Go to the documentation of this file.
94 #define DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT 3000
101 static uint32_t TenantIdHash(
HashTable *h,
void *
data, uint16_t data_len);
102 static char TenantIdCompare(
void *d1, uint16_t d1_len,
void *d2, uint16_t d2_len);
103 static void TenantIdFree(
void *d);
104 static uint32_t DetectEngineTenantGetIdFromLivedev(
const void *
ctx,
const Packet *p);
105 static uint32_t DetectEngineTenantGetIdFromVlanId(
const void *
ctx,
const Packet *p);
106 static uint32_t DetectEngineTenantGetIdFromPcap(
const void *
ctx,
const Packet *p);
108 static inline void InspectionBufferApplyTransformsInternal(
154 FatalError(
"failed to register inspect engine %s: %s",
name, strerror(errno));
156 new_engine->
sm_list = (uint16_t)sm_list;
161 if (g_pkt_inspect_engines == NULL) {
162 g_pkt_inspect_engines = new_engine;
165 while (t->
next != NULL) {
169 t->
next = new_engine;
176 static void AppLayerInspectEngineRegisterInternal(
const char *
name,
AppProto alproto, uint32_t dir,
191 (progress < 0 || progress >= SHRT_MAX) || (Callback == NULL)) {
195 SCLogError(
"Invalid arguments: must register "
196 "GetData with DetectEngineInspectBufferGeneric");
199 SCLogError(
"Invalid arguments: must register "
200 "GetData with DetectEngineInspectMultiBufferGeneric");
212 AppLayerInspectEngineRegisterInternal(
222 new_engine->
dir = direction;
223 new_engine->
sm_list = (uint16_t)sm_list;
225 new_engine->
progress = (int16_t)progress;
233 if (g_app_inspect_engines == NULL) {
234 g_app_inspect_engines = new_engine;
237 while (t->
next != NULL) {
241 t->
next = new_engine;
255 if (t->
sm_list == sm_list && t->
alproto == alproto && t_direction == dir &&
263 AppLayerInspectEngineRegisterInternal(
name, alproto, dir, progress, Callback, GetData, NULL);
267 static void DetectAppLayerInspectEngineCopy(
269 int sm_list,
int new_list,
282 new_engine->
sm_list = (uint16_t)new_list;
286 new_engine->
v2 = t->
v2;
293 while (list->
next != NULL) {
297 list->
next = new_engine;
319 new_engine->
v2 = t->
v2;
324 list->
next = new_engine;
333 static void DetectPktInspectEngineCopy(
335 int sm_list,
int new_list,
346 new_engine->
sm_list = (uint16_t)new_list;
349 new_engine->
v1 = t->
v1;
356 while (list->
next != NULL) {
360 list->
next = new_engine;
379 new_engine->
v1 = t->
v1;
385 while (list->
next != NULL) {
389 list->
next = new_engine;
421 FatalError(
"failed to register inspect engine %s: %s",
name, strerror(errno));
423 new_engine->
sm_list = (uint16_t)sm_list;
425 new_engine->
dir = direction;
434 while (list->
next != NULL) {
438 list->
next = new_engine;
457 new_engine->
sm_list = (uint16_t)new_list;
463 new_engine->
v1 = t->
v1;
468 while (list->
next != NULL) {
472 list->
next = new_engine;
494 new_engine->
v1 = t->
v1;
500 while (list->
next != NULL) {
504 list->
next = new_engine;
516 static void AppendStreamInspectEngine(
519 bool prepend =
false;
528 new_engine->
mpm =
true;
531 new_engine->
dir = direction;
532 new_engine->
stream =
true;
535 new_engine->
smd = stream;
543 }
else if (prepend) {
550 while (a->
next != NULL) {
554 a->
next = new_engine;
557 SCLogDebug(
"sid %u: engine %p/%u added", s->
id, new_engine, new_engine->
id);
564 bool prepend =
false;
587 new_engine->
mpm =
true;
593 new_engine->
smd = smd;
594 new_engine->
v1 = u->
v1;
600 }
else if (prepend) {
605 while (a->
next != NULL) {
609 a->
next = new_engine;
617 bool prepend =
false;
627 new_engine->
mpm =
true;
632 new_engine->
smd = smd;
633 new_engine->
v1 = e->
v1;
639 }
else if (prepend) {
644 while (a->
next != NULL) {
648 a->
next = new_engine;
654 const int mpm_list,
const int files_id, uint8_t *last_id,
bool *head_is_mpm)
668 SCLogDebug(
"app engine: t %p t->id %u => alproto:%s files:%s", t, t->
id,
676 bool prepend =
false;
681 new_engine->
mpm =
true;
688 new_engine->
smd = smd;
691 new_engine->
v2 = t->
v2;
697 if (new_engine->
sm_list == files_id) {
699 SCLogDebug(
"sid %u: engine %p/%u is FILE ENGINE", s->
id, new_engine, new_engine->
id);
702 SCLogDebug(
"sid %u: engine %p/%u %s", s->
id, new_engine, new_engine->
id,
710 if (new_engine->
sm_list == files_id) {
712 SCLogDebug(
"sid %u: engine %p/%u is FILE ENGINE", s->
id, new_engine, new_engine->
id);
714 new_engine->
id = ++(*last_id);
715 SCLogDebug(
"sid %u: engine %p/%u %s", s->
id, new_engine, new_engine->
id,
721 while (a->
next != NULL) {
729 a->
next = new_engine;
730 if (new_engine->
sm_list == files_id) {
732 SCLogDebug(
"sid %u: engine %p/%u is FILE ENGINE", s->
id, new_engine, new_engine->
id);
734 new_engine->
id = ++(*last_id);
735 SCLogDebug(
"sid %u: engine %p/%u %s", s->
id, new_engine, new_engine->
id,
740 SCLogDebug(
"sid %u: engine %p/%u added", s->
id, new_engine, new_engine->
id);
753 bool head_is_mpm =
false;
768 u != NULL; u = u->
next) {
770 AppendFrameInspectEngine(
de_ctx, u, s, smd, mpm_list);
779 AppendPacketInspectEngine(
de_ctx, e, s, smd, mpm_list);
797 AppendAppInspectEngine(
798 de_ctx, t, s, smd, mpm_list, files_id, &last_id, &head_is_mpm);
834 AppendAppInspectEngine(
de_ctx, &t, s, NULL, mpm_list, files_id, &last_id, &head_is_mpm);
844 AppendStreamInspectEngine(s, stream, 0, last_id + 1);
846 AppendStreamInspectEngine(s, stream, 1, last_id + 1);
848 AppendStreamInspectEngine(s, stream, 0, last_id + 1);
849 AppendStreamInspectEngine(s, stream, 1, last_id + 1);
863 iter->
sm_list == mpm_list ?
"MPM" :
"");
914 for (
int i = 0; i < arrays; i++) {
915 if (bufs[i] == ie->
smd) {
921 bufs[arrays++] = ie->
smd;
931 for (
int i = 0; i < arrays; i++) {
932 if (bufs[i] == e->
smd) {
938 bufs[arrays++] = e->
smd;
948 for (
int i = 0; i < arrays; i++) {
949 if (bufs[i] == u->
smd) {
955 bufs[arrays++] = u->
smd;
961 for (
int i = 0; i < engines; i++) {
983 static int g_buffer_type_reg_closed = 0;
987 return g_buffer_type_id;
990 static uint32_t DetectBufferTypeHashNameFunc(
HashListTable *ht,
void *data, uint16_t datalen)
999 static uint32_t DetectBufferTypeHashIdFunc(
HashListTable *ht,
void *data, uint16_t datalen)
1002 uint32_t hash = map->
id;
1007 static char DetectBufferTypeCompareNameFunc(
void *data1, uint16_t len1,
void *data2, uint16_t len2)
1012 char r = (strcmp(map1->
name, map2->
name) == 0);
1017 static char DetectBufferTypeCompareIdFunc(
void *data1, uint16_t len1,
void *data2, uint16_t len2)
1021 return map1->
id == map2->
id;
1024 static void DetectBufferTypeFreeFunc(
void *data)
1037 SCLogError(
"%s allocates transform option memory but has no free routine",
1047 static int DetectBufferTypeInit(
void)
1049 BUG_ON(g_buffer_type_hash);
1051 DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc);
1052 if (g_buffer_type_hash == NULL)
1058 static void DetectBufferTypeFree(
void)
1060 if (g_buffer_type_hash == NULL)
1064 g_buffer_type_hash = NULL;
1067 static int DetectBufferTypeAdd(
const char *
string)
1069 BUG_ON(
string == NULL || strlen(
string) >= 64);
1076 map->
id = g_buffer_type_id++;
1086 memset(&map, 0,
sizeof(map));
1095 BUG_ON(g_buffer_type_reg_closed);
1096 if (g_buffer_type_hash == NULL)
1097 DetectBufferTypeInit();
1101 return DetectBufferTypeAdd(
name);
1109 BUG_ON(g_buffer_type_reg_closed);
1114 SCLogDebug(
"%p %s -- %d supports multi instance", exists,
name, exists->
id);
1119 BUG_ON(g_buffer_type_reg_closed);
1123 exists->
frame =
true;
1124 SCLogDebug(
"%p %s -- %d supports frame inspection", exists,
name, exists->
id);
1129 BUG_ON(g_buffer_type_reg_closed);
1134 SCLogDebug(
"%p %s -- %d supports packet inspection", exists,
name, exists->
id);
1139 BUG_ON(g_buffer_type_reg_closed);
1149 BUG_ON(g_buffer_type_reg_closed);
1154 SCLogDebug(
"%p %s -- %d supports transformations", exists,
name, exists->
id);
1170 memset(&map, 0,
sizeof(map));
1180 memset(&lookup, 0,
sizeof(lookup));
1190 return res ? res->
name : NULL;
1195 BUG_ON(
string == NULL || strlen(
string) >= 32);
1211 const int direction,
const AppProto alproto,
const uint8_t frame_type)
1218 const int buffer_id = DetectEngineBufferTypeAdd(
de_ctx,
name);
1219 if (buffer_id < 0) {
1248 return DetectEngineBufferTypeAdd(
de_ctx,
name);
1256 BUG_ON(desc == NULL || strlen(desc) >= 128);
1287 exists->
frame =
true;
1288 SCLogDebug(
"%p %s -- %d supports frame inspection", exists,
name, exists->
id);
1296 SCLogDebug(
"%p %s -- %d supports packet inspection", exists,
name, exists->
id);
1312 SCLogDebug(
"%p %s -- %d supports transformations", exists,
name, exists->
id);
1354 BUG_ON(g_buffer_type_reg_closed);
1370 const char *
name,
bool (*ValidateCallback)(
const Signature *,
const char **sigerror,
1373 BUG_ON(g_buffer_type_reg_closed);
1427 SCLogError(
"Rule buffer cannot be reset after base64_data.");
1432 SCLogError(
"no matches following transform(s)");
1440 SCLogError(
"previous sticky buffer has no matches");
1450 if ((uint32_t)list == b->
id) {
1451 SCLogDebug(
"found buffer %p for list %d", b, list);
1454 SCLogDebug(
"sm_init was true for %p list %d", b, list);
1478 SCLogError(
"failed to expand rule buffer array");
1509 SCLogError(
"previous transforms not consumed "
1510 "(list: %u, transform_cnt %u)",
1515 SCLogDebug(
"buffer %d has transform(s) registered: %d",
1519 if (new_list == -1) {
1531 SCLogError(
"failed to expand rule buffer array");
1544 SCLogDebug(
"new list after applying transforms: %u", new_list);
1567 for (uint32_t x = 0; x <= mbuffer->
max; x++) {
1587 if (!buffer->
init) {
1608 if (local_id >= fb->
size) {
1609 uint32_t old_size = fb->
size;
1610 uint32_t new_size = local_id + 1;
1611 uint32_t grow_by = new_size - old_size;
1612 SCLogDebug(
"size is %u, need %u, so growing by %u", old_size, new_size, grow_by);
1620 SCLogDebug(
"ptr %p to_zero %p", ptr, to_zero);
1623 fb->
size = new_size;
1629 #ifdef DEBUG_VALIDATION
1630 buffer->multi =
true;
1653 InspectionBufferApplyTransformsInternal(det_ctx, buffer, transforms);
1658 memset(buffer, 0,
sizeof(*buffer));
1659 buffer->
buf =
SCCalloc(initial_size,
sizeof(uint8_t));
1660 if (buffer->
buf != NULL) {
1661 buffer->
size = initial_size;
1668 #ifdef DEBUG_VALIDATION
1682 #ifdef DEBUG_VALIDATION
1690 InspectionBufferApplyTransformsInternal(det_ctx, buffer, transforms);
1696 #ifdef DEBUG_VALIDATION
1700 if (buffer->
inspect == NULL) {
1702 if (det_ctx && list_id != -1)
1715 InspectionBufferSetupInternal(det_ctx, list_id, buffer, data, data_len);
1723 InspectionBufferSetupInternal(det_ctx, list_id, buffer, data, data_len);
1724 InspectionBufferApplyTransformsInternal(det_ctx, buffer, transforms);
1729 if (buffer->
buf != NULL) {
1732 memset(buffer, 0,
sizeof(*buffer));
1744 uint32_t new_size = (buffer->
size == 0) ? 4096 : buffer->
size;
1745 while (new_size < min_size) {
1752 buffer->
size = new_size;
1773 uint32_t copy_size =
MIN(buf_len, buffer->
size);
1774 memcpy(buffer->
buf, buf, copy_size);
1800 const uint8_t *content, uint16_t content_len,
const char **namestr)
1826 const int size = g_buffer_type_id;
1830 DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc);
1833 HashListTableInit(256, DetectBufferTypeHashIdFunc, DetectBufferTypeCompareIdFunc,
1845 memcpy(copy, map,
sizeof(*copy));
1851 SCLogDebug(
"name %s id %d mpm %s packet %s -- %s. "
1852 "Callbacks: Setup %p Validate %p",
1853 map->
name, map->
id, map->
mpm ?
"true" :
"false", map->
packet ?
"true" :
"false",
1860 DetectAppLayerInspectEngineCopyListToDetectCtx(
de_ctx);
1862 DetectFrameInspectEngineCopyListToDetectCtx(
de_ctx);
1864 DetectPktInspectEngineCopyListToDetectCtx(
de_ctx);
1906 while (framemlist) {
1917 BUG_ON(g_buffer_type_hash == NULL);
1919 g_buffer_type_reg_closed = 1;
1930 SCLogError(
"buffer '%s' does not support transformations", base_map->
name);
1937 memset(&t, 0,
sizeof(t));
1938 for (
int i = 0; i < transform_cnt; i++) {
1941 t.
cnt = transform_cnt;
1944 memset(&lookup_map, 0,
sizeof(lookup_map));
1962 map->
mpm = base_map->
mpm;
1969 }
else if (map->
packet) {
1979 SCLogDebug(
"buffer %s registered with id %d, parent %d", map->name, map->id, map->parent_id);
1982 DetectFrameInspectEngineCopy(
de_ctx, map->parent_id, map->id, &map->transforms);
1983 }
else if (map->packet) {
1984 DetectPktInspectEngineCopy(
de_ctx, map->parent_id, map->id, &map->transforms);
1986 DetectAppLayerInspectEngineCopy(
de_ctx, map->parent_id, map->id, &map->transforms);
1992 static int DetectEngineInspectRulePacketMatches(
1996 Packet *p, uint8_t *_alert_flags)
2004 SCLogDebug(
"running match functions, sm %p", smd);
2022 static int DetectEngineInspectRulePayloadMatches(
2044 SCLogDebug(
"no match in stream, fall back to packet payload");
2052 SCLogDebug(
"SIG_FLAG_REQUIRE_STREAM_ONLY, so no match");
2070 uint8_t *alert_flags)
2076 SCLogDebug(
"sid %u: e %p Callback returned no match", s->
id, e);
2079 SCLogDebug(
"sid %u: e %p Callback returned true", s->
id, e);
2098 e->
sm_list = (uint16_t)list_id;
2107 while (a->
next != NULL) {
2119 if (DetectEnginePktInspectionAppend(
2122 SCLogDebug(
"sid %u: DetectEngineInspectRulePayloadMatches appended", s->
id);
2126 if (DetectEnginePktInspectionAppend(
2129 SCLogDebug(
"sid %u: DetectEngineInspectRulePacketMatches appended", s->
id);
2211 uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id)
2214 SCLogDebug(
"running match functions, sm %p", smd);
2220 AppLayerTxMatch(det_ctx, f,
flags, alstate, txv, s, smd->
ctx);
2254 void *alstate,
void *txv, uint64_t tx_id)
2256 const int list_id = engine->
sm_list;
2257 SCLogDebug(
"running inspect on %d", list_id);
2271 f,
flags, txv, list_id);
2281 const uint8_t *data = buffer->
inspect;
2286 ci_flags |= buffer->
flags;
2305 AppLayerInspectEngineRegisterInternal(
2308 alproto, tx_min_progress);
2313 const Signature *s,
Flow *f, uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id)
2315 uint32_t local_id = 0;
2323 det_ctx, transforms, f,
flags, txv, engine->
sm_list, local_id);
2325 if (buffer == NULL || buffer->
inspect == NULL)
2337 if (local_id == 0) {
2364 const int list_id = engine->
sm_list;
2365 SCLogDebug(
"running inspect on %d", list_id);
2383 ci_flags |= buffer->
flags;
2410 for (
int i = 0; i < no_of_detect_tvs; i++) {
2411 if (detect_tvs[i]) {
2414 SCLogDebug(
"Injecting pkt for tv %s[i=%d] %d", detect_tvs[i]->
name, i, count++);
2426 SCLogDebug(
"leaving: thread notification count = %d", count);
2434 static void InjectPackets(
2442 for (
int i = 0; i < no_of_detect_tvs; i++) {
2443 if (
SC_ATOMIC_GET(new_det_ctx[i]->so_far_used_by_detect) != 1) {
2444 if (detect_tvs[i]->inq != NULL) {
2481 if (no_of_detect_tvs == 0) {
2491 memset(detect_tvs, 0x00, (no_of_detect_tvs *
sizeof(
ThreadVars *)));
2516 if (new_det_ctx[i] == NULL) {
2518 "failure in live rule swap. Let's get out of here");
2522 SCLogDebug(
"live rule swap created new det_ctx - %p and de_ctx "
2523 "- %p\n", new_det_ctx[i], new_de_ctx);
2528 BUG_ON(i != no_of_detect_tvs);
2541 SCLogDebug(
"swapping new det_ctx - %p with older one - %p",
2552 SCLogDebug(
"Live rule swap has swapped %d old det_ctx's with new ones, "
2553 "along with the new de_ctx", no_of_detect_tvs);
2555 InjectPackets(detect_tvs, new_det_ctx, no_of_detect_tvs);
2559 uint32_t threads_done = 0;
2561 for (i = 0; i < no_of_detect_tvs; i++) {
2563 threads_done = no_of_detect_tvs;
2567 if (
SC_ATOMIC_GET(new_det_ctx[i]->so_far_used_by_detect) == 1) {
2568 SCLogDebug(
"new_det_ctx - %p used by detect engine", new_det_ctx[i]);
2571 TmThreadsCaptureBreakLoop(detect_tvs[i]);
2574 if (threads_done < no_of_detect_tvs) {
2585 if (i != no_of_detect_tvs) {
2598 for (i = 0; i < no_of_detect_tvs; i++) {
2599 SCLogDebug(
"Freeing old_det_ctx - %p used by detect",
2609 for (i = 0; i < no_of_detect_tvs; i++) {
2610 if (new_det_ctx[i] != NULL)
2618 const char *strval = NULL;
2619 if (
SCConfGet(
"detect.sgh-mpm-caching", &strval) != 1)
2622 int sgh_mpm_caching = 0;
2623 (void)
SCConfGetBool(
"detect.sgh-mpm-caching", &sgh_mpm_caching);
2624 return (
bool)sgh_mpm_caching;
2633 char yamlpath[] =
"detect.sgh-mpm-caching-path";
2634 const char *strval = NULL;
2637 if (strval != NULL) {
2641 static bool notified =
false;
2643 SCLogInfo(
"%s has no path specified, using %s", yamlpath, SGH_CACHE_DIR);
2646 return SGH_CACHE_DIR;
2669 if (prefix != NULL) {
2673 int failure_fatal = 0;
2674 if (
SCConfGetBool(
"engine.init-failure-fatal", (
int *)&failure_fatal) != 1) {
2675 SCLogDebug(
"ConfGetBool could not load the value.");
2698 SCLogDebug(
"Unable to alloc SpmGlobalThreadCtx.");
2710 if (DetectEngineCtxLoadConf(
de_ctx) == -1) {
2719 DetectBufferTypeSetupDetectEngine(
de_ctx);
2767 if (prefix == NULL || strlen(prefix) == 0)
2805 #ifdef PROFILE_RULES
2806 if (
de_ctx->profile_ctx != NULL) {
2807 SCProfilingRuleDestroyCtx(
de_ctx->profile_ctx);
2808 de_ctx->profile_ctx = NULL;
2851 DetectEngineCtxFreeThreadKeywordData(
de_ctx);
2853 DetectEngineCtxFreeFailedSigs(
de_ctx);
2873 DetectBufferTypeFreeDetectEngine(
de_ctx);
2902 const char *max_uniq_toclient_groups_str = NULL;
2903 const char *max_uniq_toserver_groups_str = NULL;
2904 const char *sgh_mpm_context = NULL;
2905 const char *de_ctx_profile = NULL;
2907 (void)
SCConfGet(
"detect.profile", &de_ctx_profile);
2908 (void)
SCConfGet(
"detect.sgh-mpm-context", &sgh_mpm_context);
2913 if (de_ctx_custom != NULL) {
2915 if (de_ctx_profile == NULL) {
2916 if (opt->
val && strcmp(opt->
val,
"profile") == 0) {
2917 de_ctx_profile = opt->head.tqh_first->
val;
2921 if (sgh_mpm_context == NULL) {
2922 if (opt->
val && strcmp(opt->
val,
"sgh-mpm-context") == 0) {
2923 sgh_mpm_context = opt->head.tqh_first->
val;
2929 if (de_ctx_profile != NULL) {
2930 if (strcmp(de_ctx_profile,
"low") == 0 ||
2931 strcmp(de_ctx_profile,
"lowest") == 0) {
2933 }
else if (strcmp(de_ctx_profile,
"medium") == 0) {
2935 }
else if (strcmp(de_ctx_profile,
"high") == 0 ||
2936 strcmp(de_ctx_profile,
"highest") == 0) {
2938 }
else if (strcmp(de_ctx_profile,
"custom") == 0) {
2941 SCLogError(
"invalid value for detect.profile: '%s'. "
2942 "Valid options: low, medium, high and custom.",
2947 SCLogDebug(
"Profile for detection engine groups is \"%s\"", de_ctx_profile);
2949 SCLogDebug(
"Profile for detection engine groups not provided "
2950 "at suricata.yaml. Using default (\"medium\").");
2954 if (sgh_mpm_context == NULL || strcmp(sgh_mpm_context,
"auto") == 0) {
2964 if (strcmp(sgh_mpm_context,
"single") == 0) {
2966 }
else if (strcmp(sgh_mpm_context,
"full") == 0) {
2970 "invalid conf value for detect-engine.sgh-mpm-context-"
2995 (void)
SCConfGet(
"detect.custom-values.toclient-groups", &max_uniq_toclient_groups_str);
2996 (void)
SCConfGet(
"detect.custom-values.toserver-groups", &max_uniq_toserver_groups_str);
2998 if (de_ctx_custom != NULL) {
3000 if (opt->
val && strcmp(opt->
val,
"custom-values") == 0) {
3001 if (max_uniq_toclient_groups_str == NULL) {
3003 opt->head.tqh_first,
"toclient-sp-groups");
3005 if (max_uniq_toclient_groups_str == NULL) {
3007 opt->head.tqh_first,
"toclient-groups");
3009 if (max_uniq_toserver_groups_str == NULL) {
3011 opt->head.tqh_first,
"toserver-dp-groups");
3013 if (max_uniq_toserver_groups_str == NULL) {
3015 opt->head.tqh_first,
"toserver-groups");
3020 if (max_uniq_toclient_groups_str != NULL) {
3022 (uint16_t)strlen(max_uniq_toclient_groups_str),
3023 (
const char *)max_uniq_toclient_groups_str) <= 0) {
3027 "toclient-groups failed, using %u",
3035 if (max_uniq_toserver_groups_str != NULL) {
3037 (uint16_t)strlen(max_uniq_toserver_groups_str),
3038 (
const char *)max_uniq_toserver_groups_str) <= 0) {
3042 "toserver-groups failed, using %u",
3062 if (
SCConfGetInt(
"detect.inspection-recursion-limit", &value) == 1) {
3063 if (value >= 0 && value <= INT_MAX) {
3069 SCConfNode *insp_recursion_limit_node = NULL;
3070 char *insp_recursion_limit = NULL;
3072 if (de_ctx_custom != NULL) {
3075 if (opt->
val && strcmp(opt->
val,
"inspection-recursion-limit") != 0)
3079 if (insp_recursion_limit_node == NULL) {
3081 "entry for detect-engine:inspection-recursion-limit");
3084 insp_recursion_limit = insp_recursion_limit_node->
val;
3085 SCLogDebug(
"Found detect-engine.inspection-recursion-limit - %s:%s",
3086 insp_recursion_limit_node->
name, insp_recursion_limit_node->
val);
3090 if (insp_recursion_limit != NULL) {
3092 0, (
const char *)insp_recursion_limit) < 0) {
3094 "detect-engine.inspection-recursion-limit: %s "
3107 SCLogDebug(
"de_ctx->inspection_recursion_limit: %d",
3112 if (
SCConfGetInt(
"detect.stream-tx-log-limit", &value) == 1) {
3113 if (value >= 0 && value <= UINT8_MAX) {
3116 SCLogWarning(
"Invalid value for detect-engine.stream-tx-log-limit: must be between 0 "
3117 "and 255, will default to 4");
3120 int guess_applayer = 0;
3121 if ((
SCConfGetBool(
"detect.guess-applayer-tx", &guess_applayer)) == 1) {
3122 if (guess_applayer == 1) {
3129 const char *ports = NULL;
3130 (void)
SCConfGet(
"detect.grouping.tcp-priority-ports", &ports);
3132 SCLogConfig(
"grouping: tcp-priority-ports %s", ports);
3134 (void)
SCConfGet(
"detect.grouping.tcp-whitelist", &ports);
3137 "grouping: tcp-priority-ports from legacy 'tcp-whitelist' setting: %s", ports);
3139 ports =
"53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080";
3140 SCLogConfig(
"grouping: tcp-priority-ports (default) %s", ports);
3145 "for detect.grouping.tcp-priority-ports",
3149 for ( ; x != NULL; x = x->
next) {
3152 "for detect.grouping.tcp-priority-ports: only single ports allowed",
3161 (void)
SCConfGet(
"detect.grouping.udp-priority-ports", &ports);
3163 SCLogConfig(
"grouping: udp-priority-ports %s", ports);
3165 (void)
SCConfGet(
"detect.grouping.udp-whitelist", &ports);
3168 "grouping: udp-priority-ports from legacy 'udp-whitelist' setting: %s", ports);
3170 ports =
"53, 135, 5060";
3171 SCLogConfig(
"grouping: udp-priority-ports (default) %s", ports);
3176 "for detect.grouping.udp-priority-ports",
3182 "for detect.grouping.udp-priority-ports: only single ports allowed",
3191 const char *pf_setting = NULL;
3192 if (
SCConfGet(
"detect.prefilter.default", &pf_setting) == 1 && pf_setting) {
3193 if (strcasecmp(pf_setting,
"mpm") == 0) {
3195 }
else if (strcasecmp(pf_setting,
"auto") == 0) {
3204 SCLogConfig(
"prefilter engines: MPM and keywords");
3224 SCLogError(
"setting up thread local detect ctx");
3233 SCLogError(
"setting up thread local detect ctx "
3234 "for keyword \"%s\" failed",
3272 SCLogError(
"setting up thread local detect ctx");
3284 SCLogError(
"setting up thread local detect ctx "
3285 "for keyword \"%s\" failed",
3315 uint32_t map_array_size = 0;
3316 uint32_t map_cnt = 0;
3317 uint32_t max_tenant_id = 0;
3323 "set using multi-detect.selector");
3336 mt_det_ctxs_hash =
HashTableInit(tcnt * 2, TenantIdHash, TenantIdCompare, TenantIdFree);
3337 if (mt_det_ctxs_hash == NULL) {
3342 SCLogInfo(
"no tenants left, or none registered yet");
3353 map_array_size = map_cnt + 1;
3355 map_array =
SCCalloc(map_array_size,
sizeof(*map_array));
3356 if (map_array == NULL)
3363 if (map_cnt >= map_array_size) {
3375 list = master->
list;
3380 if (mt_det_ctx == NULL)
3382 if (
HashTableAdd(mt_det_ctxs_hash, mt_det_ctx, 0) != 0) {
3391 mt_det_ctxs_hash = NULL;
3403 det_ctx->
TenantGetId = DetectEngineTenantGetIdFromVlanId;
3407 det_ctx->
TenantGetId = DetectEngineTenantGetIdFromLivedev;
3411 det_ctx->
TenantGetId = DetectEngineTenantGetIdFromPcap;
3418 if (map_array != NULL)
3420 if (mt_det_ctxs_hash != NULL)
3493 DetectEngineThreadCtxInitKeywords(
de_ctx, det_ctx);
3494 DetectEngineThreadCtxInitGlobalKeywords(det_ctx);
3495 #ifdef PROFILE_RULES
3496 SCProfilingRuleThreadSetup(
de_ctx->profile_ctx, det_ctx);
3533 if (det_ctx->
de_ctx == NULL) {
3583 if (DetectEngineThreadCtxInitForMT(
tv, det_ctx) !=
TM_ECODE_OK) {
3590 *data = (
void *)det_ctx;
3614 if (det_ctx->
de_ctx == NULL) {
3646 if (DetectEngineThreadCtxInitForMT(
tv, det_ctx) !=
TM_ECODE_OK) {
3659 SCLogDebug(
"PACKET PKT_STREAM_ADD: %"PRIu64, det_ctx->pkt_stream_add_cnt);
3661 SCLogDebug(
"PAYLOAD MPM %"PRIu64
"/%"PRIu64, det_ctx->payload_mpm_cnt, det_ctx->payload_mpm_size);
3662 SCLogDebug(
"STREAM MPM %"PRIu64
"/%"PRIu64, det_ctx->stream_mpm_cnt, det_ctx->stream_mpm_size);
3664 SCLogDebug(
"PAYLOAD SIG %"PRIu64
"/%"PRIu64, det_ctx->payload_persig_cnt, det_ctx->payload_persig_size);
3665 SCLogDebug(
"STREAM SIG %"PRIu64
"/%"PRIu64, det_ctx->stream_persig_cnt, det_ctx->stream_persig_size);
3673 #ifdef PROFILE_RULES
3674 SCProfilingRuleThreadCleanup(det_ctx);
3683 if (det_ctx->
de_ctx != NULL) {
3722 for (uint32_t x = 0; x < fb->
size; x++) {
3733 DetectEngineThreadCtxDeinitGlobalKeywords(det_ctx);
3734 if (det_ctx->
de_ctx != NULL) {
3735 DetectEngineThreadCtxDeinitKeywords(det_ctx->
de_ctx, det_ctx);
3755 if (det_ctx == NULL) {
3764 DetectEngineThreadCtxFree(det_ctx);
3769 static uint32_t DetectKeywordCtxHashFunc(
HashListTable *ht,
void *data, uint16_t datalen)
3778 static char DetectKeywordCtxCompareFunc(
void *data1, uint16_t len1,
void *data2, uint16_t len2)
3782 const char *name1 = ctx1->
name;
3783 const char *name2 = ctx2->
name;
3784 return (strcmp(name1, name2) == 0 && ctx1->
data == ctx2->
data);
3787 static void DetectKeywordCtxFreeFunc(
void *ptr)
3810 BUG_ON(
de_ctx == NULL || InitFunc == NULL || FreeFunc == NULL);
3814 DetectKeywordCtxHashFunc, DetectKeywordCtxCompareFunc, DetectKeywordCtxFreeFunc);
3899 void *(*InitFunc)(
void *),
void *data,
void (*FreeFunc)(
void *))
3902 BUG_ON(InitFunc == NULL || FreeFunc == NULL);
3908 while (item != NULL) {
3909 if (strcmp(
name, item->
name) == 0) {
3959 if (master->
list == NULL) {
4035 static int DetectEngineMultiTenantLoadTenant(uint32_t tenant_id,
const char *filename,
int loader_id)
4040 snprintf(prefix,
sizeof(prefix),
"multi-detect.%u", tenant_id);
4043 if (
SCStatFn(filename, &st) != 0) {
4044 SCLogError(
"failed to stat file %s", filename);
4050 SCLogError(
"tenant %u already registered", tenant_id);
4057 SCLogError(
"failed to properly setup yaml %s", filename);
4094 static int DetectEngineMultiTenantReloadTenant(uint32_t tenant_id,
const char *filename,
int reload_cnt)
4097 if (old_de_ctx == NULL) {
4098 SCLogError(
"tenant detect engine not found");
4102 if (filename == NULL)
4106 snprintf(prefix,
sizeof(prefix),
"multi-detect.%u.reload.%d", tenant_id, reload_cnt);
4117 SCLogError(
"failed to properly setup yaml %s", filename);
4122 if (new_de_ctx == NULL) {
4135 goto new_de_ctx_error;
4140 goto new_de_ctx_error;
4165 static void DetectLoaderFreeTenant(
void *
ctx)
4168 if (t->
yaml != NULL) {
4174 static int DetectLoaderFuncLoadTenant(
void *vctx,
int loader_id)
4179 if (DetectEngineMultiTenantLoadTenant(
ctx->tenant_id,
ctx->yaml, loader_id) != 0) {
4185 static int DetectLoaderSetupLoadTenant(uint32_t tenant_id,
const char *yaml)
4193 if (t->
yaml == NULL) {
4201 static int DetectLoaderFuncReloadTenant(
void *vctx,
int loader_id)
4207 if (DetectEngineMultiTenantReloadTenant(
ctx->tenant_id,
ctx->yaml,
ctx->reload_cnt) != 0) {
4213 static int DetectLoaderSetupReloadTenants(
const int reload_cnt)
4232 loader_id, DetectLoaderFuncReloadTenant, t, DetectLoaderFreeTenant);
4246 static int DetectLoaderSetupReloadTenant(uint32_t tenant_id,
const char *yaml,
int reload_cnt)
4249 if (old_de_ctx == NULL)
4261 if (t->
yaml == NULL) {
4271 loader_id, DetectLoaderFuncReloadTenant, t, DetectLoaderFreeTenant);
4278 int r = DetectLoaderSetupLoadTenant(tenant_id, yaml);
4292 int r = DetectLoaderSetupReloadTenant(tenant_id, yaml, reload_cnt);
4306 int r = DetectLoaderSetupReloadTenants(reload_cnt);
4316 static int DetectEngineMultiTenantSetupLoadLivedevMappings(
4317 const SCConfNode *mappings_root_node,
bool failure_fatal)
4321 int mapping_cnt = 0;
4322 if (mappings_root_node != NULL) {
4325 if (tenant_id_node == NULL)
4328 if (device_node == NULL)
4331 uint32_t tenant_id = 0;
4333 tenant_id_node->
val) < 0) {
4336 tenant_id_node->
val);
4340 const char *dev = device_node->
val;
4359 SCLogConfig(
"device %s connected to tenant-id %u", dev, tenant_id);
4368 SCLogConfig(
"%d device - tenant-id mappings defined", mapping_cnt);
4375 static int DetectEngineMultiTenantSetupLoadVlanMappings(
4376 const SCConfNode *mappings_root_node,
bool failure_fatal)
4380 int mapping_cnt = 0;
4381 if (mappings_root_node != NULL) {
4384 if (tenant_id_node == NULL)
4387 if (vlan_id_node == NULL)
4390 uint32_t tenant_id = 0;
4392 tenant_id_node->
val) < 0) {
4395 tenant_id_node->
val);
4399 uint16_t vlan_id = 0;
4401 &vlan_id, 10, (uint16_t)strlen(vlan_id_node->
val), vlan_id_node->
val) < 0) {
4407 if (vlan_id == 0 || vlan_id >= 4095) {
4409 "of %s is invalid. Valid range 1-4094.",
4417 SCLogConfig(
"vlan %u connected to tenant-id %u", vlan_id, tenant_id);
4443 int failure_fatal = 0;
4444 (void)
SCConfGetBool(
"engine.init-failure-fatal", &failure_fatal);
4457 const char *handler = NULL;
4458 if (
SCConfGet(
"multi-detect.selector", &handler) == 1) {
4459 SCLogConfig(
"multi-tenant selector type %s", handler);
4461 if (strcmp(handler,
"vlan") == 0) {
4465 if ((
SCConfGetBool(
"vlan.use-for-tracking", &vlanbool)) == 1 && vlanbool == 0) {
4467 "can't use multi-detect selector 'vlan'");
4472 }
else if (strcmp(handler,
"direct") == 0) {
4474 }
else if (strcmp(handler,
"device") == 0) {
4477 SCLogWarning(
"multi-tenant 'device' mode not supported for IPS");
4484 "multi-detect.selector",
4491 SCLogConfig(
"multi-detect is enabled (multi tenancy). Selector: %s", handler);
4497 int mapping_cnt = DetectEngineMultiTenantSetupLoadVlanMappings(mappings_root_node,
4499 if (mapping_cnt == 0) {
4505 SCLogNotice(
"no tenant traffic mappings defined, "
4506 "tenants won't be used until mappings are added");
4508 if (failure_fatal) {
4509 SCLogError(
"no multi-detect mappings defined");
4517 int mapping_cnt = DetectEngineMultiTenantSetupLoadLivedevMappings(mappings_root_node,
4519 if (mapping_cnt == 0) {
4520 if (failure_fatal) {
4521 SCLogError(
"no multi-detect mappings defined");
4533 if (tenants_root_node != NULL) {
4534 const char *path = NULL;
4537 path = path_node->
val;
4543 if (id_node == NULL) {
4547 if (yaml_node == NULL) {
4551 uint32_t tenant_id = 0;
4553 &tenant_id, 10, (uint16_t)strlen(id_node->
val), id_node->
val) < 0) {
4561 char yaml_path[PATH_MAX] =
"";
4565 strlcpy(yaml_path, yaml_node->
val,
sizeof(yaml_path));
4572 snprintf(prefix,
sizeof(prefix),
"multi-detect.%u", tenant_id);
4574 SCLogError(
"failed to load yaml %s", yaml_path);
4578 int r = DetectLoaderSetupLoadTenant(tenant_id, yaml_path);
4599 SCLogDebug(
"multi-detect not enabled (multi tenancy)");
4606 static uint32_t DetectEngineTenantGetIdFromVlanId(
const void *
ctx,
const Packet *p)
4610 uint32_t vlan_id = 0;
4630 static uint32_t DetectEngineTenantGetIdFromLivedev(
const void *
ctx,
const Packet *p)
4635 if (ld == NULL || det_ctx == NULL)
4642 static int DetectEngineTenantRegisterSelector(
4649 SCLogInfo(
"conflicting selector already set");
4656 if (
m->traffic_id == traffic_id) {
4657 SCLogInfo(
"traffic id already registered");
4678 SCLogDebug(
"tenant handler %u %u %u registered", selector, tenant_id, traffic_id);
4683 static int DetectEngineTenantUnregisterSelector(
4707 SCLogInfo(
"tenant handler %u %u %u unregistered", selector, tenant_id, traffic_id);
4721 return DetectEngineTenantRegisterSelector(
4732 return DetectEngineTenantUnregisterSelector(
TENANT_SELECTOR_VLAN, tenant_id, (uint32_t)vlan_id);
4747 static uint32_t DetectEngineTenantGetIdFromPcap(
const void *
ctx,
const Packet *p)
4757 if (master->
list == NULL) {
4780 BUG_ON((*de_ctx)->ref_cnt == 0);
4781 (*de_ctx)->ref_cnt--;
4789 if (instance == NULL)
4792 if (master->
list == NULL) {
4793 master->
list = instance;
4796 master->
list = instance;
4813 r = DetectEngineAddToList(
de_ctx);
4821 if (instance == NULL) {
4826 if (instance ==
de_ctx) {
4830 instance = instance->
next;
4835 if (instance ==
de_ctx) {
4843 if (instance == NULL) {
4849 instance->
next = NULL;
4867 ret = DetectEngineMoveToFreeListNoLock(master,
de_ctx);
4891 SCLogDebug(
"freeing detect engine %p", instance);
4913 DetectEngineMoveToFreeListNoLock(master, instance);
4920 static int reloads = 0;
4935 memset(prefix, 0,
sizeof(prefix));
4940 snprintf(prefix,
sizeof(prefix),
"detect-engine-reloads.%d", reloads++);
4967 if (old_de_ctx == NULL)
4969 SCLogDebug(
"get ref to old_de_ctx %p", old_de_ctx);
4983 if (new_de_ctx == NULL) {
4995 SCLogDebug(
"set up new_de_ctx %p", new_de_ctx);
5004 SCLogDebug(
"going to reload the threads to use new_de_ctx %p", new_de_ctx);
5006 DetectEngineReloadThreads(new_de_ctx);
5007 SCLogDebug(
"threads now run new_de_ctx %p", new_de_ctx);
5016 SCLogDebug(
"old_de_ctx should have been freed");
5020 #ifdef HAVE_MALLOC_TRIM
5031 static uint32_t TenantIdHash(
HashTable *h,
void *data, uint16_t data_len)
5037 static char TenantIdCompare(
void *d1, uint16_t d1_len,
void *d2, uint16_t d2_len)
5044 static void TenantIdFree(
void *d)
5046 DetectEngineThreadCtxFree(d);
5062 for ( ; list != NULL; list = list->
next) {
5073 if (stub_de_ctx == NULL) {
5075 if (stub_de_ctx == NULL) {
5080 if (master->
list == NULL) {
5081 master->
list = stub_de_ctx;
5084 master->
list = stub_de_ctx;
5090 DetectEngineReloadThreads(stub_de_ctx);
5100 SCLogDebug(
"old_de_ctx should have been freed");
5104 static int g_parse_metadata = 0;
5108 g_parse_metadata = 1;
5113 g_parse_metadata = 0;
5118 return g_parse_metadata;
5127 return "packet/stream payload";
5133 return "base64_data";
5136 return "post-match";
5144 return "max (internal)";
5163 for (; sm != NULL; sm = sm->
next) {
5169 *sigerror =
"md5-like keyword should not be used together with "
5170 "nocase, since the rule is automatically "
5171 "lowercased anyway which makes nocase redundant.";
5176 *sigerror =
"Invalid length for md5-like keyword (should "
5177 "be 32 characters long). This rule will therefore "
5184 if (!isxdigit(cd->
content[i])) {
5186 "Invalid md5-like string (should be string of hexadecimal characters)."
5187 "This rule will therefore never match.";
5201 static int DetectEngineInitYamlConf(
const char *conf)
5208 static void DetectEngineDeInitYamlConf(
void)
5214 static int DetectEngineTest01(
void)
5220 " - profile: medium\n"
5221 " - custom-values:\n"
5222 " toclient_src_groups: 2\n"
5223 " toclient_dst_groups: 2\n"
5224 " toclient_sp_groups: 2\n"
5225 " toclient_dp_groups: 3\n"
5226 " toserver_src_groups: 2\n"
5227 " toserver_dst_groups: 4\n"
5228 " toserver_sp_groups: 2\n"
5229 " toserver_dp_groups: 25\n"
5230 " - inspection-recursion-limit: 0\n";
5232 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5241 DetectEngineDeInitYamlConf();
5246 static int DetectEngineTest02(
void)
5252 " - profile: medium\n"
5253 " - custom-values:\n"
5254 " toclient_src_groups: 2\n"
5255 " toclient_dst_groups: 2\n"
5256 " toclient_sp_groups: 2\n"
5257 " toclient_dp_groups: 3\n"
5258 " toserver_src_groups: 2\n"
5259 " toserver_dst_groups: 4\n"
5260 " toserver_sp_groups: 2\n"
5261 " toserver_dp_groups: 25\n"
5262 " - inspection-recursion-limit:\n";
5264 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5274 DetectEngineDeInitYamlConf();
5279 static int DetectEngineTest03(
void)
5285 " - profile: medium\n"
5286 " - custom-values:\n"
5287 " toclient_src_groups: 2\n"
5288 " toclient_dst_groups: 2\n"
5289 " toclient_sp_groups: 2\n"
5290 " toclient_dp_groups: 3\n"
5291 " toserver_src_groups: 2\n"
5292 " toserver_dst_groups: 4\n"
5293 " toserver_sp_groups: 2\n"
5294 " toserver_dp_groups: 25\n";
5296 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5306 DetectEngineDeInitYamlConf();
5311 static int DetectEngineTest04(
void)
5317 " - profile: medium\n"
5318 " - custom-values:\n"
5319 " toclient_src_groups: 2\n"
5320 " toclient_dst_groups: 2\n"
5321 " toclient_sp_groups: 2\n"
5322 " toclient_dp_groups: 3\n"
5323 " toserver_src_groups: 2\n"
5324 " toserver_dst_groups: 4\n"
5325 " toserver_sp_groups: 2\n"
5326 " toserver_dp_groups: 25\n"
5327 " - inspection-recursion-limit: 10\n";
5329 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5338 DetectEngineDeInitYamlConf();
5343 static int DetectEngineTest08(
void)
5349 " - profile: custom\n"
5350 " - custom-values:\n"
5351 " toclient-groups: 23\n"
5352 " toserver-groups: 27\n";
5354 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5364 DetectEngineDeInitYamlConf();
5370 static int DetectEngineTest09(
void)
5376 " - profile: custom\n"
5377 " - custom-values:\n"
5378 " toclient-groups: BA\n"
5379 " toserver-groups: BA\n"
5380 " - inspection-recursion-limit: 10\n";
5382 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5392 DetectEngineDeInitYamlConf();
#define DETECT_CONTENT_NOCASE
#define HashListTableGetListData(hb)
#define DE_STATE_ID_FILE_INSPECT
@ DETECT_EVENT_TOO_MANY_BUFFERS
void SCProfilingSghThreadCleanup(DetectEngineThreadCtx *det_ctx)
DetectEngineCtx * DetectEngineCtxInitWithPrefix(const char *prefix, uint32_t tenant_id)
void DetectAppLayerMpmMultiRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionMultiBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
int SCConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
void DetectEngineResetMaxSigId(DetectEngineCtx *de_ctx)
int DetectEngineMTApply(void)
void SCProfilingKeywordDestroyCtx(DetectEngineCtx *de_ctx)
#define PACKET_ALERT_FLAG_STREAM_MATCH
bool DetectEngineBufferTypeSupportsPacketGetById(const DetectEngineCtx *de_ctx, const int id)
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
DetectEngineThreadCtx * DetectEngineThreadCtxInitForReload(ThreadVars *tv, DetectEngineCtx *new_de_ctx, int mt)
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void SCConfNodeRemove(SCConfNode *node)
Remove (and SCFree) the provided configuration node.
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
void SCProfilingKeywordThreadCleanup(DetectEngineThreadCtx *det_ctx)
void AlertQueueFree(DetectEngineThreadCtx *det_ctx)
void SCProfilingSghThreadSetup(SCProfileSghDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
int DetectParseDupSigHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table that is used to cull duplicate sigs.
SigTableElmt * sigmatch_table
void DetectLoaderThreadSpawn(void)
spawn the detect loader manager thread
uint8_t SinglePatternMatchDefaultMatcher(void)
Returns the single pattern matcher algorithm to be used, based on the spm-algo setting in yaml.
void DetectEngineDeReference(DetectEngineCtx **de_ctx)
#define DETECT_CI_FLAGS_START
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
void(* Free)(DetectEngineCtx *, void *)
int DetectEngineMustParseMetadata(void)
#define PKT_PSEUDO_LOG_FLUSH
void MpmFactoryDeRegisterAllMpmCtxProfiles(DetectEngineCtx *de_ctx)
uint16_t counter_match_list
DetectEngineTenantMapping * tenant_mapping_list
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
struct DetectEngineAppInspectionEngine_ * next
uint8_t DetectEngineInspectMultiBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
void MpmStoreFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by MpmStoreInit() function.
void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, const DetectEngineTransforms *transforms)
setup the buffer with our initial data
void DetectFrameMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
void DetectEngineBufferTypeSupportsPacket(DetectEngineCtx *de_ctx, const char *name)
void DetectEngineBufferRunSetupCallback(const DetectEngineCtx *de_ctx, const int id, Signature *s)
enum DetectEngineType type
void DetectEnginePruneFreeList(void)
int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, bool sig_file_exclusive)
Load signatures.
void * DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define SIG_FLAG_INIT_NEED_FLUSH
void SCClassSCConfInit(DetectEngineCtx *de_ctx)
DetectEngineCtx * DetectEngineCtxInitStubForDD(void)
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
uint16_t max_uniq_toclient_groups
int ActionInitConfig(void)
Load the action order from config. If none is provided, it will be default to ACTION_PASS,...
InspectEngineFuncPtr Callback
int PathMerge(char *out_buf, size_t buf_size, const char *const dir, const char *const fname)
void PacketEnqueue(PacketQueue *q, Packet *p)
DetectFileDataCfg * filedata_config
struct HtpBodyChunk_ * next
void DetectBufferTypeSupportsFrames(const char *name)
#define TM_FLAG_DETECT_TM
void DetectMpmInitializeFrameMpms(DetectEngineCtx *de_ctx)
simple fifo queue for packets with mutex and cond Calling the mutex or triggering the cond is respons...
@ DETECT_SM_LIST_DYNAMIC_START
int DetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
AppLayerDecoderEvents * decoder_events
InspectionBuffer *(* InspectionMultiBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id, const uint32_t local_id)
void *(* InitFunc)(void *)
InspectionBufferGetDataPtr GetData
DetectBufferMpmRegistry * pkt_mpms_list
void TmThreadContinueDetectLoaderThreads(void)
Unpauses all threads present in tv_root.
@ DETECT_SM_LIST_THRESHOLD
void DetectBufferTypeRegisterSetupCallback(const char *name, void(*SetupCallback)(const DetectEngineCtx *, Signature *))
int SCConfYamlHandleInclude(SCConfNode *parent, const char *filename)
Include a file in the configuration.
InspectionBuffer *(* InspectionBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
int DetectEngineReloadTenantBlocking(uint32_t tenant_id, const char *yaml, int reload_cnt)
Reload a tenant and wait for loading to complete.
int inspection_recursion_limit
void DetectAddressMapFree(DetectEngineCtx *de_ctx)
const DetectEngineTransforms * transforms
main detection engine ctx
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
void DetectEngineReloadSetIdle(void)
void DetectBufferTypeRegisterValidateCallback(const char *name, bool(*ValidateCallback)(const Signature *, const char **sigerror, const DetectBufferType *))
int SCConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
uint16_t lua_blocked_function_errors
void ** global_keyword_ctxs_array
DetectEngineCtx * DetectEngineGetCurrent(void)
uint32_t TmThreadCountThreadsByTmmFlags(uint8_t flags)
returns a count of all the threads that match the flag
void DetectBufferTypeSupportsMultiInstance(const char *name)
HashListTableBucket * HashListTableGetListHead(HashListTable *ht)
#define TAILQ_FOREACH(var, head, field)
#define SIG_FLAG_INIT_FORCE_TOCLIENT
uint8_t DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature.
struct DetectEngineAppInspectionEngine_::@79 v2
int DetectEngineAddToMaster(DetectEngineCtx *de_ctx)
InspectionBuffer *(* InspectionBufferGetPktDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)
void SCSigSignatureOrderingModuleCleanup(DetectEngineCtx *de_ctx)
De-registers all the signature ordering functions registered.
const char * DetectEngineBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
int DetectEngineMultiTenantSetup(const bool unix_socket)
setup multi-detect / multi-tenancy
void PrefilterDeinit(DetectEngineCtx *de_ctx)
struct DetectBufferMpmRegistry_ * next
#define SIG_FLAG_REQUIRE_STREAM
struct DetectEngineTenantMapping_ * next
void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e)
#define SIG_FLAG_TXBOTHDIR
bool DetectContentInspectionMatchOnAbsentBuffer(const SigMatchData *smd)
tells if we should match on absent buffer, because there is an absent keyword being used
void AppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
int SCConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
struct SCProfileSghDetectCtx_ * profile_sgh_ctx
ThreadVars * tv_root[TVT_MAX]
one time registration of keywords at start up
void SCReferenceConfDeinit(DetectEngineCtx *de_ctx)
struct DetectPort_ * next
DetectPort * tcp_priorityports
void DetectEngineCtxFree(DetectEngineCtx *de_ctx)
Free a DetectEngineCtx::
SpmThreadCtx * spm_thread_ctx
int DetectEngineReloadTenantsBlocking(const int reload_cnt)
Reload all tenants and wait for loading to complete.
#define SCMUTEX_INITIALIZER
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
const char * conf_filename
enum DetectEnginePrefilterSetting prefilter_setting
void DetectParseDupSigHashFree(DetectEngineCtx *de_ctx)
Frees the hash table that is used to cull duplicate sigs.
DetectPort * udp_priorityports
int SCConfYamlLoadFileWithPrefix(const char *filename, const char *prefix)
Load configuration from a YAML file, insert in tree at 'prefix'.
int StringParseInt32(int32_t *res, int base, size_t len, const char *str)
int PrefilterGenericMpmFrameRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
uint32_t DetectEngineGetVersion(void)
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
void SigCleanSignatures(DetectEngineCtx *de_ctx)
void * HashListTableLookup(HashListTable *ht, void *data, uint16_t datalen)
uint16_t lua_instruction_limit_errors
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
#define SIG_FLAG_TOCLIENT
bool DetectMd5ValidateCallback(const Signature *s, const char **sigerror, const DetectBufferType *map)
bool DetectEngineMpmCachingEnabled(void)
bool DetectBufferIsPresent(const Signature *s, const uint32_t buf_id)
#define KEYWORD_PROFILING_START
uint16_t counter_fnonmpm_list
#define DETECT_TRANSFORMS_MAX
HashTable * non_pf_engine_names
uint16_t counter_nonmpm_list
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
int PrefilterMultiGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
DetectEngineFrameInspectionEngine * frame_inspect
void DetectBufferTypeCloseRegistration(void)
const DetectEngineTransforms * transforms
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
void HashTableFree(HashTable *ht)
int DetectBufferTypeGetByName(const char *name)
#define KEYWORD_PROFILING_END(ctx, type, m)
void DetectBufferTypeSupportsPacket(const char *name)
InspectionBufferFrameInspectFunc Callback
int HashListTableAdd(HashListTable *ht, void *data, uint16_t datalen)
int SigGroupHeadHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table in the detection engine context to hold the SigGroupHeads.
void SCRConfDeInitContext(DetectEngineCtx *de_ctx)
Releases de_ctx resources related to Reference Config API.
HashTable * mt_det_ctxs_hash
size_t strlcpy(char *dst, const char *src, size_t siz)
bool DetectEnginePktInspectionRun(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, uint8_t *alert_flags)
void DetectAppLayerMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
void AlertQueueInit(DetectEngineThreadCtx *det_ctx)
void DetectAppLayerMultiRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectionMultiBufferGetDataPtr GetData, int priority, int tx_min_progress)
uint16_t counter_alerts_suppressed
uint16_t base64_decode_max_len
@ SIGNATURE_HOOK_TYPE_APP
#define PKT_SET_SRC(p, src_val)
void SCConfInit(void)
Initialize the configuration system.
@ TENANT_SELECTOR_UNKNOWN
void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size)
int DetectEngineMultiTenantEnabled(void)
#define HashListTableGetListNext(hb)
@ DETECT_SM_LIST_POSTMATCH
#define SIG_FLAG_TOSERVER
void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer)
setup the buffer empty
DetectEngineTenantSelectors
int DetectPortParse(const DetectEngineCtx *de_ctx, DetectPort **head, const char *str)
Function for parsing port strings.
int(* InspectionBufferPktInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags)
HashListTable * HashListTableInit(uint32_t size, uint32_t(*Hash)(struct HashListTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
SCDetectRequiresStatus * requirements
#define TAILQ_REMOVE(head, elm, field)
SCRunMode SCRunmodeGet(void)
Get the current run mode.
bool(* TransformValidate)(const uint8_t *content, uint16_t content_len, void *context)
uint16_t counter_alerts_overflow
bool(* ValidateCallback)(const struct Signature_ *, const char **sigerror, const struct DetectBufferType_ *)
int DetectEngineMoveToFreeList(DetectEngineCtx *de_ctx)
#define PASS
Pass the test.
SpmGlobalThreadCtx * SpmInitGlobalThreadCtx(uint8_t matcher)
void SCProfilingPrefilterDestroyCtx(DetectEngineCtx *de_ctx)
void DetectMpmInitializePktMpms(DetectEngineCtx *de_ctx)
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE
void DetectLoadersInit(void)
struct TmSlot_ * tm_slots
const char * DetectEngineBufferTypeGetDescriptionById(const DetectEngineCtx *de_ctx, const int id)
#define SCMutexUnlock(mut)
@ DETECT_SM_LIST_BASE64_DATA
#define PKT_PSEUDO_STREAM_END
InspectionBuffer * buffers
DetectEngineThreadKeywordCtxItem * keyword_list
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
int SCConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
enum DetectEngineTenantSelectors tenant_selector
HashListTable * keyword_hash
void DetectPktInspectEngineRegister(const char *name, InspectionBufferGetPktDataPtr GetPktData, InspectionBufferPktInspectFunc Callback)
register inspect engine at start up time
int DetectEngineInspectStreamPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature on the raw stream.
DetectEnginePktInspectionEngine * pkt_inspect
InspectionMultiBufferGetDataPtr GetMultiData
int DetectBufferTypeMaxId(void)
void DatasetPostReloadCleanup(void)
Per thread variable structure.
bool DetectEngineBufferTypeValidateTransform(DetectEngineCtx *de_ctx, int sm_list, const uint8_t *content, uint16_t content_len, const char **namestr)
Check content byte array compatibility with transforms.
bool * sm_types_prefilter
int DetectEngineEnabled(void)
Check if detection is enabled.
SigMatchData * SigMatchList2DataArray(SigMatch *head)
convert SigMatch list to SigMatchData array
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
int DetectEngineReloadIsIdle(void)
#define DETECT_ENGINE_INSPECT_SIG_MATCH
#define PKT_DETECT_HAS_STREAMDATA
void SCClassConfDeinit(DetectEngineCtx *de_ctx)
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
DetectEngineFrameInspectionEngine * frame_inspect_engines
DetectEngineCtx * free_list
SigMatch * DetectBufferGetLastSigMatch(const Signature *s, const uint32_t buf_id)
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
void PatternMatchThreadPrepare(MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher)
struct DetectEngineThreadKeywordCtxItem_ * next
#define SCLogWarning(...)
Macro used to log WARNING messages.
int HashTableAdd(HashTable *ht, void *data, uint16_t datalen)
int DetectEngineBufferTypeRegister(DetectEngineCtx *de_ctx, const char *name)
Port structure for detection engine.
DetectEngineAppInspectionEngine * app_inspect
struct ThreadVars_ * next
uint32_t hashlittle_safe(const void *key, size_t length, uint32_t initval)
int SigGroupCleanup(DetectEngineCtx *de_ctx)
uint16_t lua_memory_limit_errors
uint8_t DetectEngineInspectStream(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
inspect engine for stateful rules
int DetectEngineLoadTenantBlocking(uint32_t tenant_id, const char *yaml)
Load a tenant and wait for loading to complete.
void TmModuleDetectLoaderRegister(void)
DetectEngineCtx * DetectEngineCtxInit(void)
void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx)
void DetectEngineInitializeFastPatternList(DetectEngineCtx *de_ctx)
#define DE_STATE_FLAG_BASE
int SCRConfLoadReferenceConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Reference info from the reference.config file.
int DetectEngineTenantRegisterLivedev(uint32_t tenant_id, int device_id)
#define DETECT_CI_FLAGS_END
void DetectEngineBufferTypeSupportsFrames(DetectEngineCtx *de_ctx, const char *name)
int(* InspectionBufferFrameInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame)
DetectBufferMpmRegistry * frame_mpms_list
struct SignatureHook_::@84::@85 app
TmModule * TmModuleGetById(int id)
Returns a TM Module by its id.
struct TenantLoaderCtx_ TenantLoaderCtx
uint16_t max_uniq_toserver_groups
const DetectBufferType * DetectEngineBufferTypeGetById(const DetectEngineCtx *de_ctx, const int id)
int SignatureInitDataBufferCheckExpand(Signature *s)
check if buffers array still has space left, expand if not
struct LiveDevice_ * livedev
InspectionBufferPktInspectFunc Callback
SignatureInitData * init_data
enum DetectEngineSyncState state
SpmThreadCtx * SpmMakeThreadCtx(const SpmGlobalThreadCtx *global_thread_ctx)
void SCReferenceSCConfInit(DetectEngineCtx *de_ctx)
struct SCProfileKeywordDetectCtx_ * profile_keyword_ctx
const char ** additional_configs
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
void SCProfilingPrefilterThreadCleanup(DetectEngineThreadCtx *det_ctx)
void SCConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
int32_t byte_extract_max_local_id
@ SIG_PROP_FLOW_ACTION_PACKET
const struct SignatureProperties signature_properties[SIG_TYPE_MAX]
int RunmodeIsUnittests(void)
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)
#define SIG_FLAG_REQUIRE_STREAM_ONLY
void * InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size)
make sure that the buffer has at least 'min_size' bytes Expand the buffer if necessary
void SpmDestroyGlobalThreadCtx(SpmGlobalThreadCtx *global_thread_ctx)
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
void DetectEngineRegisterTests(void)
int DetectLoaderQueueTask(int loader_id, LoaderFunc Func, void *func_ctx, LoaderFreeFunc FreeFunc)
@ DETECT_ENGINE_TYPE_TENANT
void DetectEngineBufferTypeSupportsTransformations(DetectEngineCtx *de_ctx, const char *name)
bool DetectEngineBufferTypeSupportsMpmGetById(const DetectEngineCtx *de_ctx, const int id)
const char * DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
#define SCRealloc(ptr, sz)
void SRepReloadComplete(void)
Increment effective reputation version after a rule/reputation reload is complete.
#define SIG_FLAG_INIT_STATE_MATCH
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL
struct PacketQueue_ * stream_pq
#define DETECT_SM_LIST_NOTSET
bool DetectEngineBufferTypeSupportsFramesGetById(const DetectEngineCtx *de_ctx, const int id)
int DetectEngineBufferTypeRegisterWithFrameEngines(DetectEngineCtx *de_ctx, const char *name, const int direction, const AppProto alproto, const uint8_t frame_type)
InspectionBufferGetPktDataPtr GetData
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
@ DETECT_ENGINE_TYPE_NORMAL
void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len)
void * FlowWorkerGetDetectCtxPtr(void *flow_worker)
bool DetectEngineBufferTypeSupportsMultiInstanceGetById(const DetectEngineCtx *de_ctx, const int id)
SigFileLoaderStat sig_stat
void DetectEngineFrameMpmRegister(DetectEngineCtx *de_ctx, const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id), AppProto alproto, uint8_t type)
uint32_t * to_clear_queue
void SpmDestroyThreadCtx(SpmThreadCtx *thread_ctx)
struct SCProfilePrefilterDetectCtx_ * profile_prefilter_ctx
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
int DetectEnginePktInspectionSetup(Signature *s)
int DetectBufferTypeRegister(const char *name)
uint8_t(* InspectEngineFuncPtr)(struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
int DetectRegisterThreadCtxFuncs(DetectEngineCtx *de_ctx, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int mode)
Register Thread keyword context Funcs.
int MpmStoreInit(DetectEngineCtx *de_ctx)
Initializes the MpmStore mpm hash table to be used by the detection engine context.
DetectBufferMpmRegistry * app_mpms_list
@ SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
DetectEngineCtx * DetectEngineCtxInitStubForMT(void)
void DetectBufferTypeSupportsMpm(const char *name)
void HashListTableFree(HashListTable *ht)
HashListTable * buffer_type_hash_name
struct DetectEngineCtx_ * next
#define SIG_FLAG_INIT_FORCE_TOSERVER
@ DETECT_ENGINE_TYPE_DD_STUB
void DetectEngineBumpVersion(void)
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
struct DetectEngineFrameInspectionEngine * next
SignatureInitDataBuffer * curbuf
enum SignatureHookType type
int DetectEngineInspectFrameBufferGeneric(DetectEngineThreadCtx *det_ctx, const DetectEngineFrameInspectionEngine *engine, const Signature *s, Packet *p, const Frames *frames, const Frame *frame)
Do the content inspection & validation for a signature.
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
struct DetectEnginePktInspectionEngine * next
#define DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT
PostRuleMatchWorkQueueItem * q
uint8_t PatternMatchDefaultMatcher(void)
Function to return the multi pattern matcher algorithm to be used by the engine, based on the mpm-alg...
struct DetectEngineFrameInspectionEngine::@83 v1
void SCConfDeInit(void)
De-initializes the configuration system.
int DetectEngineTenantRegisterPcapFile(uint32_t tenant_id)
void SigGroupHeadHashFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function.
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
void DetectEngineAppInspectionEngineSignatureFree(DetectEngineCtx *de_ctx, Signature *s)
free app inspect engines for a signature
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER
void InspectionBufferApplyTransforms(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
DetectEnginePktInspectionEngine * pkt_inspect_engines
void DetectEngineBufferTypeSupportsMpm(DetectEngineCtx *de_ctx, const char *name)
bool * sm_types_silent_error
const char * DetectBufferTypeGetDescriptionByName(const char *name)
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
void InspectionBufferTruncate(InspectionBuffer *buffer, uint32_t buf_len)
void DetectEngineFreeFastPatternList(DetectEngineCtx *de_ctx)
void DetectBufferTypeSupportsTransformations(const char *name)
const char * DetectEngineMpmCachingGetPath(void)
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
int DetectAddressMapInit(DetectEngineCtx *de_ctx)
void InjectPacketsForFlush(ThreadVars **detect_tvs, int no_of_detect_tvs)
SignatureInitDataBuffer * buffers
DetectEngineAppInspectionEngine * app_inspect_engines
int filemagic_thread_ctx_id
int global_keyword_ctxs_size
void PrefilterInit(DetectEngineCtx *de_ctx)
void * DetectThreadCtxGetGlobalKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
SCConfNode * SCConfGetNode(const char *name)
Get a SCConfNode by name.
#define SCLogError(...)
Macro used to log ERROR messages.
int SRepInit(DetectEngineCtx *de_ctx)
init reputation
int DetectEngineReloadStart(void)
void DetectEngineUnsetParseMetadata(void)
@ PKT_SRC_DETECT_RELOAD_FLUSH
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
void ** keyword_ctxs_array
uint8_t guess_applayer_log_limit
int HashListTableRemove(HashListTable *ht, void *data, uint16_t datalen)
DetectEngineTransforms transforms
void SCConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
struct DetectEnginePktInspectionEngine::@82 v1
a single match condition for a signature
const DetectEngineTransforms * transforms
struct DetectEngineThreadCtx_::@98 inspect
void InspectionBufferClean(DetectEngineThreadCtx *det_ctx)
int DetectLoadersSync(void)
wait for loader tasks to complete
void SCProfilingSghDestroyCtx(DetectEngineCtx *de_ctx)
HashTable * HashTableInit(uint32_t size, uint32_t(*Hash)(struct HashTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
SpmTableElmt spm_table[SPM_TABLE_SIZE]
DetectEngineCtx * DetectEngineReference(DetectEngineCtx *de_ctx)
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
struct DetectEngineSyncer_ DetectEngineSyncer
void DetectMpmInitializeAppMpms(DetectEngineCtx *de_ctx)
int EngineModeIsIPS(void)
void(* ConfigDeinit)(MpmConfig **)
void(* ConfigCacheDirSet)(MpmConfig *, const char *dir_path)
void PmqFree(PrefilterRuleStore *pmq)
Cleanup and free a Pmq.
struct DetectEngineThreadCtx_::@99 multi_inspect
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
@ DETECT_ENGINE_TYPE_MT_STUB
void ThresholdCacheThreadFree(void)
uint16_t vlan_id[VLAN_MAX_LAYERS]
int DetectEngineReload(const SCInstance *suri)
Reload the detection engine.
bool DetectEngineBufferRunValidateCallback(const DetectEngineCtx *de_ctx, const int id, const Signature *s, const char **sigerror)
void(* SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *)
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
bool DetectEngineContentInspectionBuffer(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const InspectionBuffer *b, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
SpmGlobalThreadCtx * spm_global_thread_ctx
void DetectEngineClearMaster(void)
void SRepDestroy(DetectEngineCtx *de_ctx)
MpmConfig *(* ConfigInit)(void)
uint16_t StatsRegisterAvgCounter(const char *name, struct ThreadVars_ *tv)
Registers a counter, whose value holds the average of all the values assigned to it.
@ SIG_PROP_FLOW_ACTION_FLOW
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
DetectEngineTransforms transforms
#define SCStatFn(pathname, statbuf)
int DetectUnregisterThreadCtxFuncs(DetectEngineCtx *de_ctx, void *data, const char *name)
Remove Thread keyword context registration.
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
void DetectEngineFrameInspectEngineRegister(DetectEngineCtx *de_ctx, const char *name, int dir, InspectionBufferFrameInspectFunc Callback, AppProto alproto, uint8_t type)
register inspect engine at start up time
int DetectEngineTenantRegisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
void DetectEngineSetParseMetadata(void)
bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, const uint32_t buffer_len, const uint32_t stream_start_offset, const uint8_t flags, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
int TmThreadsCheckFlag(ThreadVars *tv, uint32_t flag)
Check if a thread flag is set.
void(* Transform)(DetectEngineThreadCtx *, InspectionBuffer *, void *context)
#define SCLogNotice(...)
Macro used to log NOTICE messages.
void DetectPktMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
@ TENANT_SELECTOR_LIVEDEV
AppProto alproto
application level protocol
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
int DetectEngineTenantUnregisterPcapFile(uint32_t tenant_id)
Signature loader statistics.
int DetectEngineInspectPktBufferGeneric(DetectEngineThreadCtx *det_ctx, const DetectEnginePktInspectionEngine *engine, const Signature *s, Packet *p, uint8_t *_alert_flags)
Do the content inspection & validation for a signature.
void InspectionBufferSetupMulti(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
HashListTable * buffer_type_hash_id
DetectEngineCtx * DetectEngineGetByTenantId(uint32_t tenant_id)
void InspectionBufferFree(InspectionBuffer *buffer)
void DetectPortCleanupList(const DetectEngineCtx *de_ctx, DetectPort *head)
Free a DetectPort list and each of its members.
@ DETECT_SM_LIST_SUPPRESS
InspectionBuffer * inspection_buffers
#define DEBUG_VALIDATE_BUG_ON(exp)
int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature *s)
bool SCClassConfLoadClassificationConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Classtype info from the classification.config file.
int DetectEngineTenantUnregisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
int PmqSetup(PrefilterRuleStore *pmq)
Setup a pmq.
void PatternMatchThreadDestroy(MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher)
int VarNameStoreActivate(void)
uint16_t counter_mpm_list
union SignatureHook_::@84 t
void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size)
void SCProfilingKeywordThreadSetup(SCProfileKeywordDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
int DetectEngineReloadIsStart(void)
int DetectRegisterThreadCtxGlobalFuncs(const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *))
Register Thread keyword context Funcs (Global)
PostRuleMatchWorkQueue post_rule_work_queue
uint32_t tenant_array_size
struct DetectEngineTenantMapping_ * tenant_array
volatile uint8_t suricata_ctl_flags
void FlowWorkerReplaceDetectCtx(void *flow_worker, void *detect_ctx)
uint32_t StringHashDjb2(const uint8_t *data, uint32_t datalen)
int DetectEngineBufferTypeGetByIdTransforms(DetectEngineCtx *de_ctx, const int id, TransformData *transforms, int transform_cnt)
uint32_t(* TenantGetId)(const void *, const Packet *p)
void SCProfilingPrefilterThreadSetup(SCProfilePrefilterDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
void SCClassConfDeInitContext(DetectEngineCtx *de_ctx)
Releases resources used by the Classification Config API.
void PrefilterPktNonPFStatsDump(void)
#define SIG_FLAG_REQUIRE_PACKET