int sm_list = DetectBufferTypeGetByName(name);
309 
310  if (t->sm_list == sm_list && t->alproto == alproto && t_direction == dir &&
311  t->sub_state == sub_state && t->progress == progress &&
312  t->v2.Callback == Callback && t->v2.GetData == GetData) {
314  return;
315  }
316  t = t->next;
317  }
318 
319  AppLayerInspectEngineRegisterInternal(
320  name, alproto, dir, sub_state, progress, Callback, GetData, NULL, NULL);
321 }
322 void DetectAppLayerInspectEngineRegisterSingle(const char *name, AppProto alproto, uint32_t dir,
323  uint8_t progress, InspectEngineFuncPtr Callback, InspectionSingleBufferGetDataPtr GetData)
324 {
325  /* before adding, check that we don't add a duplicate entry, which will
326  * propagate all the way into the packet runtime if allowed. */
327  DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
328  while (t != NULL) {
329  const uint32_t t_direction = t->dir == 0 ? SIG_FLAG_TOSERVER : SIG_FLAG_TOCLIENT;
330  const int sm_list = DetectBufferTypeGetByName(name);
331 
332  if (t->sm_list == sm_list && t->alproto == alproto && t_direction == dir &&
333  t->progress == progress && t->v2.Callback == Callback &&
334  t->v2.GetDataSingle == GetData) {
336  return;
337  }
338  t = t->next;
339  }
340 
341  AppLayerInspectEngineRegisterInternal(
342  name, alproto, dir, 0, (uint8_t)progress, Callback, NULL, GetData, NULL);
343 }
344 
345 /* copy an inspect engine with transforms to a new list id. */
346 static void DetectAppLayerInspectEngineCopy(
348  int sm_list, int new_list,
349  const DetectEngineTransforms *transforms)
350 {
351  const DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
352  while (t) {
353  if (t->sm_list == sm_list) {
355  if (unlikely(new_engine == NULL)) {
356  exit(EXIT_FAILURE);
357  }
358  new_engine->alproto = t->alproto;
359  new_engine->dir = t->dir;
360  DEBUG_VALIDATE_BUG_ON(new_list < 0 || new_list > UINT16_MAX);
361  new_engine->sm_list = (uint16_t)new_list; /* use new list id */
362  DEBUG_VALIDATE_BUG_ON(sm_list < 0 || sm_list > UINT16_MAX);
363  new_engine->sm_list_base = (uint16_t)sm_list;
364  new_engine->progress = t->progress;
365  new_engine->sub_state = t->sub_state;
366  new_engine->v2 = t->v2;
367  new_engine->v2.transforms = transforms; /* assign transforms */
368 
369  if (de_ctx->app_inspect_engines == NULL) {
370  de_ctx->app_inspect_engines = new_engine;
371  } else {
373  while (list->next != NULL) {
374  list = list->next;
375  }
376 
377  list->next = new_engine;
378  }
379  }
380  t = t->next;
381  }
382 }
383 
384 /* copy inspect engines from global registrations to de_ctx list */
385 static void DetectAppLayerInspectEngineCopyListToDetectCtx(DetectEngineCtx *de_ctx)
386 {
387  const DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
389  while (t) {
391  if (unlikely(new_engine == NULL)) {
392  exit(EXIT_FAILURE);
393  }
394  new_engine->alproto = t->alproto;
395  new_engine->dir = t->dir;
396  new_engine->sm_list = t->sm_list;
397  new_engine->sm_list_base = t->sm_list;
398  new_engine->progress = t->progress;
399  new_engine->sub_state = t->sub_state;
400  new_engine->v2 = t->v2;
401 
402  if (list == NULL) {
403  de_ctx->app_inspect_engines = new_engine;
404  } else {
405  list->next = new_engine;
406  }
407  list = new_engine;
408 
409  t = t->next;
410  }
411 }
412 
413 /* copy an inspect engine with transforms to a new list id. */
414 static void DetectPktInspectEngineCopy(
416  int sm_list, int new_list,
417  const DetectEngineTransforms *transforms)
418 {
419  const DetectEnginePktInspectionEngine *t = g_pkt_inspect_engines;
420  while (t) {
421  if (t->sm_list == sm_list) {
423  if (unlikely(new_engine == NULL)) {
424  exit(EXIT_FAILURE);
425  }
426  DEBUG_VALIDATE_BUG_ON(new_list < 0 || new_list > UINT16_MAX);
427  new_engine->sm_list = (uint16_t)new_list; /* use new list id */
428  DEBUG_VALIDATE_BUG_ON(sm_list < 0 || sm_list > UINT16_MAX);
429  new_engine->sm_list_base = (uint16_t)sm_list;
430  new_engine->v1 = t->v1;
431  new_engine->v1.transforms = transforms; /* assign transforms */
432 
433  if (de_ctx->pkt_inspect_engines == NULL) {
434  de_ctx->pkt_inspect_engines = new_engine;
435  } else {
437  while (list->next != NULL) {
438  list = list->next;
439  }
440 
441  list->next = new_engine;
442  }
443  }
444  t = t->next;
445  }
446 }
447 
448 /* copy inspect engines from global registrations to de_ctx list */
449 static void DetectPktInspectEngineCopyListToDetectCtx(DetectEngineCtx *de_ctx)
450 {
451  const DetectEnginePktInspectionEngine *t = g_pkt_inspect_engines;
452  while (t) {
453  SCLogDebug("engine %p", t);
455  if (unlikely(new_engine == NULL)) {
456  exit(EXIT_FAILURE);
457  }
458  new_engine->sm_list = t->sm_list;
459  new_engine->sm_list_base = t->sm_list;
460  new_engine->v1 = t->v1;
461 
462  if (de_ctx->pkt_inspect_engines == NULL) {
463  de_ctx->pkt_inspect_engines = new_engine;
464  } else {
466  while (list->next != NULL) {
467  list = list->next;
468  }
469 
470  list->next = new_engine;
471  }
472 
473  t = t->next;
474  }
475 }
476 
477 /** \brief register inspect engine at start up time
478  *
479  * \note errors are fatal */
481  InspectionBufferFrameInspectFunc Callback, AppProto alproto, uint8_t type)
482 {
483  const int sm_list = DetectEngineBufferTypeRegister(de_ctx, name);
484  if (sm_list < 0) {
485  FatalError("failed to register inspect engine %s", name);
486  }
487 
488  if ((sm_list < DETECT_SM_LIST_MATCH) || (sm_list >= SHRT_MAX) || (Callback == NULL)) {
489  SCLogError("Invalid arguments");
490  BUG_ON(1);
491  }
492 
493  uint8_t direction;
494  if (dir == SIG_FLAG_TOSERVER) {
495  direction = 0;
496  } else {
497  direction = 1;
498  }
499 
500  DetectEngineFrameInspectionEngine *new_engine = SCCalloc(1, sizeof(*new_engine));
501  if (unlikely(new_engine == NULL)) {
502  FatalError("failed to register inspect engine %s: %s", name, strerror(errno));
503  }
504  new_engine->sm_list = (uint16_t)sm_list;
505  new_engine->sm_list_base = (uint16_t)sm_list;
506  new_engine->dir = direction;
507  new_engine->v1.Callback = Callback;
508  new_engine->alproto = alproto;
509  new_engine->type = type;
510 
511  if (de_ctx->frame_inspect_engines == NULL) {
512  de_ctx->frame_inspect_engines = new_engine;
513  } else {
515  while (list->next != NULL) {
516  list = list->next;
517  }
518 
519  list->next = new_engine;
520  }
521 }
522 
523 /* copy an inspect engine with transforms to a new list id. */
524 static void DetectFrameInspectEngineCopy(DetectEngineCtx *de_ctx, int sm_list, int new_list,
525  const DetectEngineTransforms *transforms)
526 {
527  /* take the list from the detect engine as the buffers can be registered
528  * dynamically. */
530  while (t) {
531  if (t->sm_list == sm_list) {
534  if (unlikely(new_engine == NULL)) {
535  exit(EXIT_FAILURE);
536  }
537  DEBUG_VALIDATE_BUG_ON(new_list < 0 || new_list > UINT16_MAX);
538  new_engine->sm_list = (uint16_t)new_list; /* use new list id */
539  DEBUG_VALIDATE_BUG_ON(sm_list < 0 || sm_list > UINT16_MAX);
540  new_engine->sm_list_base = (uint16_t)sm_list;
541  new_engine->dir = t->dir;
542  new_engine->alproto = t->alproto;
543  new_engine->type = t->type;
544  new_engine->v1 = t->v1;
545  new_engine->v1.transforms = transforms; /* assign transforms */
546 
547  /* append to the list */
549  while (list->next != NULL) {
550  list = list->next;
551  }
552 
553  list->next = new_engine;
554  }
555  t = t->next;
556  }
557 }
558 
559 /* copy inspect engines from global registrations to de_ctx list */
560 static void DetectFrameInspectEngineCopyListToDetectCtx(DetectEngineCtx *de_ctx)
561 {
562  const DetectEngineFrameInspectionEngine *t = g_frame_inspect_engines;
563  while (t) {
564  SCLogDebug("engine %p", t);
567  if (unlikely(new_engine == NULL)) {
568  exit(EXIT_FAILURE);
569  }
570  new_engine->sm_list = t->sm_list;
571  new_engine->sm_list_base = t->sm_list;
572  new_engine->dir = t->dir;
573  new_engine->alproto = t->alproto;
574  new_engine->type = t->type;
575  new_engine->v1 = t->v1;
576 
577  if (de_ctx->frame_inspect_engines == NULL) {
578  de_ctx->frame_inspect_engines = new_engine;
579  } else {
581  while (list->next != NULL) {
582  list = list->next;
583  }
584 
585  list->next = new_engine;
586  }
587 
588  t = t->next;
589  }
590 }
591 
592 /** \internal
593  * \brief append the stream inspection
594  *
595  * If stream inspection is MPM, then prepend it.
596  */
597 static void AppendStreamInspectEngine(
598  Signature *s, SigMatchData *stream, uint8_t direction, uint8_t id)
599 {
600  bool prepend = false;
601 
603  if (unlikely(new_engine == NULL)) {
604  exit(EXIT_FAILURE);
605  }
607  SCLogDebug("stream is mpm");
608  prepend = true;
609  new_engine->mpm = true;
610  }
611  new_engine->alproto = ALPROTO_UNKNOWN; /* all */
612  new_engine->dir = direction;
613  new_engine->stream = true;
614  new_engine->sm_list = DETECT_SM_LIST_PMATCH;
615  new_engine->sm_list_base = DETECT_SM_LIST_PMATCH;
616  new_engine->smd = stream;
617  new_engine->v2.Callback = DetectEngineInspectStream;
618  new_engine->progress = 0;
619 
620  /* append */
621  if (s->app_inspect == NULL) {
622  s->app_inspect = new_engine;
623  new_engine->id = DE_STATE_FLAG_BASE; /* id is used as flag in stateful detect */
624  } else if (prepend) {
625  new_engine->next = s->app_inspect;
626  s->app_inspect = new_engine;
627  new_engine->id = id;
628 
629  } else {
631  while (a->next != NULL) {
632  a = a->next;
633  }
634 
635  a->next = new_engine;
636  new_engine->id = id;
637  }
638  SCLogDebug("sid %u: engine %p/%u added", s->id, new_engine, new_engine->id);
639 }
640 
641 static void AppendFrameInspectEngine(DetectEngineCtx *de_ctx,
643  const int mpm_list)
644 {
645  bool prepend = false;
646 
647  if (u->alproto == ALPROTO_UNKNOWN) {
648  /* special case, inspect engine applies to all protocols */
649  } else if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, u->alproto))
650  return;
651 
652  if (s->flags & SIG_FLAG_TOSERVER && !(s->flags & SIG_FLAG_TOCLIENT)) {
653  if (u->dir == 1)
654  return;
655  } else if (s->flags & SIG_FLAG_TOCLIENT && !(s->flags & SIG_FLAG_TOSERVER)) {
656  if (u->dir == 0)
657  return;
658  }
659 
662  if (unlikely(new_engine == NULL)) {
663  exit(EXIT_FAILURE);
664  }
665  if (mpm_list == u->sm_list) {
667  prepend = true;
668  new_engine->mpm = true;
669  }
670 
671  new_engine->type = u->type;
672  new_engine->sm_list = u->sm_list;
673  new_engine->sm_list_base = u->sm_list_base;
674  new_engine->smd = smd;
675  new_engine->v1 = u->v1;
676  SCLogDebug("sm_list %d new_engine->v1 %p/%p", new_engine->sm_list, new_engine->v1.Callback,
677  new_engine->v1.transforms);
678 
679  if (s->frame_inspect == NULL) {
680  s->frame_inspect = new_engine;
681  } else if (prepend) {
682  new_engine->next = s->frame_inspect;
683  s->frame_inspect = new_engine;
684  } else {
686  while (a->next != NULL) {
687  a = a->next;
688  }
689  new_engine->next = a->next;
690  a->next = new_engine;
691  }
692 }
693 
694 static void AppendPacketInspectEngine(DetectEngineCtx *de_ctx,
696  const int mpm_list)
697 {
698  bool prepend = false;
699 
700  DetectEnginePktInspectionEngine *new_engine =
702  if (unlikely(new_engine == NULL)) {
703  exit(EXIT_FAILURE);
704  }
705  if (mpm_list == e->sm_list) {
707  prepend = true;
708  new_engine->mpm = true;
709  }
710 
711  new_engine->sm_list = e->sm_list;
712  new_engine->sm_list_base = e->sm_list_base;
713  new_engine->smd = smd;
714  new_engine->v1 = e->v1;
715  SCLogDebug("sm_list %d new_engine->v1 %p/%p/%p", new_engine->sm_list, new_engine->v1.Callback,
716  new_engine->v1.GetData, new_engine->v1.transforms);
717 
718  if (s->pkt_inspect == NULL) {
719  s->pkt_inspect = new_engine;
720  } else if (prepend) {
721  new_engine->next = s->pkt_inspect;
722  s->pkt_inspect = new_engine;
723  } else {
725  while (a->next != NULL) {
726  a = a->next;
727  }
728  new_engine->next = a->next;
729  a->next = new_engine;
730  }
731 }
732 
733 static void AppendAppInspectEngine(DetectEngineCtx *de_ctx,
735  const int mpm_list, const int files_id, uint8_t *last_id, bool *head_is_mpm)
736 {
737  if (t->alproto == ALPROTO_UNKNOWN) {
738  /* special case, inspect engine applies to all protocols */
739  } else if (s->alproto != ALPROTO_UNKNOWN) {
741  /* SIGNATURE_HOOK_TYPE_APP rules are exact about their protocol */
742  if (!(AppProtoEqualsStrict(s->alproto, t->alproto))) {
743  return;
744  }
745 
746  /* skip engines not for us */
747  if (s->init_data->hook.t.app.sub_state != t->sub_state) {
748  return;
749  }
750  } else {
751  /* other rules use the more relax AppProtoEquals logic */
752  if (!AppProtoEquals(s->alproto, t->alproto)) {
753  return;
754  }
755  }
756  }
757 
758  if (s->flags & SIG_FLAG_TOSERVER && !(s->flags & SIG_FLAG_TOCLIENT)) {
759  if (t->dir == 1)
760  return;
761  } else if (s->flags & SIG_FLAG_TOCLIENT && !(s->flags & SIG_FLAG_TOSERVER)) {
762  if (t->dir == 0)
763  return;
764  }
765  SCLogDebug("app engine: t %p t->id %u => alproto:%s files:%s", t, t->id,
766  AppProtoToString(t->alproto), BOOL2STR(t->sm_list == files_id));
767 
768  DetectEngineAppInspectionEngine *new_engine =
770  if (unlikely(new_engine == NULL)) {
771  exit(EXIT_FAILURE);
772  }
773  bool prepend = false;
774  if (mpm_list == t->sm_list) {
776  prepend = true;
777  *head_is_mpm = true;
778  new_engine->mpm = true;
779  }
780 
781  new_engine->alproto = t->alproto;
782  new_engine->dir = t->dir;
783  new_engine->sm_list = t->sm_list;
784  new_engine->sm_list_base = t->sm_list_base;
785  new_engine->smd = smd;
786  new_engine->match_on_null = smd ? DetectContentInspectionMatchOnAbsentBuffer(smd) : false;
787  new_engine->progress = t->progress;
788  new_engine->sub_state = t->sub_state;
789  new_engine->v2 = t->v2;
790  SCLogDebug("sm_list %d new_engine->v2 %p/%p/%p", new_engine->sm_list, new_engine->v2.Callback,
791  new_engine->v2.GetData, new_engine->v2.transforms);
792 
793  if (s->app_inspect == NULL) {
794  s->app_inspect = new_engine;
795  if (new_engine->sm_list == files_id) {
796  new_engine->id = DE_STATE_ID_FILE_INSPECT;
797  SCLogDebug("sid %u: engine %p/%u is FILE ENGINE", s->id, new_engine, new_engine->id);
798  } else {
799  new_engine->id = DE_STATE_FLAG_BASE; /* id is used as flag in stateful detect */
800  SCLogDebug("sid %u: engine %p/%u %s", s->id, new_engine, new_engine->id,
802  }
803 
804  /* prepend engine if forced or if our engine has a lower progress. */
805  } else if (prepend || (!(*head_is_mpm) && s->app_inspect->progress > new_engine->progress)) {
806  new_engine->next = s->app_inspect;
807  s->app_inspect = new_engine;
808  if (new_engine->sm_list == files_id) {
809  new_engine->id = DE_STATE_ID_FILE_INSPECT;
810  SCLogDebug("sid %u: engine %p/%u is FILE ENGINE", s->id, new_engine, new_engine->id);
811  } else {
812  new_engine->id = ++(*last_id);
813  SCLogDebug("sid %u: engine %p/%u %s", s->id, new_engine, new_engine->id,
815  }
816 
817  } else {
819  while (a->next != NULL) {
820  if (a->next && a->next->progress > new_engine->progress) {
821  break;
822  }
823  a = a->next;
824  }
825 
826  new_engine->next = a->next;
827  a->next = new_engine;
828  if (new_engine->sm_list == files_id) {
829  new_engine->id = DE_STATE_ID_FILE_INSPECT;
830  SCLogDebug("sid %u: engine %p/%u is FILE ENGINE", s->id, new_engine, new_engine->id);
831  } else {
832  new_engine->id = ++(*last_id);
833  SCLogDebug("sid %u: engine %p/%u %s", s->id, new_engine, new_engine->id,
835  }
836  }
837 
838  SCLogDebug("sid %u: engine %p/%u added", s->id, new_engine, new_engine->id);
839 
841 }
842 
843 /**
844  * \param direction STREAM_TOSERVER or STREAM_TOCLIENT
845  */
847  const AppProto p, const uint8_t sub_state, const uint8_t state, const uint8_t direction)
848 {
849  if (!((direction & (STREAM_TOSERVER | STREAM_TOCLIENT)) == STREAM_TOSERVER) &&
850  !((direction & (STREAM_TOSERVER | STREAM_TOCLIENT)) == STREAM_TOCLIENT))
851  return NULL;
852 
853  if (sub_state == 0) {
854  const char *pname = AppLayerParserGetStateNameById(IPPROTO_TCP, // TODO
855  p, state, direction);
856  if (pname == NULL) {
857  if (state == 0) {
858  if (direction == STREAM_TOSERVER) {
859  pname = "request_started";
860  } else {
861  pname = "response_started";
862  }
863  } else {
864  const int complete = AppLayerParserGetStateProgressCompletionStatus(p, direction);
865  if (state == complete) {
866  if (direction == STREAM_TOSERVER) {
867  pname = "request_complete";
868  } else {
869  pname = "response_complete";
870  }
871  }
872  }
873  }
874  return pname;
875  } else {
877  const char *name = AppLayerParserGetSubStateProgressName(p, sub_state, state, direction);
878  return name;
879  }
880 }
881 
882 /** \brief get the sm_list for a app hook
883  * \param sub_state sub_state to use or 0 if not in use
884  * */
886  const AppProto p, const uint8_t sub_state, const uint8_t state, const uint8_t direction)
887 {
888  const char *app_proto = AppProtoToString(p);
889  if (app_proto == NULL) {
890  SCLogError("unknown app_proto %u", p);
891  return -1;
892  }
893  if (strcmp(app_proto, "http") == 0)
894  app_proto = "http1";
895 
896  char generic_hook_name[256];
897  if (sub_state == 0) {
898  const char *name = DetectEngineAppHookToName(
899  p, 0, state, direction & (STREAM_TOSERVER | STREAM_TOCLIENT));
900  if (name == NULL) {
901  return -1;
902  }
903 
904  snprintf(generic_hook_name, sizeof(generic_hook_name), "%s:%s:generic", app_proto, name);
905 
906  int list = DetectBufferTypeGetByName(generic_hook_name);
907  if (list < 0) {
908  SCLogError(
909  "no list registered as %s for %s hook %s", generic_hook_name, app_proto, name);
910  return -1;
911  }
912  return list;
913  } else {
915 
916  const char *sname = AppLayerParserGetSubStateName(p, sub_state);
917  if (sname == NULL)
918  return -1;
919 
920  const char *name = AppLayerParserGetSubStateProgressName(p, sub_state, state, direction);
921  if (name == NULL)
922  return -1;
923 
924  snprintf(generic_hook_name, sizeof(generic_hook_name), "%s:%s:%s:generic", app_proto, sname,
925  name);
926 
927  int list = DetectBufferTypeGetByName(generic_hook_name);
928  if (list < 0) {
929  SCLogError("no list registered as %s for %s sub_state %s hook %s", generic_hook_name,
930  app_proto, sname, name);
931  return -1;
932  }
933  return list;
934  }
935 }
936 
937 /**
938  * \note for the file inspect engine, the id DE_STATE_ID_FILE_INSPECT
939  * is assigned.
940  */
942 {
943  const int mpm_list = s->init_data->mpm_sm ? s->init_data->mpm_sm_list : -1;
944  const int files_id = DetectBufferTypeGetByName("files");
945  bool head_is_mpm = false;
946  uint8_t last_id = DE_STATE_FLAG_BASE;
947  SCLogDebug("%u: setup app inspect engines. %u buffers", s->id, s->init_data->buffer_index);
948 
949  if (s->flags & SIG_FLAG_FW_HOOK_LTE) {
950  SCLogDebug("need an inspect engine per state, range 0-%u", s->app_progress_hook);
951  for (uint8_t state = 0; state < s->app_progress_hook; state++) {
952  uint8_t dir = 0;
953  uint8_t direction = 0;
957  if (s->flags & SIG_FLAG_TOSERVER) {
958  direction = STREAM_TOSERVER;
959  dir = 0;
960  } else if (s->flags & SIG_FLAG_TOCLIENT) {
961  direction = STREAM_TOCLIENT;
962  dir = 1;
963  }
964 
965  int sm_list = DetectEngineAppHookToSmlist(s->init_data->hook.t.app.alproto,
966  s->init_data->hook.t.app.sub_state, 0, direction);
967  if (sm_list < 0)
968  return -1;
969 
971  .alproto = s->init_data->hook.t.app.alproto,
972  .progress = state,
973  .sub_state = s->init_data->hook.t.app.sub_state,
974  .sm_list = (uint16_t)sm_list,
975  .sm_list_base = (uint16_t)sm_list,
976  .dir = dir,
977  };
978  AppendAppInspectEngine(de_ctx, &t, s, NULL, mpm_list, files_id, &last_id, &head_is_mpm);
979  SCLogDebug("sid %u: appended pass-tru engine at hook:%u sm_list:%d for "
980  "SIG_FLAG_INIT_HOOK_LTE",
981  s->id, state, sm_list);
982  }
983  }
984 
985  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
987  SCLogDebug("smd %p, id %u", smd, s->init_data->buffers[x].id);
988 
989  const DetectBufferType *b =
991  if (b == NULL)
992  FatalError("unknown buffer");
993 
994  if (b->frame) {
996  u != NULL; u = u->next) {
997  if (u->sm_list == s->init_data->buffers[x].id) {
998  AppendFrameInspectEngine(de_ctx, u, s, smd, mpm_list);
999  }
1000  }
1001  } else if (b->packet) {
1002  /* set up pkt inspect engines */
1003  for (const DetectEnginePktInspectionEngine *e = de_ctx->pkt_inspect_engines; e != NULL;
1004  e = e->next) {
1005  SCLogDebug("e %p sm_list %u", e, e->sm_list);
1006  if (e->sm_list == s->init_data->buffers[x].id) {
1007  AppendPacketInspectEngine(de_ctx, e, s, smd, mpm_list);
1008  }
1009  }
1010  } else {
1011  SCLogDebug("app %s id %u parent %u rule %u xforms %u", b->name, b->id, b->parent_id,
1012  s->init_data->buffers[x].id, b->transforms.cnt);
1013  for (const DetectEngineAppInspectionEngine *t = de_ctx->app_inspect_engines; t != NULL;
1014  t = t->next) {
1015  if (t->sm_list == s->init_data->buffers[x].id) {
1016  if (s->flags & SIG_FLAG_TXBOTHDIR) {
1017  // ambiguous keywords have app engines in both directions
1018  // so we skip the wrong direction for this buffer
1019  if (s->init_data->buffers[x].only_tc && t->dir == 0) {
1020  continue;
1021  } else if (s->init_data->buffers[x].only_ts && t->dir == 1) {
1022  continue;
1023  }
1024  }
1025  AppendAppInspectEngine(
1026  de_ctx, t, s, smd, mpm_list, files_id, &last_id, &head_is_mpm);
1027  }
1028  }
1029  }
1030  }
1031 
1032  /* handle rules that have an app-layer hook w/o bringing their own app inspect engine,
1033  * e.g. `alert dns:request_complete ... (sid:1;)`
1034  *
1035  * Here we use a minimal stub inspect engine in which we set:
1036  * - alproto
1037  * - progress
1038  * - sm_list/sm_list_base to get the mapping to the hook name
1039  * - dir based on sig direction
1040  *
1041  * The inspect engine has no callback and is thus considered a straight match.
1042  */
1044  uint8_t dir = 0;
1048  if (s->flags & SIG_FLAG_TOSERVER)
1049  dir = 0;
1050  else if (s->flags & SIG_FLAG_TOCLIENT)
1051  dir = 1;
1052 
1054  .alproto = s->init_data->hook.t.app.alproto,
1055  .progress = s->init_data->hook.t.app.app_progress,
1056  .sub_state = s->init_data->hook.t.app.sub_state,
1057  .sm_list = (uint16_t)s->init_data->hook.sm_list,
1058  .sm_list_base = (uint16_t)s->init_data->hook.sm_list,
1059  .dir = dir,
1060  };
1061  AppendAppInspectEngine(de_ctx, &t, s, NULL, mpm_list, files_id, &last_id, &head_is_mpm);
1062  }
1063 
1066  {
1067  /* if engine is added multiple times, we pass it the same list */
1069  BUG_ON(stream == NULL);
1070  if (s->flags & SIG_FLAG_TOSERVER && !(s->flags & SIG_FLAG_TOCLIENT)) {
1071  AppendStreamInspectEngine(s, stream, 0, last_id + 1);
1072  } else if (s->flags & SIG_FLAG_TOCLIENT && !(s->flags & SIG_FLAG_TOSERVER)) {
1073  AppendStreamInspectEngine(s, stream, 1, last_id + 1);
1074  } else {
1075  AppendStreamInspectEngine(s, stream, 0, last_id + 1);
1076  AppendStreamInspectEngine(s, stream, 1, last_id + 1);
1077  }
1078 
1080  SCLogDebug("set SIG_FLAG_FLUSH on %u", s->id);
1081  s->flags |= SIG_FLAG_FLUSH;
1082  }
1083  }
1084 
1085 #ifdef DEBUG
1087  while (iter) {
1088  SCLogDebug("%u: engine %s id %u progress %d %s", s->id,
1090  iter->sm_list == mpm_list ? "MPM" : "");
1091  iter = iter->next;
1092  }
1093 #endif
1094  return 0;
1095 }
1096 
1097 /** \brief free app inspect engines for a signature
1098  *
1099  * For lists that are registered multiple times, like http_header and
1100  * http_cookie, making the engines owner of the lists is complicated.
1101  * Multiple engines in a sig may be pointing to the same list. To
1102  * address this the 'free' code needs to be extra careful about not
1103  * double freeing, so it takes an approach to first fill an array
1104  * of the to-free pointers before freeing them.
1105  */
1107 {
1108  int engines = 0;
1109 
1111  while (ie) {
1112  ie = ie->next;
1113  engines++;
1114  }
1116  while (e) {
1117  e = e->next;
1118  engines++;
1119  }
1121  while (u) {
1122  u = u->next;
1123  engines++;
1124  }
1125  if (engines == 0) {
1126  BUG_ON(s->pkt_inspect);
1127  BUG_ON(s->frame_inspect);
1128  return;
1129  }
1130 
1131  SigMatchData *bufs[engines];
1132  memset(&bufs, 0, (engines * sizeof(SigMatchData *)));
1133  int arrays = 0;
1134 
1135  /* free engines and put smd in the array */
1136  ie = s->app_inspect;
1137  while (ie) {
1139 
1140  bool skip = false;
1141  for (int i = 0; i < arrays; i++) {
1142  if (bufs[i] == ie->smd) {
1143  skip = true;
1144  break;
1145  }
1146  }
1147  if (!skip) {
1148  bufs[arrays++] = ie->smd;
1149  }
1150  SCFree(ie);
1151  ie = next;
1152  }
1153  e = s->pkt_inspect;
1154  while (e) {
1156 
1157  bool skip = false;
1158  for (int i = 0; i < arrays; i++) {
1159  if (bufs[i] == e->smd) {
1160  skip = true;
1161  break;
1162  }
1163  }
1164  if (!skip) {
1165  bufs[arrays++] = e->smd;
1166  }
1167  SCFree(e);
1168  e = next;
1169  }
1170  u = s->frame_inspect;
1171  while (u) {
1173 
1174  bool skip = false;
1175  for (int i = 0; i < arrays; i++) {
1176  if (bufs[i] == u->smd) {
1177  skip = true;
1178  break;
1179  }
1180  }
1181  if (!skip) {
1182  bufs[arrays++] = u->smd;
1183  }
1184  SCFree(u);
1185  u = next;
1186  }
1187 
1188  for (int i = 0; i < engines; i++) {
1189  if (bufs[i] == NULL)
1190  continue;
1191  SigMatchData *smd = bufs[i];
1192  while (1) {
1193  if (sigmatch_table[smd->type].Free != NULL) {
1194  sigmatch_table[smd->type].Free(de_ctx, smd->ctx);
1195  }
1196  if (smd->is_last)
1197  break;
1198  smd++;
1199  }
1200  SCFree(bufs[i]);
1201  }
1202 }
1203 
1204 /* code for registering buffers */
1205 
1206 #include "util-hash-lookup3.h"
1207 
1208 static HashListTable *g_buffer_type_hash = NULL;
1209 static int g_buffer_type_id = DETECT_SM_LIST_DYNAMIC_START;
1210 static int g_buffer_type_reg_closed = 0;
1211 
1213 {
1214  return g_buffer_type_id;
1215 }
1216 
1217 static void DetectBufferAddTransformData(DetectBufferType *map)
1218 {
1219  for (int i = 0; i < map->transforms.cnt; i++) {
1220  const TransformData *t = &map->transforms.transforms[i];
1223  &map->xform_id[i].id_data, &map->xform_id[i].id_data_len, t->options);
1224  SCLogDebug("transform identity data: [%p] \"%s\" [%d]", map->xform_id[i].id_data,
1225  (char *)map->xform_id[i].id_data, map->xform_id[i].id_data_len);
1226  }
1227  }
1228 }
1229 
1230 static uint32_t DetectBufferTypeHashNameFunc(HashListTable *ht, void *data, uint16_t datalen)
1231 {
1232  const DetectBufferType *map = (DetectBufferType *)data;
1233  uint32_t hash = hashlittle_safe(map->name, strlen(map->name), 0);
1234 
1235  // Add the transform data
1236  // - Collect transform id and position
1237  // - Collect identity data, if any
1238  hash += hashlittle_safe((uint8_t *)&map->transforms.cnt, sizeof(map->transforms.cnt), 0);
1239  for (int i = 0; i < map->transforms.cnt; i++) {
1240  const TransformData *t = &map->transforms.transforms[i];
1241  int tval = t->transform;
1242  hash += hashlittle_safe((uint8_t *)&tval, sizeof(tval), 0);
1243  if (map->xform_id[i].id_data) {
1244  hash += hashlittle_safe(
1245  &map->xform_id[i].id_data_len, sizeof(map->xform_id[i].id_data_len), 0);
1246  hash += hashlittle_safe(map->xform_id[i].id_data, map->xform_id[i].id_data_len, 0);
1247  }
1248  }
1249  hash %= ht->array_size;
1250  SCLogDebug("map->name %s, hash %d", map->name, hash);
1251  return hash;
1252 }
1253 
1254 static uint32_t DetectBufferTypeHashIdFunc(HashListTable *ht, void *data, uint16_t datalen)
1255 {
1256  const DetectBufferType *map = (DetectBufferType *)data;
1257  uint32_t hash = map->id;
1258  hash %= ht->array_size;
1259  return hash;
1260 }
1261 
1262 static char DetectBufferTypeCompareNameFunc(void *data1, uint16_t len1, void *data2, uint16_t len2)
1263 {
1264  DetectBufferType *map1 = (DetectBufferType *)data1;
1265  DetectBufferType *map2 = (DetectBufferType *)data2;
1266 
1267  char r = (strcmp(map1->name, map2->name) == 0);
1268 
1269  // Compare the transforms
1270  // the transform supports identity, that data will also be added.
1271  r &= map1->transforms.cnt == map2->transforms.cnt;
1272  if (r && map1->transforms.cnt) {
1273  for (int i = 0; i < map1->transforms.cnt; i++) {
1274  if (map1->transforms.transforms[i].transform !=
1275  map2->transforms.transforms[i].transform) {
1276  r = 0;
1277  break;
1278  }
1279 
1280  SCLogDebug("%s: transform ids match; checking specialized data", map1->name);
1281  // Checks
1282  // - Both NULL: --> ok, continue
1283  // - One NULL: --> no match, break?
1284  // - identity data lengths match: --> ok, continue
1285  // - identity data matches: ok
1286 
1287  // Stop if only one is NULL
1288  if ((map1->xform_id[i].id_data == NULL) ^ (map2->xform_id[i].id_data == NULL)) {
1289  SCLogDebug("identity data: only one is null");
1290  r = 0;
1291  break;
1292  } else if (map1->xform_id[i].id_data == NULL) { /* continue when both are null */
1293  SCLogDebug("identity data: both null");
1294  r = 1;
1295  continue;
1296  } else if (map1->xform_id[i].id_data_len != map2->xform_id[i].id_data_len) {
1297  // Stop when id data lengths aren't equal
1298  SCLogDebug("id data: unequal lengths");
1299  r = 0;
1300  break;
1301  }
1302 
1303  // stop if the identity data is different
1304  r &= memcmp(map1->xform_id[i].id_data, map2->xform_id[i].id_data,
1305  map1->xform_id[i].id_data_len) == 0;
1306  if (r == 0)
1307  break;
1308  SCLogDebug("identity data: data matches");
1309  }
1310  }
1311  return r;
1312 }
1313 
1314 static char DetectBufferTypeCompareIdFunc(void *data1, uint16_t len1, void *data2, uint16_t len2)
1315 {
1316  DetectBufferType *map1 = (DetectBufferType *)data1;
1317  DetectBufferType *map2 = (DetectBufferType *)data2;
1318  return map1->id == map2->id;
1319 }
1320 
1321 static void DetectBufferTypeFreeFunc(void *data)
1322 {
1323  DetectBufferType *map = (DetectBufferType *)data;
1324 
1325  if (map == NULL) {
1326  return;
1327  }
1328 
1329  /* Release transformation option memory, if any */
1330  for (int i = 0; i < map->transforms.cnt; i++) {
1331  if (map->transforms.transforms[i].options == NULL)
1332  continue;
1333 
1334  if (sigmatch_table[map->transforms.transforms[i].transform].Free == NULL) {
1335  SCLogError("%s allocates transform option memory but has no free routine",
1337  continue;
1338  }
1340  }
1341 
1342  SCFree(map);
1343 }
1344 
1345 static int DetectBufferTypeInit(void)
1346 {
1347  BUG_ON(g_buffer_type_hash);
1348  g_buffer_type_hash = HashListTableInit(256, DetectBufferTypeHashNameFunc,
1349  DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc);
1350  if (g_buffer_type_hash == NULL)
1351  return -1;
1352 
1353  return 0;
1354 }
1355 #if 0
1356 static void DetectBufferTypeFree(void)
1357 {
1358  if (g_buffer_type_hash == NULL)
1359  return;
1360 
1361  HashListTableFree(g_buffer_type_hash);
1362  g_buffer_type_hash = NULL;
1363 }
1364 #endif
1365 static int DetectBufferTypeAdd(const char *string)
1366 {
1367  BUG_ON(string == NULL || strlen(string) >= 64);
1368 
1369  DetectBufferType *map = SCCalloc(1, sizeof(*map));
1370  if (map == NULL)
1371  return -1;
1372 
1373  strlcpy(map->name, string, sizeof(map->name));
1374  map->id = g_buffer_type_id++;
1375 
1376  BUG_ON(HashListTableAdd(g_buffer_type_hash, (void *)map, 0) != 0);
1377  SCLogDebug("buffer %s registered with id %d", map->name, map->id);
1378  return map->id;
1379 }
1380 
1381 static DetectBufferType *DetectBufferTypeLookupByName(const char *string)
1382 {
1383  DetectBufferType map;
1384  memset(&map, 0, sizeof(map));
1385  strlcpy(map.name, string, sizeof(map.name));
1386 
1387  DetectBufferType *res = HashListTableLookup(g_buffer_type_hash, &map, 0);
1388  return res;
1389 }
1390 
1392 {
1393  BUG_ON(g_buffer_type_reg_closed);
1394  if (g_buffer_type_hash == NULL)
1395  DetectBufferTypeInit();
1396 
1397  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1398  if (!exists) {
1399  return DetectBufferTypeAdd(name);
1400  } else {
1401  return exists->id;
1402  }
1403 }
1404 
1406 {
1407  BUG_ON(g_buffer_type_reg_closed);
1409  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1410  BUG_ON(!exists);
1411  exists->multi_instance = true;
1412  SCLogDebug("%p %s -- %d supports multi instance", exists, name, exists->id);
1413 }
1414 
1416 {
1417  BUG_ON(g_buffer_type_reg_closed);
1419  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1420  BUG_ON(!exists);
1421  exists->frame = true;
1422  SCLogDebug("%p %s -- %d supports frame inspection", exists, name, exists->id);
1423 }
1424 
1426 {
1427  BUG_ON(g_buffer_type_reg_closed);
1429  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1430  BUG_ON(!exists);
1431  exists->packet = true;
1432  SCLogDebug("%p %s -- %d supports packet inspection", exists, name, exists->id);
1433 }
1434 
1436 {
1437  BUG_ON(g_buffer_type_reg_closed);
1439  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1440  BUG_ON(!exists);
1441  exists->mpm = true;
1442  SCLogDebug("%p %s -- %d supports mpm", exists, name, exists->id);
1443 }
1444 
1446 {
1447  BUG_ON(g_buffer_type_reg_closed);
1449  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1450  BUG_ON(!exists);
1451  exists->supports_transforms = true;
1452  SCLogDebug("%p %s -- %d supports transformations", exists, name, exists->id);
1453 }
1454 
1456 {
1457  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1458  if (!exists) {
1459  return -1;
1460  }
1461  return exists->id;
1462 }
1463 
1464 static DetectBufferType *DetectEngineBufferTypeLookupByName(
1465  const DetectEngineCtx *de_ctx, const char *string)
1466 {
1467  DetectBufferType map;
1468  memset(&map, 0, sizeof(map));
1469  strlcpy(map.name, string, sizeof(map.name));
1470 
1472  return res;
1473 }
1474 
1476 {
1477  DetectBufferType lookup;
1478  memset(&lookup, 0, sizeof(lookup));
1479  lookup.id = id;
1480  const DetectBufferType *res =
1481  HashListTableLookup(de_ctx->buffer_type_hash_id, (void *)&lookup, 0);
1482  return res;
1483 }
1484 
1486 {
1488  return res ? res->name : NULL;
1489 }
1490 
1491 static int DetectEngineBufferTypeAdd(DetectEngineCtx *de_ctx, const char *string)
1492 {
1493  BUG_ON(string == NULL || strlen(string) >= 32);
1494 
1495  DetectBufferType *map = SCCalloc(1, sizeof(*map));
1496  if (map == NULL)
1497  return -1;
1498 
1499  strlcpy(map->name, string, sizeof(map->name));
1500  map->id = de_ctx->buffer_type_id++;
1501 
1502  BUG_ON(HashListTableAdd(de_ctx->buffer_type_hash_name, (void *)map, 0) != 0);
1503  BUG_ON(HashListTableAdd(de_ctx->buffer_type_hash_id, (void *)map, 0) != 0);
1504  SCLogDebug("buffer %s registered with id %d", map->name, map->id);
1505  return map->id;
1506 }
1507 
1509  const int direction, const AppProto alproto, const uint8_t frame_type)
1510 {
1511  DetectBufferType *exists = DetectEngineBufferTypeLookupByName(de_ctx, name);
1512  if (exists) {
1513  return exists->id;
1514  }
1515 
1516  const int buffer_id = DetectEngineBufferTypeAdd(de_ctx, name);
1517  if (buffer_id < 0) {
1518  return -1;
1519  }
1520 
1521  /* TODO hack we need the map to get the name. Should we return the map at reg? */
1522  const DetectBufferType *map = DetectEngineBufferTypeGetById(de_ctx, buffer_id);
1523  BUG_ON(!map);
1524 
1525  /* register MPM/inspect engines */
1526  if (direction & SIG_FLAG_TOSERVER) {
1528  PrefilterGenericMpmFrameRegister, alproto, frame_type);
1530  DetectEngineInspectFrameBufferGeneric, alproto, frame_type);
1531  }
1532  if (direction & SIG_FLAG_TOCLIENT) {
1534  PrefilterGenericMpmFrameRegister, alproto, frame_type);
1536  DetectEngineInspectFrameBufferGeneric, alproto, frame_type);
1537  }
1538 
1539  return buffer_id;
1540 }
1541 
1543 {
1544  DetectBufferType *exists = DetectEngineBufferTypeLookupByName(de_ctx, name);
1545  if (!exists) {
1546  return DetectEngineBufferTypeAdd(de_ctx, name);
1547  } else {
1548  return exists->id;
1549  }
1550 }
1551 
1552 void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
1553 {
1554  BUG_ON(desc == NULL || strlen(desc) >= 128);
1555 
1556  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1557  if (!exists) {
1558  return;
1559  }
1560  strlcpy(exists->description, desc, sizeof(exists->description));
1561 }
1562 
1564 {
1566  if (!exists) {
1567  return NULL;
1568  }
1569  return exists->description;
1570 }
1571 
1573 {
1574  DetectBufferType *exists = DetectEngineBufferTypeLookupByName(de_ctx, name);
1575  BUG_ON(!exists);
1576  exists->frame = true;
1577  SCLogDebug("%p %s -- %d supports frame inspection", exists, name, exists->id);
1578 }
1579 
1581 {
1582  DetectBufferType *exists = DetectEngineBufferTypeLookupByName(de_ctx, name);
1583  BUG_ON(!exists);
1584  exists->packet = true;
1585  SCLogDebug("%p %s -- %d supports packet inspection", exists, name, exists->id);
1586 }
1587 
1589 {
1590  DetectBufferType *exists = DetectEngineBufferTypeLookupByName(de_ctx, name);
1591  BUG_ON(!exists);
1592  exists->mpm = true;
1593  SCLogDebug("%p %s -- %d supports mpm", exists, name, exists->id);
1594 }
1595 
1597 {
1598  DetectBufferType *exists = DetectEngineBufferTypeLookupByName(de_ctx, name);
1599  BUG_ON(!exists);
1600  exists->supports_transforms = true;
1601  SCLogDebug("%p %s -- %d supports transformations", exists, name, exists->id);
1602 }
1603 
1605 {
1607  if (map == NULL)
1608  return false;
1609  SCLogDebug("map %p id %d multi_instance? %s", map, id, BOOL2STR(map->multi_instance));
1610  return map->multi_instance;
1611 }
1612 
1614 {
1616  if (map == NULL)
1617  return false;
1618  SCLogDebug("map %p id %d packet? %d", map, id, map->packet);
1619  return map->packet;
1620 }
1621 
1623 {
1625  if (map == NULL)
1626  return false;
1627  SCLogDebug("map %p id %d mpm? %d", map, id, map->mpm);
1628  return map->mpm;
1629 }
1630 
1632 {
1634  if (map == NULL)
1635  return false;
1636  SCLogDebug("map %p id %d frame? %d", map, id, map->frame);
1637  return map->frame;
1638 }
1639 
1641  void (*SetupCallback)(const DetectEngineCtx *, Signature *, const DetectBufferType *))
1642 {
1643  BUG_ON(g_buffer_type_reg_closed);
1645  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1646  BUG_ON(!exists);
1647  exists->SetupCallback = SetupCallback;
1648 }
1649 
1651 {
1653  if (map && map->SetupCallback) {
1654  map->SetupCallback(de_ctx, s, map);
1655  }
1656 }
1657 
1659  const char *name, bool (*ValidateCallback)(const Signature *, const char **sigerror,
1660  const DetectBufferType *))
1661 {
1662  BUG_ON(g_buffer_type_reg_closed);
1664  DetectBufferType *exists = DetectBufferTypeLookupByName(name);
1665  BUG_ON(!exists);
1666  exists->ValidateCallback = ValidateCallback;
1667 }
1668 
1670  const DetectEngineCtx *de_ctx, const int id, const Signature *s, const char **sigerror)
1671 {
1673  // only run validation if the buffer is not transformed
1674  if (map && map->ValidateCallback && map->transforms.cnt == 0) {
1675  return map->ValidateCallback(s, sigerror, map);
1676  }
1677  return true;
1678 }
1679 
1680 bool DetectBufferIsPresent(const Signature *s, const uint32_t buf_id)
1681 {
1682  for (uint32_t i = 0; i < s->init_data->buffer_index; i++) {
1683  if (buf_id == s->init_data->buffers[i].id) {
1684  return true;
1685  }
1686  }
1687  return false;
1688 }
1689 
1690 /** \brief Check content byte array compatibility with transforms
1691  *
1692  * The "content" array is presented to the transforms so that each
1693  * transform may validate that it's compatible with the transform.
1694  *
1695  * When a transform indicates the byte array is incompatible, none of the
1696  * subsequent transforms, if any, are invoked. This means the first validation
1697  * failure terminates the loop.
1698  *
1699  * \param de_ctx Detection engine context.
1700  * \param sm_list The SM list id.
1701  * \param content The byte array being validated
1702  * \param namestr returns the name of the transform that is incompatible with
1703  * content.
1704  *
1705  * \retval true (false) If any of the transforms indicate the byte array is
1706  * (is not) compatible.
1707  **/
1709  const uint8_t *content, uint16_t content_len, const char **namestr)
1710 {
1711  const DetectBufferType *dbt = DetectEngineBufferTypeGetById(de_ctx, sm_list);
1712  BUG_ON(dbt == NULL);
1713 
1714  for (int i = 0; i < dbt->transforms.cnt; i++) {
1715  const TransformData *t = &dbt->transforms.transforms[i];
1717  continue;
1718 
1719  if (sigmatch_table[t->transform].TransformValidate(content, content_len, t->options)) {
1720  continue;
1721  }
1722 
1723  if (namestr) {
1724  *namestr = sigmatch_table[t->transform].name;
1725  }
1726 
1727  return false;
1728  }
1729 
1730  return true;
1731 }
1732 
1733 static void DetectBufferTypeSetupDetectEngine(DetectEngineCtx *de_ctx)
1734 {
1735  const int size = g_buffer_type_id;
1736  BUG_ON(!(size > 0));
1737 
1738  de_ctx->buffer_type_hash_name = HashListTableInit(256, DetectBufferTypeHashNameFunc,
1739  DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc);
1742  HashListTableInit(256, DetectBufferTypeHashIdFunc, DetectBufferTypeCompareIdFunc,
1743  NULL); // entries owned by buffer_type_hash_name
1744  BUG_ON(de_ctx->buffer_type_hash_id == NULL);
1745  de_ctx->buffer_type_id = g_buffer_type_id;
1746 
1747  SCLogDebug("DETECT_SM_LIST_DYNAMIC_START %u", DETECT_SM_LIST_DYNAMIC_START);
1748  HashListTableBucket *b = HashListTableGetListHead(g_buffer_type_hash);
1749  while (b) {
1751 
1752  DetectBufferType *copy = SCCalloc(1, sizeof(*copy));
1753  BUG_ON(!copy);
1754  memcpy(copy, map, sizeof(*copy));
1755  int r = HashListTableAdd(de_ctx->buffer_type_hash_name, (void *)copy, 0);
1756  BUG_ON(r != 0);
1757  r = HashListTableAdd(de_ctx->buffer_type_hash_id, (void *)copy, 0);
1758  BUG_ON(r != 0);
1759 
1760  SCLogDebug("name %s id %d mpm %s packet %s -- %s. "
1761  "Callbacks: Setup %p Validate %p",
1762  map->name, map->id, map->mpm ? "true" : "false", map->packet ? "true" : "false",
1763  map->description, map->SetupCallback, map->ValidateCallback);
1764  b = HashListTableGetListNext(b);
1765  }
1766 
1769  DetectAppLayerInspectEngineCopyListToDetectCtx(de_ctx);
1771  DetectFrameInspectEngineCopyListToDetectCtx(de_ctx);
1773  DetectPktInspectEngineCopyListToDetectCtx(de_ctx);
1774 }
1775 
1776 static void DetectBufferTypeFreeDetectEngine(DetectEngineCtx *de_ctx)
1777 {
1778  if (de_ctx) {
1783 
1785  while (ilist) {
1787  SCFree(ilist);
1788  ilist = next;
1789  }
1791  while (mlist) {
1792  DetectBufferMpmRegistry *next = mlist->next;
1793  SCFree(mlist);
1794  mlist = next;
1795  }
1797  while (plist) {
1799  SCFree(plist);
1800  plist = next;
1801  }
1803  while (pmlist) {
1804  DetectBufferMpmRegistry *next = pmlist->next;
1805  SCFree(pmlist);
1806  pmlist = next;
1807  }
1809  while (framelist) {
1811  SCFree(framelist);
1812  framelist = next;
1813  }
1815  while (framemlist) {
1816  DetectBufferMpmRegistry *next = framemlist->next;
1817  SCFree(framemlist);
1818  framemlist = next;
1819  }
1821  }
1822 }
1823 
1825 {
1826  BUG_ON(g_buffer_type_hash == NULL);
1827 
1828  g_buffer_type_reg_closed = 1;
1829 }
1830 
1832  DetectEngineCtx *de_ctx, const int id, TransformData *transforms, int transform_cnt)
1833 {
1834  const DetectBufferType *base_map = DetectEngineBufferTypeGetById(de_ctx, id);
1835  if (!base_map) {
1836  return -1;
1837  }
1838  if (!base_map->supports_transforms) {
1839  SCLogError("buffer '%s' does not support transformations", base_map->name);
1840  return -1;
1841  }
1842 
1843  SCLogDebug("base_map %s", base_map->name);
1844 
1846  memset(&t, 0, sizeof(t));
1847  for (int i = 0; i < transform_cnt; i++) {
1848  t.transforms[i] = transforms[i];
1849  }
1850  t.cnt = transform_cnt;
1851 
1852  DetectBufferType lookup_map;
1853  memset(&lookup_map, 0, sizeof(lookup_map));
1854  strlcpy(lookup_map.name, base_map->name, sizeof(lookup_map.name));
1855  lookup_map.transforms = t;
1856 
1857  /* Add transform identity data from transforms */
1858  if (t.cnt) {
1859  DetectBufferAddTransformData(&lookup_map);
1860  }
1862 
1863  SCLogDebug("res %p", res);
1864  if (res != NULL) {
1865  return res->id;
1866  }
1867 
1868  DetectBufferType *map = SCCalloc(1, sizeof(*map));
1869  if (map == NULL)
1870  return -1;
1871 
1872  strlcpy(map->name, base_map->name, sizeof(map->name));
1873  map->id = de_ctx->buffer_type_id++;
1874  map->parent_id = base_map->id;
1875  map->transforms = t;
1876  map->mpm = base_map->mpm;
1877  map->packet = base_map->packet;
1878  map->frame = base_map->frame;
1879  map->SetupCallback = base_map->SetupCallback;
1880  map->ValidateCallback = base_map->ValidateCallback;
1881  if (map->frame) {
1883  } else if (map->packet) {
1885  map->id, map->parent_id, &map->transforms);
1886  } else {
1888  map->id, map->parent_id, &map->transforms);
1889  }
1890 
1891  BUG_ON(HashListTableAdd(de_ctx->buffer_type_hash_name, (void *)map, 0) != 0);
1892  BUG_ON(HashListTableAdd(de_ctx->buffer_type_hash_id, (void *)map, 0) != 0);
1893  SCLogDebug("buffer %s registered with id %d, parent %d", map->name, map->id, map->parent_id);
1894 
1895  if (map->frame) {
1896  DetectFrameInspectEngineCopy(de_ctx, map->parent_id, map->id, &map->transforms);
1897  } else if (map->packet) {
1898  DetectPktInspectEngineCopy(de_ctx, map->parent_id, map->id, &map->transforms);
1899  } else {
1900  DetectAppLayerInspectEngineCopy(de_ctx, map->parent_id, map->id, &map->transforms);
1901  }
1902  return map->id;
1903 }
1904 
1905 /* returns false if no match, true if match */
1906 static int DetectEngineInspectRulePacketMatches(
1907  DetectEngineThreadCtx *det_ctx,
1908  const DetectEnginePktInspectionEngine *engine,
1909  const Signature *s,
1910  Packet *p, uint8_t *_alert_flags)
1911 {
1912  SCEnter();
1913 
1914  /* run the packet match functions */
1916  const SigMatchData *smd = s->sm_arrays[DETECT_SM_LIST_MATCH];
1917 
1918  SCLogDebug("running match functions, sm %p", smd);
1919  while (1) {
1921  if (sigmatch_table[smd->type].Match(det_ctx, p, s, smd->ctx) <= 0) {
1922  KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
1923  SCLogDebug("no match");
1925  }
1926  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
1927  if (smd->is_last) {
1928  SCLogDebug("match and is_last");
1929  break;
1930  }
1931  smd++;
1932  }
1934 }
1935 
1936 static int DetectEngineInspectRulePayloadMatches(
1937  DetectEngineThreadCtx *det_ctx,
1938  const DetectEnginePktInspectionEngine *engine,
1939  const Signature *s, Packet *p, uint8_t *alert_flags)
1940 {
1941  SCEnter();
1942 
1943  DetectEngineCtx *de_ctx = det_ctx->de_ctx;
1944 
1946  /* if we have stream msgs, inspect against those first,
1947  * but not for a "dsize" signature */
1948  if (s->flags & SIG_FLAG_REQUIRE_STREAM) {
1949  int pmatch = 0;
1951  pmatch = DetectEngineInspectStreamPayload(de_ctx, det_ctx, s, p->flow, p);
1952  if (pmatch) {
1953  *alert_flags |= PACKET_ALERT_FLAG_STREAM_MATCH;
1954  }
1955  }
1956  /* no match? then inspect packet payload */
1957  if (pmatch == 0) {
1958  SCLogDebug("no match in stream, fall back to packet payload");
1959 
1960  /* skip if we don't have to inspect the packet and segment was
1961  * added to stream */
1962  if (!(s->flags & SIG_FLAG_REQUIRE_PACKET) && (p->flags & PKT_STREAM_ADD)) {
1964  }
1966  SCLogDebug("SIG_FLAG_REQUIRE_STREAM_ONLY, so no match");
1968  }
1969  if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, p) != 1) {
1971  }
1972  }
1973  } else {
1974  if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, p) != 1) {
1976  }
1977  }
1979 }
1980 
1982  DetectEngineThreadCtx *det_ctx, const Signature *s,
1983  Flow *f, Packet *p,
1984  uint8_t *alert_flags)
1985 {
1986  SCEnter();
1987 
1988  for (DetectEnginePktInspectionEngine *e = s->pkt_inspect; e != NULL; e = e->next) {
1989  if (e->v1.Callback(det_ctx, e, s, p, alert_flags) != DETECT_ENGINE_INSPECT_SIG_MATCH) {
1990  SCLogDebug("sid %u: e %p Callback returned no match", s->id, e);
1991  return false;
1992  }
1993  SCLogDebug("sid %u: e %p Callback returned true", s->id, e);
1994  }
1995 
1996  SCLogDebug("sid %u: returning true", s->id);
1997  return true;
1998 }
1999 
2000 /**
2001  * \param data pointer to SigMatchData. Allowed to be NULL.
2002  */
2003 static int DetectEnginePktInspectionAppend(Signature *s, InspectionBufferPktInspectFunc Callback,
2004  SigMatchData *data, const int list_id)
2005 {
2006  DetectEnginePktInspectionEngine *e = SCCalloc(1, sizeof(*e));
2007  if (e == NULL)
2008  return -1;
2009 
2010  e->mpm = s->init_data->mpm_sm_list == list_id;
2011  DEBUG_VALIDATE_BUG_ON(list_id < 0 || list_id > UINT16_MAX);
2012  e->sm_list = (uint16_t)list_id;
2013  e->sm_list_base = (uint16_t)list_id;
2014  e->v1.Callback = Callback;
2015  e->smd = data;
2016 
2017  if (s->pkt_inspect == NULL) {
2018  s->pkt_inspect = e;
2019  } else {
2021  while (a->next != NULL) {
2022  a = a->next;
2023  }
2024  a->next = e;
2025  }
2026  return 0;
2027 }
2028 
2030 {
2031  /* only handle PMATCH here if we're not an app inspect rule */
2033  if (DetectEnginePktInspectionAppend(
2034  s, DetectEngineInspectRulePayloadMatches, NULL, DETECT_SM_LIST_PMATCH) < 0)
2035  return -1;
2036  SCLogDebug("sid %u: DetectEngineInspectRulePayloadMatches appended", s->id);
2037  }
2038 
2039  if (s->sm_arrays[DETECT_SM_LIST_MATCH]) {
2040  if (DetectEnginePktInspectionAppend(
2041  s, DetectEngineInspectRulePacketMatches, NULL, DETECT_SM_LIST_MATCH) < 0)
2042  return -1;
2043  SCLogDebug("sid %u: DetectEngineInspectRulePacketMatches appended", s->id);
2044  }
2045 
2046  return 0;
2047 }
2048 
2049 /* code to control the main thread to do a reload */
2050 
2052  IDLE, /**< ready to start a reload */
2053  RELOAD, /**< command main thread to do the reload */
2054 };
2055 
2056 
2057 typedef struct DetectEngineSyncer_ {
2061 
2062 static DetectEngineSyncer detect_sync = { SCMUTEX_INITIALIZER, IDLE };
2063 
2064 /* tell main to start reloading */
2066 {
2067  int r = 0;
2068  SCMutexLock(&detect_sync.m);
2069  if (detect_sync.state == IDLE) {
2070  detect_sync.state = RELOAD;
2071  } else {
2072  r = -1;
2073  }
2074  SCMutexUnlock(&detect_sync.m);
2075  return r;
2076 }
2077 
2078 /* main thread checks this to see if it should start */
2080 {
2081  int r = 0;
2082  SCMutexLock(&detect_sync.m);
2083  if (detect_sync.state == RELOAD) {
2084  r = 1;
2085  }
2086  SCMutexUnlock(&detect_sync.m);
2087  return r;
2088 }
2089 
2090 /* main thread sets done when it's done */
2092 {
2093  SCMutexLock(&detect_sync.m);
2094  detect_sync.state = IDLE;
2095  SCMutexUnlock(&detect_sync.m);
2096 }
2097 
2098 /* caller loops this until it returns 1 */
2100 {
2101  int r = 0;
2102  SCMutexLock(&detect_sync.m);
2103  if (detect_sync.state == IDLE) {
2104  r = 1;
2105  }
2106  SCMutexUnlock(&detect_sync.m);
2107  return r;
2108 }
2109 
2110 /** \brief Do the content inspection & validation for a signature
2111  *
2112  * \param de_ctx Detection engine context
2113  * \param det_ctx Detection engine thread context
2114  * \param s Signature to inspect
2115  * \param sm SigMatch to inspect
2116  * \param f Flow
2117  * \param flags app layer flags
2118  * \param state App layer state
2119  *
2120  * \retval 0 no match
2121  * \retval 1 match
2122  */
2124  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
2125  uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
2126 {
2127  SigMatchData *smd = engine->smd;
2128  SCLogDebug("running match functions, sm %p", smd);
2129  if (smd != NULL) {
2130  while (1) {
2131  int match = 0;
2133  match = sigmatch_table[smd->type].
2134  AppLayerTxMatch(det_ctx, f, flags, alstate, txv, s, smd->ctx);
2135  KEYWORD_PROFILING_END(det_ctx, smd->type, (match == 1));
2136  if (match == 0)
2138  if (match == 2) {
2140  }
2141 
2142  if (smd->is_last)
2143  break;
2144  smd++;
2145  }
2146  }
2147 
2149 }
2150 
2151 /**
2152  * \brief Do the content inspection & validation for a signature
2153  *
2154  * \param de_ctx Detection engine context
2155  * \param det_ctx Detection engine thread context
2156  * \param s Signature to inspect
2157  * \param f Flow
2158  * \param flags app layer flags
2159  * \param state App layer state
2160  *
2161  * \retval 0 no match.
2162  * \retval 1 match.
2163  * \retval 2 Sig can't match.
2164  */
2166  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
2167  void *alstate, void *txv, uint64_t tx_id)
2168 {
2169  const int list_id = engine->sm_list;
2170  SCLogDebug("running inspect on %d", list_id);
2171 
2172  const bool eof =
2173  (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) > engine->progress);
2174 
2175  SCLogDebug("list %d mpm? %s transforms %p", engine->sm_list, engine->mpm ? "true" : "false",
2176  engine->v2.transforms);
2177 
2178  /* if prefilter didn't already run, we need to consider transformations */
2179  const DetectEngineTransforms *transforms = NULL;
2180  if (!engine->mpm) {
2181  transforms = engine->v2.transforms;
2182  }
2183 
2184  const InspectionBuffer *buffer = DetectGetSingleData(
2185  det_ctx, transforms, f, flags, txv, list_id, engine->v2.GetDataSingle);
2186  if (unlikely(buffer == NULL)) {
2187  if (eof && engine->match_on_null) {
2189  }
2191  }
2192 
2193  const uint32_t data_len = buffer->inspect_len;
2194  const uint8_t *data = buffer->inspect;
2195  const uint64_t offset = buffer->inspect_offset;
2196 
2197  uint8_t ci_flags = eof ? DETECT_CI_FLAGS_END : 0;
2198  ci_flags |= (offset == 0 ? DETECT_CI_FLAGS_START : 0);
2199  ci_flags |= buffer->flags;
2200 
2201  /* Inspect all the uricontents fetched on each
2202  * transaction at the app layer */
2203  const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, data,
2205  if (match) {
2207  } else {
2209  }
2210 }
2211 
2212 /**
2213  * \brief Do the content inspection & validation for a signature
2214  *
2215  * \param de_ctx Detection engine context
2216  * \param det_ctx Detection engine thread context
2217  * \param s Signature to inspect
2218  * \param f Flow
2219  * \param flags app layer flags
2220  * \param state App layer state
2221  *
2222  * \retval 0 no match.
2223  * \retval 1 match.
2224  * \retval 2 Sig can't match.
2225  */
2227  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
2228  void *alstate, void *txv, uint64_t tx_id)
2229 {
2230  const int list_id = engine->sm_list;
2231  SCLogDebug("running inspect on %d", list_id);
2232 
2233  const bool eof = (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) > engine->progress);
2234 
2235  SCLogDebug("list %d mpm? %s transforms %p",
2236  engine->sm_list, engine->mpm ? "true" : "false", engine->v2.transforms);
2237 
2238  /* if prefilter didn't already run, we need to consider transformations */
2239  const DetectEngineTransforms *transforms = NULL;
2240  if (!engine->mpm) {
2241  transforms = engine->v2.transforms;
2242  }
2243 
2244  const InspectionBuffer *buffer = engine->v2.GetData(det_ctx, transforms,
2245  f, flags, txv, list_id);
2246  if (unlikely(buffer == NULL)) {
2247  if (eof && engine->match_on_null) {
2249  }
2252  }
2253 
2254  const uint32_t data_len = buffer->inspect_len;
2255  const uint8_t *data = buffer->inspect;
2256  const uint64_t offset = buffer->inspect_offset;
2257 
2258  uint8_t ci_flags = eof ? DETECT_CI_FLAGS_END : 0;
2259  ci_flags |= (offset == 0 ? DETECT_CI_FLAGS_START : 0);
2260  ci_flags |= buffer->flags;
2261 
2262  /* Inspect all the uricontents fetched on each
2263  * transaction at the app layer */
2264  const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, data,
2266  if (match) {
2268  } else {
2271  }
2272 }
2273 
2274 // wrapper for both DetectAppLayerInspectEngineRegister and DetectAppLayerMpmRegister
2275 // with cast of callback function
2276 void DetectAppLayerMultiRegisterSubState(const char *name, AppProto alproto, uint32_t dir,
2277  uint8_t sub_state, uint8_t progress, InspectionMultiBufferGetDataPtr GetData, int priority)
2278 {
2279  BUG_ON(AppLayerParserSupportsSubStates(alproto) && sub_state == 0);
2280  AppLayerInspectEngineRegisterInternal(name, alproto, dir, sub_state, progress,
2281  DetectEngineInspectMultiBufferGeneric, NULL, NULL, GetData);
2283  GetData, alproto, sub_state, progress);
2284 }
2285 
2286 // wrapper for both DetectAppLayerInspectEngineRegister and DetectAppLayerMpmRegister
2287 // with cast of callback function
2288 void DetectAppLayerMultiRegister(const char *name, AppProto alproto, uint32_t dir, uint8_t progress,
2289  InspectionMultiBufferGetDataPtr GetData, int priority)
2290 {
2292  AppLayerInspectEngineRegisterInternal(name, alproto, dir, 0, (uint8_t)progress,
2293  DetectEngineInspectMultiBufferGeneric, NULL, NULL, GetData);
2295  name, dir, priority, PrefilterMultiGenericMpmRegister, GetData, alproto, progress);
2296 }
2297 
2299  const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
2300  const int list_id, InspectionSingleBufferGetDataPtr GetBuf)
2301 {
2302  InspectionBuffer *buffer = SCInspectionBufferGet(det_ctx, list_id);
2303  if (buffer->inspect == NULL) {
2304  const uint8_t *b = NULL;
2305  uint32_t b_len = 0;
2306 
2307  if (!GetBuf(txv, flow_flags, &b, &b_len))
2308  return NULL;
2309 
2310  SCInspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
2311  }
2312  return buffer;
2313 }
2314 
2316  const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
2317  const int list_id, uint32_t index, InspectionMultiBufferGetDataPtr GetBuf)
2318 {
2319  InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, index);
2320  if (buffer == NULL) {
2321  return NULL;
2322  }
2323  if (buffer->initialized) {
2324  return buffer;
2325  }
2326 
2327  const uint8_t *data = NULL;
2328  uint32_t data_len = 0;
2329 
2330  if (!GetBuf(det_ctx, txv, flow_flags, index, &data, &data_len)) {
2332  return NULL;
2333  }
2334  InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len);
2335  buffer->flags = DETECT_CI_FLAGS_SINGLE;
2336  return buffer;
2337 }
2338 
2341  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
2342 {
2343  uint32_t local_id = 0;
2344  const DetectEngineTransforms *transforms = NULL;
2345  if (!engine->mpm) {
2346  transforms = engine->v2.transforms;
2347  }
2348 
2349  do {
2350  InspectionBuffer *buffer = DetectGetMultiData(det_ctx, transforms, f, flags, txv,
2351  engine->sm_list, local_id, engine->v2.GetMultiData);
2352 
2353  if (buffer == NULL || buffer->inspect == NULL)
2354  break;
2355 
2356  // The GetData functions set buffer->flags to DETECT_CI_FLAGS_SINGLE
2357  // This is not meant for streaming buffers
2358  const bool match = DetectEngineContentInspectionBuffer(de_ctx, det_ctx, s, engine->smd,
2360  if (match) {
2362  }
2363  local_id++;
2364  } while (1);
2365  if (local_id == 0) {
2366  // That means we did not get even one buffer value from the multi-buffer
2367  const bool eof = (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) >
2368  engine->progress);
2369  if (eof && engine->match_on_null) {
2371  }
2372  }
2374 }
2375 
2376 /**
2377  * \brief Do the content inspection & validation for a signature
2378  *
2379  * \param de_ctx Detection engine context
2380  * \param det_ctx Detection engine thread context
2381  * \param s Signature to inspect
2382  * \param p Packet
2383  *
2384  * \retval 0 no match.
2385  * \retval 1 match.
2386  */
2388  DetectEngineThreadCtx *det_ctx,
2389  const DetectEnginePktInspectionEngine *engine,
2390  const Signature *s, Packet *p, uint8_t *_alert_flags)
2391 {
2392  const int list_id = engine->sm_list;
2393  SCLogDebug("running inspect on %d", list_id);
2394 
2395  SCLogDebug("list %d transforms %p",
2396  engine->sm_list, engine->v1.transforms);
2397 
2398  /* if prefilter didn't already run, we need to consider transformations */
2399  const DetectEngineTransforms *transforms = NULL;
2400  if (!engine->mpm) {
2401  transforms = engine->v1.transforms;
2402  }
2403 
2404  const InspectionBuffer *buffer = engine->v1.GetData(det_ctx, transforms, p,
2405  list_id);
2406  if (unlikely(buffer == NULL)) {
2408  }
2409 
2410  uint8_t ci_flags = DETECT_CI_FLAGS_START|DETECT_CI_FLAGS_END;
2411  ci_flags |= buffer->flags;
2412 
2413  /* Inspect all the uricontents fetched on each
2414  * transaction at the app layer */
2415  const bool match = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx, s, engine->smd, p,
2416  p->flow, buffer->inspect, buffer->inspect_len, 0, ci_flags,
2418  if (match) {
2420  } else {
2422  }
2423 }
2424 
2425 /** \internal
2426  * \brief inject a pseudo packet into each detect thread
2427  * -that doesn't use the new det_ctx yet
2428  * -*or*, if the thread should flush its output logs.
2429  */
2430 static void InjectPackets(
2431  ThreadVars **detect_tvs, DetectEngineThreadCtx **new_det_ctx, int no_of_detect_tvs)
2432 {
2433  /* inject a fake packet if the detect thread that needs it. This function
2434  * is called if
2435  * - A thread isn't using a DE ctx and should
2436  * - Or, it should process a pseudo packet and flush its output logs.
2437  * to speed the process. */
2438  for (int i = 0; i < no_of_detect_tvs; i++) {
2439  if (SC_ATOMIC_GET(new_det_ctx[i]->so_far_used_by_detect) != 1) {
2440  if (detect_tvs[i]->inq != NULL) {
2442  if (p != NULL) {
2445  PacketQueue *q = detect_tvs[i]->inq->pq;
2446  SCMutexLock(&q->mutex_q);
2447  PacketEnqueue(q, p);
2448  SCCondSignal(&q->cond_q);
2449  SCMutexUnlock(&q->mutex_q);
2450  }
2451  }
2452  }
2453  }
2454 }
2455 
2456 static void DetectEngineLoadFlowbitSettings(DetectEngineCtx *de_ctx)
2457 {
2459  char varname[128] = "detect.flowbits.max-per-signature";
2460  if (strlen(de_ctx->config_prefix) > 0) {
2461  snprintf(varname, sizeof(varname), "%s.detect.flowbits.max-per-signature",
2463  }
2464  const char *str;
2465  if (SCConfGet(varname, &str) == 1) {
2466  uint8_t val = 0;
2467  int ret = StringParseUint8(&val, 10, 0, str);
2468  if (ret > 0) {
2469  if (val > 0) {
2470  de_ctx->max_flowbits = val;
2471  } else {
2472  SCLogWarning("Invalid setting for flowbits.max-per-signature %d, resetting to the "
2473  "default",
2474  val);
2475  }
2476  } else {
2477  SCLogWarning(
2478  "Invalid setting for flowbits.max-per-signature, resetting to the default");
2479  }
2480  }
2481  SCLogConfig("Setting flowbits.max-per-signature to %d", de_ctx->max_flowbits);
2482 }
2483 
2484 /** \internal
2485  * \brief Update detect threads with new detect engine
2486  *
2487  * Atomically update each detect thread with a new thread context
2488  * that is associated to the new detection engine(s).
2489  *
2490  * If called in unix socket mode, it's possible that we don't have
2491  * detect threads yet.
2492  * NOTE: master MUST be locked before calling this
2493  *
2494  * \retval -1 error
2495  * \retval 0 no detection threads
2496  * \retval 1 successful reload
2497  */
2498 static int DetectEngineReloadThreads(DetectEngineCtx *new_de_ctx)
2499 {
2500  SCEnter();
2501  uint32_t i = 0;
2502 
2503  /* count detect threads in use */
2504  const uint32_t no_of_detect_tvs = TmThreadCountThreadsByTmmFlags(TM_FLAG_FLOWWORKER_TM);
2505  /* can be zero in unix socket mode */
2506  if (no_of_detect_tvs == 0) {
2507  return 0;
2508  }
2509 
2510  /* prepare swap structures */
2511  DetectEngineThreadCtx *old_det_ctx[no_of_detect_tvs];
2512  DetectEngineThreadCtx *new_det_ctx[no_of_detect_tvs];
2513  ThreadVars *detect_tvs[no_of_detect_tvs];
2514  memset(old_det_ctx, 0x00, (no_of_detect_tvs * sizeof(DetectEngineThreadCtx *)));
2515  memset(new_det_ctx, 0x00, (no_of_detect_tvs * sizeof(DetectEngineThreadCtx *)));
2516  memset(detect_tvs, 0x00, (no_of_detect_tvs * sizeof(ThreadVars *)));
2517 
2518  /* start the process of swapping detect threads ctxs */
2519 
2520  /* get reference to tv's and setup new_det_ctx array */
2522  for (ThreadVars *tv = tv_root[TVT_PPT]; tv != NULL; tv = tv->next) {
2523  if ((tv->tmm_flags & TM_FLAG_FLOWWORKER_TM) == 0) {
2524  continue;
2525  }
2526  for (TmSlot *s = tv->tm_slots; s != NULL; s = s->slot_next) {
2527  TmModule *tm = TmModuleGetById(s->tm_id);
2528  if (!(tm->flags & TM_FLAG_FLOWWORKER_TM)) {
2529  continue;
2530  }
2531 
2532  if (suricata_ctl_flags != 0) {
2534  goto error;
2535  }
2536 
2537  old_det_ctx[i] = FlowWorkerGetDetectCtxPtr(SC_ATOMIC_GET(s->slot_data));
2538  detect_tvs[i] = tv;
2539 
2540  new_det_ctx[i] = DetectEngineThreadCtxInitForReload(tv, new_de_ctx, 1);
2541  if (new_det_ctx[i] == NULL) {
2542  SCLogError("Detect engine thread init "
2543  "failure in live rule swap. Let's get out of here");
2545  goto error;
2546  }
2547  SCLogDebug("live rule swap created new det_ctx - %p and de_ctx "
2548  "- %p\n", new_det_ctx[i], new_de_ctx);
2549  i++;
2550  break;
2551  }
2552  }
2553  BUG_ON(i != no_of_detect_tvs);
2554 
2555  /* atomically replace the det_ctx data */
2556  i = 0;
2557  for (ThreadVars *tv = tv_root[TVT_PPT]; tv != NULL; tv = tv->next) {
2558  if ((tv->tmm_flags & TM_FLAG_FLOWWORKER_TM) == 0) {
2559  continue;
2560  }
2561  for (TmSlot *s = tv->tm_slots; s != NULL; s = s->slot_next) {
2562  TmModule *tm = TmModuleGetById(s->tm_id);
2563  if (!(tm->flags & TM_FLAG_FLOWWORKER_TM)) {
2564  continue;
2565  }
2566  SCLogDebug("swapping new det_ctx - %p with older one - %p",
2567  new_det_ctx[i], SC_ATOMIC_GET(s->slot_data));
2568  DEBUG_VALIDATE_BUG_ON(i >= no_of_detect_tvs); // help scan-build
2569  FlowWorkerReplaceDetectCtx(SC_ATOMIC_GET(s->slot_data), new_det_ctx[i]);
2570  i++;
2571  break;
2572  }
2573  }
2575 
2576  /* threads now all have new data, however they may not have started using
2577  * it and may still use the old data */
2578 
2579  SCLogDebug("Live rule swap has swapped %d old det_ctx's with new ones, "
2580  "along with the new de_ctx", no_of_detect_tvs);
2581 
2582  InjectPackets(detect_tvs, new_det_ctx, no_of_detect_tvs);
2583 
2584  /* loop waiting for detect threads to switch to the new det_ctx. Try to
2585  * wake up capture if needed (break loop). */
2586  uint32_t threads_done = 0;
2587 retry:
2588  for (i = 0; i < no_of_detect_tvs; i++) {
2589  if (suricata_ctl_flags != 0) {
2590  threads_done = no_of_detect_tvs;
2591  break;
2592  }
2593  SleepMsec(1);
2594  if (SC_ATOMIC_GET(new_det_ctx[i]->so_far_used_by_detect) == 1) {
2595  SCLogDebug("new_det_ctx - %p used by detect engine", new_det_ctx[i]);
2596  threads_done++;
2597  } else {
2598  TmThreadsCaptureBreakLoop(detect_tvs[i]);
2599  }
2600  }
2601  if (threads_done < no_of_detect_tvs) {
2602  threads_done = 0;
2603  SleepMsec(250);
2604  goto retry;
2605  }
2606 
2607  /* this is to make sure that if someone initiated shutdown during a live
2608  * rule swap, the live rule swap won't clean up the old det_ctx and
2609  * de_ctx, till all detect threads have stopped working and sitting
2610  * silently after setting RUNNING_DONE flag and while waiting for
2611  * THV_DEINIT flag */
2612  if (i != no_of_detect_tvs) { // not all threads we swapped
2613  for (ThreadVars *tv = tv_root[TVT_PPT]; tv != NULL; tv = tv->next) {
2614  if ((tv->tmm_flags & TM_FLAG_FLOWWORKER_TM) == 0) {
2615  continue;
2616  }
2617 
2619  SleepUsec(100);
2620  }
2621  }
2622  }
2623 
2624  /* free all the ctxs */
2625  for (i = 0; i < no_of_detect_tvs; i++) {
2626  SCLogDebug("Freeing old_det_ctx - %p used by detect",
2627  old_det_ctx[i]);
2628  DetectEngineThreadCtxDeinit(NULL, old_det_ctx[i]);
2629  }
2630 
2632 
2633  return 1;
2634 
2635  error:
2636  for (i = 0; i < no_of_detect_tvs; i++) {
2637  if (new_det_ctx[i] != NULL)
2638  DetectEngineThreadCtxDeinit(NULL, new_det_ctx[i]);
2639  }
2640  return -1;
2641 }
2642 
2644 {
2645  int sgh_mpm_caching = 0;
2646  if (SCConfGetBool("detect.sgh-mpm-caching", &sgh_mpm_caching) != 1) {
2647  return false;
2648  }
2649  return (bool)sgh_mpm_caching;
2650 }
2651 
2653 {
2654  if (DetectEngineMpmCachingEnabled() == false) {
2655  return NULL;
2656  }
2657 
2658  char yamlpath[] = "detect.sgh-mpm-caching-path";
2659  const char *strval = NULL;
2660  if (SCConfGet(yamlpath, &strval) == 1 && strval != NULL) {
2661  return strval;
2662  }
2663 
2664  static bool notified = false;
2665  if (!notified) {
2666  SCLogInfo("%s has no path specified, using %s", yamlpath, SGH_CACHE_DIR);
2667  notified = true;
2668  }
2669  return SGH_CACHE_DIR;
2670 }
2671 
2672 void DetectEngineMpmCacheService(uint32_t op_flags)
2673 {
2675  if (!de_ctx) {
2676  return;
2677  }
2678 
2679  if (!de_ctx->mpm_cfg || !de_ctx->mpm_cfg->cache_dir_path) {
2680  goto error;
2681  }
2682 
2683  if (mpm_table[de_ctx->mpm_matcher].CacheStatsInit != NULL) {
2685  if (de_ctx->mpm_cfg->cache_stats == NULL) {
2686  goto error;
2687  }
2688  }
2689 
2690  if (op_flags & DETECT_ENGINE_MPM_CACHE_OP_SAVE) {
2691  if (mpm_table[de_ctx->mpm_matcher].CacheRuleset != NULL) {
2693  }
2694  }
2695 
2696  if (op_flags & DETECT_ENGINE_MPM_CACHE_OP_PRUNE) {
2697  if (mpm_table[de_ctx->mpm_matcher].CachePrune != NULL) {
2699  }
2700  }
2701 
2702  if (mpm_table[de_ctx->mpm_matcher].CacheStatsPrint != NULL) {
2704  }
2705 
2706  if (mpm_table[de_ctx->mpm_matcher].CacheStatsDeinit != NULL) {
2708  de_ctx->mpm_cfg->cache_stats = NULL;
2709  }
2710 
2711 error:
2713 }
2714 
2715 static DetectEngineCtx *DetectEngineCtxInitReal(
2716  enum DetectEngineType type, const char *prefix, uint32_t tenant_id)
2717 {
2719  if (unlikely(de_ctx == NULL))
2720  goto error;
2721 
2722  memset(&de_ctx->sig_stat, 0, sizeof(SigFileLoaderStat));
2723  TAILQ_INIT(&de_ctx->sig_stat.failed_sigs);
2724  de_ctx->sigerror = NULL;
2725  de_ctx->type = type;
2727  de_ctx->tenant_id = tenant_id;
2728 
2731 
2734  if (de_ctx->mpm_cfg == NULL) {
2735  goto error;
2736  }
2737 
2741 
2743  if (SCConfGetTime("detect.sgh-mpm-caching-max-age",
2745  de_ctx->mpm_cfg->cache_max_age_seconds = 7ULL * 24ULL * 60ULL * 60ULL;
2746  }
2747  }
2748  }
2749  }
2750 
2753  SCLogDebug("stub %u with version %u", type, de_ctx->version);
2754  return de_ctx;
2755  }
2756 
2757  if (prefix != NULL) {
2758  strlcpy(de_ctx->config_prefix, prefix, sizeof(de_ctx->config_prefix));
2759  }
2760 
2761  int failure_fatal = 0;
2762  if (SCConfGetBool("engine.init-failure-fatal", (int *)&failure_fatal) != 1) {
2763  SCLogDebug("ConfGetBool could not load the value.");
2764  }
2765  de_ctx->failure_fatal = (failure_fatal == 1);
2766 
2767  SCLogConfig("pattern matchers: MPM: %s, SPM: %s", mpm_table[de_ctx->mpm_matcher].name,
2770  if (de_ctx->spm_global_thread_ctx == NULL) {
2771  SCLogDebug("Unable to alloc SpmGlobalThreadCtx.");
2772  goto error;
2773  }
2774 
2776  if (de_ctx->sm_types_prefilter == NULL) {
2777  goto error;
2778  }
2780  if (de_ctx->sm_types_silent_error == NULL) {
2781  goto error;
2782  }
2783  if (DetectEngineCtxLoadConf(de_ctx) == -1) {
2784  goto error;
2785  }
2786 
2792  DetectBufferTypeSetupDetectEngine(de_ctx);
2794 
2795  /* init iprep... ignore errors for now */
2796  (void)SRepInit(de_ctx);
2797 
2801  goto error;
2802  }
2803 
2804  if (ActionInitConfig() < 0) {
2805  goto error;
2806  }
2808  if (SCRConfLoadReferenceConfigFile(de_ctx, NULL) < 0) {
2810  goto error;
2811  }
2812 
2814  SCLogDebug("dectx with version %u", de_ctx->version);
2815  return de_ctx;
2816 error:
2817  if (de_ctx != NULL) {
2819  }
2820  return NULL;
2821 }
2822 
2824 {
2825  return DetectEngineCtxInitReal(DETECT_ENGINE_TYPE_MT_STUB, NULL, 0);
2826 }
2827 
2829 {
2830  return DetectEngineCtxInitReal(DETECT_ENGINE_TYPE_DD_STUB, NULL, 0);
2831 }
2832 
2834 {
2835  return DetectEngineCtxInitReal(DETECT_ENGINE_TYPE_NORMAL, NULL, 0);
2836 }
2837 
2838 DetectEngineCtx *DetectEngineCtxInitWithPrefix(const char *prefix, uint32_t tenant_id)
2839 {
2840  if (prefix == NULL || strlen(prefix) == 0)
2841  return DetectEngineCtxInit();
2842  else
2843  return DetectEngineCtxInitReal(DETECT_ENGINE_TYPE_NORMAL, prefix, tenant_id);
2844 }
2845 
2846 static void DetectEngineCtxFreeThreadKeywordData(DetectEngineCtx *de_ctx)
2847 {
2849 }
2850 
2851 static void DetectEngineCtxFreeFailedSigs(DetectEngineCtx *de_ctx)
2852 {
2853  SigString *item = NULL;
2854  SigString *sitem;
2855 
2856  TAILQ_FOREACH_SAFE(item, &de_ctx->sig_stat.failed_sigs, next, sitem) {
2857  SCFree(item->filename);
2858  SCFree(item->sig_str);
2859  if (item->sig_error) {
2860  SCFree(item->sig_error);
2861  }
2862  TAILQ_REMOVE(&de_ctx->sig_stat.failed_sigs, item, next);
2863  SCFree(item);
2864  }
2865 }
2866 
2867 /**
2868  * \brief Free a DetectEngineCtx::
2869  *
2870  * \param de_ctx DetectEngineCtx:: to be freed
2871  */
2873 {
2874 
2875  if (de_ctx == NULL)
2876  return;
2877 
2878 #ifdef PROFILE_RULES
2879  if (de_ctx->profile_ctx != NULL) {
2880  SCProfilingRuleDestroyCtx(de_ctx->profile_ctx);
2881  de_ctx->profile_ctx = NULL;
2882  }
2883 #endif
2884 #ifdef PROFILING
2885  if (de_ctx->profile_keyword_ctx != NULL) {
2886  SCProfilingKeywordDestroyCtx(de_ctx);//->profile_keyword_ctx);
2887 // de_ctx->profile_keyword_ctx = NULL;
2888  }
2889  if (de_ctx->profile_sgh_ctx != NULL) {
2891  }
2893 #endif
2894 
2897  }
2898  /* Normally the hashes are freed elsewhere, but
2899  * to be sure look at them again here.
2900  */
2906  if (de_ctx->sig_array)
2908 
2909  if (de_ctx->filedata_config)
2911 
2915 
2917 
2921 
2923 
2924  DetectEngineCtxFreeThreadKeywordData(de_ctx);
2926  DetectEngineCtxFreeFailedSigs(de_ctx);
2927 
2930 
2931  /* if we have a config prefix, remove the config from the tree */
2932  if (strlen(de_ctx->config_prefix) > 0) {
2933  /* remove config */
2935  if (node != NULL) {
2936  SCConfNodeRemove(node); /* frees node */
2937  }
2938 #if 0
2939  SCConfDump();
2940 #endif
2941  }
2942 
2945 
2946  DetectBufferTypeFreeDetectEngine(de_ctx);
2949 
2950  if (de_ctx->tenant_path) {
2952  }
2953 
2954  if (de_ctx->requirements) {
2955  SCDetectRequiresStatusFree(de_ctx->requirements);
2956  }
2957 
2958  if (de_ctx->non_pf_engine_names) {
2960  }
2961  if (de_ctx->fw_policies) {
2962  for (uint32_t i = 0; i < DETECT_FIREWALL_POLICY_SIZE; i++) {
2966  }
2967  }
2969  }
2971  SCFree(de_ctx);
2972  //DetectAddressGroupPrintMemory();
2973  //DetectSigGroupPrintMemory();
2974  //DetectPortPrintMemory();
2975 }
2976 
2977 /** \brief Function that load DetectEngineCtx config for grouping sigs
2978  * used by the engine
2979  * \retval 0 if no config provided, 1 if config was provided
2980  * and loaded successfully
2981  */
2982 static int DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
2983 {
2984  uint8_t profile = ENGINE_PROFILE_MEDIUM;
2985  const char *max_uniq_toclient_groups_str = NULL;
2986  const char *max_uniq_toserver_groups_str = NULL;
2987  const char *sgh_mpm_context = NULL;
2988  const char *de_ctx_profile = NULL;
2989 
2990  (void)SCConfGet("detect.profile", &de_ctx_profile);
2991  (void)SCConfGet("detect.sgh-mpm-context", &sgh_mpm_context);
2992 
2993  SCConfNode *de_ctx_custom = SCConfGetNode("detect-engine");
2994  SCConfNode *opt = NULL;
2995 
2996  if (de_ctx_custom != NULL) {
2997  TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
2998  if (de_ctx_profile == NULL) {
2999  if (opt->val && strcmp(opt->val, "profile") == 0) {
3000  de_ctx_profile = opt->head.tqh_first->val;
3001  }
3002  }
3003 
3004  if (sgh_mpm_context == NULL) {
3005  if (opt->val && strcmp(opt->val, "sgh-mpm-context") == 0) {
3006  sgh_mpm_context = opt->head.tqh_first->val;
3007  }
3008  }
3009  }
3010  }
3011 
3012  if (de_ctx_profile != NULL) {
3013  if (strcmp(de_ctx_profile, "low") == 0 ||
3014  strcmp(de_ctx_profile, "lowest") == 0) { // legacy
3015  profile = ENGINE_PROFILE_LOW;
3016  } else if (strcmp(de_ctx_profile, "medium") == 0) {
3017  profile = ENGINE_PROFILE_MEDIUM;
3018  } else if (strcmp(de_ctx_profile, "high") == 0 ||
3019  strcmp(de_ctx_profile, "highest") == 0) { // legacy
3020  profile = ENGINE_PROFILE_HIGH;
3021  } else if (strcmp(de_ctx_profile, "custom") == 0) {
3022  profile = ENGINE_PROFILE_CUSTOM;
3023  } else {
3024  SCLogError("invalid value for detect.profile: '%s'. "
3025  "Valid options: low, medium, high and custom.",
3026  de_ctx_profile);
3027  return -1;
3028  }
3029 
3030  SCLogDebug("Profile for detection engine groups is \"%s\"", de_ctx_profile);
3031  } else {
3032  SCLogDebug("Profile for detection engine groups not provided "
3033  "at suricata.yaml. Using default (\"medium\").");
3034  }
3035 
3036  /* detect-engine.sgh-mpm-context option parsing */
3037  if (sgh_mpm_context == NULL || strcmp(sgh_mpm_context, "auto") == 0) {
3038  /* for now, since we still haven't implemented any intelligence into
3039  * understanding the patterns and distributing mpm_ctx across sgh */
3041  de_ctx->mpm_matcher == MPM_HS) {
3043  } else {
3045  }
3046  } else {
3047  if (strcmp(sgh_mpm_context, "single") == 0) {
3049  } else if (strcmp(sgh_mpm_context, "full") == 0) {
3051  } else {
3052  SCLogError("You have supplied an "
3053  "invalid conf value for detect-engine.sgh-mpm-context-"
3054  "%s",
3055  sgh_mpm_context);
3056  exit(EXIT_FAILURE);
3057  }
3058  }
3059 
3060  if (RunmodeIsUnittests()) {
3062  }
3063 
3064  /* parse profile custom-values */
3065  opt = NULL;
3066  switch (profile) {
3067  case ENGINE_PROFILE_LOW:
3070  break;
3071 
3072  case ENGINE_PROFILE_HIGH:
3075  break;
3076 
3077  case ENGINE_PROFILE_CUSTOM:
3078  (void)SCConfGet("detect.custom-values.toclient-groups", &max_uniq_toclient_groups_str);
3079  (void)SCConfGet("detect.custom-values.toserver-groups", &max_uniq_toserver_groups_str);
3080 
3081  if (de_ctx_custom != NULL) {
3082  TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
3083  if (opt->val && strcmp(opt->val, "custom-values") == 0) {
3084  if (max_uniq_toclient_groups_str == NULL) {
3085  max_uniq_toclient_groups_str = (char *)SCConfNodeLookupChildValue(
3086  opt->head.tqh_first, "toclient-sp-groups");
3087  }
3088  if (max_uniq_toclient_groups_str == NULL) {
3089  max_uniq_toclient_groups_str = (char *)SCConfNodeLookupChildValue(
3090  opt->head.tqh_first, "toclient-groups");
3091  }
3092  if (max_uniq_toserver_groups_str == NULL) {
3093  max_uniq_toserver_groups_str = (char *)SCConfNodeLookupChildValue(
3094  opt->head.tqh_first, "toserver-dp-groups");
3095  }
3096  if (max_uniq_toserver_groups_str == NULL) {
3097  max_uniq_toserver_groups_str = (char *)SCConfNodeLookupChildValue(
3098  opt->head.tqh_first, "toserver-groups");
3099  }
3100  }
3101  }
3102  }
3103  if (max_uniq_toclient_groups_str != NULL) {
3105  (uint16_t)strlen(max_uniq_toclient_groups_str),
3106  (const char *)max_uniq_toclient_groups_str) <= 0) {
3108 
3109  SCLogWarning("parsing '%s' for "
3110  "toclient-groups failed, using %u",
3111  max_uniq_toclient_groups_str, de_ctx->max_uniq_toclient_groups);
3112  }
3113  } else {
3115  }
3116  SCLogConfig("toclient-groups %u", de_ctx->max_uniq_toclient_groups);
3117 
3118  if (max_uniq_toserver_groups_str != NULL) {
3120  (uint16_t)strlen(max_uniq_toserver_groups_str),
3121  (const char *)max_uniq_toserver_groups_str) <= 0) {
3123 
3124  SCLogWarning("parsing '%s' for "
3125  "toserver-groups failed, using %u",
3126  max_uniq_toserver_groups_str, de_ctx->max_uniq_toserver_groups);
3127  }
3128  } else {
3130  }
3131  SCLogConfig("toserver-groups %u", de_ctx->max_uniq_toserver_groups);
3132  break;
3133 
3134  /* Default (or no config provided) is profile medium */
3135  case ENGINE_PROFILE_MEDIUM:
3137  default:
3140  break;
3141  }
3142 
3143  intmax_t value = 0;
3145  if (SCConfGetInt("detect.inspection-recursion-limit", &value) == 1) {
3146  if (value >= 0 && value <= INT_MAX) {
3147  de_ctx->inspection_recursion_limit = (int)value;
3148  }
3149 
3150  /* fall back to old config parsing */
3151  } else {
3152  SCConfNode *insp_recursion_limit_node = NULL;
3153  char *insp_recursion_limit = NULL;
3154 
3155  if (de_ctx_custom != NULL) {
3156  opt = NULL;
3157  TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
3158  if (opt->val && strcmp(opt->val, "inspection-recursion-limit") != 0)
3159  continue;
3160 
3161  insp_recursion_limit_node = SCConfNodeLookupChild(opt, opt->val);
3162  if (insp_recursion_limit_node == NULL) {
3163  SCLogError("Error retrieving conf "
3164  "entry for detect-engine:inspection-recursion-limit");
3165  break;
3166  }
3167  insp_recursion_limit = insp_recursion_limit_node->val;
3168  SCLogDebug("Found detect-engine.inspection-recursion-limit - %s:%s",
3169  insp_recursion_limit_node->name, insp_recursion_limit_node->val);
3170  break;
3171  }
3172 
3173  if (insp_recursion_limit != NULL) {
3175  0, (const char *)insp_recursion_limit) < 0) {
3176  SCLogWarning("Invalid value for "
3177  "detect-engine.inspection-recursion-limit: %s "
3178  "resetting to %d",
3179  insp_recursion_limit, DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT);
3182  }
3183  }
3184  }
3185  }
3186 
3189 
3190  SCLogDebug("de_ctx->inspection_recursion_limit: %d",
3192 
3193  // default value is 4
3195  if (SCConfGetInt("detect.stream-tx-log-limit", &value) == 1) {
3196  if (value >= 0 && value <= UINT8_MAX) {
3197  de_ctx->guess_applayer_log_limit = (uint8_t)value;
3198  } else {
3199  SCLogWarning("Invalid value for detect-engine.stream-tx-log-limit: must be between 0 "
3200  "and 255, will default to 4");
3201  }
3202  }
3203  int guess_applayer = 0;
3204  if ((SCConfGetBool("detect.guess-applayer-tx", &guess_applayer)) == 1) {
3205  if (guess_applayer == 1) {
3206  de_ctx->guess_applayer = true;
3207  }
3208  }
3209 
3210  /* parse port grouping priority settings */
3211 
3212  const char *ports = NULL;
3213  (void)SCConfGet("detect.grouping.tcp-priority-ports", &ports);
3214  if (ports) {
3215  SCLogConfig("grouping: tcp-priority-ports %s", ports);
3216  } else {
3217  (void)SCConfGet("detect.grouping.tcp-whitelist", &ports);
3218  if (ports) {
3219  SCLogConfig(
3220  "grouping: tcp-priority-ports from legacy 'tcp-whitelist' setting: %s", ports);
3221  } else {
3222  ports = "53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080";
3223  SCLogConfig("grouping: tcp-priority-ports (default) %s", ports);
3224  }
3225  }
3226  if (DetectPortParse(de_ctx, &de_ctx->tcp_priorityports, ports) != 0) {
3227  SCLogWarning("'%s' is not a valid value "
3228  "for detect.grouping.tcp-priority-ports",
3229  ports);
3230  }
3232  for ( ; x != NULL; x = x->next) {
3233  if (x->port != x->port2) {
3234  SCLogWarning("'%s' is not a valid value "
3235  "for detect.grouping.tcp-priority-ports: only single ports allowed",
3236  ports);
3238  de_ctx->tcp_priorityports = NULL;
3239  break;
3240  }
3241  }
3242 
3243  ports = NULL;
3244  (void)SCConfGet("detect.grouping.udp-priority-ports", &ports);
3245  if (ports) {
3246  SCLogConfig("grouping: udp-priority-ports %s", ports);
3247  } else {
3248  (void)SCConfGet("detect.grouping.udp-whitelist", &ports);
3249  if (ports) {
3250  SCLogConfig(
3251  "grouping: udp-priority-ports from legacy 'udp-whitelist' setting: %s", ports);
3252  } else {
3253  ports = "53, 135, 5060";
3254  SCLogConfig("grouping: udp-priority-ports (default) %s", ports);
3255  }
3256  }
3257  if (DetectPortParse(de_ctx, &de_ctx->udp_priorityports, ports) != 0) {
3258  SCLogWarning("'%s' is not a valid value "
3259  "for detect.grouping.udp-priority-ports",
3260  ports);
3261  }
3262  for (x = de_ctx->udp_priorityports; x != NULL; x = x->next) {
3263  if (x->port != x->port2) {
3264  SCLogWarning("'%s' is not a valid value "
3265  "for detect.grouping.udp-priority-ports: only single ports allowed",
3266  ports);
3268  de_ctx->udp_priorityports = NULL;
3269  break;
3270  }
3271  }
3272 
3273  DetectEngineLoadFlowbitSettings(de_ctx);
3274 
3276  const char *pf_setting = NULL;
3277  if (SCConfGet("detect.prefilter.default", &pf_setting) == 1 && pf_setting) {
3278  if (strcasecmp(pf_setting, "mpm") == 0) {
3280  } else if (strcasecmp(pf_setting, "auto") == 0) {
3282  }
3283  }
3284  switch (de_ctx->prefilter_setting) {
3285  case DETECT_PREFILTER_MPM:
3286  SCLogConfig("prefilter engines: MPM");
3287  break;
3288  case DETECT_PREFILTER_AUTO:
3289  SCLogConfig("prefilter engines: MPM and keywords");
3290  break;
3291  }
3292 
3293  return 0;
3294 }
3295 
3297 {
3298  de_ctx->signum = 0;
3299 }
3300 
3301 static int DetectEngineThreadCtxInitGlobalKeywords(DetectEngineThreadCtx *det_ctx)
3302 {
3303  const DetectEngineMasterCtx *master = &g_master_de_ctx;
3304 
3305  if (master->keyword_id > 0) {
3306  // coverity[suspicious_sizeof : FALSE]
3307  det_ctx->global_keyword_ctxs_array = (void **)SCCalloc(master->keyword_id, sizeof(void *));
3308  if (det_ctx->global_keyword_ctxs_array == NULL) {
3309  SCLogError("setting up thread local detect ctx");
3310  return TM_ECODE_FAILED;
3311  }
3312  det_ctx->global_keyword_ctxs_size = master->keyword_id;
3313 
3314  const DetectEngineThreadKeywordCtxItem *item = master->keyword_list;
3315  while (item) {
3316  det_ctx->global_keyword_ctxs_array[item->id] = item->InitFunc(item->data);
3317  if (det_ctx->global_keyword_ctxs_array[item->id] == NULL) {
3318  SCLogError("setting up thread local detect ctx "
3319  "for keyword \"%s\" failed",
3320  item->name);
3321  return TM_ECODE_FAILED;
3322  }
3323  item = item->next;
3324  }
3325  }
3326  return TM_ECODE_OK;
3327 }
3328 
3329 static void DetectEngineThreadCtxDeinitGlobalKeywords(DetectEngineThreadCtx *det_ctx)
3330 {
3331  if (det_ctx->global_keyword_ctxs_array == NULL ||
3332  det_ctx->global_keyword_ctxs_size == 0) {
3333  return;
3334  }
3335 
3336  const DetectEngineMasterCtx *master = &g_master_de_ctx;
3337  if (master->keyword_id > 0) {
3338  const DetectEngineThreadKeywordCtxItem *item = master->keyword_list;
3339  while (item) {
3340  if (det_ctx->global_keyword_ctxs_array[item->id] != NULL)
3341  item->FreeFunc(det_ctx->global_keyword_ctxs_array[item->id]);
3342 
3343  item = item->next;
3344  }
3345  det_ctx->global_keyword_ctxs_size = 0;
3347  det_ctx->global_keyword_ctxs_array = NULL;
3348  }
3349 }
3350 
3351 static int DetectEngineThreadCtxInitKeywords(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx)
3352 {
3353  if (de_ctx->keyword_id > 0) {
3354  // coverity[suspicious_sizeof : FALSE]
3355  det_ctx->keyword_ctxs_array = SCCalloc(de_ctx->keyword_id, sizeof(void *));
3356  if (det_ctx->keyword_ctxs_array == NULL) {
3357  SCLogError("setting up thread local detect ctx");
3358  return TM_ECODE_FAILED;
3359  }
3360 
3361  det_ctx->keyword_ctxs_size = de_ctx->keyword_id;
3362 
3364  for (; hb != NULL; hb = HashListTableGetListNext(hb)) {
3366 
3367  det_ctx->keyword_ctxs_array[item->id] = item->InitFunc(item->data);
3368  if (det_ctx->keyword_ctxs_array[item->id] == NULL) {
3369  SCLogError("setting up thread local detect ctx "
3370  "for keyword \"%s\" failed",
3371  item->name);
3372  return TM_ECODE_FAILED;
3373  }
3374  }
3375  }
3376  return TM_ECODE_OK;
3377 }
3378 
3379 static void DetectEngineThreadCtxDeinitKeywords(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx)
3380 {
3381  if (de_ctx->keyword_id > 0) {
3383  for (; hb != NULL; hb = HashListTableGetListNext(hb)) {
3385 
3386  if (det_ctx->keyword_ctxs_array[item->id] != NULL)
3387  item->FreeFunc(det_ctx->keyword_ctxs_array[item->id]);
3388  }
3389  det_ctx->keyword_ctxs_size = 0;
3390  SCFree(det_ctx->keyword_ctxs_array);
3391  det_ctx->keyword_ctxs_array = NULL;
3392  }
3393 }
3394 
3395 /** NOTE: master MUST be locked before calling this */
3396 static TmEcode DetectEngineThreadCtxInitForMT(ThreadVars *tv, DetectEngineThreadCtx *det_ctx)
3397 {
3398  DetectEngineMasterCtx *master = &g_master_de_ctx;
3399 
3400  DetectEngineTenantMapping *map_array = NULL;
3401  uint32_t map_array_size = 0;
3402  uint32_t map_cnt = 0;
3403  uint32_t max_tenant_id = 0;
3404  DetectEngineCtx *list = master->list;
3405 
3407 
3408  /* coverity[missing_lock] */
3409  if (master->tenant_selector == TENANT_SELECTOR_UNKNOWN) {
3410  SCLogError("no tenant selector set: "
3411  "set using multi-detect.selector");
3412  return TM_ECODE_FAILED;
3413  }
3414 
3415  uint32_t tcnt = 0;
3416  while (list) {
3417  if (list->tenant_id > max_tenant_id)
3418  max_tenant_id = list->tenant_id;
3419 
3420  list = list->next;
3421  tcnt++;
3422  }
3423 
3424  HashTable *mt_det_ctxs_hash =
3425  HashTableInit(tcnt * 2, TenantIdHash, TenantIdCompare, TenantIdFree);
3426  if (mt_det_ctxs_hash == NULL) {
3427  goto error;
3428  }
3429 
3430  if (tcnt == 0) {
3431  SCLogInfo("no tenants left, or none registered yet");
3432  } else {
3433  max_tenant_id++;
3434 
3436  while (map) {
3437  map_cnt++;
3438  map = map->next;
3439  }
3440 
3441  if (map_cnt > 0) {
3442  map_array_size = map_cnt + 1;
3443 
3444  map_array = SCCalloc(map_array_size, sizeof(*map_array));
3445  if (map_array == NULL)
3446  goto error;
3447 
3448  /* fill the array */
3449  map_cnt = 0;
3450  map = master->tenant_mapping_list;
3451  while (map) {
3452  if (map_cnt >= map_array_size) {
3453  goto error;
3454  }
3455  map_array[map_cnt].traffic_id = map->traffic_id;
3456  map_array[map_cnt].tenant_id = map->tenant_id;
3457  map_cnt++;
3458  map = map->next;
3459  }
3460 
3461  }
3462 
3463  /* set up hash for tenant lookup */
3464  list = master->list;
3465  while (list) {
3466  SCLogDebug("tenant-id %u", list->tenant_id);
3467  if (list->tenant_id != 0) {
3469  if (mt_det_ctx == NULL)
3470  goto error;
3471  if (HashTableAdd(mt_det_ctxs_hash, mt_det_ctx, 0) != 0) {
3472  goto error;
3473  }
3474  }
3475  list = list->next;
3476  }
3477  }
3478 
3479  det_ctx->mt_det_ctxs_hash = mt_det_ctxs_hash;
3480  mt_det_ctxs_hash = NULL;
3481 
3482  det_ctx->mt_det_ctxs_cnt = max_tenant_id;
3483 
3484  det_ctx->tenant_array = map_array;
3485  det_ctx->tenant_array_size = map_array_size;
3486 
3487  switch (master->tenant_selector) {
3489  SCLogDebug("TENANT_SELECTOR_UNKNOWN");
3490  break;
3491  case TENANT_SELECTOR_VLAN:
3492  det_ctx->TenantGetId = DetectEngineTenantGetIdFromVlanId;
3493  SCLogDebug("TENANT_SELECTOR_VLAN");
3494  break;
3496  det_ctx->TenantGetId = DetectEngineTenantGetIdFromLivedev;
3497  SCLogDebug("TENANT_SELECTOR_LIVEDEV");
3498  break;
3500  det_ctx->TenantGetId = DetectEngineTenantGetIdFromPcap;
3501  SCLogDebug("TENANT_SELECTOR_DIRECT");
3502  break;
3503  }
3504 
3505  return TM_ECODE_OK;
3506 error:
3507  if (map_array != NULL)
3508  SCFree(map_array);
3509  if (mt_det_ctxs_hash != NULL)
3510  HashTableFree(mt_det_ctxs_hash);
3511 
3512  return TM_ECODE_FAILED;
3513 }
3514 
3515 /** \internal
3516  * \brief Helper for DetectThread setup functions
3517  */
3518 static TmEcode ThreadCtxDoInit (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx)
3519 {
3520  PatternMatchThreadPrepare(&det_ctx->mtc, de_ctx);
3521 
3522  PmqSetup(&det_ctx->pmq);
3523 
3525  if (det_ctx->spm_thread_ctx == NULL) {
3526  return TM_ECODE_FAILED;
3527  }
3528 
3529  /* DeState */
3530  if (de_ctx->sig_array_len > 0) {
3531  det_ctx->match_array_len = de_ctx->sig_array_len;
3532  det_ctx->match_array = SCCalloc(det_ctx->match_array_len, sizeof(Signature *));
3533  if (det_ctx->match_array == NULL) {
3534  return TM_ECODE_FAILED;
3535  }
3536  det_ctx->replace = SCCalloc(de_ctx->sig_array_len, sizeof(Signature *));
3537  if (det_ctx->replace == NULL) {
3538  return TM_ECODE_FAILED;
3539  }
3540 
3542  }
3543 
3544  /* Alert processing queue */
3545  AlertQueueInit(det_ctx);
3546 
3547  /* byte_extract storage */
3548  det_ctx->byte_values = SCMalloc(sizeof(*det_ctx->byte_values) *
3550  if (det_ctx->byte_values == NULL) {
3551  return TM_ECODE_FAILED;
3552  }
3553 
3554  /* Allocate space for base64 decoded data. */
3557  if (det_ctx->base64_decoded == NULL) {
3558  return TM_ECODE_FAILED;
3559  }
3560  det_ctx->base64_decoded_len = 0;
3561  }
3562 
3564  det_ctx->inspect.buffers = SCCalloc(det_ctx->inspect.buffers_size, sizeof(InspectionBuffer));
3565  if (det_ctx->inspect.buffers == NULL) {
3566  return TM_ECODE_FAILED;
3567  }
3568  det_ctx->inspect.to_clear_queue = SCCalloc(det_ctx->inspect.buffers_size, sizeof(uint32_t));
3569  if (det_ctx->inspect.to_clear_queue == NULL) {
3570  return TM_ECODE_FAILED;
3571  }
3572  det_ctx->inspect.to_clear_idx = 0;
3573 
3576  if (det_ctx->multi_inspect.buffers == NULL) {
3577  return TM_ECODE_FAILED;
3578  }
3579  det_ctx->multi_inspect.to_clear_queue = SCCalloc(det_ctx->multi_inspect.buffers_size, sizeof(uint32_t));
3580  if (det_ctx->multi_inspect.to_clear_queue == NULL) {
3581  return TM_ECODE_FAILED;
3582  }
3583  det_ctx->multi_inspect.to_clear_idx = 0;
3584 
3585  if (DetectEngineThreadCtxInitKeywords(de_ctx, det_ctx) != TM_ECODE_OK)
3586  return TM_ECODE_FAILED;
3587  DetectEngineThreadCtxInitGlobalKeywords(det_ctx);
3588 #ifdef PROFILE_RULES
3589  SCProfilingRuleThreadSetup(de_ctx->profile_ctx, det_ctx);
3590 #endif
3591 #ifdef PROFILING
3595 #endif
3596  SC_ATOMIC_INIT(det_ctx->so_far_used_by_detect);
3597 
3598  if (ThresholdCacheThreadInit(det_ctx) != 0)
3599  return TM_ECODE_FAILED;
3600  return TM_ECODE_OK;
3601 }
3602 
3603 /** \brief initialize thread specific detection engine context
3604  *
3605  * \note there is a special case when using delayed detect. In this case the
3606  * function is called twice per thread. The first time the rules are not
3607  * yet loaded. de_ctx->delayed_detect_initialized will be 0. The 2nd
3608  * time they will be loaded. de_ctx->delayed_detect_initialized will be 1.
3609  * This is needed to do the per thread counter registration before the
3610  * packet runtime starts. In delayed detect mode, the first call will
3611  * return a NULL ptr through the data ptr.
3612  *
3613  * \param tv ThreadVars for this thread
3614  * \param initdata pointer to de_ctx
3615  * \param data[out] pointer to store our thread detection ctx
3616  *
3617  * \retval TM_ECODE_OK if all went well
3618  * \retval TM_ECODE_FAILED on serious errors
3619  */
3620 TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
3621 {
3622  DetectEngineThreadCtx *det_ctx = SCCalloc(1, sizeof(DetectEngineThreadCtx));
3623  if (unlikely(det_ctx == NULL))
3624  return TM_ECODE_FAILED;
3625 
3626  det_ctx->tv = tv;
3627  det_ctx->de_ctx = DetectEngineGetCurrent();
3628  if (det_ctx->de_ctx == NULL) {
3629 #ifdef UNITTESTS
3630  if (RunmodeIsUnittests()) {
3631  det_ctx->de_ctx = (DetectEngineCtx *)initdata;
3632  } else {
3633  DetectEngineThreadCtxDeinit(tv, det_ctx);
3634  return TM_ECODE_FAILED;
3635  }
3636 #else
3637  DetectEngineThreadCtxDeinit(tv, det_ctx);
3638  return TM_ECODE_FAILED;
3639 #endif
3640  }
3641 
3642  if (det_ctx->de_ctx->type == DETECT_ENGINE_TYPE_NORMAL ||
3643  det_ctx->de_ctx->type == DETECT_ENGINE_TYPE_TENANT)
3644  {
3645  if (ThreadCtxDoInit(det_ctx->de_ctx, det_ctx) != TM_ECODE_OK) {
3646  DetectEngineThreadCtxDeinit(tv, det_ctx);
3647  return TM_ECODE_FAILED;
3648  }
3649  }
3650 
3651  /** alert counter setup */
3652  det_ctx->counter_alerts = StatsRegisterCounter("detect.alert", &tv->stats);
3653  det_ctx->counter_alerts_overflow =
3654  StatsRegisterCounter("detect.alert_queue_overflow", &tv->stats);
3655  if (EngineModeIsFirewall()) {
3657  StatsRegisterCounter("firewall.discarded_alerts", &tv->stats);
3658  }
3659  det_ctx->counter_alerts_suppressed =
3660  StatsRegisterCounter("detect.alerts_suppressed", &tv->stats);
3661 
3662  /* Register counter for Lua rule errors. */
3663  det_ctx->lua_rule_errors = StatsRegisterCounter("detect.lua.errors", &tv->stats);
3664 
3665  /* Register a counter for Lua blocked function attempts. */
3666  det_ctx->lua_blocked_function_errors =
3667  StatsRegisterCounter("detect.lua.blocked_function_errors", &tv->stats);
3668 
3669  /* Register a counter for Lua instruction limit errors. */
3670  det_ctx->lua_instruction_limit_errors =
3671  StatsRegisterCounter("detect.lua.instruction_limit_errors", &tv->stats);
3672 
3673  /* Register a counter for Lua memory limit errors. */
3674  det_ctx->lua_memory_limit_errors =
3675  StatsRegisterCounter("detect.lua.memory_limit_errors", &tv->stats);
3676 
3677  det_ctx->json_content = NULL;
3678  det_ctx->json_content_capacity = 0;
3679  det_ctx->json_content_len = 0;
3680 
3681 #ifdef PROFILING
3682  det_ctx->counter_mpm_list = StatsRegisterAvgCounter("detect.mpm_list", &tv->stats);
3683  det_ctx->counter_match_list = StatsRegisterAvgCounter("detect.match_list", &tv->stats);
3684 #endif
3685 
3687  DetectEngineMasterCtx *master = &g_master_de_ctx;
3688  SCMutexLock(&master->lock);
3689  if (DetectEngineThreadCtxInitForMT(tv, det_ctx) != TM_ECODE_OK) {
3690  DetectEngineThreadCtxDeinit(tv, det_ctx);
3691  SCMutexUnlock(&master->lock);
3692  return TM_ECODE_FAILED;
3693  }
3694  SCMutexUnlock(&master->lock);
3695  }
3696 
3697  /* pass thread data back to caller */
3698  *data = (void *)det_ctx;
3699 
3700  return TM_ECODE_OK;
3701 }
3702 
3703 /**
3704  * \internal
3705  * \brief initialize a det_ctx for reload cases
3706  * \param new_de_ctx the new detection engine
3707  * \param mt flag to indicate if MT should be set up for this det_ctx
3708  * this should only be done for the 'root' det_ctx
3709  *
3710  * \retval det_ctx detection engine thread ctx or NULL in case of error
3711  */
3713  ThreadVars *tv, DetectEngineCtx *new_de_ctx, int mt)
3714 {
3715  DetectEngineThreadCtx *det_ctx = SCCalloc(1, sizeof(DetectEngineThreadCtx));
3716  if (unlikely(det_ctx == NULL))
3717  return NULL;
3718 
3719  det_ctx->tenant_id = new_de_ctx->tenant_id;
3720  det_ctx->tv = tv;
3721  det_ctx->de_ctx = DetectEngineReference(new_de_ctx);
3722  if (det_ctx->de_ctx == NULL) {
3723  SCFree(det_ctx);
3724  return NULL;
3725  }
3726 
3727  /* most of the init happens here */
3728  if (det_ctx->de_ctx->type == DETECT_ENGINE_TYPE_NORMAL ||
3729  det_ctx->de_ctx->type == DETECT_ENGINE_TYPE_TENANT)
3730  {
3731  if (ThreadCtxDoInit(det_ctx->de_ctx, det_ctx) != TM_ECODE_OK) {
3732  DetectEngineDeReference(&det_ctx->de_ctx);
3733  SCFree(det_ctx);
3734  return NULL;
3735  }
3736  }
3737 
3738  /** alert counter setup */
3739  det_ctx->counter_alerts = StatsRegisterCounter("detect.alert", &tv->stats);
3740  det_ctx->counter_alerts_overflow =
3741  StatsRegisterCounter("detect.alert_queue_overflow", &tv->stats);
3742  if (EngineModeIsFirewall()) {
3744  StatsRegisterCounter("firewall.discarded_alerts", &tv->stats);
3745  }
3746  det_ctx->counter_alerts_suppressed =
3747  StatsRegisterCounter("detect.alerts_suppressed", &tv->stats);
3748 #ifdef PROFILING
3749  det_ctx->counter_mpm_list = StatsRegisterAvgCounter("detect.mpm_list", &tv->stats);
3750  det_ctx->counter_match_list = StatsRegisterAvgCounter("detect.match_list", &tv->stats);
3751 #endif
3752 
3753  if (mt && DetectEngineMultiTenantEnabledWithLock()) {
3754  if (DetectEngineThreadCtxInitForMT(tv, det_ctx) != TM_ECODE_OK) {
3755  DetectEngineDeReference(&det_ctx->de_ctx);
3756  SCFree(det_ctx);
3757  return NULL;
3758  }
3759  }
3760 
3761  return det_ctx;
3762 }
3763 
3764 static void DetectEngineThreadCtxFree(DetectEngineThreadCtx *det_ctx)
3765 {
3766 #if DEBUG
3767  SCLogDebug("PACKET PKT_STREAM_ADD: %"PRIu64, det_ctx->pkt_stream_add_cnt);
3768 
3769  SCLogDebug("PAYLOAD MPM %"PRIu64"/%"PRIu64, det_ctx->payload_mpm_cnt, det_ctx->payload_mpm_size);
3770  SCLogDebug("STREAM MPM %"PRIu64"/%"PRIu64, det_ctx->stream_mpm_cnt, det_ctx->stream_mpm_size);
3771 
3772  SCLogDebug("PAYLOAD SIG %"PRIu64"/%"PRIu64, det_ctx->payload_persig_cnt, det_ctx->payload_persig_size);
3773  SCLogDebug("STREAM SIG %"PRIu64"/%"PRIu64, det_ctx->stream_persig_cnt, det_ctx->stream_persig_size);
3774 #endif
3775 
3776  if (det_ctx->tenant_array != NULL) {
3777  SCFree(det_ctx->tenant_array);
3778  det_ctx->tenant_array = NULL;
3779  }
3780 
3781 #ifdef PROFILE_RULES
3782  SCProfilingRuleThreadCleanup(det_ctx);
3783 #endif
3784 #ifdef PROFILING
3787  SCProfilingSghThreadCleanup(det_ctx);
3788 #endif
3789 
3790  /** \todo get rid of this static */
3791  if (det_ctx->de_ctx != NULL) {
3792  PatternMatchThreadDestroy(&det_ctx->mtc, det_ctx->de_ctx->mpm_matcher);
3793  }
3794 
3795  PmqFree(&det_ctx->pmq);
3796 
3797  if (det_ctx->spm_thread_ctx != NULL) {
3799  }
3800  if (det_ctx->match_array != NULL)
3801  SCFree(det_ctx->match_array);
3802  if (det_ctx->replace != NULL)
3803  SCFree(det_ctx->replace);
3804 
3806 
3807  AlertQueueFree(det_ctx);
3808 
3809  if (det_ctx->post_rule_work_queue.q)
3810  SCFree(det_ctx->post_rule_work_queue.q);
3811 
3812  if (det_ctx->byte_values != NULL)
3813  SCFree(det_ctx->byte_values);
3814 
3815  /* Decoded base64 data. */
3816  if (det_ctx->base64_decoded != NULL) {
3817  SCFree(det_ctx->base64_decoded);
3818  }
3819 
3820  if (det_ctx->inspect.buffers) {
3821  for (uint32_t i = 0; i < det_ctx->inspect.buffers_size; i++) {
3822  InspectionBufferFree(&det_ctx->inspect.buffers[i]);
3823  }
3824  SCFree(det_ctx->inspect.buffers);
3825  }
3826  if (det_ctx->inspect.to_clear_queue) {
3827  SCFree(det_ctx->inspect.to_clear_queue);
3828  }
3829  if (det_ctx->multi_inspect.buffers) {
3830  for (uint32_t i = 0; i < det_ctx->multi_inspect.buffers_size; i++) {
3832  for (uint32_t x = 0; x < fb->size; x++) {
3834  }
3836  }
3837  SCFree(det_ctx->multi_inspect.buffers);
3838  }
3839  if (det_ctx->multi_inspect.to_clear_queue) {
3841  }
3842 
3843  DetectEngineThreadCtxDeinitGlobalKeywords(det_ctx);
3844  if (det_ctx->de_ctx != NULL) {
3845  DetectEngineThreadCtxDeinitKeywords(det_ctx->de_ctx, det_ctx);
3846 #ifdef UNITTESTS
3847  if (!RunmodeIsUnittests() || det_ctx->de_ctx->ref_cnt > 0)
3848  DetectEngineDeReference(&det_ctx->de_ctx);
3849 #else
3850  DetectEngineDeReference(&det_ctx->de_ctx);
3851 #endif
3852  }
3853 
3854  if (det_ctx->json_content) {
3855  SCFree(det_ctx->json_content);
3856  det_ctx->json_content = NULL;
3857  det_ctx->json_content_capacity = 0;
3858  }
3859 
3862  SCFree(det_ctx);
3863 }
3864 
3866 {
3867  DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;
3868 
3869  if (det_ctx == NULL) {
3870  SCLogWarning("argument \"data\" NULL");
3871  return TM_ECODE_OK;
3872  }
3873 
3874  if (det_ctx->mt_det_ctxs_hash != NULL) {
3875  HashTableFree(det_ctx->mt_det_ctxs_hash);
3876  det_ctx->mt_det_ctxs_hash = NULL;
3877  }
3878  DetectEngineThreadCtxFree(det_ctx);
3879 
3880  return TM_ECODE_OK;
3881 }
3882 
3883 static uint32_t DetectKeywordCtxHashFunc(HashListTable *ht, void *data, uint16_t datalen)
3884 {
3886  const char *name = ctx->name;
3887  uint64_t hash =
3888  StringHashDjb2((const uint8_t *)name, (uint32_t)strlen(name)) + (ptrdiff_t)ctx->data;
3889  hash %= ht->array_size;
3890  return (uint32_t)hash;
3891 }
3892 
3893 static char DetectKeywordCtxCompareFunc(void *data1, uint16_t len1, void *data2, uint16_t len2)
3894 {
3895  DetectEngineThreadKeywordCtxItem *ctx1 = data1;
3896  DetectEngineThreadKeywordCtxItem *ctx2 = data2;
3897  const char *name1 = ctx1->name;
3898  const char *name2 = ctx2->name;
3899  return (strcmp(name1, name2) == 0 && ctx1->data == ctx2->data);
3900 }
3901 
3902 static void DetectKeywordCtxFreeFunc(void *ptr)
3903 {
3904  SCFree(ptr);
3905 }
3906 
3907 /** \brief Register Thread keyword context Funcs
3908  *
3909  * \param de_ctx detection engine to register in
3910  * \param name keyword name for error printing
3911  * \param InitFunc function ptr
3912  * \param data keyword init data to pass to Func. Can be NULL.
3913  * \param FreeFunc function ptr
3914  * \param mode 0 normal (ctx per keyword instance) 1 shared (one ctx per det_ct)
3915  *
3916  * \retval id for retrieval of ctx at runtime
3917  * \retval -1 on error
3918  *
3919  * \note make sure "data" remains valid and it free'd elsewhere. It's
3920  * recommended to store it in the keywords global ctx so that
3921  * it's freed when the de_ctx is freed.
3922  */
3923 int DetectRegisterThreadCtxFuncs(DetectEngineCtx *de_ctx, const char *name, void *(*InitFunc)(void *), void *data, void (*FreeFunc)(void *), int mode)
3924 {
3925  BUG_ON(de_ctx == NULL || InitFunc == NULL || FreeFunc == NULL);
3926 
3927  if (de_ctx->keyword_hash == NULL) {
3928  de_ctx->keyword_hash = HashListTableInit(4096, // TODO
3929  DetectKeywordCtxHashFunc, DetectKeywordCtxCompareFunc, DetectKeywordCtxFreeFunc);
3930  BUG_ON(de_ctx->keyword_hash == NULL);
3931  }
3932 
3933  if (mode) {
3934  DetectEngineThreadKeywordCtxItem search = { .data = data, .name = name };
3935 
3937  HashListTableLookup(de_ctx->keyword_hash, (void *)&search, 0);
3938  if (item)
3939  return item->id;
3940 
3941  /* fall through */
3942  }
3943 
3945  if (unlikely(item == NULL))
3946  return -1;
3947 
3948  item->InitFunc = InitFunc;
3949  item->FreeFunc = FreeFunc;
3950  item->data = data;
3951  item->name = name;
3952  item->id = de_ctx->keyword_id++;
3953 
3954  if (HashListTableAdd(de_ctx->keyword_hash, (void *)item, 0) < 0) {
3955  SCFree(item);
3956  return -1;
3957  }
3958  return item->id;
3959 }
3960 
3961 /** \brief Remove Thread keyword context registration
3962  *
3963  * \param de_ctx detection engine to deregister from
3964  * \param det_ctx detection engine thread context to deregister from
3965  * \param data keyword init data to pass to Func. Can be NULL.
3966  * \param name keyword name for error printing
3967  *
3968  * \retval 1 Item unregistered
3969  * \retval 0 otherwise
3970  *
3971  * \note make sure "data" remains valid and it free'd elsewhere. It's
3972  * recommended to store it in the keywords global ctx so that
3973  * it's freed when the de_ctx is freed.
3974  */
3976 {
3977  /* might happen if we call this before a call to *Register* */
3978  if (de_ctx->keyword_hash == NULL)
3979  return 1;
3980  DetectEngineThreadKeywordCtxItem remove = { .data = data, .name = name };
3981  if (HashListTableRemove(de_ctx->keyword_hash, (void *)&remove, 0) == 0)
3982  return 1;
3983  return 0;
3984 }
3985 /** \brief Retrieve thread local keyword ctx by id
3986  *
3987  * \param det_ctx detection engine thread ctx to retrieve the ctx from
3988  * \param id id of the ctx returned by DetectRegisterThreadCtxInitFunc at
3989  * keyword init.
3990  *
3991  * \retval ctx or NULL on error
3992  */
3994 {
3995  if (id < 0 || id > det_ctx->keyword_ctxs_size || det_ctx->keyword_ctxs_array == NULL)
3996  return NULL;
3997 
3998  return det_ctx->keyword_ctxs_array[id];
3999 }
4000 
4001 
4002 /** \brief Register Thread keyword context Funcs (Global)
4003  *
4004  * IDs stay static over reloads and between tenants
4005  *
4006  * \param name keyword name for error printing
4007  * \param InitFunc function ptr
4008  * \param FreeFunc function ptr
4009  *
4010  * \retval id for retrieval of ctx at runtime
4011  * \retval -1 on error
4012  */
4014  const char *name, void *(*InitFunc)(void *), void *data, void (*FreeFunc)(void *))
4015 {
4016  int id;
4017  BUG_ON(InitFunc == NULL || FreeFunc == NULL);
4018 
4019  DetectEngineMasterCtx *master = &g_master_de_ctx;
4020 
4021  /* if already registered, return existing id */
4023  while (item != NULL) {
4024  if (strcmp(name, item->name) == 0) {
4025  id = item->id;
4026  return id;
4027  }
4028 
4029  item = item->next;
4030  }
4031 
4032  item = SCCalloc(1, sizeof(*item));
4033  if (unlikely(item == NULL)) {
4034  return -1;
4035  }
4036  item->InitFunc = InitFunc;
4037  item->FreeFunc = FreeFunc;
4038  item->name = name;
4039  item->data = data;
4040 
4041  item->next = master->keyword_list;
4042  master->keyword_list = item;
4043  item->id = master->keyword_id++;
4044 
4045  id = item->id;
4046  return id;
4047 }
4048 
4049 /** \brief Retrieve thread local keyword ctx by id
4050  *
4051  * \param det_ctx detection engine thread ctx to retrieve the ctx from
4052  * \param id id of the ctx returned by DetectRegisterThreadCtxInitFunc at
4053  * keyword init.
4054  *
4055  * \retval ctx or NULL on error
4056  */
4058 {
4059  if (id < 0 || id > det_ctx->global_keyword_ctxs_size ||
4060  det_ctx->global_keyword_ctxs_array == NULL) {
4061  return NULL;
4062  }
4063 
4064  return det_ctx->global_keyword_ctxs_array[id];
4065 }
4066 
4067 /** \brief Check if detection is enabled
4068  * \retval bool true or false */
4070 {
4071  DetectEngineMasterCtx *master = &g_master_de_ctx;
4072  SCMutexLock(&master->lock);
4073 
4074  if (master->list == NULL) {
4075  SCMutexUnlock(&master->lock);
4076  return 0;
4077  }
4078 
4079  SCMutexUnlock(&master->lock);
4080  return 1;
4081 }
4082 
4084 {
4085  uint32_t version;
4086  DetectEngineMasterCtx *master = &g_master_de_ctx;
4087  SCMutexLock(&master->lock);
4088  version = master->version;
4089  SCMutexUnlock(&master->lock);
4090  return version;
4091 }
4092 
4094 {
4095  DetectEngineMasterCtx *master = &g_master_de_ctx;
4096  SCMutexLock(&master->lock);
4097  master->version++;
4098  SCLogDebug("master version now %u", master->version);
4099  SCMutexUnlock(&master->lock);
4100 }
4101 
4103 {
4104  DetectEngineMasterCtx *master = &g_master_de_ctx;
4105  SCMutexLock(&master->lock);
4106 
4107  DetectEngineCtx *de_ctx = master->list;
4108  while (de_ctx) {
4112  {
4113  de_ctx->ref_cnt++;
4114  SCLogDebug("de_ctx %p ref_cnt %u", de_ctx, de_ctx->ref_cnt);
4115  SCMutexUnlock(&master->lock);
4116  return de_ctx;
4117  }
4118  de_ctx = de_ctx->next;
4119  }
4120 
4121  SCMutexUnlock(&master->lock);
4122  return NULL;
4123 }
4124 
4126 {
4127  if (de_ctx == NULL)
4128  return NULL;
4129  de_ctx->ref_cnt++;
4130  return de_ctx;
4131 }
4132 
4133 static bool DetectEngineMultiTenantEnabledWithLock(void)
4134 {
4135  DetectEngineMasterCtx *master = &g_master_de_ctx;
4136  return master->multi_tenant_enabled;
4137 }
4138 
4140 {
4141  DetectEngineMasterCtx *master = &g_master_de_ctx;
4142  SCMutexLock(&master->lock);
4143  bool enabled = DetectEngineMultiTenantEnabledWithLock();
4144  SCMutexUnlock(&master->lock);
4145  return enabled;
4146 }
4147 
4148 /** \internal
4149  * \brief load a tenant from a yaml file
4150  *
4151  * \param tenant_id the tenant id by which the config is known
4152  * \param filename full path of a yaml file
4153  * \param loader_id id of loader thread or -1
4154  *
4155  * \retval 0 ok
4156  * \retval -1 failed
4157  */
4158 static int DetectEngineMultiTenantLoadTenant(uint32_t tenant_id, const char *filename, int loader_id)
4159 {
4160  DetectEngineCtx *de_ctx = NULL;
4161  char prefix[64];
4162 
4163  snprintf(prefix, sizeof(prefix), "multi-detect.%u", tenant_id);
4164 
4165  SCStat st;
4166  if (SCStatFn(filename, &st) != 0) {
4167  SCLogError("failed to stat file %s", filename);
4168  goto error;
4169  }
4170 
4171  de_ctx = DetectEngineGetByTenantId(tenant_id);
4172  if (de_ctx != NULL) {
4173  SCLogError("tenant %u already registered", tenant_id);
4175  goto error;
4176  }
4177 
4178  SCConfNode *node = SCConfGetNode(prefix);
4179  if (node == NULL) {
4180  SCLogError("failed to properly setup yaml %s", filename);
4181  goto error;
4182  }
4183 
4184  de_ctx = DetectEngineCtxInitWithPrefix(prefix, tenant_id);
4185  if (de_ctx == NULL) {
4186  SCLogError("initializing detection engine "
4187  "context failed.");
4188  goto error;
4189  }
4190  SCLogDebug("de_ctx %p with prefix %s", de_ctx, de_ctx->config_prefix);
4191 
4193  de_ctx->tenant_id = tenant_id;
4194  de_ctx->loader_id = loader_id;
4195  de_ctx->tenant_path = SCStrdup(filename);
4196  if (de_ctx->tenant_path == NULL) {
4197  SCLogError("Failed to duplicate path");
4198  goto error;
4199  }
4200 
4201  if (SigLoadSignatures(de_ctx, NULL, false) < 0) {
4202  SCLogError("Loading signatures failed.");
4203  goto error;
4204  }
4206 
4207  return 0;
4208 
4209 error:
4210  if (de_ctx != NULL) {
4212  }
4213  return -1;
4214 }
4215 
4216 static int DetectEngineMultiTenantReloadTenant(uint32_t tenant_id, const char *filename, int reload_cnt)
4217 {
4218  DetectEngineCtx *old_de_ctx = DetectEngineGetByTenantId(tenant_id);
4219  if (old_de_ctx == NULL) {
4220  SCLogError("tenant detect engine not found");
4221  return -1;
4222  }
4223 
4224  if (filename == NULL)
4225  filename = old_de_ctx->tenant_path;
4226 
4227  char prefix[64];
4228  snprintf(prefix, sizeof(prefix), "multi-detect.%u.reload.%d", tenant_id, reload_cnt);
4229  reload_cnt++;
4230  SCLogDebug("prefix %s", prefix);
4231 
4232  if (SCConfYamlLoadFileWithPrefix(filename, prefix) != 0) {
4233  SCLogError("failed to load yaml");
4234  goto error;
4235  }
4236 
4237  SCConfNode *node = SCConfGetNode(prefix);
4238  if (node == NULL) {
4239  SCLogError("failed to properly setup yaml %s", filename);
4240  goto error;
4241  }
4242 
4243  DetectEngineCtx *new_de_ctx = DetectEngineCtxInitWithPrefix(prefix, tenant_id);
4244  if (new_de_ctx == NULL) {
4245  SCLogError("initializing detection engine "
4246  "context failed.");
4247  goto error;
4248  }
4249  SCLogDebug("de_ctx %p with prefix %s", new_de_ctx, new_de_ctx->config_prefix);
4250 
4251  new_de_ctx->type = DETECT_ENGINE_TYPE_TENANT;
4252  new_de_ctx->tenant_id = tenant_id;
4253  new_de_ctx->loader_id = old_de_ctx->loader_id;
4254  new_de_ctx->tenant_path = SCStrdup(filename);
4255  if (new_de_ctx->tenant_path == NULL) {
4256  SCLogError("Failed to duplicate path");
4257  goto new_de_ctx_error;
4258  }
4259 
4260  if (SigLoadSignatures(new_de_ctx, NULL, false) < 0) {
4261  SCLogError("Loading signatures failed.");
4262  goto new_de_ctx_error;
4263  }
4264 
4265  DetectEngineAddToMaster(new_de_ctx);
4266 
4267  /* move to free list */
4268  DetectEngineMoveToFreeList(old_de_ctx);
4269  DetectEngineDeReference(&old_de_ctx);
4270  return 0;
4271 
4272 new_de_ctx_error:
4273  DetectEngineCtxFree(new_de_ctx);
4274 
4275 error:
4276  DetectEngineDeReference(&old_de_ctx);
4277  return -1;
4278 }
4279 
4280 
4281 typedef struct TenantLoaderCtx_ {
4282  uint32_t tenant_id;
4283  int reload_cnt; /**< used by reload */
4284  char *yaml; /**< heap alloc'd copy of file path for the yaml */
4286 
4287 static void DetectLoaderFreeTenant(void *ctx)
4288 {
4290  if (t->yaml != NULL) {
4291  SCFree(t->yaml);
4292  }
4293  SCFree(t);
4294 }
4295 
4296 static int DetectLoaderFuncLoadTenant(void *vctx, int loader_id)
4297 {
4298  TenantLoaderCtx *ctx = (TenantLoaderCtx *)vctx;
4299 
4300  SCLogDebug("loader %d", loader_id);
4301  if (DetectEngineMultiTenantLoadTenant(ctx->tenant_id, ctx->yaml, loader_id) != 0) {
4302  return -1;
4303  }
4304  return 0;
4305 }
4306 
4307 static int DetectLoaderSetupLoadTenant(uint32_t tenant_id, const char *yaml)
4308 {
4309  TenantLoaderCtx *t = SCCalloc(1, sizeof(*t));
4310  if (t == NULL)
4311  return -ENOMEM;
4312 
4313  t->tenant_id = tenant_id;
4314  t->yaml = SCStrdup(yaml);
4315  if (t->yaml == NULL) {
4316  SCFree(t);
4317  return -ENOMEM;
4318  }
4319 
4320  return DetectLoaderQueueTask(-1, DetectLoaderFuncLoadTenant, t, DetectLoaderFreeTenant);
4321 }
4322 
4323 static int DetectLoaderFuncReloadTenant(void *vctx, int loader_id)
4324 {
4325  TenantLoaderCtx *ctx = (TenantLoaderCtx *)vctx;
4326 
4327  SCLogDebug("loader_id %d", loader_id);
4328 
4329  if (DetectEngineMultiTenantReloadTenant(ctx->tenant_id, ctx->yaml, ctx->reload_cnt) != 0) {
4330  return -1;
4331  }
4332  return 0;
4333 }
4334 
4335 static int DetectLoaderSetupReloadTenants(const int reload_cnt)
4336 {
4337  int ret = 0;
4338  DetectEngineMasterCtx *master = &g_master_de_ctx;
4339  SCMutexLock(&master->lock);
4340 
4341  DetectEngineCtx *de_ctx = master->list;
4342  while (de_ctx) {
4344  TenantLoaderCtx *t = SCCalloc(1, sizeof(*t));
4345  if (t == NULL) {
4346  ret = -1;
4347  goto error;
4348  }
4349  t->tenant_id = de_ctx->tenant_id;
4350  t->reload_cnt = reload_cnt;
4351  int loader_id = de_ctx->loader_id;
4352 
4353  int r = DetectLoaderQueueTask(
4354  loader_id, DetectLoaderFuncReloadTenant, t, DetectLoaderFreeTenant);
4355  if (r < 0) {
4356  ret = -2;
4357  goto error;
4358  }
4359  }
4360 
4361  de_ctx = de_ctx->next;
4362  }
4363 error:
4364  SCMutexUnlock(&master->lock);
4365  return ret;
4366 }
4367 
4368 static int DetectLoaderSetupReloadTenant(uint32_t tenant_id, const char *yaml, int reload_cnt)
4369 {
4370  DetectEngineCtx *old_de_ctx = DetectEngineGetByTenantId(tenant_id);
4371  if (old_de_ctx == NULL)
4372  return -ENOENT;
4373  int loader_id = old_de_ctx->loader_id;
4374  DetectEngineDeReference(&old_de_ctx);
4375 
4376  TenantLoaderCtx *t = SCCalloc(1, sizeof(*t));
4377  if (t == NULL)
4378  return -ENOMEM;
4379 
4380  t->tenant_id = tenant_id;
4381  if (yaml != NULL) {
4382  t->yaml = SCStrdup(yaml);
4383  if (t->yaml == NULL) {
4384  SCFree(t);
4385  return -ENOMEM;
4386  }
4387  }
4388  t->reload_cnt = reload_cnt;
4389 
4390  SCLogDebug("loader_id %d", loader_id);
4391 
4392  return DetectLoaderQueueTask(
4393  loader_id, DetectLoaderFuncReloadTenant, t, DetectLoaderFreeTenant);
4394 }
4395 
4396 /** \brief Load a tenant and wait for loading to complete
4397  */
4398 int DetectEngineLoadTenantBlocking(uint32_t tenant_id, const char *yaml)
4399 {
4400  int r = DetectLoaderSetupLoadTenant(tenant_id, yaml);
4401  if (r < 0)
4402  return r;
4403 
4404  if (DetectLoadersSync() != 0)
4405  return -1;
4406 
4407  return 0;
4408 }
4409 
4410 /** \brief Reload a tenant and wait for loading to complete
4411  */
4412 int DetectEngineReloadTenantBlocking(uint32_t tenant_id, const char *yaml, int reload_cnt)
4413 {
4414  int r = DetectLoaderSetupReloadTenant(tenant_id, yaml, reload_cnt);
4415  if (r < 0)
4416  return r;
4417 
4418  if (DetectLoadersSync() != 0)
4419  return -1;
4420 
4421  return 0;
4422 }
4423 
4424 /** \brief Reload all tenants and wait for loading to complete
4425  */
4426 int DetectEngineReloadTenantsBlocking(const int reload_cnt)
4427 {
4428  int r = DetectLoaderSetupReloadTenants(reload_cnt);
4429  if (r < 0)
4430  return r;
4431 
4432  if (DetectLoadersSync() != 0)
4433  return -1;
4434 
4435  return 0;
4436 }
4437 
4438 static int DetectEngineMultiTenantSetupLoadLivedevMappings(
4439  const SCConfNode *mappings_root_node, bool failure_fatal)
4440 {
4441  SCConfNode *mapping_node = NULL;
4442 
4443  int mapping_cnt = 0;
4444  if (mappings_root_node != NULL) {
4445  TAILQ_FOREACH(mapping_node, &mappings_root_node->head, next) {
4446  SCConfNode *tenant_id_node = SCConfNodeLookupChild(mapping_node, "tenant-id");
4447  if (tenant_id_node == NULL)
4448  goto bad_mapping;
4449  SCConfNode *device_node = SCConfNodeLookupChild(mapping_node, "device");
4450  if (device_node == NULL)
4451  goto bad_mapping;
4452 
4453  uint32_t tenant_id = 0;
4454  if (StringParseUint32(&tenant_id, 10, (uint16_t)strlen(tenant_id_node->val),
4455  tenant_id_node->val) < 0) {
4456  SCLogError("tenant-id "
4457  "of %s is invalid",
4458  tenant_id_node->val);
4459  goto bad_mapping;
4460  }
4461 
4462  const char *dev = device_node->val;
4463  LiveDevice *ld = LiveGetDevice(dev);
4464  if (ld == NULL) {
4465  SCLogWarning("device %s not found", dev);
4466  goto bad_mapping;
4467  }
4468 
4469  if (ld->tenant_id_set) {
4470  SCLogWarning("device %s already mapped to tenant-id %u", dev, ld->tenant_id);
4471  goto bad_mapping;
4472  }
4473 
4474  ld->tenant_id = tenant_id;
4475  ld->tenant_id_set = true;
4476 
4477  if (DetectEngineTenantRegisterLivedev(tenant_id, ld->id) != 0) {
4478  goto error;
4479  }
4480 
4481  SCLogConfig("device %s connected to tenant-id %u", dev, tenant_id);
4482  mapping_cnt++;
4483  continue;
4484 
4485  bad_mapping:
4486  if (failure_fatal)
4487  goto error;
4488  }
4489  }
4490  SCLogConfig("%d device - tenant-id mappings defined", mapping_cnt);
4491  return mapping_cnt;
4492 
4493 error:
4494  return 0;
4495 }
4496 
4497 static int DetectEngineMultiTenantSetupLoadVlanMappings(
4498  const SCConfNode *mappings_root_node, bool failure_fatal)
4499 {
4500  SCConfNode *mapping_node = NULL;
4501 
4502  int mapping_cnt = 0;
4503  if (mappings_root_node != NULL) {
4504  TAILQ_FOREACH(mapping_node, &mappings_root_node->head, next) {
4505  SCConfNode *tenant_id_node = SCConfNodeLookupChild(mapping_node, "tenant-id");
4506  if (tenant_id_node == NULL)
4507  goto bad_mapping;
4508  SCConfNode *vlan_id_node = SCConfNodeLookupChild(mapping_node, "vlan-id");
4509  if (vlan_id_node == NULL)
4510  goto bad_mapping;
4511 
4512  uint32_t tenant_id = 0;
4513  if (StringParseUint32(&tenant_id, 10, (uint16_t)strlen(tenant_id_node->val),
4514  tenant_id_node->val) < 0) {
4515  SCLogError("tenant-id "
4516  "of %s is invalid",
4517  tenant_id_node->val);
4518  goto bad_mapping;
4519  }
4520 
4521  uint16_t vlan_id = 0;
4522  if (StringParseUint16(
4523  &vlan_id, 10, (uint16_t)strlen(vlan_id_node->val), vlan_id_node->val) < 0) {
4524  SCLogError("vlan-id "
4525  "of %s is invalid",
4526  vlan_id_node->val);
4527  goto bad_mapping;
4528  }
4529  if (vlan_id == 0 || vlan_id >= 4095) {
4530  SCLogError("vlan-id "
4531  "of %s is invalid. Valid range 1-4094.",
4532  vlan_id_node->val);
4533  goto bad_mapping;
4534  }
4535 
4536  if (DetectEngineTenantRegisterVlanId(tenant_id, vlan_id) != 0) {
4537  goto error;
4538  }
4539  SCLogConfig("vlan %u connected to tenant-id %u", vlan_id, tenant_id);
4540  mapping_cnt++;
4541  continue;
4542 
4543  bad_mapping:
4544  if (failure_fatal)
4545  goto error;
4546  }
4547  }
4548  return mapping_cnt;
4549 
4550 error:
4551  return 0;
4552 }
4553 
4554 /**
4555  * \brief setup multi-detect / multi-tenancy
4556  *
4557  * See if MT is enabled. If so, setup the selector, tenants and mappings.
4558  * Tenants and mappings are optional, and can also dynamically be added
4559  * and removed from the unix socket.
4560  */
4561 int DetectEngineMultiTenantSetup(const bool unix_socket)
4562 {
4564  DetectEngineMasterCtx *master = &g_master_de_ctx;
4565  int failure_fatal = 0;
4566  (void)SCConfGetBool("engine.init-failure-fatal", &failure_fatal);
4567 
4568  int enabled = 0;
4569  (void)SCConfGetBool("multi-detect.enabled", &enabled);
4570  if (enabled == 1) {
4575 
4576  SCMutexLock(&master->lock);
4577  master->multi_tenant_enabled = 1;
4578 
4579  const char *handler = NULL;
4580  if (SCConfGetNonNull("multi-detect.selector", &handler) == 1) {
4581  SCLogConfig("multi-tenant selector type %s", handler);
4582 
4583  if (strcmp(handler, "vlan") == 0) {
4584  tenant_selector = master->tenant_selector = TENANT_SELECTOR_VLAN;
4585 
4586  int vlanbool = 0;
4587  if ((SCConfGetBool("vlan.use-for-tracking", &vlanbool)) == 1 && vlanbool == 0) {
4588  SCLogError("vlan tracking is disabled, "
4589  "can't use multi-detect selector 'vlan'");
4590  SCMutexUnlock(&master->lock);
4591  goto error;
4592  }
4593 
4594  } else if (strcmp(handler, "direct") == 0) {
4595  tenant_selector = master->tenant_selector = TENANT_SELECTOR_DIRECT;
4596  } else if (strcmp(handler, "device") == 0) {
4597  tenant_selector = master->tenant_selector = TENANT_SELECTOR_LIVEDEV;
4598  if (EngineModeIsIPS()) {
4599  SCLogWarning("multi-tenant 'device' mode not supported for IPS");
4600  SCMutexUnlock(&master->lock);
4601  goto error;
4602  }
4603 
4604  } else {
4605  SCLogError("unknown value %s "
4606  "multi-detect.selector",
4607  handler);
4608  SCMutexUnlock(&master->lock);
4609  goto error;
4610  }
4611  }
4612  SCMutexUnlock(&master->lock);
4613  SCLogConfig("multi-detect is enabled (multi tenancy). Selector: %s", handler);
4614 
4615  /* traffic -- tenant mappings */
4616  SCConfNode *mappings_root_node = SCConfGetNode("multi-detect.mappings");
4617 
4618  if (tenant_selector == TENANT_SELECTOR_VLAN) {
4619  int mapping_cnt = DetectEngineMultiTenantSetupLoadVlanMappings(mappings_root_node,
4620  failure_fatal);
4621  if (mapping_cnt == 0) {
4622  /* no mappings are valid when we're in unix socket mode,
4623  * they can be added on the fly. Otherwise warn/error
4624  * depending on failure_fatal */
4625 
4626  if (unix_socket) {
4627  SCLogNotice("no tenant traffic mappings defined, "
4628  "tenants won't be used until mappings are added");
4629  } else {
4630  if (failure_fatal) {
4631  SCLogError("no multi-detect mappings defined");
4632  goto error;
4633  } else {
4634  SCLogWarning("no multi-detect mappings defined");
4635  }
4636  }
4637  }
4638  } else if (tenant_selector == TENANT_SELECTOR_LIVEDEV) {
4639  int mapping_cnt = DetectEngineMultiTenantSetupLoadLivedevMappings(mappings_root_node,
4640  failure_fatal);
4641  if (mapping_cnt == 0) {
4642  if (failure_fatal) {
4643  SCLogError("no multi-detect mappings defined");
4644  goto error;
4645  } else {
4646  SCLogWarning("no multi-detect mappings defined");
4647  }
4648  }
4649  }
4650 
4651  /* tenants */
4652  SCConfNode *tenants_root_node = SCConfGetNode("multi-detect.tenants");
4653  SCConfNode *tenant_node = NULL;
4654 
4655  if (tenants_root_node != NULL) {
4656  const char *path = NULL;
4657  SCConfNode *path_node = SCConfGetNode("multi-detect.config-path");
4658  if (path_node) {
4659  path = path_node->val;
4660  SCLogConfig("tenants config path: %s", path);
4661  }
4662 
4663  TAILQ_FOREACH(tenant_node, &tenants_root_node->head, next) {
4664  SCConfNode *id_node = SCConfNodeLookupChild(tenant_node, "id");
4665  if (id_node == NULL) {
4666  goto bad_tenant;
4667  }
4668  SCConfNode *yaml_node = SCConfNodeLookupChild(tenant_node, "yaml");
4669  if (yaml_node == NULL) {
4670  goto bad_tenant;
4671  }
4672 
4673  uint32_t tenant_id = 0;
4674  if (StringParseUint32(
4675  &tenant_id, 10, (uint16_t)strlen(id_node->val), id_node->val) < 0) {
4676  SCLogError("tenant_id "
4677  "of %s is invalid",
4678  id_node->val);
4679  goto bad_tenant;
4680  }
4681  SCLogDebug("tenant id: %u, %s", tenant_id, yaml_node->val);
4682 
4683  char yaml_path[PATH_MAX] = "";
4684  if (path) {
4685  if (PathMerge(yaml_path, PATH_MAX, path, yaml_node->val) < 0)
4686  goto bad_tenant;
4687  } else {
4688  size_t r = strlcpy(yaml_path, yaml_node->val, sizeof(yaml_path));
4689  if (r >= sizeof(yaml_path))
4690  goto bad_tenant;
4691  }
4692  SCLogDebug("tenant path: %s", yaml_path);
4693 
4694  /* setup the yaml in this loop so that it's not done by the loader
4695  * threads. SCConfYamlLoadFileWithPrefix is not thread safe. */
4696  char prefix[64];
4697  snprintf(prefix, sizeof(prefix), "multi-detect.%u", tenant_id);
4698  if (SCConfYamlLoadFileWithPrefix(yaml_path, prefix) != 0) {
4699  SCLogError("failed to load yaml %s", yaml_path);
4700  goto bad_tenant;
4701  }
4702 
4703  int r = DetectLoaderSetupLoadTenant(tenant_id, yaml_path);
4704  if (r < 0) {
4705  /* error logged already */
4706  goto bad_tenant;
4707  }
4708  continue;
4709 
4710  bad_tenant:
4711  if (failure_fatal)
4712  goto error;
4713  }
4714  }
4715 
4716  /* wait for our loaders to complete their tasks */
4717  if (DetectLoadersSync() != 0) {
4718  goto error;
4719  }
4720 
4722 
4723  } else {
4724  SCLogDebug("multi-detect not enabled (multi tenancy)");
4725  }
4726  return 0;
4727 error:
4728  return -1;
4729 }
4730 
4731 static uint32_t DetectEngineTenantGetIdFromVlanId(const void *ctx, const Packet *p)
4732 {
4733  const DetectEngineThreadCtx *det_ctx = ctx;
4734  uint32_t x = 0;
4735  uint32_t vlan_id = 0;
4736 
4737  if (p->vlan_idx == 0)
4738  return 0;
4739 
4740  vlan_id = p->vlan_id[0];
4741 
4742  if (det_ctx == NULL || det_ctx->tenant_array == NULL || det_ctx->tenant_array_size == 0)
4743  return 0;
4744 
4745  /* not very efficient, but for now we're targeting only limited amounts.
4746  * Can use hash/tree approach later. */
4747  for (x = 0; x < det_ctx->tenant_array_size; x++) {
4748  if (det_ctx->tenant_array[x].traffic_id == vlan_id)
4749  return det_ctx->tenant_array[x].tenant_id;
4750  }
4751 
4752  return 0;
4753 }
4754 
4755 static uint32_t DetectEngineTenantGetIdFromLivedev(const void *ctx, const Packet *p)
4756 {
4757  const DetectEngineThreadCtx *det_ctx = ctx;
4758  const LiveDevice *ld = LiveDeviceGetById(p->livedev_id);
4759 
4760  if (ld == NULL || det_ctx == NULL)
4761  return 0;
4762 
4763  SCLogDebug("using tenant-id %u for packet on device %s", ld->tenant_id, ld->dev);
4764  return ld->tenant_id;
4765 }
4766 
4767 static int DetectEngineTenantRegisterSelector(
4768  enum DetectEngineTenantSelectors selector, uint32_t tenant_id, uint32_t traffic_id)
4769 {
4770  DetectEngineMasterCtx *master = &g_master_de_ctx;
4771  SCMutexLock(&master->lock);
4772 
4773  if (!(master->tenant_selector == TENANT_SELECTOR_UNKNOWN || master->tenant_selector == selector)) {
4774  SCLogInfo("conflicting selector already set");
4775  SCMutexUnlock(&master->lock);
4776  return -1;
4777  }
4778 
4780  while (m) {
4781  if (m->traffic_id == traffic_id) {
4782  SCLogInfo("traffic id already registered");
4783  SCMutexUnlock(&master->lock);
4784  return -1;
4785  }
4786  m = m->next;
4787  }
4788 
4789  DetectEngineTenantMapping *map = SCCalloc(1, sizeof(*map));
4790  if (map == NULL) {
4791  SCLogInfo("memory fail");
4792  SCMutexUnlock(&master->lock);
4793  return -1;
4794  }
4795  map->traffic_id = traffic_id;
4796  map->tenant_id = tenant_id;
4797 
4798  map->next = master->tenant_mapping_list;
4799  master->tenant_mapping_list = map;
4800 
4801  master->tenant_selector = selector;
4802 
4803  SCLogDebug("tenant handler %u %u %u registered", selector, tenant_id, traffic_id);
4804  SCMutexUnlock(&master->lock);
4805  return 0;
4806 }
4807 
4808 static int DetectEngineTenantUnregisterSelector(
4809  enum DetectEngineTenantSelectors selector, uint32_t tenant_id, uint32_t traffic_id)
4810 {
4811  DetectEngineMasterCtx *master = &g_master_de_ctx;
4812  SCMutexLock(&master->lock);
4813 
4814  if (master->tenant_mapping_list == NULL) {
4815  SCMutexUnlock(&master->lock);
4816  return -1;
4817  }
4818 
4819  DetectEngineTenantMapping *prev = NULL;
4821  while (map) {
4822  if (map->traffic_id == traffic_id &&
4823  map->tenant_id == tenant_id)
4824  {
4825  if (prev != NULL)
4826  prev->next = map->next;
4827  else
4828  master->tenant_mapping_list = map->next;
4829 
4830  map->next = NULL;
4831  SCFree(map);
4832  SCLogInfo("tenant handler %u %u %u unregistered", selector, tenant_id, traffic_id);
4833  SCMutexUnlock(&master->lock);
4834  return 0;
4835  }
4836  prev = map;
4837  map = map->next;
4838  }
4839 
4840  SCMutexUnlock(&master->lock);
4841  return -1;
4842 }
4843 
4844 int DetectEngineTenantRegisterLivedev(uint32_t tenant_id, int device_id)
4845 {
4846  return DetectEngineTenantRegisterSelector(
4847  TENANT_SELECTOR_LIVEDEV, tenant_id, (uint32_t)device_id);
4848 }
4849 
4850 int DetectEngineTenantRegisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
4851 {
4852  return DetectEngineTenantRegisterSelector(TENANT_SELECTOR_VLAN, tenant_id, (uint32_t)vlan_id);
4853 }
4854 
4855 int DetectEngineTenantUnregisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
4856 {
4857  return DetectEngineTenantUnregisterSelector(TENANT_SELECTOR_VLAN, tenant_id, (uint32_t)vlan_id);
4858 }
4859 
4860 int DetectEngineTenantRegisterPcapFile(uint32_t tenant_id)
4861 {
4862  SCLogInfo("registering %u %d 0", TENANT_SELECTOR_DIRECT, tenant_id);
4863  return DetectEngineTenantRegisterSelector(TENANT_SELECTOR_DIRECT, tenant_id, 0);
4864 }
4865 
4867 {
4868  SCLogInfo("unregistering %u %d 0", TENANT_SELECTOR_DIRECT, tenant_id);
4869  return DetectEngineTenantUnregisterSelector(TENANT_SELECTOR_DIRECT, tenant_id, 0);
4870 }
4871 
4872 static uint32_t DetectEngineTenantGetIdFromPcap(const void *ctx, const Packet *p)
4873 {
4874  return p->pcap_v.tenant_id;
4875 }
4876 
4878 {
4879  DetectEngineMasterCtx *master = &g_master_de_ctx;
4880  SCMutexLock(&master->lock);
4881 
4882  if (master->list == NULL) {
4883  SCMutexUnlock(&master->lock);
4884  return NULL;
4885  }
4886 
4887  DetectEngineCtx *de_ctx = master->list;
4888  while (de_ctx) {
4890  de_ctx->tenant_id == tenant_id)
4891  {
4892  de_ctx->ref_cnt++;
4893  break;
4894  }
4895 
4896  de_ctx = de_ctx->next;
4897  }
4898 
4899  SCMutexUnlock(&master->lock);
4900  return de_ctx;
4901 }
4902 
4904 {
4905  DEBUG_VALIDATE_BUG_ON((*de_ctx)->ref_cnt == 0);
4906  (*de_ctx)->ref_cnt--;
4907  *de_ctx = NULL;
4908 }
4909 
4910 static int DetectEngineAddToList(DetectEngineCtx *instance)
4911 {
4912  DetectEngineMasterCtx *master = &g_master_de_ctx;
4913 
4914  if (instance == NULL)
4915  return -1;
4916 
4917  if (master->list == NULL) {
4918  master->list = instance;
4919  } else {
4920  instance->next = master->list;
4921  master->list = instance;
4922  }
4923 
4924  return 0;
4925 }
4926 
4928 {
4929  int r;
4930 
4931  if (de_ctx == NULL)
4932  return -1;
4933 
4934  SCLogDebug("adding de_ctx %p to master", de_ctx);
4935 
4936  DetectEngineMasterCtx *master = &g_master_de_ctx;
4937  SCMutexLock(&master->lock);
4938  r = DetectEngineAddToList(de_ctx);
4939  SCMutexUnlock(&master->lock);
4940  return r;
4941 }
4942 
4943 static int DetectEngineMoveToFreeListNoLock(DetectEngineMasterCtx *master, DetectEngineCtx *de_ctx)
4944 {
4945  DetectEngineCtx *instance = master->list;
4946  if (instance == NULL) {
4947  return -1;
4948  }
4949 
4950  /* remove from active list */
4951  if (instance == de_ctx) {
4952  master->list = instance->next;
4953  } else {
4954  DetectEngineCtx *prev = instance;
4955  instance = instance->next; /* already checked first element */
4956 
4957  while (instance) {
4958  DetectEngineCtx *next = instance->next;
4959 
4960  if (instance == de_ctx) {
4961  prev->next = instance->next;
4962  break;
4963  }
4964 
4965  prev = instance;
4966  instance = next;
4967  }
4968  if (instance == NULL) {
4969  return -1;
4970  }
4971  }
4972 
4973  /* instance is now detached from list */
4974  instance->next = NULL;
4975 
4976  /* add to free list */
4977  if (master->free_list == NULL) {
4978  master->free_list = instance;
4979  } else {
4980  instance->next = master->free_list;
4981  master->free_list = instance;
4982  }
4983  SCLogDebug("detect engine %p moved to free list (%u refs)", de_ctx, de_ctx->ref_cnt);
4984  return 0;
4985 }
4986 
4988 {
4989  int ret = 0;
4990  DetectEngineMasterCtx *master = &g_master_de_ctx;
4991  SCMutexLock(&master->lock);
4992  ret = DetectEngineMoveToFreeListNoLock(master, de_ctx);
4993  SCMutexUnlock(&master->lock);
4994  return ret;
4995 }
4996 
4998 {
4999  DetectEngineMasterCtx *master = &g_master_de_ctx;
5000  SCMutexLock(&master->lock);
5001 
5002  DetectEngineCtx *prev = NULL;
5003  DetectEngineCtx *instance = master->free_list;
5004  while (instance) {
5005  DetectEngineCtx *next = instance->next;
5006 
5007  SCLogDebug("detect engine %p has %u ref(s)", instance, instance->ref_cnt);
5008 
5009  if (instance->ref_cnt == 0) {
5010  if (prev == NULL) {
5011  master->free_list = next;
5012  } else {
5013  prev->next = next;
5014  }
5015 
5016  SCLogDebug("freeing detect engine %p", instance);
5017  DetectEngineCtxFree(instance);
5018  instance = NULL;
5019  }
5020 
5021  prev = instance;
5022  instance = next;
5023  }
5024  SCMutexUnlock(&master->lock);
5025 }
5026 
5028 {
5029  DetectEngineMasterCtx *master = &g_master_de_ctx;
5030  SCMutexLock(&master->lock);
5031 
5032  DetectEngineCtx *instance = master->list;
5033  while (instance) {
5034  DetectEngineCtx *next = instance->next;
5035  DEBUG_VALIDATE_BUG_ON(instance->ref_cnt);
5036  SCLogDebug("detect engine %p has %u ref(s)", instance, instance->ref_cnt);
5037  instance->ref_cnt = 0;
5038  DetectEngineMoveToFreeListNoLock(master, instance);
5039  instance = next;
5040  }
5041  SCMutexUnlock(&master->lock);
5043 }
5044 
5045 static int reloads = 0;
5046 
5047 /** \brief Reload the detection engine
5048  *
5049  * \param filename YAML file to load for the detect config
5050  *
5051  * \retval -1 error
5052  * \retval 0 ok
5053  */
5055 {
5056  DetectEngineCtx *new_de_ctx = NULL;
5057  DetectEngineCtx *old_de_ctx = NULL;
5058 
5059  char prefix[128];
5060  memset(prefix, 0, sizeof(prefix));
5061 
5062  SCLogNotice("rule reload starting");
5063 
5064  if (suri->conf_filename != NULL) {
5065  snprintf(prefix, sizeof(prefix), "detect-engine-reloads.%d", reloads++);
5066  SCLogConfig("Reloading %s", suri->conf_filename);
5067  if (SCConfYamlLoadFileWithPrefix(suri->conf_filename, prefix) != 0) {
5068  SCLogError("failed to load yaml %s", suri->conf_filename);
5069  return -1;
5070  }
5071 
5072  SCConfNode *node = SCConfGetNode(prefix);
5073  if (node == NULL) {
5074  SCLogError("failed to properly setup yaml %s", suri->conf_filename);
5075  return -1;
5076  }
5077 
5078  if (suri->additional_configs) {
5079  for (int i = 0; suri->additional_configs[i] != NULL; i++) {
5080  SCLogConfig("Reloading %s", suri->additional_configs[i]);
5082  }
5083  }
5084 
5085 #if 0
5086  SCConfDump();
5087 #endif
5088  }
5089 
5090  /* get a reference to the current de_ctx */
5091  old_de_ctx = DetectEngineGetCurrent();
5092  if (old_de_ctx == NULL)
5093  return -1;
5094  SCLogDebug("get ref to old_de_ctx %p", old_de_ctx);
5095  DatasetReload();
5096 
5097  /* only reload a regular 'normal' and 'delayed detect stub' detect engines */
5098  if (!(old_de_ctx->type == DETECT_ENGINE_TYPE_NORMAL ||
5099  old_de_ctx->type == DETECT_ENGINE_TYPE_DD_STUB))
5100  {
5101  DetectEngineDeReference(&old_de_ctx);
5102  SCLogNotice("rule reload complete");
5103  return -1;
5104  }
5105 
5106  /* get new detection engine */
5107  new_de_ctx = DetectEngineCtxInitWithPrefix(prefix, old_de_ctx->tenant_id);
5108  if (new_de_ctx == NULL) {
5109  SCLogError("initializing detection engine "
5110  "context failed.");
5111  DetectEngineDeReference(&old_de_ctx);
5112  return -1;
5113  }
5114 
5115  if (SigLoadSignatures(new_de_ctx,
5116  suri->sig_file, suri->sig_file_exclusive) != 0) {
5117  DetectEngineCtxFree(new_de_ctx);
5118  DetectEngineDeReference(&old_de_ctx);
5119  return -1;
5120  }
5121  SCLogDebug("set up new_de_ctx %p", new_de_ctx);
5122 
5123  /* Copy over callbacks. */
5124  new_de_ctx->RateFilterCallback = old_de_ctx->RateFilterCallback;
5125  new_de_ctx->rate_filter_callback_arg = old_de_ctx->rate_filter_callback_arg;
5126 
5127  /* add to master */
5128  DetectEngineAddToMaster(new_de_ctx);
5129 
5130  /* move to old free list */
5131  DetectEngineMoveToFreeList(old_de_ctx);
5132  DetectEngineDeReference(&old_de_ctx);
5133 
5134  SCLogDebug("going to reload the threads to use new_de_ctx %p", new_de_ctx);
5135 
5136  DetectEngineMasterCtx *master = &g_master_de_ctx;
5137  SCMutexLock(&master->lock);
5138  /* update the threads */
5139  DetectEngineReloadThreads(new_de_ctx);
5140  SCMutexUnlock(&master->lock);
5141 
5142  SCLogDebug("threads now run new_de_ctx %p", new_de_ctx);
5143 
5144  /* walk free list, freeing the old_de_ctx */
5146 
5148 
5150 
5151  SCLogDebug("old_de_ctx should have been freed");
5152 
5154 
5155  SCLogNotice("rule reload complete");
5156 
5157 #ifdef HAVE_MALLOC_TRIM
5158  /* The reload process potentially frees up large amounts of memory.
5159  * Encourage the memory management system to reclaim as much as it
5160  * can.
5161  */
5162  malloc_trim(0);
5163 #endif
5164 
5165  return 0;
5166 }
5167 
5168 static uint32_t TenantIdHash(HashTable *h, void *data, uint16_t data_len)
5169 {
5170  DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;
5171  return det_ctx->tenant_id % h->array_size;
5172 }
5173 
5174 static char TenantIdCompare(void *d1, uint16_t d1_len, void *d2, uint16_t d2_len)
5175 {
5178  return (det1->tenant_id == det2->tenant_id);
5179 }
5180 
5181 static void TenantIdFree(void *d)
5182 {
5183  DetectEngineThreadCtxFree(d);
5184 }
5185 
5187 {
5188  DetectEngineMasterCtx *master = &g_master_de_ctx;
5189  SCMutexLock(&master->lock);
5190 
5191  if (master->tenant_selector == TENANT_SELECTOR_UNKNOWN) {
5192  SCLogInfo("error, no tenant selector");
5193  SCMutexUnlock(&master->lock);
5194  return -1;
5195  }
5196 
5197  DetectEngineCtx *stub_de_ctx = NULL;
5198  DetectEngineCtx *list = master->list;
5199  for ( ; list != NULL; list = list->next) {
5200  SCLogDebug("list %p tenant %u", list, list->tenant_id);
5201 
5202  if (list->type == DETECT_ENGINE_TYPE_NORMAL ||
5203  list->type == DETECT_ENGINE_TYPE_MT_STUB ||
5205  {
5206  stub_de_ctx = list;
5207  break;
5208  }
5209  }
5210  if (stub_de_ctx == NULL) {
5211  stub_de_ctx = DetectEngineCtxInitStubForMT();
5212  if (stub_de_ctx == NULL) {
5213  SCMutexUnlock(&master->lock);
5214  return -1;
5215  }
5216 
5217  if (master->list == NULL) {
5218  master->list = stub_de_ctx;
5219  } else {
5220  stub_de_ctx->next = master->list;
5221  master->list = stub_de_ctx;
5222  }
5223  }
5224 
5225  /* update the threads */
5226  SCLogDebug("MT reload starting");
5227  DetectEngineReloadThreads(stub_de_ctx);
5228  SCLogDebug("MT reload done");
5229 
5230  SCMutexUnlock(&master->lock);
5231 
5232  /* walk free list, freeing the old_de_ctx */
5234  // needed for VarNameStoreFree
5236 
5237  SCLogDebug("old_de_ctx should have been freed");
5238  return 0;
5239 }
5240 
5241 static int g_parse_metadata = 0;
5242 
5244 {
5245  g_parse_metadata = 1;
5246 }
5247 
5249 {
5250  g_parse_metadata = 0;
5251 }
5252 
5254 {
5255  return g_parse_metadata;
5256 }
5257 
5259 {
5260  switch (type) {
5261  case DETECT_SM_LIST_MATCH:
5262  return "packet";
5263  case DETECT_SM_LIST_PMATCH:
5264  return "packet/stream payload";
5265 
5266  case DETECT_SM_LIST_TMATCH:
5267  return "tag";
5268 
5270  return "base64_data";
5271 
5273  return "post-match";
5274 
5276  return "suppress";
5278  return "threshold";
5279 
5280  case DETECT_SM_LIST_MAX:
5281  return "max (internal)";
5282  }
5283  return "error";
5284 }
5285 
5286 /* events api */
5288 {
5290  det_ctx->events++;
5291 }
5292 
5294  const Signature *s, const char **sigerror, const DetectBufferType *map)
5295 {
5296  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
5297  if (s->init_data->buffers[x].id != (uint32_t)map->id)
5298  continue;
5299  const SigMatch *sm = s->init_data->buffers[x].head;
5300  for (; sm != NULL; sm = sm->next) {
5301  if (sm->type != DETECT_CONTENT)
5302  continue;
5303 
5304  const DetectContentData *cd = (DetectContentData *)sm->ctx;
5305  if (cd->flags & DETECT_CONTENT_NOCASE) {
5306  *sigerror = "md5-like keyword should not be used together with "
5307  "nocase, since the rule is automatically "
5308  "lowercased anyway which makes nocase redundant.";
5309  SCLogWarning("rule %u: buffer %s: %s", s->id, map->name, *sigerror);
5310  }
5311 
5312  if (cd->content_len != SC_MD5_HEX_LEN) {
5313  *sigerror = "Invalid length for md5-like keyword (should "
5314  "be 32 characters long). This rule will therefore "
5315  "never match.";
5316  SCLogError("rule %u: buffer %s: %s", s->id, map->name, *sigerror);
5317  return false;
5318  }
5319 
5320  for (size_t i = 0; i < cd->content_len; ++i) {
5321  if (!isxdigit(cd->content[i])) {
5322  *sigerror =
5323  "Invalid md5-like string (should be string of hexadecimal characters)."
5324  "This rule will therefore never match.";
5325  SCLogWarning("rule %u: buffer %s: %s", s->id, map->name, *sigerror);
5326  return false;
5327  }
5328  }
5329  }
5330  }
5331  return true;
5332 }
5333 
5335  const DetectEngineCtx *de_ctx, Signature *s, const DetectBufferType *map)
5336 {
5337  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
5338  if (s->init_data->buffers[x].id != (uint32_t)map->id)
5339  continue;
5340  SigMatch *sm = s->init_data->buffers[x].head;
5341  for (; sm != NULL; sm = sm->next) {
5342  if (sm->type != DETECT_CONTENT)
5343  continue;
5344 
5346 
5347  bool changed = false;
5348  uint32_t u;
5349  for (u = 0; u < cd->content_len; u++) {
5350  if (isupper(cd->content[u])) {
5351  cd->content[u] = u8_tolower(cd->content[u]);
5352  changed = true;
5353  }
5354  }
5355 
5356  if (changed) {
5357  SpmDestroyCtx(cd->spm_ctx);
5358  cd->spm_ctx =
5360  }
5361  }
5362  }
5363 }
5364 
5366 {
5368  if (de_ctx == NULL) {
5369  SCLogError("no detection engine available for rate filter callback registration");
5370  return false;
5371  }
5372  de_ctx->RateFilterCallback = fn;
5375  return true;
5376 }
5377 
5379 {
5380  if (det_ctx->json_content_len > SIG_JSON_CONTENT_ARRAY_LEN - 1) {
5381  SCLogDebug("json content length %u exceeds maximum %u", det_ctx->json_content_len,
5383  return -1;
5384  }
5385  if (det_ctx->json_content_len >= det_ctx->json_content_capacity) {
5386  if (det_ctx->json_content_capacity == 0) {
5387  det_ctx->json_content_capacity = 1;
5388  } else {
5389  det_ctx->json_content_capacity *= 2;
5390  }
5391  void *tmp = SCRealloc(
5392  det_ctx->json_content, det_ctx->json_content_capacity * sizeof(SigJsonContent));
5393  if (unlikely(tmp == NULL)) {
5394  return -1;
5395  }
5396  SCLogDebug("reallocated json content array to %u items", det_ctx->json_content_capacity);
5397  det_ctx->json_content = tmp;
5398  }
5399  return 0;
5400 }
5401 
5402 /*************************************Unittest*********************************/
5403 
5404 #ifdef UNITTESTS
5405 
5406 static int DetectEngineInitYamlConf(const char *conf)
5407 {
5409  SCConfInit();
5410  return SCConfYamlLoadString(conf, strlen(conf));
5411 }
5412 
5413 static void DetectEngineDeInitYamlConf(void)
5414 {
5415  SCConfDeInit();
5417 }
5418 
5419 static int DetectEngineTest01(void)
5420 {
5421  const char *conf =
5422  "%YAML 1.1\n"
5423  "---\n"
5424  "detect-engine:\n"
5425  " - profile: medium\n"
5426  " - custom-values:\n"
5427  " toclient_src_groups: 2\n"
5428  " toclient_dst_groups: 2\n"
5429  " toclient_sp_groups: 2\n"
5430  " toclient_dp_groups: 3\n"
5431  " toserver_src_groups: 2\n"
5432  " toserver_dst_groups: 4\n"
5433  " toserver_sp_groups: 2\n"
5434  " toserver_dp_groups: 25\n"
5435  " - inspection-recursion-limit: 0\n";
5436 
5437  FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5438 
5441 
5443 
5445 
5446  DetectEngineDeInitYamlConf();
5447 
5448  PASS;
5449 }
5450 
5451 static int DetectEngineTest02(void)
5452 {
5453  const char *conf =
5454  "%YAML 1.1\n"
5455  "---\n"
5456  "detect-engine:\n"
5457  " - profile: medium\n"
5458  " - custom-values:\n"
5459  " toclient_src_groups: 2\n"
5460  " toclient_dst_groups: 2\n"
5461  " toclient_sp_groups: 2\n"
5462  " toclient_dp_groups: 3\n"
5463  " toserver_src_groups: 2\n"
5464  " toserver_dst_groups: 4\n"
5465  " toserver_sp_groups: 2\n"
5466  " toserver_dp_groups: 25\n"
5467  " - inspection-recursion-limit:\n";
5468 
5469  FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5470 
5473 
5474  FAIL_IF_NOT(
5476 
5478 
5479  DetectEngineDeInitYamlConf();
5480 
5481  PASS;
5482 }
5483 
5484 static int DetectEngineTest03(void)
5485 {
5486  const char *conf =
5487  "%YAML 1.1\n"
5488  "---\n"
5489  "detect-engine:\n"
5490  " - profile: medium\n"
5491  " - custom-values:\n"
5492  " toclient_src_groups: 2\n"
5493  " toclient_dst_groups: 2\n"
5494  " toclient_sp_groups: 2\n"
5495  " toclient_dp_groups: 3\n"
5496  " toserver_src_groups: 2\n"
5497  " toserver_dst_groups: 4\n"
5498  " toserver_sp_groups: 2\n"
5499  " toserver_dp_groups: 25\n";
5500 
5501  FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5502 
5505 
5506  FAIL_IF_NOT(
5508 
5510 
5511  DetectEngineDeInitYamlConf();
5512 
5513  PASS;
5514 }
5515 
5516 static int DetectEngineTest04(void)
5517 {
5518  const char *conf =
5519  "%YAML 1.1\n"
5520  "---\n"
5521  "detect-engine:\n"
5522  " - profile: medium\n"
5523  " - custom-values:\n"
5524  " toclient_src_groups: 2\n"
5525  " toclient_dst_groups: 2\n"
5526  " toclient_sp_groups: 2\n"
5527  " toclient_dp_groups: 3\n"
5528  " toserver_src_groups: 2\n"
5529  " toserver_dst_groups: 4\n"
5530  " toserver_sp_groups: 2\n"
5531  " toserver_dp_groups: 25\n"
5532  " - inspection-recursion-limit: 10\n";
5533 
5534  FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5535 
5538 
5540 
5542 
5543  DetectEngineDeInitYamlConf();
5544 
5545  PASS;
5546 }
5547 
5548 static int DetectEngineTest08(void)
5549 {
5550  const char *conf =
5551  "%YAML 1.1\n"
5552  "---\n"
5553  "detect-engine:\n"
5554  " - profile: custom\n"
5555  " - custom-values:\n"
5556  " toclient-groups: 23\n"
5557  " toserver-groups: 27\n";
5558 
5559  FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5560 
5563 
5566 
5568 
5569  DetectEngineDeInitYamlConf();
5570 
5571  PASS;
5572 }
5573 
5574 /** \test bug 892 bad values */
5575 static int DetectEngineTest09(void)
5576 {
5577  const char *conf =
5578  "%YAML 1.1\n"
5579  "---\n"
5580  "detect-engine:\n"
5581  " - profile: custom\n"
5582  " - custom-values:\n"
5583  " toclient-groups: BA\n"
5584  " toserver-groups: BA\n"
5585  " - inspection-recursion-limit: 10\n";
5586 
5587  FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5588 
5591 
5594 
5596 
5597  DetectEngineDeInitYamlConf();
5598 
5599  PASS;
5600 }
5601 
5602 /** \brief keyword thread-context init stub that always fails, used to mimic a
5603  * failing per-thread keyword init such as DetectFilemagicThreadInit. */
5604 static void *DetectEngineFailingThreadKeywordInit(void *data)
5605 {
5606  (void)data;
5607  return NULL;
5608 }
5609 
5610 static void DetectEngineNoopThreadKeywordFree(void *ctx)
5611 {
5612  (void)ctx;
5613 }
5614 
5615 /** \test Ticket #8237: a failing per-thread keyword init must make the detect
5616  * thread context init fail rather than silently continuing with a partially
5617  * initialized keyword context array. */
5618 static int DetectEngineThreadCtxInitKeywordFailTest(void)
5619 {
5620  ThreadVars th_v;
5621  memset(&th_v, 0, sizeof(th_v));
5622  DetectEngineThreadCtx *det_ctx = NULL;
5623 
5626  de_ctx->flags |= DE_QUIET;
5627 
5628  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (sid:1;)");
5629  FAIL_IF_NULL(s);
5630 
5632 
5633  /* Register a keyword whose per-thread init fails (returns NULL). */
5634  int id = DetectRegisterThreadCtxFuncs(de_ctx, "test_failing_keyword",
5635  DetectEngineFailingThreadKeywordInit, NULL, DetectEngineNoopThreadKeywordFree, 0);
5636  FAIL_IF(id < 0);
5637 
5638  /* Thread context init must report failure and not hand back a context. */
5639  TmEcode r = DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
5640  FAIL_IF(r != TM_ECODE_FAILED);
5641  FAIL_IF_NOT_NULL(det_ctx);
5642 
5644 
5645  PASS;
5646 }
5647 
5648 #endif
5649 
5651 {
5652 #ifdef UNITTESTS
5653  UtRegisterTest("DetectEngineTest01", DetectEngineTest01);
5654  UtRegisterTest("DetectEngineTest02", DetectEngineTest02);
5655  UtRegisterTest("DetectEngineTest03", DetectEngineTest03);
5656  UtRegisterTest("DetectEngineTest04", DetectEngineTest04);
5657  UtRegisterTest("DetectEngineTest08", DetectEngineTest08);
5658  UtRegisterTest("DetectEngineTest09", DetectEngineTest09);
5660  "DetectEngineThreadCtxInitKeywordFailTest", DetectEngineThreadCtxInitKeywordFailTest);
5661 #endif
5662 }
DetectEngineThreadCtx_::byte_values
uint64_t * byte_values
Definition: detect.h:1335
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DETECT_TABLE_APP_TD
@ DETECT_TABLE_APP_TD
Definition: detect.h:564
DetectEngineAppInspectionEngine_::stream
bool stream
Definition: detect.h:421
HashListTableGetListData
#define HashListTableGetListData(hb)
Definition: util-hashlist.h:56
DE_STATE_ID_FILE_INSPECT
#define DE_STATE_ID_FILE_INSPECT
Definition: detect-engine-state.h:62
SCProfilingSghThreadCleanup
void SCProfilingSghThreadCleanup(DetectEngineThreadCtx *det_ctx)
Definition: util-profiling-rulegroups.c:330
DetectEngineCtxInitWithPrefix
DetectEngineCtx * DetectEngineCtxInitWithPrefix(const char *prefix, uint32_t tenant_id)
Definition: detect-engine.c:2838
DetectEngineTenantMapping_
Definition: detect.h:1722
DEFAULT_MAX_FLOWBITS_PER_SIGNATURE
#define DEFAULT_MAX_FLOWBITS_PER_SIGNATURE
Definition: detect-engine.c:98
util-device-private.h
util-byte.h
SCConfYamlLoadString
int SCConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:536
tm-threads.h
DetectEngineAppInspectionEngine_
Definition: detect.h:416
DetectGetMultiData
InspectionBuffer * DetectGetMultiData(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id, uint32_t index, InspectionMultiBufferGetDataPtr GetBuf)
Definition: detect-engine.c:2315
DetectEngineThreadCtx_::inspect
struct DetectEngineThreadCtx_::@101 inspect
util-hash-string.h
DetectBufferType_::supports_transforms
bool supports_transforms
Definition: detect.h:458
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:536
DetectEngineSyncer_::m
SCMutex m
Definition: detect-engine.c:2058
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:420
DETECT_ENGINE_MPM_CACHE_OP_PRUNE
#define DETECT_ENGINE_MPM_CACHE_OP_PRUNE
Definition: detect.h:1767
DetectBufferType_::mpm
bool mpm
Definition: detect.h:455
detect-content.h
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@82 v2
detect-engine.h
DetectEngineResetMaxSigId
void DetectEngineResetMaxSigId(DetectEngineCtx *de_ctx)
Definition: detect-engine.c:3296
DetectEngineMTApply
int DetectEngineMTApply(void)
Definition: detect-engine.c:5186
SCProfilingKeywordDestroyCtx
void SCProfilingKeywordDestroyCtx(DetectEngineCtx *de_ctx)
Definition: util-profiling-keywords.c:268
DetectEngineBufferTypeSupportsPacketGetById
bool DetectEngineBufferTypeSupportsPacketGetById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1613
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:119
DetectEngineThreadCtxInitForReload
DetectEngineThreadCtx * DetectEngineThreadCtxInitForReload(ThreadVars *tv, DetectEngineCtx *new_de_ctx, int mt)
Definition: detect-engine.c:3712
DetectEngineThreadCtx_::to_clear_idx
uint32_t to_clear_idx
Definition: detect.h:1360
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SCConfNodeRemove
void SCConfNodeRemove(SCConfNode *node)
Remove (and SCFree) the provided configuration node.
Definition: conf.c:710
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:656
SCProfilingKeywordThreadCleanup
void SCProfilingKeywordThreadCleanup(DetectEngineThreadCtx *det_ctx)
Definition: util-profiling-keywords.c:338
THashDataGetResult::data
THashData * data
Definition: util-thash.h:192
SCConfGetTime
int SCConfGetTime(const char *name, uint64_t *val)
Retrieve a configuration value as a time duration in seconds.
Definition: conf.c:691
DetectBufferTypeRegisterSetupCallback
void DetectBufferTypeRegisterSetupCallback(const char *name, void(*SetupCallback)(const DetectEngineCtx *, Signature *, const DetectBufferType *))
Definition: detect-engine.c:1640
AlertQueueFree
void AlertQueueFree(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine-alert.c:282
DetectEngineAppHookToName
const char * DetectEngineAppHookToName(const AppProto p, const uint8_t sub_state, const uint8_t state, const uint8_t direction)
Definition: detect-engine.c:846
SCProfilingSghThreadSetup
void SCProfilingSghThreadSetup(SCProfileSghDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
Definition: util-profiling-rulegroups.c:295
DetectEngineThreadCtx_::counter_alerts
StatsCounterId counter_alerts
Definition: detect.h:1345
DetectParseDupSigHashInit
int DetectParseDupSigHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table that is used to cull duplicate sigs.
Definition: detect-parse.c:3530
RELOAD
@ RELOAD
Definition: detect-engine.c:2053
SIG_FLAG_FW_HOOK_LTE
#define SIG_FLAG_FW_HOOK_LTE
Definition: detect.h:251
DetectGetSingleData
InspectionBuffer * DetectGetSingleData(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id, InspectionSingleBufferGetDataPtr GetBuf)
Definition: detect-engine.c:2298
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
SIG_JSON_CONTENT_ARRAY_LEN
#define SIG_JSON_CONTENT_ARRAY_LEN
Definition: detect.h:1287
DetectLoaderThreadSpawn
void DetectLoaderThreadSpawn(void)
spawn the detect loader manager thread
Definition: detect-engine-loader.c:760
AppLayerParserIsEnabled
int AppLayerParserIsEnabled(AppProto alproto)
simple way to globally test if a alproto is registered and fully enabled in the configuration.
Definition: app-layer-parser.c:1787
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SinglePatternMatchDefaultMatcher
uint8_t SinglePatternMatchDefaultMatcher(void)
Returns the single pattern matcher algorithm to be used, based on the spm-algo setting in yaml.
Definition: util-spm.c:69
DetectEngineDeReference
void DetectEngineDeReference(DetectEngineCtx **de_ctx)
Definition: detect-engine.c:4903
DETECT_CI_FLAGS_START
#define DETECT_CI_FLAGS_START
Definition: detect-engine-content-inspection.h:40
DetectEngineInspectBufferGeneric
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2226
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1505
DetectEngineMustParseMetadata
int DetectEngineMustParseMetadata(void)
Definition: detect-engine.c:5253
AppLayerParserGetStateNameById
const char * AppLayerParserGetStateNameById(uint8_t ipproto, AppProto alproto, const int id, const uint8_t direction)
Definition: app-layer-parser.c:1873
TAILQ_INIT
#define TAILQ_INIT(head)
Definition: queue.h:262
SignatureHook_::sm_list
int sm_list
Definition: detect.h:578
MpmFactoryDeRegisterAllMpmCtxProfiles
void MpmFactoryDeRegisterAllMpmCtxProfiles(DetectEngineCtx *de_ctx)
Definition: util-mpm.c:168
DETECT_TABLE_APP_FILTER
@ DETECT_TABLE_APP_FILTER
Definition: detect.h:563
flow-util.h
DetectEnginePktInspectionEngine
Definition: detect.h:485
DetectEngineMasterCtx_::tenant_mapping_list
DetectEngineTenantMapping * tenant_mapping_list
Definition: detect.h:1753
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:314
DetectEngineAppInspectionEngine_::next
struct DetectEngineAppInspectionEngine_ * next
Definition: detect.h:442
SCInspectionBufferGet
InspectionBuffer * SCInspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine-inspect-buffer.c:56
DetectEngineInspectMultiBufferGeneric
uint8_t DetectEngineInspectMultiBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Definition: detect-engine.c:2339
detect-engine-siggroup.h
SigTableElmt_::name
const char * name
Definition: detect.h:1518
DetectEngineMasterCtx_::list
DetectEngineCtx * list
Definition: detect.h:1742
InspectionBuffer::initialized
bool initialized
Definition: detect-engine-inspect-buffer.h:38
MpmStoreFree
void MpmStoreFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by MpmStoreInit() function.
Definition: detect-engine-mpm.c:1671
DetectFrameMpmRegisterByParentId
void DetectFrameMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
Definition: detect-engine-mpm.c:439
DetectEngineBufferTypeSupportsPacket
void DetectEngineBufferTypeSupportsPacket(DetectEngineCtx *de_ctx, const char *name)
Definition: detect-engine.c:1580
DetectEngineBufferRunSetupCallback
void DetectEngineBufferRunSetupCallback(const DetectEngineCtx *de_ctx, const int id, Signature *s)
Definition: detect-engine.c:1650
MPM_AC
@ MPM_AC
Definition: util-mpm.h:38
DetectEngineCtx_::type
enum DetectEngineType type
Definition: detect.h:1109
DetectEnginePruneFreeList
void DetectEnginePruneFreeList(void)
Definition: detect-engine.c:4997
SigLoadSignatures
int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, bool sig_file_exclusive)
Load signatures.
Definition: detect-engine-loader.c:384
DetectEngineInspectBufferSingle
uint8_t DetectEngineInspectBufferSingle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2165
DetectThreadCtxGetKeywordThreadCtx
void * DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
Definition: detect-engine.c:3993
DetectEngineCtx_::guess_applayer
bool guess_applayer
Definition: detect.h:1032
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectEngineTransforms
Definition: detect.h:391
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SIG_FLAG_INIT_NEED_FLUSH
#define SIG_FLAG_INIT_NEED_FLUSH
Definition: detect.h:297
MpmTableElmt_::name
const char * name
Definition: util-mpm.h:155
SCClassSCConfInit
void SCClassSCConfInit(DetectEngineCtx *de_ctx)
Definition: util-classification-config.c:61
Signature_::app_progress_hook
uint8_t app_progress_hook
Definition: detect.h:719
DetectEngineCtxInitStubForDD
DetectEngineCtx * DetectEngineCtxInitStubForDD(void)
Definition: detect-engine.c:2828
KEYWORD_PROFILING_SET_LIST
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
Definition: util-profiling.h:46
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:76
DetectEngineCtx_::max_uniq_toclient_groups
uint16_t max_uniq_toclient_groups
Definition: detect.h:1043
ActionInitConfig
int ActionInitConfig(void)
Load the action order from config. If none is provided, it will be default to ACTION_PASS,...
Definition: util-action.c:105
IDLE
@ IDLE
Definition: detect-engine.c:2052
DetectEngineAppHookToSmlist
int DetectEngineAppHookToSmlist(const AppProto p, const uint8_t sub_state, const uint8_t state, const uint8_t direction)
get the sm_list for a app hook
Definition: detect-engine.c:885
DetectEngineCtx_::ref_cnt
uint32_t ref_cnt
Definition: detect.h:1112
DetectEngineAppInspectionEngine_::Callback
InspectEngineFuncPtr Callback
Definition: detect.h:435
PathMerge
int PathMerge(char *out_buf, size_t buf_size, const char *const dir, const char *const fname)
Definition: util-path.c:74
Signature_::alproto
AppProto alproto
Definition: detect.h:687
DETECT_TABLE_PACKET_PRE_STREAM
@ DETECT_TABLE_PACKET_PRE_STREAM
Definition: detect.h:560
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
SigString_
Definition: detect.h:883
StatsRegisterCounter
StatsCounterId StatsRegisterCounter(const char *name, StatsThreadContext *stats)
Registers a normal, unqualified counter.
Definition: counters.c:1039
PacketEnqueue
void PacketEnqueue(PacketQueue *q, Packet *p)
Definition: packet-queue.c:175
DetectEngineCtx_::filedata_config
DetectFileDataCfg * filedata_config
Definition: detect.h:1095
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
DetectEngineFrameInspectionEngine::sm_list_base
uint16_t sm_list_base
Definition: detect.h:516
DetectPort_::port
uint16_t port
Definition: detect.h:220
SigMatchData_::is_last
bool is_last
Definition: detect.h:367
SignatureHook_::app
struct SignatureHook_::@87::@88 app
DetectBufferTypeSupportsFrames
void DetectBufferTypeSupportsFrames(const char *name)
Definition: detect-engine.c:1415
name
const char * name
Definition: detect-engine-proto.c:48
DetectEngineMpmCacheService
void DetectEngineMpmCacheService(uint32_t op_flags)
Definition: detect-engine.c:2672
DetectMpmInitializeFrameMpms
void DetectMpmInitializeFrameMpms(DetectEngineCtx *de_ctx)
Definition: detect-engine-mpm.c:543
PacketQueue_
simple fifo queue for packets with mutex and cond Calling the mutex or triggering the cond is respons...
Definition: packet-queue.h:49
Flow_::proto
uint8_t proto
Definition: flow.h:376
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:87
DETECT_SM_LIST_DYNAMIC_START
@ DETECT_SM_LIST_DYNAMIC_START
Definition: detect.h:138
DetectEngineThreadCtx_::decoder_events
AppLayerDecoderEvents * decoder_events
Definition: detect.h:1431
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:368
AppLayerParserGetStateProgressCompletionStatus
uint8_t AppLayerParserGetStateProgressCompletionStatus(AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:1252
InspectionBuffer
Definition: detect-engine-inspect-buffer.h:34
SignatureHook_::t
union SignatureHook_::@87 t
DetectEngineThreadKeywordCtxItem_::InitFunc
void *(* InitFunc)(void *)
Definition: detect.h:902
Packet_::flags
uint32_t flags
Definition: decode.h:562
type
uint8_t type
Definition: decode-sctp.h:0
SCMutexIsLocked
#define SCMutexIsLocked(mut)
Definition: threads-debug.h:119
DetectEngineAppInspectionEngine_::GetData
InspectionBufferGetDataPtr GetData
Definition: detect.h:431
DetectEngineThreadKeywordCtxItem_
Definition: detect.h:901
DetectTable
DetectTable
Definition: detect.h:557
DetectEngineCtx_::pkt_mpms_list
DetectBufferMpmRegistry * pkt_mpms_list
Definition: detect.h:1145
Tmq_::pq
PacketQueue * pq
Definition: tm-queues.h:35
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:544
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:354
TmThreadContinueDetectLoaderThreads
void TmThreadContinueDetectLoaderThreads(void)
Unpauses all threads present in tv_root.
Definition: detect-engine-loader.c:660
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:133
SCConfYamlHandleInclude
int SCConfYamlHandleInclude(SCConfNode *parent, const char *filename)
Include a file in the configuration.
Definition: conf-yaml-loader.c:115
DetectEngineThreadKeywordCtxItem_::data
void * data
Definition: detect.h:904
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1408
util-hash.h
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:41
DetectEngineReloadTenantBlocking
int DetectEngineReloadTenantBlocking(uint32_t tenant_id, const char *yaml, int reload_cnt)
Reload a tenant and wait for loading to complete.
Definition: detect-engine.c:4412
ctx
struct Thresholds ctx
LiveDevice_
Definition: util-device-private.h:32
DetectEngineCtx_::inspection_recursion_limit
int inspection_recursion_limit
Definition: detect.h:1026
SpmTableElmt_::name
const char * name
Definition: util-spm.h:61
LiveDevice_::tenant_id_set
bool tenant_id_set
Definition: util-device-private.h:36
DetectAddressMapFree
void DetectAddressMapFree(DetectEngineCtx *de_ctx)
Definition: detect-engine-address.c:1335
DetectEngineFrameInspectionEngine::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:520
th_v
ThreadVars * th_v
Definition: fuzz_iprep.c:20
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:981
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:296
DetectEngineReloadSetIdle
void DetectEngineReloadSetIdle(void)
Definition: detect-engine.c:2091
DetectBufferTypeRegisterValidateCallback
void DetectBufferTypeRegisterValidateCallback(const char *name, bool(*ValidateCallback)(const Signature *, const char **sigerror, const DetectBufferType *))
Definition: detect-engine.c:1658
LiveDevice_::id
uint16_t id
Definition: util-device-private.h:38
DetectEnginePktInspectionEngine::smd
SigMatchData * smd
Definition: detect.h:486
DetectMetadataHashInit
int DetectMetadataHashInit(DetectEngineCtx *de_ctx)
Definition: detect-metadata.c:69
SCConfGet
int SCConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:353
DetectEngineThreadCtx_::global_keyword_ctxs_array
void ** global_keyword_ctxs_array
Definition: detect.h:1429
DetectEngineGetCurrent
DetectEngineCtx * DetectEngineGetCurrent(void)
Definition: detect-engine.c:4102
TransformData_::options
void * options
Definition: detect.h:388
SCInspectionBufferSetupAndApplyTransforms
void SCInspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, const DetectEngineTransforms *transforms)
setup the buffer with our initial data
Definition: detect-engine-inspect-buffer.c:197
DetectEngineFrameInspectionEngine::mpm
bool mpm
Definition: detect.h:514
SCDetectRateFilterFunc
uint8_t(* SCDetectRateFilterFunc)(const Packet *p, uint32_t sid, uint32_t gid, uint32_t rev, uint8_t original_action, uint8_t new_action, void *arg)
Function type for rate filter callback.
Definition: detect.h:977
DetectFirewallPolicies::pkt_policy_signatures
Signature * pkt_policy_signatures[DETECT_FIREWALL_POLICY_SIZE]
Definition: detect.h:951
TmThreadCountThreadsByTmmFlags
uint32_t TmThreadCountThreadsByTmmFlags(uint8_t flags)
returns a count of all the threads that match the flag
Definition: tm-threads.c:2070
DetectBufferTypeSupportsMultiInstance
void DetectBufferTypeSupportsMultiInstance(const char *name)
Definition: detect-engine.c:1405
HashListTableGetListHead
HashListTableBucket * HashListTableGetListHead(HashListTable *ht)
Definition: util-hashlist.c:287
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
LiveDeviceGetById
LiveDevice * LiveDeviceGetById(const int id)
Definition: util-device.c:460
DetectEngineInspectPacketPayload
uint8_t DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature.
Definition: detect-engine-payload.c:152
DetectEngineAddToMaster
int DetectEngineAddToMaster(DetectEngineCtx *de_ctx)
Definition: detect-engine.c:4927
DetectEngineCtx_::mpm_cfg
MpmConfig * mpm_cfg
Definition: detect.h:988
InspectionBufferGetPktDataPtr
InspectionBuffer *(* InspectionBufferGetPktDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)
Definition: detect.h:480
DetectAppLayerMultiRegisterSubState
void DetectAppLayerMultiRegisterSubState(const char *name, AppProto alproto, uint32_t dir, uint8_t sub_state, uint8_t progress, InspectionMultiBufferGetDataPtr GetData, int priority)
Definition: detect-engine.c:2276
SCSigSignatureOrderingModuleCleanup
void SCSigSignatureOrderingModuleCleanup(DetectEngineCtx *de_ctx)
De-registers all the signature ordering functions registered.
Definition: detect-engine-sigorder.c:946
DetectEngineBufferTypeGetNameById
const char * DetectEngineBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1485
DetectEngineCtx_::keyword_id
int keyword_id
Definition: detect.h:1091
MpmTableElmt_::CacheStatsPrint
void(* CacheStatsPrint)(void *data)
Definition: util-mpm.h:181
DetectEngineMultiTenantSetup
int DetectEngineMultiTenantSetup(const bool unix_socket)
setup multi-detect / multi-tenancy
Definition: detect-engine.c:4561
PrefilterDeinit
void PrefilterDeinit(DetectEngineCtx *de_ctx)
Definition: detect-engine-prefilter.c:1517
SignatureProperties
Definition: detect.h:89
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
DetectBufferMpmRegistry_::next
struct DetectBufferMpmRegistry_ * next
Definition: detect.h:820
util-var-name.h
SIG_FLAG_REQUIRE_STREAM
#define SIG_FLAG_REQUIRE_STREAM
Definition: detect.h:254
HashTable_
Definition: util-hash.h:35
DetectEngineTenantMapping_::next
struct DetectEngineTenantMapping_ * next
Definition: detect.h:1728
DetectEngineSetEvent
void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e)
Definition: detect-engine.c:5287
SIG_FLAG_TXBOTHDIR
#define SIG_FLAG_TXBOTHDIR
Definition: detect.h:249
DetectEngineThreadCtx_::buffers_size
uint32_t buffers_size
Definition: detect.h:1359
u8_tolower
#define u8_tolower(c)
Definition: suricata-common.h:461
DetectContentInspectionMatchOnAbsentBuffer
bool DetectContentInspectionMatchOnAbsentBuffer(const SigMatchData *smd)
tells if we should match on absent buffer, because there is an absent keyword being used
Definition: detect-engine-content-inspection.c:789
SCConfGetBool
int SCConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
Definition: conf.c:524
DetectEngineCtx_::profile_sgh_ctx
struct SCProfileSghDetectCtx_ * profile_sgh_ctx
Definition: detect.h:1104
tv_root
ThreadVars * tv_root[TVT_MAX]
Definition: tm-threads.c:84
DetectBufferMpmRegistry_
one time registration of keywords at start up
Definition: detect.h:777
SCReferenceConfDeinit
void SCReferenceConfDeinit(DetectEngineCtx *de_ctx)
Definition: util-reference-config.c:72
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
DetectPort_::next
struct DetectPort_ * next
Definition: detect.h:233
DetectEngineCtx_::tcp_priorityports
DetectPort * tcp_priorityports
Definition: detect.h:1124
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *de_ctx)
Free a DetectEngineCtx::
Definition: detect-engine.c:2872
DetectEngineThreadCtx_::counter_alerts_overflow
StatsCounterId counter_alerts_overflow
Definition: detect.h:1347
DetectEngineAppInspectionEngine_::sm_list_base
uint16_t sm_list_base
Definition: detect.h:425
SigTableElmt_::TransformId
void(* TransformId)(const uint8_t **data, uint32_t *length, const void *context)
Definition: detect.h:1497
DetectEngineThreadCtx_::spm_thread_ctx
SpmThreadCtx * spm_thread_ctx
Definition: detect.h:1332
DetectEngineReloadTenantsBlocking
int DetectEngineReloadTenantsBlocking(const int reload_cnt)
Reload all tenants and wait for loading to complete.
Definition: detect-engine.c:4426
InspectionBuffer::flags
uint8_t flags
Definition: detect-engine-inspect-buffer.h:39
detect-engine-frame.h
SCMUTEX_INITIALIZER
#define SCMUTEX_INITIALIZER
Definition: threads-debug.h:122
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:745
SCInstance_::conf_filename
const char * conf_filename
Definition: suricata.h:178
DetectEngineCtx_::prefilter_setting
enum DetectEnginePrefilterSetting prefilter_setting
Definition: detect.h:1120
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:615
DetectParseDupSigHashFree
void DetectParseDupSigHashFree(DetectEngineCtx *de_ctx)
Frees the hash table that is used to cull duplicate sigs.
Definition: detect-parse.c:3547
DetectBufferType_
Definition: detect.h:450
m
SCMutex m
Definition: flow-hash.h:6
DetectEngineCtx_::udp_priorityports
DetectPort * udp_priorityports
Definition: detect.h:1125
DetectContentData_
Definition: detect-content.h:93
SCConfYamlLoadFileWithPrefix
int SCConfYamlLoadFileWithPrefix(const char *filename, const char *prefix)
Load configuration from a YAML file, insert in tree at 'prefix'.
Definition: conf-yaml-loader.c:566
p
Packet * p
Definition: fuzz_iprep.c:21
StringParseInt32
int StringParseInt32(int32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:587
PrefilterGenericMpmFrameRegister
int PrefilterGenericMpmFrameRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-frame.c:209
ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL
Definition: detect.h:1239
DetectEngineGetVersion
uint32_t DetectEngineGetVersion(void)
Definition: detect-engine.c:4083
DetectEngineThreadCtx_::counter_alerts_suppressed
StatsCounterId counter_alerts_suppressed
Definition: detect.h:1351
SCConfNodeLookupChildValue
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:878
SleepUsec
#define SleepUsec(usec)
Definition: tm-threads.h:44
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:56
DetectEngineThreadCtx_::lua_instruction_limit_errors
StatsCounterId lua_instruction_limit_errors
Definition: detect.h:1441
HashListTableLookup
void * HashListTableLookup(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:245
detect-engine-payload.h
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3802
DetectEngineThreadCtx_::counter_firewall_discarded_alerts
StatsCounterId counter_firewall_discarded_alerts
Definition: detect.h:1349
EngineModeIsFirewall
bool EngineModeIsFirewall(void)
Definition: suricata.c:239
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:271
DetectMd5ValidateCallback
bool DetectMd5ValidateCallback(const Signature *s, const char **sigerror, const DetectBufferType *map)
Definition: detect-engine.c:5293
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:82
DetectEngineMpmCachingEnabled
bool DetectEngineMpmCachingEnabled(void)
Definition: detect-engine.c:2643
DetectBufferIsPresent
bool DetectBufferIsPresent(const Signature *s, const uint32_t buf_id)
Definition: detect-engine.c:1680
SigMatchData_
Data needed for Match()
Definition: detect.h:365
KEYWORD_PROFILING_START
#define KEYWORD_PROFILING_START
Definition: util-profiling.h:50
SigMatchData_::type
uint16_t type
Definition: detect.h:366
DetectEngineCtx_::version
uint32_t version
Definition: detect.h:1066
DetectPort_::port2
uint16_t port2
Definition: detect.h:221
StatsRegisterAvgCounter
StatsCounterAvgId StatsRegisterAvgCounter(const char *name, StatsThreadContext *stats)
Registers a counter, whose value holds the average of all the values assigned to it.
Definition: counters.c:1058
DetectEngineCtx_::non_pf_engine_names
HashTable * non_pf_engine_names
Definition: detect.h:1198
SCDetectThreadCtxGetGlobalKeywordThreadCtx
void * SCDetectThreadCtxGetGlobalKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
Definition: detect-engine.c:4057
DetectEngineThreadCtx_::events
uint16_t events
Definition: detect.h:1432
detect-engine-prefilter.h
util-unittest.h
TransformData_
Definition: detect.h:386
PrefilterMultiGenericMpmRegister
int PrefilterMultiGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:1751
Signature_::frame_inspect
DetectEngineFrameInspectionEngine * frame_inspect
Definition: detect.h:741
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, uint8_t progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition: detect-engine.c:276
DetectBufferTypeCloseRegistration
void DetectBufferTypeCloseRegistration(void)
Definition: detect-engine.c:1824
DetectEnginePktInspectionEngine::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:494
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectBufferType_::SetupCallback
void(* SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *, const struct DetectBufferType_ *)
Definition: detect.h:460
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:81
HashTableFree
void HashTableFree(HashTable *ht)
Free a HashTable and all its contents.
Definition: util-hash.c:112
MpmConfig_::cache_dir_path
const char * cache_dir_path
Definition: util-mpm.h:92
TenantLoaderCtx_
Definition: detect-engine.c:4281
SCAppLayerDecoderEventsSetEventRaw
void SCAppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:96
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1455
KEYWORD_PROFILING_END
#define KEYWORD_PROFILING_END(ctx, type, m)
Definition: util-profiling.h:64
DetectBufferTypeSupportsPacket
void DetectBufferTypeSupportsPacket(const char *name)
Definition: detect-engine.c:1425
DetectEngineFrameInspectionEngine::Callback
InspectionBufferFrameInspectFunc Callback
Definition: detect.h:518
HashListTableAdd
int HashListTableAdd(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:114
HashTable_::array_size
uint32_t array_size
Definition: util-hash.h:37
SigGroupHeadHashInit
int SigGroupHeadHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table in the detection engine context to hold the SigGroupHeads.
Definition: detect-engine-siggroup.c:244
InspectionBufferMultipleForList::size
uint32_t size
Definition: detect.h:381
SCRConfDeInitContext
void SCRConfDeInitContext(DetectEngineCtx *de_ctx)
Releases de_ctx resources related to Reference Config API.
Definition: util-reference-config.c:180
DetectEngineThreadCtx_::mt_det_ctxs_hash
HashTable * mt_det_ctxs_hash
Definition: detect.h:1312
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
DetectEnginePktInspectionRun
bool DetectEnginePktInspectionRun(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, uint8_t *alert_flags)
Definition: detect-engine.c:1981
DETECT_PREFILTER_AUTO
@ DETECT_PREFILTER_AUTO
Definition: detect.h:913
DetectEngineThreadCtx_::keyword_ctxs_size
int keyword_ctxs_size
Definition: detect.h:1426
HashListTable_::array_size
uint32_t array_size
Definition: util-hashlist.h:41
DetectAppLayerMpmRegisterByParentId
void DetectAppLayerMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
Definition: detect-engine-mpm.c:269
AlertQueueInit
void AlertQueueInit(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine-alert.c:269
SigString_::sig_error
char * sig_error
Definition: detect.h:886
DetectEngineAppInspectionEngine_::id
uint8_t id
Definition: detect.h:419
PacketQueue_::mutex_q
SCMutex mutex_q
Definition: packet-queue.h:56
DetectEngineCtx_::base64_decode_max_len
uint16_t base64_decode_max_len
Definition: detect.h:1076
SIGNATURE_HOOK_TYPE_APP
@ SIGNATURE_HOOK_TYPE_APP
Definition: detect.h:551
THV_RUNNING_DONE
#define THV_RUNNING_DONE
Definition: threadvars.h:46
PKT_SET_SRC
#define PKT_SET_SRC(p, src_val)
Definition: decode.h:1366
SCConfInit
void SCConfInit(void)
Initialize the configuration system.
Definition: conf.c:121
DetectEngineThreadCtx_::multi_inspect
struct DetectEngineThreadCtx_::@102 multi_inspect
util-signal.h
SCConfDump
void SCConfDump(void)
Dump configuration to stdout.
Definition: conf.c:818
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:424
TENANT_SELECTOR_UNKNOWN
@ TENANT_SELECTOR_UNKNOWN
Definition: detect.h:1716
HashListTableGetListNext
#define HashListTableGetListNext(hb)
Definition: util-hashlist.h:55
InspectionBufferMultipleForList
Definition: detect.h:379
DetectEngineTenantMapping_::tenant_id
uint32_t tenant_id
Definition: detect.h:1723
ThreadVars_::tmm_flags
uint8_t tmm_flags
Definition: threadvars.h:78
StringParseUint8
int StringParseUint8(uint8_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:323
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:127
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:270
app-layer-htp.h
DetectEngineTenantSelectors
DetectEngineTenantSelectors
Definition: detect.h:1715
DetectPortParse
int DetectPortParse(const DetectEngineCtx *de_ctx, DetectPort **head, const char *str)
Function for parsing port strings.
Definition: detect-engine-port.c:1135
InspectionBufferPktInspectFunc
int(* InspectionBufferPktInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags)
Definition: detect.h:473
datasets.h
InspectionBufferFree
void InspectionBufferFree(InspectionBuffer *buffer)
Definition: detect-engine-inspect-buffer.c:205
HashListTableInit
HashListTable * HashListTableInit(uint32_t size, uint32_t(*Hash)(struct HashListTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
Definition: util-hashlist.c:35
DetectEngineCtx_::requirements
SCDetectRequiresStatus * requirements
Definition: detect.h:1191
TAILQ_REMOVE
#define TAILQ_REMOVE(head, elm, field)
Definition: queue.h:312
SCRunmodeGet
SCRunMode SCRunmodeGet(void)
Get the current run mode.
Definition: suricata.c:301
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
DetectBufferType_::ValidateCallback
bool(* ValidateCallback)(const struct Signature_ *, const char **sigerror, const struct DetectBufferType_ *)
Definition: detect.h:462
DetectEngineMoveToFreeList
int DetectEngineMoveToFreeList(DetectEngineCtx *de_ctx)
Definition: detect-engine.c:4987
DetectEngineCtx_::fw_policies
struct DetectFirewallPolicies * fw_policies
Definition: detect.h:1012
SigTableElmt_::TransformValidate
bool(* TransformValidate)(const uint8_t *content, uint16_t content_len, const void *context)
Definition: detect.h:1494
DetectEngineThreadCtx_::counter_mpm_list
StatsCounterAvgId counter_mpm_list
Definition: detect.h:1353
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
util-error.h
DetectTableToString
const char * DetectTableToString(enum DetectTable table)
Definition: detect-engine.c:134
TVT_PPT
@ TVT_PPT
Definition: tm-threads-common.h:88
SpmInitGlobalThreadCtx
SpmGlobalThreadCtx * SpmInitGlobalThreadCtx(uint8_t matcher)
Definition: util-spm.c:148
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:22
SCProfilingPrefilterDestroyCtx
void SCProfilingPrefilterDestroyCtx(DetectEngineCtx *de_ctx)
Definition: util-profiling-prefilter.c:236
DetectEnginePktInspectionEngine::sm_list
uint16_t sm_list
Definition: detect.h:488
DetectEngineThreadCtx_::match_array_len
uint32_t match_array_len
Definition: detect.h:1397
DetectMpmInitializePktMpms
void DetectMpmInitializePktMpms(DetectEngineCtx *de_ctx)
Definition: detect-engine-mpm.c:710
DetectAppLayerMpmMultiRegisterSubState
void DetectAppLayerMpmMultiRegisterSubState(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionMultiBufferGetDataPtr GetData, AppProto alproto, uint8_t sub_state, uint8_t tx_min_progress)
Definition: detect-engine-mpm.c:192
DetectEngineThreadCtx_
Definition: detect.h:1300
DetectEngineThreadCtx_::lua_memory_limit_errors
StatsCounterId lua_memory_limit_errors
Definition: detect.h:1444
PKT_STREAM_ADD
#define PKT_STREAM_ADD
Definition: decode.h:1305
DetectLoadersInit
void DetectLoadersInit(void)
Definition: detect-engine-loader.c:615
ThreadVars_::tm_slots
struct TmSlot_ * tm_slots
Definition: threadvars.h:95
SignatureInitData_::mpm_sm
SigMatch * mpm_sm
Definition: detect.h:630
DetectEngineBufferTypeGetDescriptionById
const char * DetectEngineBufferTypeGetDescriptionById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1563
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:120
DETECT_SM_LIST_BASE64_DATA
@ DETECT_SM_LIST_BASE64_DATA
Definition: detect.h:124
SIG_FLAG_FLUSH
#define SIG_FLAG_FLUSH
Definition: detect.h:258
DetectEngineThreadKeywordCtxItem_::id
int id
Definition: detect.h:906
ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE
Definition: detect.h:1240
PKT_PSEUDO_STREAM_END
#define PKT_PSEUDO_STREAM_END
Definition: decode.h:1313
DetectEngineThreadCtx_::buffers
InspectionBuffer * buffers
Definition: detect.h:1358
detect-engine-file.h
DetectEngineMasterCtx_::keyword_list
DetectEngineThreadKeywordCtxItem * keyword_list
Definition: detect.h:1758
SignatureInitData_::mpm_sm_list
int mpm_sm_list
Definition: detect.h:628
LiveGetDevice
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
Definition: util-device.c:269
flow-worker.h
SCConfGetInt
int SCConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
Definition: conf.c:441
DetectEngineMasterCtx_::tenant_selector
enum DetectEngineTenantSelectors tenant_selector
Definition: detect.h:1749
DetectEngineCtx_::keyword_hash
HashListTable * keyword_hash
Definition: detect.h:1093
BOOL2STR
#define BOOL2STR(b)
Definition: util-debug.h:542
DetectPktInspectEngineRegister
void DetectPktInspectEngineRegister(const char *name, InspectionBufferGetPktDataPtr GetPktData, InspectionBufferPktInspectFunc Callback)
register inspect engine at start up time
Definition: detect-engine.c:159
DetectEngineInspectStreamPayload
int DetectEngineInspectStreamPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature on the raw stream.
Definition: detect-engine-payload.c:248
util-reference-config.h
Packet_::pcap_v
PcapPacketVars pcap_v
Definition: decode.h:602
DetectEngineCtx_::failure_fatal
bool failure_fatal
Definition: detect.h:982
Signature_::pkt_inspect
DetectEnginePktInspectionEngine * pkt_inspect
Definition: detect.h:740
DetectEngineAppInspectionEngine_::GetMultiData
InspectionMultiBufferGetDataPtr GetMultiData
Definition: detect.h:433
DetectEngineCtx_::max_flowbits
uint8_t max_flowbits
Definition: detect.h:985
SCEnter
#define SCEnter(...)
Definition: util-debug.h:284
detect-engine-mpm.h
DetectMetadataHashFree
void DetectMetadataHashFree(DetectEngineCtx *de_ctx)
Definition: detect-metadata.c:80
DetectBufferTypeMaxId
int DetectBufferTypeMaxId(void)
Definition: detect-engine.c:1212
DatasetPostReloadCleanup
void DatasetPostReloadCleanup(void)
Definition: datasets.c:565
SCConfGetNonNull
int SCConfGetNonNull(const char *name, const char **vptr)
Retrieve the non-null value of a configuration node.
Definition: conf.c:381
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineBufferTypeValidateTransform
bool DetectEngineBufferTypeValidateTransform(DetectEngineCtx *de_ctx, int sm_list, const uint8_t *content, uint16_t content_len, const char **namestr)
Check content byte array compatibility with transforms.
Definition: detect-engine.c:1708
DetectEngineCtx_::sm_types_prefilter
bool * sm_types_prefilter
Definition: detect.h:1167
DetectEngineEnabled
int DetectEngineEnabled(void)
Check if detection is enabled.
Definition: detect-engine.c:4069
SigMatchList2DataArray
SigMatchData * SigMatchList2DataArray(SigMatch *head)
convert SigMatch list to SigMatchData array
Definition: detect-parse.c:2597
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3620
MpmTableElmt_::CacheStatsDeinit
void(* CacheStatsDeinit)(void *data)
Definition: util-mpm.h:182
DetectEngineReloadIsIdle
int DetectEngineReloadIsIdle(void)
Definition: detect-engine.c:2099
DetectEngineFrameInspectionEngine::sm_list
uint16_t sm_list
Definition: detect.h:515
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:41
PKT_DETECT_HAS_STREAMDATA
#define PKT_DETECT_HAS_STREAMDATA
Definition: decode.h:1350
InspectionSingleBufferGetDataPtr
bool(* InspectionSingleBufferGetDataPtr)(const void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len)
Definition: detect-engine-helper.h:45
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:360
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:984
DETECT_TABLE_PACKET_PRE_FLOW
@ DETECT_TABLE_PACKET_PRE_FLOW
Definition: detect.h:559
detect-engine-port.h
LiveDevice_::tenant_id
uint32_t tenant_id
Definition: util-device-private.h:46
SCClassConfDeinit
void SCClassConfDeinit(DetectEngineCtx *de_ctx)
Definition: util-classification-config.c:81
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect-engine-inspect-buffer.h:36
DETECT_TABLE_PACKET_FILTER
@ DETECT_TABLE_PACKET_FILTER
Definition: detect.h:561
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
DetectEngineCtx_::frame_inspect_engines
DetectEngineFrameInspectionEngine * frame_inspect_engines
Definition: detect.h:1147
DetectEngineMasterCtx_::free_list
DetectEngineCtx * free_list
Definition: detect.h:1747
StringParseUint32
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:269
DetectEngineSyncState
DetectEngineSyncState
Definition: detect-engine.c:2051
LiveDevice_::dev
char * dev
Definition: util-device-private.h:33
DetectEngineThreadKeywordCtxItem_::next
struct DetectEngineThreadKeywordCtxItem_ * next
Definition: detect.h:905
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:117
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:262
HashTableAdd
int HashTableAdd(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash.c:132
DetectEngineBufferTypeRegister
int DetectEngineBufferTypeRegister(DetectEngineCtx *de_ctx, const char *name)
Definition: detect-engine.c:1542
DetectPort_
Port structure for detection engine.
Definition: detect.h:219
DetectEngineThreadCtx_::json_content_capacity
uint8_t json_content_capacity
Definition: detect.h:1338
app-layer-parser.h
Signature_::app_inspect
DetectEngineAppInspectionEngine * app_inspect
Definition: detect.h:739
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
ThreadVars_::next
struct ThreadVars_ * next
Definition: threadvars.h:124
DetectEngineContentInspection
bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, const uint32_t buffer_len, const uint64_t stream_start_offset, const uint8_t flags, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
Definition: detect-engine-content-inspection.c:751
SignatureInitData_::hook
SignatureHook hook
Definition: detect.h:597
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *tx, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1225
DetectEngineThreadCtx_::lua_rule_errors
StatsCounterId lua_rule_errors
Definition: detect.h:1435
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:325
hashlittle_safe
uint32_t hashlittle_safe(const void *key, size_t length, uint32_t initval)
Definition: util-hash-lookup3.c:482
DetectEngineThreadCtx_::base64_decoded_len
int base64_decoded_len
Definition: detect.h:1383
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2366
detect-engine-tag.h
util-profiling.h
tv_root_lock
SCMutex tv_root_lock
Definition: tm-threads.c:87
DetectEngineInspectStream
uint8_t DetectEngineInspectStream(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
inspect engine for stateful rules
Definition: detect-engine-payload.c:298
DetectEngineLoadTenantBlocking
int DetectEngineLoadTenantBlocking(uint32_t tenant_id, const char *yaml)
Load a tenant and wait for loading to complete.
Definition: detect-engine.c:4398
TmModuleDetectLoaderRegister
void TmModuleDetectLoaderRegister(void)
Definition: detect-engine-loader.c:776
Signature_::flags
uint32_t flags
Definition: detect.h:683
DetectEngineFrameInspectionEngine::v1
struct DetectEngineFrameInspectionEngine::@86 v1
DetectBufferType_::xform_id
TransformIdData xform_id[DETECT_TRANSFORMS_MAX]
Definition: detect.h:465
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2833
RuleMatchCandidateTxArrayFree
void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx)
Definition: detect.c:1194
DetectEngineInitializeFastPatternList
void DetectEngineInitializeFastPatternList(DetectEngineCtx *de_ctx)
Definition: detect-fast-pattern.c:149
Packet_
Definition: decode.h:516
DetectEngineFrameInspectionEngine::alproto
AppProto alproto
Definition: detect.h:511
DE_STATE_FLAG_BASE
#define DE_STATE_FLAG_BASE
Definition: detect-engine-state.h:66
detect-engine-build.h
PatternMatchThreadPrepare
void PatternMatchThreadPrepare(MpmThreadCtx *mpm_thread_ctx, DetectEngineCtx *de_ctx)
Definition: detect-engine-mpm.c:993
conf-yaml-loader.h
SCRConfLoadReferenceConfigFile
int SCRConfLoadReferenceConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Reference info from the reference.config file.
Definition: util-reference-config.c:481
DetectEngineTenantRegisterLivedev
int DetectEngineTenantRegisterLivedev(uint32_t tenant_id, int device_id)
Definition: detect-engine.c:4844
PcapPacketVars_::tenant_id
uint32_t tenant_id
Definition: source-pcap.h:39
DETECT_CI_FLAGS_END
#define DETECT_CI_FLAGS_END
Definition: detect-engine-content-inspection.h:42
DetectEngineBufferTypeSupportsFrames
void DetectEngineBufferTypeSupportsFrames(DetectEngineCtx *de_ctx, const char *name)
Definition: detect-engine.c:1572
InspectionBufferFrameInspectFunc
int(* InspectionBufferFrameInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame)
Definition: detect.h:506
MpmTableElmt_::CacheStatsInit
void *(* CacheStatsInit)(void)
Definition: util-mpm.h:180
DetectEngineCtx_::frame_mpms_list
DetectBufferMpmRegistry * frame_mpms_list
Definition: detect.h:1148
detect-engine-alert.h
conf.h
DetectEngineCtx_::sgh_mpm_ctx_cnf
uint8_t sgh_mpm_ctx_cnf
Definition: detect.h:1089
DetectEngineAppInspectionEngine_::match_on_null
bool match_on_null
Definition: detect.h:423
DetectBufferType_::packet
bool packet
Definition: detect.h:456
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
DetectEngineMasterCtx_::multi_tenant_enabled
int multi_tenant_enabled
Definition: detect.h:1735
TmModuleGetById
TmModule * TmModuleGetById(int id)
Returns a TM Module by its id.
Definition: tm-modules.c:69
TmSlot_
Definition: tm-threads.h:53
DetectEngineFrameInspectionEngine
Definition: detect.h:510
TenantLoaderCtx
struct TenantLoaderCtx_ TenantLoaderCtx
ENGINE_PROFILE_MEDIUM
@ ENGINE_PROFILE_MEDIUM
Definition: detect.h:1232
util-magic.h
DetectEngineCtx_::max_uniq_toserver_groups
uint16_t max_uniq_toserver_groups
Definition: detect.h:1044
MpmTableElmt_::CacheRuleset
int(* CacheRuleset)(MpmConfig *)
Definition: util-mpm.h:183
DetectEngineBufferTypeGetById
const DetectBufferType * DetectEngineBufferTypeGetById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1475
DETECT_TABLE_PACKET_TD
@ DETECT_TABLE_PACKET_TD
Definition: detect.h:562
TmEcode
TmEcode
Definition: tm-threads-common.h:80
DetectEnginePktInspectionEngine::Callback
InspectionBufferPktInspectFunc Callback
Definition: detect.h:492
ThresholdCacheThreadInit
int ThresholdCacheThreadInit(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine-threshold.c:642
DetectBufferType_::name
char name[64]
Definition: detect.h:451
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:761
DetectEngineSyncer_::state
enum DetectEngineSyncState state
Definition: detect-engine.c:2059
SpmMakeThreadCtx
SpmThreadCtx * SpmMakeThreadCtx(const SpmGlobalThreadCtx *global_thread_ctx)
Definition: util-spm.c:163
SCReferenceSCConfInit
void SCReferenceSCConfInit(DetectEngineCtx *de_ctx)
Definition: util-reference-config.c:52
DetectEngineCtx_::profile_keyword_ctx
struct SCProfileKeywordDetectCtx_ * profile_keyword_ctx
Definition: detect.h:1101
DetectEngineAppInspectionEngine_::GetDataSingle
InspectionSingleBufferGetDataPtr GetDataSingle
Definition: detect.h:432
SCInstance_::additional_configs
const char ** additional_configs
Definition: suricata.h:179
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1480
reputation.h
SCProfilingPrefilterThreadCleanup
void SCProfilingPrefilterThreadCleanup(DetectEngineThreadCtx *det_ctx)
Definition: util-profiling-prefilter.c:281
SCConfCreateContextBackup
void SCConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition: conf.c:741
util-action.h
HashListTable_
Definition: util-hashlist.h:37
DetectEngineThreadCtxGetJsonContext
int DetectEngineThreadCtxGetJsonContext(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine.c:5378
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:1063
DetectEngineTransforms::transforms
TransformData transforms[DETECT_TRANSFORMS_MAX]
Definition: detect.h:392
DetectEnginePktInspectionEngine::sm_list_base
uint16_t sm_list_base
Definition: detect.h:489
SIG_PROP_FLOW_ACTION_PACKET
@ SIG_PROP_FLOW_ACTION_PACKET
Definition: detect.h:84
DetectEngineMultiTenantEnabled
bool DetectEngineMultiTenantEnabled(void)
Definition: detect-engine.c:4139
signature_properties
const struct SignatureProperties signature_properties[SIG_TYPE_MAX]
Definition: detect-engine.c:119
DetectEngineCtx_::RateFilterCallback
SCDetectRateFilterFunc RateFilterCallback
Definition: detect.h:1203
runmodes.h
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:292
PacketQueue_::cond_q
SCCondT cond_q
Definition: packet-queue.h:57
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:232
TAILQ_FOREACH_SAFE
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)
Definition: queue.h:329
DetectEngineFrameInspectionEngine::dir
uint8_t dir
Definition: detect.h:512
SIG_FLAG_REQUIRE_STREAM_ONLY
#define SIG_FLAG_REQUIRE_STREAM_ONLY
Definition: detect.h:260
SpmDestroyGlobalThreadCtx
void SpmDestroyGlobalThreadCtx(SpmGlobalThreadCtx *global_thread_ctx)
Definition: util-spm.c:154
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:42
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition: detect.h:1404
DetectEngineRegisterTests
void DetectEngineRegisterTests(void)
Definition: detect-engine.c:5650
SigString_::filename
char * filename
Definition: detect.h:884
DetectBufferType_::multi_instance
bool multi_instance
Definition: detect.h:459
DetectLoaderQueueTask
int DetectLoaderQueueTask(int loader_id, LoaderFunc Func, void *func_ctx, LoaderFreeFunc FreeFunc)
Definition: detect-engine-loader.c:538
DETECT_ENGINE_TYPE_TENANT
@ DETECT_ENGINE_TYPE_TENANT
Definition: detect.h:921
DetectEngineBufferTypeSupportsTransformations
void DetectEngineBufferTypeSupportsTransformations(DetectEngineCtx *de_ctx, const char *name)
Definition: detect-engine.c:1596
PACKET_ALERT_FLAG_STREAM_MATCH
#define PACKET_ALERT_FLAG_STREAM_MATCH
Definition: decode.h:272
InspectionMultiBufferGetDataPtr
bool(* InspectionMultiBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const void *txv, const uint8_t flow_flags, uint32_t local_id, const uint8_t **buf, uint32_t *buf_len)
Definition: detect-engine-helper.h:42
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2295
DetectEngineBufferTypeSupportsMpmGetById
bool DetectEngineBufferTypeSupportsMpmGetById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1622
DetectAppLayerMpmMultiRegister
void DetectAppLayerMpmMultiRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionMultiBufferGetDataPtr GetData, AppProto alproto, uint8_t tx_min_progress)
Definition: detect-engine-mpm.c:184
DetectEngineCtx_::config_prefix
char config_prefix[64]
Definition: detect.h:1107
DetectSigmatchListEnumToString
const char * DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
Definition: detect-engine.c:5258
TmModule_
Definition: tm-modules.h:47
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
DetectEngineAppInspectionEngine_::alproto
AppProto alproto
Definition: detect.h:417
MpmConfig_::cache_max_age_seconds
uint64_t cache_max_age_seconds
Definition: util-mpm.h:93
SRepReloadComplete
void SRepReloadComplete(void)
Increment effective reputation version after a rule/reputation reload is complete.
Definition: reputation.c:161
SIG_FLAG_INIT_STATE_MATCH
#define SIG_FLAG_INIT_STATE_MATCH
Definition: detect.h:296
detect-engine-content-inspection.h
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:440
DetectEngineBufferTypeSupportsFramesGetById
bool DetectEngineBufferTypeSupportsFramesGetById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1631
DetectBufferType_::id
int id
Definition: detect.h:453
DetectEngineCtx_::spm_matcher
uint8_t spm_matcher
Definition: detect.h:989
DetectEngineBufferTypeRegisterWithFrameEngines
int DetectEngineBufferTypeRegisterWithFrameEngines(DetectEngineCtx *de_ctx, const char *name, const int direction, const AppProto alproto, const uint8_t frame_type)
Definition: detect-engine.c:1508
DetectEnginePktInspectionEngine::GetData
InspectionBufferGetPktDataPtr GetData
Definition: detect.h:491
SCConfNodeLookupChild
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:850
ENGINE_PROFILE_UNKNOWN
@ ENGINE_PROFILE_UNKNOWN
Definition: detect.h:1230
DETECT_ENGINE_TYPE_NORMAL
@ DETECT_ENGINE_TYPE_NORMAL
Definition: detect.h:918
FlowWorkerGetDetectCtxPtr
void * FlowWorkerGetDetectCtxPtr(void *flow_worker)
Definition: flow-worker.c:743
detect-fast-pattern.h
APP_LAYER_MAX_PROGRESS
#define APP_LAYER_MAX_PROGRESS
Definition: app-layer-parser.h:75
DetectBufferType_::frame
bool frame
Definition: detect.h:457
DetectEngineBufferTypeSupportsMultiInstanceGetById
bool DetectEngineBufferTypeSupportsMultiInstanceGetById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1604
SCCondSignal
#define SCCondSignal
Definition: threads-debug.h:140
ThreadVars_::inq
Tmq * inq
Definition: threadvars.h:89
util-conf.h
DetectEngineCtx_::sig_stat
SigFileLoaderStat sig_stat
Definition: detect.h:1158
Packet_::flow
struct Flow_ * flow
Definition: decode.h:564
DetectEngineFrameMpmRegister
void DetectEngineFrameMpmRegister(DetectEngineCtx *de_ctx, const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id), AppProto alproto, uint8_t type)
Definition: detect-engine-mpm.c:480
DetectEngineThreadCtx_::to_clear_queue
uint32_t * to_clear_queue
Definition: detect.h:1361
SpmDestroyThreadCtx
void SpmDestroyThreadCtx(SpmThreadCtx *thread_ctx)
Definition: util-spm.c:173
DetectEngineCtx_::profile_prefilter_ctx
struct SCProfilePrefilterDetectCtx_ * profile_prefilter_ctx
Definition: detect.h:1102
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
TENANT_SELECTOR_DIRECT
@ TENANT_SELECTOR_DIRECT
Definition: detect.h:1717
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:50
DetectEnginePktInspectionSetup
int DetectEnginePktInspectionSetup(Signature *s)
Definition: detect-engine.c:2029
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1391
InspectEngineFuncPtr
uint8_t(* InspectEngineFuncPtr)(struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Definition: detect.h:411
SleepMsec
#define SleepMsec(msec)
Definition: tm-threads.h:45
flags
uint8_t flags
Definition: decode-gre.h:0
DetectRegisterThreadCtxFuncs
int DetectRegisterThreadCtxFuncs(DetectEngineCtx *de_ctx, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int mode)
Register Thread keyword context Funcs.
Definition: detect-engine.c:3923
DetectAppLayerMultiRegister
void DetectAppLayerMultiRegister(const char *name, AppProto alproto, uint32_t dir, uint8_t progress, InspectionMultiBufferGetDataPtr GetData, int priority)
Definition: detect-engine.c:2288
MpmStoreInit
int MpmStoreInit(DetectEngineCtx *de_ctx)
Initializes the MpmStore mpm hash table to be used by the detection engine context.
Definition: detect-engine-mpm.c:1495
DetectEngineMasterCtx_::keyword_id
int keyword_id
Definition: detect.h:1759
DetectEngineCtx_::app_mpms_list
DetectBufferMpmRegistry * app_mpms_list
Definition: detect.h:1140
suricata-common.h
DetectEnginePktInspectionEngine::v1
struct DetectEnginePktInspectionEngine::@85 v1
SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
@ SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
Definition: detect.h:86
DetectEngineCtxInitStubForMT
DetectEngineCtx * DetectEngineCtxInitStubForMT(void)
Definition: detect-engine.c:2823
SigMatch_::type
uint16_t type
Definition: detect.h:357
DetectBufferTypeSupportsMpm
void DetectBufferTypeSupportsMpm(const char *name)
Definition: detect-engine.c:1435
util-path.h
DetectEngineThreadCtx_::tenant_id
uint32_t tenant_id
Definition: detect.h:1303
HashListTableFree
void HashListTableFree(HashListTable *ht)
Definition: util-hashlist.c:88
DETECT_FIREWALL_POLICY_SIZE
#define DETECT_FIREWALL_POLICY_SIZE
Definition: detect.h:928
detect-byte-extract.h
DetectEngineCtx_::buffer_type_hash_name
HashListTable * buffer_type_hash_name
Definition: detect.h:1135
DetectEngineCtx_::next
struct DetectEngineCtx_ * next
Definition: detect.h:1114
DETECT_TABLE_NOT_SET
@ DETECT_TABLE_NOT_SET
Definition: detect.h:558
DETECT_ENGINE_TYPE_DD_STUB
@ DETECT_ENGINE_TYPE_DD_STUB
Definition: detect.h:919
TENANT_SELECTOR_VLAN
@ TENANT_SELECTOR_VLAN
Definition: detect.h:1718
DetectEngineBumpVersion
void DetectEngineBumpVersion(void)
Definition: detect-engine.c:4093
DetectEngineFrameInspectionEngine::next
struct DetectEngineFrameInspectionEngine * next
Definition: detect.h:523
SignatureHook_::type
enum SignatureHookType type
Definition: detect.h:577
DetectEngineInspectFrameBufferGeneric
int DetectEngineInspectFrameBufferGeneric(DetectEngineThreadCtx *det_ctx, const DetectEngineFrameInspectionEngine *engine, const Signature *s, Packet *p, const Frames *frames, const Frame *frame)
Do the content inspection & validation for a signature.
Definition: detect-engine-frame.c:561
Packet_::livedev_id
uint16_t livedev_id
Definition: decode.h:633
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3865
util-spm.h
DetectEnginePktInspectionEngine::next
struct DetectEnginePktInspectionEngine * next
Definition: detect.h:496
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:94
DetectEngineCtx_::rate_filter_callback_arg
void * rate_filter_callback_arg
Definition: detect.h:1206
DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT
#define DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT
Definition: detect-engine.c:96
version
uint8_t version
Definition: decode-gre.h:1
MpmConfig_::cache_stats
void * cache_stats
Definition: util-mpm.h:94
detect-engine-buffer.h
PostRuleMatchWorkQueue::q
PostRuleMatchWorkQueueItem * q
Definition: detect.h:1282
TransformIdData_::id_data_len
uint32_t id_data_len
Definition: detect.h:447
MPM_HS
@ MPM_HS
Definition: util-mpm.h:40
PatternMatchDefaultMatcher
uint8_t PatternMatchDefaultMatcher(void)
Function to return the multi pattern matcher algorithm to be used by the engine, based on the mpm-alg...
Definition: detect-engine-mpm.c:936
AppLayerParserGetSubStateProgressName
const char * AppLayerParserGetSubStateProgressName(const AppProto alproto, const uint8_t sub_state, const uint8_t state, const uint8_t dir_flag)
Definition: app-layer-parser.c:1303
util-classification-config.h
SCConfDeInit
void SCConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:760
DetectEngineTenantRegisterPcapFile
int DetectEngineTenantRegisterPcapFile(uint32_t tenant_id)
Definition: detect-engine.c:4860
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
FatalError
#define FatalError(...)
Definition: util-debug.h:517
SigGroupHeadHashFree
void SigGroupHeadHashFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function.
Definition: detect-engine-siggroup.c:299
SCAppLayerDecoderEventsFreeEvents
void SCAppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
Definition: app-layer-events.c:137
DetectEngineInspectGenericList
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2123
DetectEngineAppInspectionEngineSignatureFree
void DetectEngineAppInspectionEngineSignatureFree(DetectEngineCtx *de_ctx, Signature *s)
free app inspect engines for a signature
Definition: detect-engine.c:1106
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER
Definition: detect-engine-content-inspection.h:33
util-hash-lookup3.h
DETECT_SM_LIST_TMATCH
@ DETECT_SM_LIST_TMATCH
Definition: detect.h:129
DetectEngineCtx_::loader_id
int loader_id
Definition: detect.h:1117
SCInstance_::sig_file
char * sig_file
Definition: suricata.h:139
TransformData_::transform
int transform
Definition: detect.h:387
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:40
DetectEngineCtx_::pkt_inspect_engines
DetectEnginePktInspectionEngine * pkt_inspect_engines
Definition: detect.h:1144
DetectEngineBufferTypeSupportsMpm
void DetectEngineBufferTypeSupportsMpm(DetectEngineCtx *de_ctx, const char *name)
Definition: detect-engine.c:1588
SIG_TYPE_MAX
@ SIG_TYPE_MAX
Definition: detect.h:79
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:33
DetectEngineCtx_::sm_types_silent_error
bool * sm_types_silent_error
Definition: detect.h:1168
DetectEngineThreadKeywordCtxItem_::FreeFunc
void(* FreeFunc)(void *)
Definition: detect.h:903
DetectAppLayerInspectEngineRegisterSubState
void DetectAppLayerInspectEngineRegisterSubState(const char *name, AppProto alproto, uint32_t dir, uint8_t sub_state, uint8_t progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
register an app inspection engine for a tx type
Definition: detect-engine.c:299
app-layer-events.h
SignatureInitDataBuffer_::only_ts
bool only_ts
Definition: detect.h:534
util-validate.h
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:261
DetectEngineFreeFastPatternList
void DetectEngineFreeFastPatternList(DetectEngineCtx *de_ctx)
Definition: detect-fast-pattern.c:171
DetectBufferTypeSupportsTransformations
void DetectBufferTypeSupportsTransformations(const char *name)
Definition: detect-engine.c:1445
detect-engine-sigorder.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DetectEngineMpmCachingGetPath
const char * DetectEngineMpmCachingGetPath(void)
Definition: detect-engine.c:2652
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
DETECT_ENGINE_MPM_CACHE_OP_SAVE
#define DETECT_ENGINE_MPM_CACHE_OP_SAVE
Definition: detect.h:1768
DetectAddressMapInit
int DetectAddressMapInit(DetectEngineCtx *de_ctx)
Definition: detect-engine-address.c:1324
DetectContentData_::spm_ctx
SpmCtx * spm_ctx
Definition: detect-content.h:111
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect-engine-inspect-buffer.h:37
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:661
DetectEngineCtx_::app_inspect_engines
DetectEngineAppInspectionEngine * app_inspect_engines
Definition: detect.h:1143
DetectEngineCtx_::filemagic_thread_ctx_id
int filemagic_thread_ctx_id
Definition: detect.h:1035
SigJsonContent
Definition: detect.h:1292
DetectEngineSyncer_
Definition: detect-engine.c:2057
DetectEngineThreadCtx_::global_keyword_ctxs_size
int global_keyword_ctxs_size
Definition: detect.h:1428
DetectEngineThreadCtx_::json_content
SigJsonContent * json_content
Definition: detect.h:1337
PrefilterInit
void PrefilterInit(DetectEngineCtx *de_ctx)
Definition: detect-engine-prefilter.c:1524
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect-engine-inspect-buffer.h:35
str
#define str(s)
Definition: suricata-common.h:316
DetectEngineThreadCtx_::replace
const Signature ** replace
Definition: detect.h:1394
DetectEngineThreadCtx_::tv
ThreadVars * tv
Definition: detect.h:1308
SCConfGetNode
SCConfNode * SCConfGetNode(const char *name)
Get a SCConfNode by name.
Definition: conf.c:184
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:274
DETECT_TBLSIZE
int DETECT_TBLSIZE
Definition: detect-engine-register.c:264
SRepInit
int SRepInit(DetectEngineCtx *de_ctx)
init reputation
Definition: reputation.c:557
DetectEngineReloadStart
int DetectEngineReloadStart(void)
Definition: detect-engine.c:2065
DetectEngineUnsetParseMetadata
void DetectEngineUnsetParseMetadata(void)
Definition: detect-engine.c:5248
PKT_SRC_DETECT_RELOAD_FLUSH
@ PKT_SRC_DETECT_RELOAD_FLUSH
Definition: decode.h:61
DetectEngineThreadCtx_::keyword_ctxs_array
void ** keyword_ctxs_array
Definition: detect.h:1425
SCFree
#define SCFree(p)
Definition: util-mem.h:61
AppLayerParserGetSubStateName
const char * AppLayerParserGetSubStateName(const AppProto alproto, const uint8_t sub_state)
Definition: app-layer-parser.c:1352
DetectEngineAppInspectionEngine_::sub_state
uint8_t sub_state
Definition: detect.h:427
DetectEngineMasterCtx_
Definition: detect.h:1731
Signature_::id
uint32_t id
Definition: detect.h:727
ENGINE_PROFILE_CUSTOM
@ ENGINE_PROFILE_CUSTOM
Definition: detect.h:1234
HashListTableBucket_
Definition: util-hashlist.h:28
DetectEngineThreadKeywordCtxItem_::name
const char * name
Definition: detect.h:907
detect-tcphdr.h
DetectEngineCtx_::guess_applayer_log_limit
uint8_t guess_applayer_log_limit
Definition: detect.h:1029
HashListTableRemove
int HashListTableRemove(HashListTable *ht, void *data, uint16_t datalen)
Definition: util-hashlist.c:154
DatasetReload
void DatasetReload(void)
Definition: datasets.c:539
ENGINE_PROFILE_LOW
@ ENGINE_PROFILE_LOW
Definition: detect.h:1231
DetectBufferType_::transforms
DetectEngineTransforms transforms
Definition: detect.h:464
detect-engine-iponly.h
SCConfRestoreContextBackup
void SCConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition: conf.c:751
DetectEngineType
DetectEngineType
Definition: detect.h:917
detect-parse.h
SignatureInitDataBuffer_::id
uint32_t id
Definition: detect.h:527
Signature_
Signature container.
Definition: detect.h:682
SigMatch_
a single match condition for a signature
Definition: detect.h:356
DetectEngineCtx_::tenant_path
char * tenant_path
Definition: detect.h:1188
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:437
DETECT_SM_LIST_MAX
@ DETECT_SM_LIST_MAX
Definition: detect.h:135
DetectBufferType_::parent_id
int parent_id
Definition: detect.h:454
DETECT_PREFILTER_MPM
@ DETECT_PREFILTER_MPM
Definition: detect.h:912
TenantLoaderCtx_::yaml
char * yaml
Definition: detect-engine.c:4284
TransformIdData_::id_data
const uint8_t * id_data
Definition: detect.h:446
DetectLoadersSync
int DetectLoadersSync(void)
wait for loader tasks to complete
Definition: detect-engine-loader.c:572
SCProfilingSghDestroyCtx
void SCProfilingSghDestroyCtx(DetectEngineCtx *de_ctx)
Definition: util-profiling-rulegroups.c:286
HashTableInit
HashTable * HashTableInit(uint32_t size, uint32_t(*Hash)(struct HashTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
Definition: util-hash.c:35
DetectEngineTenantMapping_::traffic_id
uint32_t traffic_id
Definition: detect.h:1726
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:33
spm_table
SpmTableElmt spm_table[SPM_TABLE_SIZE]
Definition: util-spm.c:63
DetectEngineReference
DetectEngineCtx * DetectEngineReference(DetectEngineCtx *de_ctx)
Definition: detect-engine.c:4125
SCDetectEngineRegisterRateFilterCallback
bool SCDetectEngineRegisterRateFilterCallback(SCDetectRateFilterFunc fn, void *arg)
Register a callback when a rate_filter has been applied to an alert.
Definition: detect-engine.c:5365
DetectEngineThreadCtx_::base64_decoded
uint8_t * base64_decoded
Definition: detect.h:1382
TenantLoaderCtx_::reload_cnt
int reload_cnt
Definition: detect-engine.c:4283
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:47
DetectEngineSyncer
struct DetectEngineSyncer_ DetectEngineSyncer
DetectMpmInitializeAppMpms
void DetectMpmInitializeAppMpms(DetectEngineCtx *de_ctx)
Definition: detect-engine-mpm.c:316
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:246
MpmTableElmt_::ConfigDeinit
void(* ConfigDeinit)(MpmConfig **)
Definition: util-mpm.h:162
DetectEngineTransforms::cnt
int cnt
Definition: detect.h:393
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1423
InspectionBufferSetupMultiEmpty
void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer)
setup the buffer empty
Definition: detect-engine-inspect-buffer.c:144
suricata.h
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:1000
MpmTableElmt_::ConfigCacheDirSet
void(* ConfigCacheDirSet)(MpmConfig *, const char *dir_path)
Definition: util-mpm.h:163
InspectionBufferGetDataPtr
InspectionBuffer *(* InspectionBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)
Definition: detect-engine-helper.h:39
DetectEngineAppInspectionEngine_::dir
uint8_t dir
Definition: detect.h:418
PmqFree
void PmqFree(PrefilterRuleStore *pmq)
Cleanup and free a Pmq.
Definition: util-prefilter.c:126
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
MpmTableElmt_::CachePrune
int(* CachePrune)(MpmConfig *)
Definition: util-mpm.h:184
DETECT_ENGINE_TYPE_MT_STUB
@ DETECT_ENGINE_TYPE_MT_STUB
Definition: detect.h:920
SCConfNode_::name
char * name
Definition: conf.h:38
SignatureInitDataBuffer_::only_tc
bool only_tc
Definition: detect.h:533
detect-uricontent.h
DetectEngineCtx_::buffer_type_id
uint32_t buffer_type_id
Definition: detect.h:1137
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:543
RUNMODE_CONF_TEST
@ RUNMODE_CONF_TEST
Definition: runmodes.h:56
ENGINE_PROFILE_HIGH
@ ENGINE_PROFILE_HIGH
Definition: detect.h:1233
DetectEngineReload
int DetectEngineReload(const SCInstance *suri)
Reload the detection engine.
Definition: detect-engine.c:5054
DetectEngineBufferRunValidateCallback
bool DetectEngineBufferRunValidateCallback(const DetectEngineCtx *de_ctx, const int id, const Signature *s, const char **sigerror)
Definition: detect-engine.c:1669
DetectEngineCtx_::sigerror
const char * sigerror
Definition: detect.h:1081
DetectEngineThreadCtx_::json_content_len
uint8_t json_content_len
Definition: detect.h:1339
DetectEngineThreadCtx_::mt_det_ctxs_cnt
uint32_t mt_det_ctxs_cnt
Definition: detect.h:1310
DetectEngineContentInspectionBuffer
bool DetectEngineContentInspectionBuffer(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const InspectionBuffer *b, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
Definition: detect-engine-content-inspection.c:772
DetectEngineMasterCtx_::lock
SCMutex lock
Definition: detect.h:1732
DetectEnginePktInspectionEngine::mpm
bool mpm
Definition: detect.h:487
SCInstance_
Definition: suricata.h:134
DetectEngineCtx_::spm_global_thread_ctx
SpmGlobalThreadCtx * spm_global_thread_ctx
Definition: detect.h:1039
DetectEngineClearMaster
void DetectEngineClearMaster(void)
Definition: detect-engine.c:5027
DetectEngineThreadCtx_::counter_match_list
StatsCounterAvgId counter_match_list
Definition: detect.h:1354
SRepDestroy
void SRepDestroy(DetectEngineCtx *de_ctx)
Definition: reputation.c:640
MpmTableElmt_::ConfigInit
MpmConfig *(* ConfigInit)(void)
Definition: util-mpm.h:161
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:983
AppLayerParserSupportsSubStates
bool AppLayerParserSupportsSubStates(const AppProto alproto)
Definition: app-layer-parser.c:1382
SIG_PROP_FLOW_ACTION_FLOW
@ SIG_PROP_FLOW_ACTION_FLOW
Definition: detect.h:85
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1552
DetectFirewallPolicies::app_policies
HashTable * app_policies
Definition: detect.h:954
SigString_::sig_str
char * sig_str
Definition: detect.h:885
SCStatFn
#define SCStatFn(pathname, statbuf)
Definition: util-path.h:35
DetectUnregisterThreadCtxFuncs
int DetectUnregisterThreadCtxFuncs(DetectEngineCtx *de_ctx, void *data, const char *name)
Remove Thread keyword context registration.
Definition: detect-engine.c:3975
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:375
SCInstance_::sig_file_exclusive
bool sig_file_exclusive
Definition: suricata.h:140
DetectAppLayerInspectEngineRegisterSingle
void DetectAppLayerInspectEngineRegisterSingle(const char *name, AppProto alproto, uint32_t dir, uint8_t progress, InspectEngineFuncPtr Callback, InspectionSingleBufferGetDataPtr GetData)
Definition: detect-engine.c:322
DetectEngineFrameInspectEngineRegister
void DetectEngineFrameInspectEngineRegister(DetectEngineCtx *de_ctx, const char *name, int dir, InspectionBufferFrameInspectFunc Callback, AppProto alproto, uint8_t type)
register inspect engine at start up time
Definition: detect-engine.c:480
Signature_::msg
char * msg
Definition: detect.h:750
DetectEngineTenantRegisterVlanId
int DetectEngineTenantRegisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
Definition: detect-engine.c:4850
flow.h
DetectEngineSetParseMetadata
void DetectEngineSetParseMetadata(void)
Definition: detect-engine.c:5243
TmThreadsCheckFlag
int TmThreadsCheckFlag(ThreadVars *tv, uint32_t flag)
Check if a thread flag is set.
Definition: tm-threads.c:95
SCDetectRegisterThreadCtxGlobalFuncs
int SCDetectRegisterThreadCtxGlobalFuncs(const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *))
Register Thread keyword context Funcs (Global)
Definition: detect-engine.c:4013
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:250
DetectPktMpmRegisterByParentId
void DetectPktMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
Definition: detect-engine-mpm.c:670
SpmDestroyCtx
void SpmDestroyCtx(SpmCtx *ctx)
Definition: util-spm.c:193
TENANT_SELECTOR_LIVEDEV
@ TENANT_SELECTOR_LIVEDEV
Definition: detect.h:1719
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
DetectEngineFrameInspectionEngine::type
uint8_t type
Definition: detect.h:513
DetectSigmatchListEnum
DetectSigmatchListEnum
Definition: detect.h:115
DetectEngineMasterCtx_::version
uint32_t version
Definition: detect.h:1738
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DetectEngineCtx_::sig_array_len
uint32_t sig_array_len
Definition: detect.h:1001
util-enum.h
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
SCConfNode_
Definition: conf.h:37
DetectEngineTenantUnregisterPcapFile
int DetectEngineTenantUnregisterPcapFile(uint32_t tenant_id)
Definition: detect-engine.c:4866
TenantLoaderCtx_::tenant_id
uint32_t tenant_id
Definition: detect-engine.c:4282
DetectEngineCtx_::signum
uint32_t signum
Definition: detect.h:1003
DetectEngineCtx_::tenant_id
uint32_t tenant_id
Definition: detect.h:986
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:662
detect-engine-loader.h
SigFileLoaderStat_
Signature loader statistics.
Definition: detect.h:892
SCConfNode_::val
char * val
Definition: conf.h:39
DetectEngineInspectPktBufferGeneric
int DetectEngineInspectPktBufferGeneric(DetectEngineThreadCtx *det_ctx, const DetectEnginePktInspectionEngine *engine, const Signature *s, Packet *p, uint8_t *_alert_flags)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2387
DetectEngineCtx_::buffer_type_hash_id
HashListTable * buffer_type_hash_id
Definition: detect.h:1136
DetectEngineGetByTenantId
DetectEngineCtx * DetectEngineGetByTenantId(uint32_t tenant_id)
Definition: detect-engine.c:4877
SpmInitCtx
SpmCtx * SpmInitCtx(const uint8_t *needle, uint16_t needle_len, int nocase, SpmGlobalThreadCtx *global_thread_ctx)
Definition: util-spm.c:183
DetectPortCleanupList
void DetectPortCleanupList(const DetectEngineCtx *de_ctx, DetectPort *head)
Free a DetectPort list and each of its members.
Definition: detect-engine-port.c:124
DETECT_SM_LIST_SUPPRESS
@ DETECT_SM_LIST_SUPPRESS
Definition: detect.h:132
SCMutex
#define SCMutex
Definition: threads-debug.h:114
InspectionBufferMultipleForList::inspection_buffers
InspectionBuffer * inspection_buffers
Definition: detect.h:380
DetectLowerSetupCallback
void DetectLowerSetupCallback(const DetectEngineCtx *de_ctx, Signature *s, const DetectBufferType *map)
Definition: detect-engine.c:5334
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:109
DetectEngineAppInspectionEngine2Signature
int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-engine.c:941
SCClassConfLoadClassificationConfigFile
bool SCClassConfLoadClassificationConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Classtype info from the classification.config file.
Definition: util-classification-config.c:520
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine-inspect-buffer.c:157
DetectEngineThreadCtx_::lua_blocked_function_errors
StatsCounterId lua_blocked_function_errors
Definition: detect.h:1438
DetectEngineTenantUnregisterVlanId
int DetectEngineTenantUnregisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
Definition: detect-engine.c:4855
SCStat
struct stat SCStat
Definition: util-path.h:33
detect-engine-address.h
PmqSetup
int PmqSetup(PrefilterRuleStore *pmq)
Setup a pmq.
Definition: util-prefilter.c:37
PatternMatchThreadDestroy
void PatternMatchThreadDestroy(MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher)
Definition: detect-engine-mpm.c:988
TmModule_::flags
uint8_t flags
Definition: tm-modules.h:80
VarNameStoreActivate
int VarNameStoreActivate(void)
Definition: util-var-name.c:222
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine-inspect-buffer.c:76
RuleMatchCandidateTxArrayInit
void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size)
Definition: detect.c:1181
SCProfilingKeywordThreadSetup
void SCProfilingKeywordThreadSetup(SCProfileKeywordDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
Definition: util-profiling-keywords.c:284
util-threshold-config.h
DetectEngineReloadIsStart
int DetectEngineReloadIsStart(void)
Definition: detect-engine.c:2079
DetectEngineThreadCtx_::post_rule_work_queue
PostRuleMatchWorkQueue post_rule_work_queue
Definition: detect.h:1406
DetectEngineThreadCtx_::tenant_array_size
uint32_t tenant_array_size
Definition: detect.h:1315
DetectEngineThreadCtx_::tenant_array
struct DetectEngineTenantMapping_ * tenant_array
Definition: detect.h:1314
suricata_ctl_flags
volatile uint8_t suricata_ctl_flags
Definition: suricata.c:176
detect-engine-threshold.h
TM_FLAG_FLOWWORKER_TM
#define TM_FLAG_FLOWWORKER_TM
Definition: tm-modules.h:34
FlowWorkerReplaceDetectCtx
void FlowWorkerReplaceDetectCtx(void *flow_worker, void *detect_ctx)
Definition: flow-worker.c:736
StringHashDjb2
uint32_t StringHashDjb2(const uint8_t *data, uint32_t datalen)
Definition: util-hash-string.c:22
DetectEngineBufferTypeGetByIdTransforms
int DetectEngineBufferTypeGetByIdTransforms(DetectEngineCtx *de_ctx, const int id, TransformData *transforms, int transform_cnt)
Definition: detect-engine.c:1831
DetectEngineThreadCtx_::TenantGetId
uint32_t(* TenantGetId)(const void *, const Packet *p)
Definition: detect.h:1317
MPM_AC_KS
@ MPM_AC_KS
Definition: util-mpm.h:39
DetectEngineAppInspectionEngine_::progress
uint8_t progress
Definition: detect.h:426
SCProfilingPrefilterThreadSetup
void SCProfilingPrefilterThreadSetup(SCProfilePrefilterDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
Definition: util-profiling-prefilter.c:245
SCClassConfDeInitContext
void SCClassConfDeInitContext(DetectEngineCtx *de_ctx)
Releases resources used by the Classification Config API.
Definition: util-classification-config.c:191
PrefilterPktNonPFStatsDump
void PrefilterPktNonPFStatsDump(void)
Definition: detect-engine-prefilter.c:625
DetectBufferType_::description
char description[128]
Definition: detect.h:452
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:253
DetectEngineFrameInspectionEngine::smd
SigMatchData * smd
Definition: detect.h:522
DetectEngineThreadCtx_::match_array
Signature ** match_array
Definition: detect.h:1391