/** \brief Default inspection recursion limit.
 *
 *  Presumably the fallback used when the config key
 *  detect.inspection-recursion-limit (read with ConfGetInt() further down
 *  in this file) is absent or out of range -- confirm against
 *  DetectEngineCtxLoadConf(). */
92 #define DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT 3000

/* Hash/compare/free callbacks passed to HashTableInit() when building the
 * per-tenant thread-ctx hash (mt_det_ctxs_hash). The entries stored in that
 * table are released by TenantIdFree() through DetectEngineThreadCtxFree().
 * Definitions are at the end of this file. */
99 static uint32_t TenantIdHash(
HashTable *h,
void *data, uint16_t data_len);
100 static char TenantIdCompare(
void *d1, uint16_t d1_len,
void *d2, uint16_t d2_len);
101 static void TenantIdFree(
void *d);

/* Per-packet tenant-id resolvers. One of these is installed into
 * det_ctx->TenantGetId when multi-tenancy is set up, chosen by the
 * configured multi-detect.selector ("vlan", "device" or "direct"); which
 * resolver backs "direct" is not visible here (looks like the pcap one --
 * confirm). NOTE(review): the vlan resolver presumably reads the tenant key
 * from the packet's VLAN tag, which is why setup refuses the "vlan" selector
 * when vlan.use-for-tracking is disabled and only accepts mapping vlan ids in
 * the range 1-4094; the livedev resolver bails out early when either the live
 * device or the det_ctx is NULL (its return value in that case is not visible
 * here). */
102 static uint32_t DetectEngineTenantGetIdFromLivedev(
const void *ctx,
const Packet *p);
103 static uint32_t DetectEngineTenantGetIdFromVlanId(
const void *ctx,
const Packet *p);
104 static uint32_t DetectEngineTenantGetIdFromPcap(
const void *ctx,
const Packet *p);
135 FatalError(
"failed to register inspect engine %s", name);
147 FatalError(
"failed to register inspect engine %s: %s", name, strerror(errno));
149 new_engine->
sm_list = (uint16_t)sm_list;
154 if (g_pkt_inspect_engines == NULL) {
155 g_pkt_inspect_engines = new_engine;
158 while (t->
next != NULL) {
162 t->
next = new_engine;
175 FatalError(
"failed to register inspect engine %s", name);
192 FatalError(
"failed to register inspect engine %s: %s", name, strerror(errno));
194 new_engine->
sm_list = (uint16_t)sm_list;
196 new_engine->
dir = direction;
201 if (g_frame_inspect_engines == NULL) {
202 g_frame_inspect_engines = new_engine;
205 while (t->
next != NULL) {
209 t->
next = new_engine;
224 FatalError(
"failed to register inspect engine %s", name);
230 (progress < 0 || progress >= SHRT_MAX) || (Callback == NULL)) {
234 SCLogError(
"Invalid arguments: must register "
235 "GetData with DetectEngineInspectBufferGeneric");
252 new_engine->
dir = direction;
253 new_engine->
sm_list = (uint16_t)sm_list;
255 new_engine->
progress = (int16_t)progress;
259 if (g_app_inspect_engines == NULL) {
260 g_app_inspect_engines = new_engine;
263 while (t->
next != NULL) {
267 t->
next = new_engine;
272 static void DetectAppLayerInspectEngineCopy(
274 int sm_list,
int new_list,
287 new_engine->
sm_list = (uint16_t)new_list;
291 new_engine->
v2 = t->
v2;
298 while (list->
next != NULL) {
302 list->
next = new_engine;
324 new_engine->
v2 = t->
v2;
329 list->
next = new_engine;
338 static void DetectPktInspectEngineCopy(
340 int sm_list,
int new_list,
351 new_engine->
sm_list = (uint16_t)new_list;
354 new_engine->
v1 = t->
v1;
361 while (list->
next != NULL) {
365 list->
next = new_engine;
384 new_engine->
v1 = t->
v1;
390 while (list->
next != NULL) {
394 list->
next = new_engine;
409 FatalError(
"failed to register inspect engine %s", name);
426 FatalError(
"failed to register inspect engine %s: %s", name, strerror(errno));
428 new_engine->
sm_list = (uint16_t)sm_list;
430 new_engine->
dir = direction;
439 while (list->
next != NULL) {
443 list->
next = new_engine;
462 new_engine->
sm_list = (uint16_t)new_list;
468 new_engine->
v1 = t->
v1;
473 while (list->
next != NULL) {
477 list->
next = new_engine;
499 new_engine->
v1 = t->
v1;
505 while (list->
next != NULL) {
509 list->
next = new_engine;
521 static void AppendStreamInspectEngine(
524 bool prepend =
false;
533 new_engine->
mpm =
true;
536 new_engine->
dir = direction;
537 new_engine->
stream =
true;
540 new_engine->
smd = stream;
548 }
else if (prepend) {
555 while (a->
next != NULL) {
559 a->
next = new_engine;
562 SCLogDebug(
"sid %u: engine %p/%u added", s->
id, new_engine, new_engine->
id);
569 bool prepend =
false;
592 new_engine->
mpm =
true;
598 new_engine->
smd = smd;
599 new_engine->
v1 = u->
v1;
605 }
else if (prepend) {
610 while (a->
next != NULL) {
614 a->
next = new_engine;
622 bool prepend =
false;
632 new_engine->
mpm =
true;
637 new_engine->
smd = smd;
638 new_engine->
v1 = e->
v1;
644 }
else if (prepend) {
649 while (a->
next != NULL) {
653 a->
next = new_engine;
659 const int mpm_list,
const int files_id, uint8_t *last_id,
bool *head_is_mpm)
673 SCLogDebug(
"app engine: t %p t->id %u => alproto:%s files:%s", t, t->
id,
681 bool prepend =
false;
686 new_engine->
mpm =
true;
693 new_engine->
smd = smd;
695 new_engine->
v2 = t->
v2;
701 if (new_engine->
sm_list == files_id) {
703 SCLogDebug(
"sid %u: engine %p/%u is FILE ENGINE", s->
id, new_engine, new_engine->
id);
706 SCLogDebug(
"sid %u: engine %p/%u %s", s->
id, new_engine, new_engine->
id,
714 if (new_engine->
sm_list == files_id) {
716 SCLogDebug(
"sid %u: engine %p/%u is FILE ENGINE", s->
id, new_engine, new_engine->
id);
718 new_engine->
id = ++(*last_id);
719 SCLogDebug(
"sid %u: engine %p/%u %s", s->
id, new_engine, new_engine->
id,
725 while (a->
next != NULL) {
733 a->
next = new_engine;
734 if (new_engine->
sm_list == files_id) {
736 SCLogDebug(
"sid %u: engine %p/%u is FILE ENGINE", s->
id, new_engine, new_engine->
id);
738 new_engine->
id = ++(*last_id);
739 SCLogDebug(
"sid %u: engine %p/%u %s", s->
id, new_engine, new_engine->
id,
744 SCLogDebug(
"sid %u: engine %p/%u added", s->
id, new_engine, new_engine->
id);
757 bool head_is_mpm =
false;
771 u != NULL; u = u->
next) {
773 AppendFrameInspectEngine(
de_ctx, u, s, smd, mpm_list);
782 AppendPacketInspectEngine(
de_ctx, e, s, smd, mpm_list);
791 AppendAppInspectEngine(
792 de_ctx, t, s, smd, mpm_list, files_id, &last_id, &head_is_mpm);
805 AppendStreamInspectEngine(s, stream, 0, last_id + 1);
807 AppendStreamInspectEngine(s, stream, 1, last_id + 1);
809 AppendStreamInspectEngine(s, stream, 0, last_id + 1);
810 AppendStreamInspectEngine(s, stream, 1, last_id + 1);
824 iter->
sm_list == mpm_list ?
"MPM" :
"");
875 for (
int i = 0; i < arrays; i++) {
876 if (bufs[i] == ie->
smd) {
882 bufs[arrays++] = ie->
smd;
892 for (
int i = 0; i < arrays; i++) {
893 if (bufs[i] == e->
smd) {
899 bufs[arrays++] = e->
smd;
909 for (
int i = 0; i < arrays; i++) {
910 if (bufs[i] == u->
smd) {
916 bufs[arrays++] = u->
smd;
922 for (
int i = 0; i < engines; i++) {
944 static int g_buffer_type_reg_closed = 0;
948 return g_buffer_type_id;
951 static uint32_t DetectBufferTypeHashNameFunc(
HashListTable *ht,
void *data, uint16_t datalen)
960 static uint32_t DetectBufferTypeHashIdFunc(
HashListTable *ht,
void *data, uint16_t datalen)
963 uint32_t hash = map->
id;
968 static char DetectBufferTypeCompareNameFunc(
void *data1, uint16_t len1,
void *data2, uint16_t len2)
973 char r = (strcmp(map1->
name, map2->
name) == 0);
978 static char DetectBufferTypeCompareIdFunc(
void *data1, uint16_t len1,
void *data2, uint16_t len2)
982 return map1->
id == map2->
id;
985 static void DetectBufferTypeFreeFunc(
void *data)
998 SCLogError(
"%s allocates transform option memory but has no free routine",
1008 static int DetectBufferTypeInit(
void)
1010 BUG_ON(g_buffer_type_hash);
1012 DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc);
1013 if (g_buffer_type_hash == NULL)
1019 static void DetectBufferTypeFree(
void)
1021 if (g_buffer_type_hash == NULL)
1025 g_buffer_type_hash = NULL;
1029 static int DetectBufferTypeAdd(
const char *
string)
1031 BUG_ON(
string == NULL || strlen(
string) >= 32);
1038 map->
id = g_buffer_type_id++;
1048 memset(&map, 0,
sizeof(map));
1057 BUG_ON(g_buffer_type_reg_closed);
1058 if (g_buffer_type_hash == NULL)
1059 DetectBufferTypeInit();
1063 return DetectBufferTypeAdd(name);
1071 BUG_ON(g_buffer_type_reg_closed);
1076 SCLogDebug(
"%p %s -- %d supports multi instance", exists, name, exists->
id);
1081 BUG_ON(g_buffer_type_reg_closed);
1085 exists->
frame =
true;
1086 SCLogDebug(
"%p %s -- %d supports frame inspection", exists, name, exists->
id);
1091 BUG_ON(g_buffer_type_reg_closed);
1096 SCLogDebug(
"%p %s -- %d supports packet inspection", exists, name, exists->
id);
1101 BUG_ON(g_buffer_type_reg_closed);
1106 SCLogDebug(
"%p %s -- %d supports mpm", exists, name, exists->
id);
1111 BUG_ON(g_buffer_type_reg_closed);
1116 SCLogDebug(
"%p %s -- %d supports transformations", exists, name, exists->
id);
1132 memset(&map, 0,
sizeof(map));
1142 memset(&lookup, 0,
sizeof(lookup));
1152 return res ? res->
name : NULL;
1157 BUG_ON(
string == NULL || strlen(
string) >= 32);
1173 const int direction,
const AppProto alproto,
const uint8_t frame_type)
1180 const int buffer_id = DetectEngineBufferTypeAdd(
de_ctx, name);
1181 if (buffer_id < 0) {
1210 return DetectEngineBufferTypeAdd(
de_ctx, name);
1218 BUG_ON(desc == NULL || strlen(desc) >= 128);
1249 exists->
frame =
true;
1250 SCLogDebug(
"%p %s -- %d supports frame inspection", exists, name, exists->
id);
1258 SCLogDebug(
"%p %s -- %d supports packet inspection", exists, name, exists->
id);
1266 SCLogDebug(
"%p %s -- %d supports mpm", exists, name, exists->
id);
1274 SCLogDebug(
"%p %s -- %d supports transformations", exists, name, exists->
id);
1316 BUG_ON(g_buffer_type_reg_closed);
1332 bool (*ValidateCallback)(
const Signature *,
const char **sigerror))
1334 BUG_ON(g_buffer_type_reg_closed);
1387 SCLogError(
"Rule buffer cannot be reset after base64_data.");
1392 SCLogError(
"no matches following transform(s)");
1400 SCLogError(
"previous sticky buffer has no matches");
1410 if ((uint32_t)list == b->
id) {
1411 SCLogDebug(
"found buffer %p for list %d", b, list);
1414 SCLogDebug(
"sm_init was true for %p list %d", b, list);
1433 SCLogError(
"failed to expand rule buffer array");
1457 SCLogError(
"previous transforms not consumed "
1458 "(list: %u, transform_cnt %u)",
1463 SCLogDebug(
"buffer %d has transform(s) registered: %d",
1467 if (new_list == -1) {
1479 SCLogError(
"failed to expand rule buffer array");
1492 SCLogDebug(
"new list after applying transforms: %u", new_list);
1515 for (uint32_t x = 0; x <= mbuffer->
max; x++) {
1535 if (!buffer->
init) {
1556 if (local_id >= fb->
size) {
1557 uint32_t old_size = fb->
size;
1558 uint32_t new_size = local_id + 1;
1559 uint32_t grow_by = new_size - old_size;
1560 SCLogDebug(
"size is %u, need %u, so growing by %u", old_size, new_size, grow_by);
1568 SCLogDebug(
"ptr %p to_zero %p", ptr, to_zero);
1571 fb->
size = new_size;
1577 #ifdef DEBUG_VALIDATION
1578 buffer->multi =
true;
1585 memset(buffer, 0,
sizeof(*buffer));
1586 buffer->
buf =
SCCalloc(initial_size,
sizeof(uint8_t));
1587 if (buffer->
buf != NULL) {
1588 buffer->
size = initial_size;
1595 #ifdef DEBUG_VALIDATION
1607 const uint8_t *data,
const uint32_t data_len)
1609 #ifdef DEBUG_VALIDATION
1624 #ifdef DEBUG_VALIDATION
1628 if (buffer->
inspect == NULL) {
1630 if (det_ctx && list_id != -1)
1642 if (buffer->
buf != NULL) {
1645 memset(buffer, 0,
sizeof(*buffer));
1657 uint32_t new_size = (buffer->
size == 0) ? 4096 : buffer->
size;
1658 while (new_size < min_size) {
1665 buffer->
size = new_size;
1674 uint32_t copy_size =
MIN(buf_len, buffer->
size);
1675 memcpy(buffer->
buf, buf, copy_size);
1701 const uint8_t *content, uint16_t content_len,
const char **namestr)
1742 const int size = g_buffer_type_id;
1746 DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc);
1749 HashListTableInit(256, DetectBufferTypeHashIdFunc, DetectBufferTypeCompareIdFunc,
1761 memcpy(copy, map,
sizeof(*copy));
1767 SCLogDebug(
"name %s id %d mpm %s packet %s -- %s. "
1768 "Callbacks: Setup %p Validate %p",
1769 map->
name, map->
id, map->
mpm ?
"true" :
"false", map->
packet ?
"true" :
"false",
1776 DetectAppLayerInspectEngineCopyListToDetectCtx(
de_ctx);
1778 DetectFrameInspectEngineCopyListToDetectCtx(
de_ctx);
1780 DetectPktInspectEngineCopyListToDetectCtx(
de_ctx);
1822 while (framemlist) {
1833 BUG_ON(g_buffer_type_hash == NULL);
1835 g_buffer_type_reg_closed = 1;
1846 SCLogError(
"buffer '%s' does not support transformations", base_map->
name);
1853 memset(&t, 0,
sizeof(t));
1854 for (
int i = 0; i < transform_cnt; i++) {
1857 t.
cnt = transform_cnt;
1860 memset(&lookup_map, 0,
sizeof(lookup_map));
1878 map->
mpm = base_map->
mpm;
1885 }
else if (map->
packet) {
1895 SCLogDebug(
"buffer %s registered with id %d, parent %d", map->name, map->id, map->parent_id);
1898 DetectFrameInspectEngineCopy(
de_ctx, map->parent_id, map->id, &map->transforms);
1899 }
else if (map->packet) {
1900 DetectPktInspectEngineCopy(
de_ctx, map->parent_id, map->id, &map->transforms);
1902 DetectAppLayerInspectEngineCopy(
de_ctx, map->parent_id, map->id, &map->transforms);
1908 static int DetectEngineInspectRulePacketMatches(
1912 Packet *p, uint8_t *_alert_flags)
1920 SCLogDebug(
"running match functions, sm %p", smd);
1938 static int DetectEngineInspectRulePayloadMatches(
1961 SCLogDebug(
"no match in stream, fall back to packet payload");
1969 SCLogDebug(
"SIG_FLAG_REQUIRE_STREAM_ONLY, so no match");
1987 uint8_t *alert_flags)
1993 SCLogDebug(
"sid %u: e %p Callback returned no match", s->
id, e);
1996 SCLogDebug(
"sid %u: e %p Callback returned true", s->
id, e);
2015 e->
sm_list = (uint16_t)list_id;
2024 while (a->
next != NULL) {
2036 if (DetectEnginePktInspectionAppend(
2039 SCLogDebug(
"sid %u: DetectEngineInspectRulePayloadMatches appended", s->
id);
2043 if (DetectEnginePktInspectionAppend(
2046 SCLogDebug(
"sid %u: DetectEngineInspectRulePacketMatches appended", s->
id);
2128 uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id)
2131 SCLogDebug(
"running match functions, sm %p", smd);
2137 AppLayerTxMatch(det_ctx, f,
flags, alstate, txv, s, smd->
ctx);
2171 void *alstate,
void *txv, uint64_t tx_id)
2173 const int list_id = engine->
sm_list;
2174 SCLogDebug(
"running inspect on %d", list_id);
2188 f,
flags, txv, list_id);
2195 const uint8_t *data = buffer->
inspect;
2200 ci_flags |= buffer->
flags;
2230 const int list_id = engine->
sm_list;
2231 SCLogDebug(
"running inspect on %d", list_id);
2249 ci_flags |= buffer->
flags;
2267 static void InjectPackets(
ThreadVars **detect_tvs,
2269 int no_of_detect_tvs)
2273 for (
int i = 0; i < no_of_detect_tvs; i++) {
2274 if (
SC_ATOMIC_GET(new_det_ctx[i]->so_far_used_by_detect) != 1) {
2275 if (detect_tvs[i]->inq != NULL) {
2312 if (no_of_detect_tvs == 0) {
2322 memset(detect_tvs, 0x00, (no_of_detect_tvs *
sizeof(
ThreadVars *)));
2347 if (new_det_ctx[i] == NULL) {
2349 "failure in live rule swap. Let's get out of here");
2353 SCLogDebug(
"live rule swap created new det_ctx - %p and de_ctx "
2354 "- %p\n", new_det_ctx[i], new_de_ctx);
2359 BUG_ON(i != no_of_detect_tvs);
2372 SCLogDebug(
"swapping new det_ctx - %p with older one - %p",
2383 SCLogDebug(
"Live rule swap has swapped %d old det_ctx's with new ones, "
2384 "along with the new de_ctx", no_of_detect_tvs);
2386 InjectPackets(detect_tvs, new_det_ctx, no_of_detect_tvs);
2390 uint32_t threads_done = 0;
2392 for (i = 0; i < no_of_detect_tvs; i++) {
2394 threads_done = no_of_detect_tvs;
2398 if (
SC_ATOMIC_GET(new_det_ctx[i]->so_far_used_by_detect) == 1) {
2399 SCLogDebug(
"new_det_ctx - %p used by detect engine", new_det_ctx[i]);
2402 TmThreadsCaptureBreakLoop(detect_tvs[i]);
2405 if (threads_done < no_of_detect_tvs) {
2416 if (i != no_of_detect_tvs) {
2429 for (i = 0; i < no_of_detect_tvs; i++) {
2430 SCLogDebug(
"Freeing old_det_ctx - %p used by detect",
2440 for (i = 0; i < no_of_detect_tvs; i++) {
2441 if (new_det_ctx[i] != NULL)
2467 if (prefix != NULL) {
2471 int failure_fatal = 0;
2472 if (
ConfGetBool(
"engine.init-failure-fatal", (
int *)&failure_fatal) != 1) {
2473 SCLogDebug(
"ConfGetBool could not load the value.");
2485 SCLogDebug(
"Unable to alloc SpmGlobalThreadCtx.");
2489 if (DetectEngineCtxLoadConf(
de_ctx) == -1) {
2499 DetectBufferTypeSetupDetectEngine(
de_ctx);
2548 if (prefix == NULL || strlen(prefix) == 0)
2586 #ifdef PROFILE_RULES
2587 if (
de_ctx->profile_ctx != NULL) {
2589 de_ctx->profile_ctx = NULL;
2625 DetectEngineCtxFreeThreadKeywordData(
de_ctx);
2627 DetectEngineCtxFreeFailedSigs(
de_ctx);
2647 DetectBufferTypeFreeDetectEngine(
de_ctx);
2673 const char *max_uniq_toclient_groups_str = NULL;
2674 const char *max_uniq_toserver_groups_str = NULL;
2675 const char *sgh_mpm_context = NULL;
2676 const char *de_ctx_profile = NULL;
2678 (void)
ConfGet(
"detect.profile", &de_ctx_profile);
2679 (void)
ConfGet(
"detect.sgh-mpm-context", &sgh_mpm_context);
2684 if (de_ctx_custom != NULL) {
2686 if (de_ctx_profile == NULL) {
2687 if (opt->
val && strcmp(opt->
val,
"profile") == 0) {
2688 de_ctx_profile = opt->head.tqh_first->
val;
2692 if (sgh_mpm_context == NULL) {
2693 if (opt->
val && strcmp(opt->
val,
"sgh-mpm-context") == 0) {
2694 sgh_mpm_context = opt->head.tqh_first->
val;
2700 if (de_ctx_profile != NULL) {
2701 if (strcmp(de_ctx_profile,
"low") == 0 ||
2702 strcmp(de_ctx_profile,
"lowest") == 0) {
2704 }
else if (strcmp(de_ctx_profile,
"medium") == 0) {
2706 }
else if (strcmp(de_ctx_profile,
"high") == 0 ||
2707 strcmp(de_ctx_profile,
"highest") == 0) {
2709 }
else if (strcmp(de_ctx_profile,
"custom") == 0) {
2712 SCLogError(
"invalid value for detect.profile: '%s'. "
2713 "Valid options: low, medium, high and custom.",
2718 SCLogDebug(
"Profile for detection engine groups is \"%s\"", de_ctx_profile);
2720 SCLogDebug(
"Profile for detection engine groups not provided "
2721 "at suricata.yaml. Using default (\"medium\").");
2725 if (sgh_mpm_context == NULL || strcmp(sgh_mpm_context,
"auto") == 0) {
2735 if (strcmp(sgh_mpm_context,
"single") == 0) {
2737 }
else if (strcmp(sgh_mpm_context,
"full") == 0) {
2741 "invalid conf value for detect-engine.sgh-mpm-context-"
2766 (void)
ConfGet(
"detect.custom-values.toclient-groups",
2767 &max_uniq_toclient_groups_str);
2768 (void)
ConfGet(
"detect.custom-values.toserver-groups",
2769 &max_uniq_toserver_groups_str);
2771 if (de_ctx_custom != NULL) {
2773 if (opt->
val && strcmp(opt->
val,
"custom-values") == 0) {
2774 if (max_uniq_toclient_groups_str == NULL) {
2776 (opt->head.tqh_first,
"toclient-sp-groups");
2778 if (max_uniq_toclient_groups_str == NULL) {
2780 (opt->head.tqh_first,
"toclient-groups");
2782 if (max_uniq_toserver_groups_str == NULL) {
2784 (opt->head.tqh_first,
"toserver-dp-groups");
2786 if (max_uniq_toserver_groups_str == NULL) {
2788 (opt->head.tqh_first,
"toserver-groups");
2793 if (max_uniq_toclient_groups_str != NULL) {
2795 (uint16_t)strlen(max_uniq_toclient_groups_str),
2796 (
const char *)max_uniq_toclient_groups_str) <= 0) {
2800 "toclient-groups failed, using %u",
2808 if (max_uniq_toserver_groups_str != NULL) {
2810 (uint16_t)strlen(max_uniq_toserver_groups_str),
2811 (
const char *)max_uniq_toserver_groups_str) <= 0) {
2815 "toserver-groups failed, using %u",
2834 if (
ConfGetInt(
"detect.inspection-recursion-limit", &value) == 1)
2836 if (value >= 0 && value <= INT_MAX) {
2842 ConfNode *insp_recursion_limit_node = NULL;
2843 char *insp_recursion_limit = NULL;
2845 if (de_ctx_custom != NULL) {
2848 if (opt->
val && strcmp(opt->
val,
"inspection-recursion-limit") != 0)
2852 if (insp_recursion_limit_node == NULL) {
2854 "entry for detect-engine:inspection-recursion-limit");
2857 insp_recursion_limit = insp_recursion_limit_node->
val;
2858 SCLogDebug(
"Found detect-engine.inspection-recursion-limit - %s:%s",
2859 insp_recursion_limit_node->
name, insp_recursion_limit_node->
val);
2863 if (insp_recursion_limit != NULL) {
2865 0, (
const char *)insp_recursion_limit) < 0) {
2867 "detect-engine.inspection-recursion-limit: %s "
2883 SCLogDebug(
"de_ctx->inspection_recursion_limit: %d",
2888 const char *ports = NULL;
2889 (void)
ConfGet(
"detect.grouping.tcp-whitelist", &ports);
2893 ports =
"53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080";
2894 SCLogConfig(
"grouping: tcp-whitelist (default) %s", ports);
2899 "for detect.grouping.tcp-whitelist",
2903 for ( ; x != NULL; x = x->
next) {
2906 "for detect.grouping.tcp-whitelist: only single ports allowed",
2915 (void)
ConfGet(
"detect.grouping.udp-whitelist", &ports);
2919 ports =
"53, 135, 5060";
2920 SCLogConfig(
"grouping: udp-whitelist (default) %s", ports);
2925 "for detect.grouping.udp-whitelist",
2931 "for detect.grouping.udp-whitelist: only single ports allowed",
2940 const char *pf_setting = NULL;
2941 if (
ConfGet(
"detect.prefilter.default", &pf_setting) == 1 && pf_setting) {
2942 if (strcasecmp(pf_setting,
"mpm") == 0) {
2944 }
else if (strcasecmp(pf_setting,
"auto") == 0) {
2953 SCLogConfig(
"prefilter engines: MPM and keywords");
2982 SCLogError(
"setting up thread local detect ctx");
2991 SCLogError(
"setting up thread local detect ctx "
2992 "for keyword \"%s\" failed",
3030 SCLogError(
"setting up thread local detect ctx");
3042 SCLogError(
"setting up thread local detect ctx "
3043 "for keyword \"%s\" failed",
3073 uint32_t map_array_size = 0;
3074 uint32_t map_cnt = 0;
3075 uint32_t max_tenant_id = 0;
3081 "set using multi-detect.selector");
3094 mt_det_ctxs_hash =
HashTableInit(tcnt * 2, TenantIdHash, TenantIdCompare, TenantIdFree);
3095 if (mt_det_ctxs_hash == NULL) {
3100 SCLogInfo(
"no tenants left, or none registered yet");
3111 map_array_size = map_cnt + 1;
3113 map_array =
SCCalloc(map_array_size,
sizeof(*map_array));
3114 if (map_array == NULL)
3121 if (map_cnt >= map_array_size) {
3133 list = master->
list;
3138 if (mt_det_ctx == NULL)
3140 if (
HashTableAdd(mt_det_ctxs_hash, mt_det_ctx, 0) != 0) {
3149 mt_det_ctxs_hash = NULL;
3161 det_ctx->
TenantGetId = DetectEngineTenantGetIdFromVlanId;
3165 det_ctx->
TenantGetId = DetectEngineTenantGetIdFromLivedev;
3169 det_ctx->
TenantGetId = DetectEngineTenantGetIdFromPcap;
3176 if (map_array != NULL)
3178 if (mt_det_ctxs_hash != NULL)
3259 DetectEngineThreadCtxInitKeywords(
de_ctx, det_ctx);
3260 DetectEngineThreadCtxInitGlobalKeywords(det_ctx);
3261 #ifdef PROFILE_RULES
3299 if (det_ctx->
de_ctx == NULL) {
3334 if (DetectEngineThreadCtxInitForMT(
tv, det_ctx) !=
TM_ECODE_OK) {
3341 *data = (
void *)det_ctx;
3365 if (det_ctx->
de_ctx == NULL) {
3397 if (DetectEngineThreadCtxInitForMT(
tv, det_ctx) !=
TM_ECODE_OK) {
3410 SCLogDebug(
"PACKET PKT_STREAM_ADD: %"PRIu64, det_ctx->pkt_stream_add_cnt);
3412 SCLogDebug(
"PAYLOAD MPM %"PRIu64
"/%"PRIu64, det_ctx->payload_mpm_cnt, det_ctx->payload_mpm_size);
3413 SCLogDebug(
"STREAM MPM %"PRIu64
"/%"PRIu64, det_ctx->stream_mpm_cnt, det_ctx->stream_mpm_size);
3415 SCLogDebug(
"PAYLOAD SIG %"PRIu64
"/%"PRIu64, det_ctx->payload_persig_cnt, det_ctx->payload_persig_size);
3416 SCLogDebug(
"STREAM SIG %"PRIu64
"/%"PRIu64, det_ctx->stream_persig_cnt, det_ctx->stream_persig_size);
3424 #ifdef PROFILE_RULES
3434 if (det_ctx->
de_ctx != NULL) {
3474 for (uint32_t x = 0; x < fb->
size; x++) {
3485 DetectEngineThreadCtxDeinitGlobalKeywords(det_ctx);
3486 if (det_ctx->
de_ctx != NULL) {
3487 DetectEngineThreadCtxDeinitKeywords(det_ctx->
de_ctx, det_ctx);
3505 if (det_ctx == NULL) {
3514 DetectEngineThreadCtxFree(det_ctx);
3525 static uint32_t DetectKeywordCtxHashFunc(
HashListTable *ht,
void *data, uint16_t datalen)
3528 const char *name = ctx->
name;
3529 uint64_t hash =
StringHashDjb2((
const uint8_t *)name, strlen(name)) + (ptrdiff_t)ctx->
data;
3534 static char DetectKeywordCtxCompareFunc(
void *data1, uint16_t len1,
void *data2, uint16_t len2)
3538 const char *name1 = ctx1->
name;
3539 const char *name2 = ctx2->
name;
3540 return (strcmp(name1, name2) == 0 && ctx1->
data == ctx2->
data);
3543 static void DetectKeywordCtxFreeFunc(
void *ptr)
3566 BUG_ON(
de_ctx == NULL || InitFunc == NULL || FreeFunc == NULL);
3570 DetectKeywordCtxHashFunc, DetectKeywordCtxCompareFunc, DetectKeywordCtxFreeFunc);
3655 void *(*InitFunc)(
void *),
void *data,
void (*FreeFunc)(
void *))
3658 BUG_ON(InitFunc == NULL || FreeFunc == NULL);
3664 while (item != NULL) {
3665 if (strcmp(name, item->
name) == 0) {
3715 if (master->
list == NULL) {
3791 static int DetectEngineMultiTenantLoadTenant(uint32_t tenant_id,
const char *filename,
int loader_id)
3796 snprintf(prefix,
sizeof(prefix),
"multi-detect.%u", tenant_id);
3799 if (
SCStatFn(filename, &st) != 0) {
3800 SCLogError(
"failed to stat file %s", filename);
3806 SCLogError(
"tenant %u already registered", tenant_id);
3813 SCLogError(
"failed to properly setup yaml %s", filename);
3850 static int DetectEngineMultiTenantReloadTenant(uint32_t tenant_id,
const char *filename,
int reload_cnt)
3853 if (old_de_ctx == NULL) {
3854 SCLogError(
"tenant detect engine not found");
3858 if (filename == NULL)
3862 snprintf(prefix,
sizeof(prefix),
"multi-detect.%u.reload.%d", tenant_id, reload_cnt);
3873 SCLogError(
"failed to properly setup yaml %s", filename);
3878 if (new_de_ctx == NULL) {
3918 static void DetectLoaderFreeTenant(
void *ctx)
3921 if (t->
yaml != NULL) {
3927 static int DetectLoaderFuncLoadTenant(
void *vctx,
int loader_id)
3932 if (DetectEngineMultiTenantLoadTenant(ctx->
tenant_id, ctx->
yaml, loader_id) != 0) {
3938 static int DetectLoaderSetupLoadTenant(uint32_t tenant_id,
const char *yaml)
3946 if (t->
yaml == NULL) {
3954 static int DetectLoaderFuncReloadTenant(
void *vctx,
int loader_id)
3966 static int DetectLoaderSetupReloadTenants(
const int reload_cnt)
3985 loader_id, DetectLoaderFuncReloadTenant, t, DetectLoaderFreeTenant);
3999 static int DetectLoaderSetupReloadTenant(uint32_t tenant_id,
const char *yaml,
int reload_cnt)
4002 if (old_de_ctx == NULL)
4014 if (t->
yaml == NULL) {
4024 loader_id, DetectLoaderFuncReloadTenant, t, DetectLoaderFreeTenant);
4031 int r = DetectLoaderSetupLoadTenant(tenant_id, yaml);
4045 int r = DetectLoaderSetupReloadTenant(tenant_id, yaml, reload_cnt);
4059 int r = DetectLoaderSetupReloadTenants(reload_cnt);
4069 static int DetectEngineMultiTenantSetupLoadLivedevMappings(
const ConfNode *mappings_root_node,
4074 int mapping_cnt = 0;
4075 if (mappings_root_node != NULL) {
4078 if (tenant_id_node == NULL)
4081 if (device_node == NULL)
4084 uint32_t tenant_id = 0;
4086 tenant_id_node->
val) < 0) {
4089 tenant_id_node->
val);
4093 const char *dev = device_node->
val;
4112 SCLogConfig(
"device %s connected to tenant-id %u", dev, tenant_id);
4121 SCLogConfig(
"%d device - tenant-id mappings defined", mapping_cnt);
4128 static int DetectEngineMultiTenantSetupLoadVlanMappings(
const ConfNode *mappings_root_node,
4133 int mapping_cnt = 0;
4134 if (mappings_root_node != NULL) {
4137 if (tenant_id_node == NULL)
4140 if (vlan_id_node == NULL)
4143 uint32_t tenant_id = 0;
4145 tenant_id_node->
val) < 0) {
4148 tenant_id_node->
val);
4152 uint16_t vlan_id = 0;
4154 &vlan_id, 10, (uint16_t)strlen(vlan_id_node->
val), vlan_id_node->
val) < 0) {
4160 if (vlan_id == 0 || vlan_id >= 4095) {
4162 "of %s is invalid. Valid range 1-4094.",
4170 SCLogConfig(
"vlan %u connected to tenant-id %u", vlan_id, tenant_id);
4196 int failure_fatal = 0;
4197 (void)
ConfGetBool(
"engine.init-failure-fatal", &failure_fatal);
4200 (void)
ConfGetBool(
"multi-detect.enabled", &enabled);
4210 const char *handler = NULL;
4211 if (
ConfGet(
"multi-detect.selector", &handler) == 1) {
4212 SCLogConfig(
"multi-tenant selector type %s", handler);
4214 if (strcmp(handler,
"vlan") == 0) {
4218 if ((
ConfGetBool(
"vlan.use-for-tracking", &vlanbool)) == 1 && vlanbool == 0) {
4220 "can't use multi-detect selector 'vlan'");
4225 }
else if (strcmp(handler,
"direct") == 0) {
4227 }
else if (strcmp(handler,
"device") == 0) {
4230 SCLogWarning(
"multi-tenant 'device' mode not supported for IPS");
4237 "multi-detect.selector",
4244 SCLogConfig(
"multi-detect is enabled (multi tenancy). Selector: %s", handler);
4250 int mapping_cnt = DetectEngineMultiTenantSetupLoadVlanMappings(mappings_root_node,
4252 if (mapping_cnt == 0) {
4258 SCLogNotice(
"no tenant traffic mappings defined, "
4259 "tenants won't be used until mappings are added");
4261 if (failure_fatal) {
4262 SCLogError(
"no multi-detect mappings defined");
4270 int mapping_cnt = DetectEngineMultiTenantSetupLoadLivedevMappings(mappings_root_node,
4272 if (mapping_cnt == 0) {
4273 if (failure_fatal) {
4274 SCLogError(
"no multi-detect mappings defined");
4286 if (tenants_root_node != NULL) {
4287 const char *path = NULL;
4290 path = path_node->
val;
4296 if (id_node == NULL) {
4300 if (yaml_node == NULL) {
4304 uint32_t tenant_id = 0;
4306 &tenant_id, 10, (uint16_t)strlen(id_node->
val), id_node->
val) < 0) {
4314 char yaml_path[PATH_MAX] =
"";
4318 strlcpy(yaml_path, yaml_node->
val,
sizeof(yaml_path));
4325 snprintf(prefix,
sizeof(prefix),
"multi-detect.%u", tenant_id);
4327 SCLogError(
"failed to load yaml %s", yaml_path);
4331 int r = DetectLoaderSetupLoadTenant(tenant_id, yaml_path);
4352 SCLogDebug(
"multi-detect not enabled (multi tenancy)");
4359 static uint32_t DetectEngineTenantGetIdFromVlanId(
const void *ctx,
const Packet *p)
4363 uint32_t vlan_id = 0;
4383 static uint32_t DetectEngineTenantGetIdFromLivedev(
const void *ctx,
const Packet *p)
4388 if (ld == NULL || det_ctx == NULL)
4395 static int DetectEngineTenantRegisterSelector(
4402 SCLogInfo(
"conflicting selector already set");
4409 if (
m->traffic_id == traffic_id) {
4410 SCLogInfo(
"traffic id already registered");
4431 SCLogDebug(
"tenant handler %u %u %u registered", selector, tenant_id, traffic_id);
4436 static int DetectEngineTenantUnregisterSelector(
4460 SCLogInfo(
"tenant handler %u %u %u unregistered", selector, tenant_id, traffic_id);
4474 return DetectEngineTenantRegisterSelector(
4485 return DetectEngineTenantUnregisterSelector(
TENANT_SELECTOR_VLAN, tenant_id, (uint32_t)vlan_id);
4500 static uint32_t DetectEngineTenantGetIdFromPcap(
const void *ctx,
const Packet *p)
4510 if (master->
list == NULL) {
4533 BUG_ON((*de_ctx)->ref_cnt == 0);
4534 (*de_ctx)->ref_cnt--;
4542 if (instance == NULL)
4545 if (master->
list == NULL) {
4546 master->
list = instance;
4549 master->
list = instance;
4566 r = DetectEngineAddToList(
de_ctx);
4574 if (instance == NULL) {
4579 if (instance ==
de_ctx) {
4583 instance = instance->
next;
4588 if (instance ==
de_ctx) {
4596 if (instance == NULL) {
4602 instance->
next = NULL;
4620 ret = DetectEngineMoveToFreeListNoLock(master,
de_ctx);
4644 SCLogDebug(
"freeing detect engine %p", instance);
4666 DetectEngineMoveToFreeListNoLock(master, instance);
4673 static int reloads = 0;
4688 memset(prefix, 0,
sizeof(prefix));
4693 snprintf(prefix,
sizeof(prefix),
"detect-engine-reloads.%d", reloads++);
4720 if (old_de_ctx == NULL)
4722 SCLogDebug(
"get ref to old_de_ctx %p", old_de_ctx);
4736 if (new_de_ctx == NULL) {
4748 SCLogDebug(
"set up new_de_ctx %p", new_de_ctx);
4757 SCLogDebug(
"going to reload the threads to use new_de_ctx %p", new_de_ctx);
4759 DetectEngineReloadThreads(new_de_ctx);
4760 SCLogDebug(
"threads now run new_de_ctx %p", new_de_ctx);
4769 SCLogDebug(
"old_de_ctx should have been freed");
4773 #ifdef HAVE_MALLOC_TRIM
4784 static uint32_t TenantIdHash(
HashTable *h,
void *data, uint16_t data_len)
4790 static char TenantIdCompare(
void *d1, uint16_t d1_len,
void *d2, uint16_t d2_len)
4797 static void TenantIdFree(
void *d)
4799 DetectEngineThreadCtxFree(d);
4815 for ( ; list != NULL; list = list->
next) {
4826 if (stub_de_ctx == NULL) {
4828 if (stub_de_ctx == NULL) {
4833 if (master->
list == NULL) {
4834 master->
list = stub_de_ctx;
4837 master->
list = stub_de_ctx;
4843 DetectEngineReloadThreads(stub_de_ctx);
4853 SCLogDebug(
"old_de_ctx should have been freed");
4857 static int g_parse_metadata = 0;
4861 g_parse_metadata = 1;
4866 g_parse_metadata = 0;
4871 return g_parse_metadata;
4880 return "packet/stream payload";
4886 return "base64_data";
4889 return "post-match";
4897 return "max (internal)";
4918 static int DetectEngineInitYamlConf(
const char *conf)
4925 static void DetectEngineDeInitYamlConf(
void)
4933 static int DetectEngineTest01(
void)
4939 " - profile: medium\n"
4940 " - custom-values:\n"
4941 " toclient_src_groups: 2\n"
4942 " toclient_dst_groups: 2\n"
4943 " toclient_sp_groups: 2\n"
4944 " toclient_dp_groups: 3\n"
4945 " toserver_src_groups: 2\n"
4946 " toserver_dst_groups: 4\n"
4947 " toserver_sp_groups: 2\n"
4948 " toserver_dp_groups: 25\n"
4949 " - inspection-recursion-limit: 0\n";
4951 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
4960 DetectEngineDeInitYamlConf();
4965 static int DetectEngineTest02(
void)
4971 " - profile: medium\n"
4972 " - custom-values:\n"
4973 " toclient_src_groups: 2\n"
4974 " toclient_dst_groups: 2\n"
4975 " toclient_sp_groups: 2\n"
4976 " toclient_dp_groups: 3\n"
4977 " toserver_src_groups: 2\n"
4978 " toserver_dst_groups: 4\n"
4979 " toserver_sp_groups: 2\n"
4980 " toserver_dp_groups: 25\n"
4981 " - inspection-recursion-limit:\n";
4983 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
4993 DetectEngineDeInitYamlConf();
4998 static int DetectEngineTest03(
void)
5004 " - profile: medium\n"
5005 " - custom-values:\n"
5006 " toclient_src_groups: 2\n"
5007 " toclient_dst_groups: 2\n"
5008 " toclient_sp_groups: 2\n"
5009 " toclient_dp_groups: 3\n"
5010 " toserver_src_groups: 2\n"
5011 " toserver_dst_groups: 4\n"
5012 " toserver_sp_groups: 2\n"
5013 " toserver_dp_groups: 25\n";
5015 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5025 DetectEngineDeInitYamlConf();
5030 static int DetectEngineTest04(
void)
5036 " - profile: medium\n"
5037 " - custom-values:\n"
5038 " toclient_src_groups: 2\n"
5039 " toclient_dst_groups: 2\n"
5040 " toclient_sp_groups: 2\n"
5041 " toclient_dp_groups: 3\n"
5042 " toserver_src_groups: 2\n"
5043 " toserver_dst_groups: 4\n"
5044 " toserver_sp_groups: 2\n"
5045 " toserver_dp_groups: 25\n"
5046 " - inspection-recursion-limit: 10\n";
5048 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5057 DetectEngineDeInitYamlConf();
5062 static int DetectEngineTest08(
void)
5068 " - profile: custom\n"
5069 " - custom-values:\n"
5070 " toclient-groups: 23\n"
5071 " toserver-groups: 27\n";
5073 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5083 DetectEngineDeInitYamlConf();
5089 static int DetectEngineTest09(
void)
5095 " - profile: custom\n"
5096 " - custom-values:\n"
5097 " toclient-groups: BA\n"
5098 " toserver-groups: BA\n"
5099 " - inspection-recursion-limit: 10\n";
5101 FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
5111 DetectEngineDeInitYamlConf();
#define HashListTableGetListData(hb)
#define DE_STATE_ID_FILE_INSPECT
void SCProfilingSghThreadCleanup(DetectEngineThreadCtx *det_ctx)
DetectEngineCtx * DetectEngineCtxInitWithPrefix(const char *prefix, uint32_t tenant_id)
int ConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
void DetectEngineResetMaxSigId(DetectEngineCtx *de_ctx)
int DetectEngineMTApply(void)
void SCProfilingKeywordDestroyCtx(DetectEngineCtx *de_ctx)
#define PACKET_ALERT_FLAG_STREAM_MATCH
bool DetectEngineBufferTypeSupportsPacketGetById(const DetectEngineCtx *de_ctx, const int id)
DetectEngineThreadCtx * DetectEngineThreadCtxInitForReload(ThreadVars *tv, DetectEngineCtx *new_de_ctx, int mt)
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
void SCProfilingKeywordThreadCleanup(DetectEngineThreadCtx *det_ctx)
void AlertQueueFree(DetectEngineThreadCtx *det_ctx)
void SCProfilingSghThreadSetup(SCProfileSghDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
int DetectParseDupSigHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table that is used to cull duplicate sigs.
void DetectLoaderThreadSpawn(void)
spawn the detect loader manager thread
uint8_t SinglePatternMatchDefaultMatcher(void)
Returns the single pattern matcher algorithm to be used, based on the spm-algo setting in yaml.
void DetectEngineDeReference(DetectEngineCtx **de_ctx)
#define DETECT_CI_FLAGS_START
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
void(* Free)(DetectEngineCtx *, void *)
int DetectEngineMustParseMetadata(void)
void MpmFactoryDeRegisterAllMpmCtxProfiles(DetectEngineCtx *de_ctx)
uint16_t counter_match_list
DetectEngineTenantMapping * tenant_mapping_list
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
struct DetectEngineAppInspectionEngine_ * next
void MpmStoreFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->mpm_hash_table, allocated by MpmStoreInit() function.
void DetectFrameMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
void DetectEngineBufferTypeSupportsPacket(DetectEngineCtx *de_ctx, const char *name)
void DetectEngineBufferRunSetupCallback(const DetectEngineCtx *de_ctx, const int id, Signature *s)
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
enum DetectEngineType type
void DetectEnginePruneFreeList(void)
struct DetectEnginePktInspectionEngine::@86 v1
int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, bool sig_file_exclusive)
Load signatures.
void * DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define SIG_FLAG_INIT_NEED_FLUSH
DetectEngineCtx * DetectEngineCtxInitStubForDD(void)
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
uint16_t max_uniq_toclient_groups
int ActionInitConfig(void)
Load the action order from config. If none is provided, it will default to ACTION_PASS,...
InspectEngineFuncPtr Callback
int PathMerge(char *out_buf, size_t buf_size, const char *const dir, const char *const fname)
uint32_t non_pf_store_cnt_max
void PacketEnqueue(PacketQueue *q, Packet *p)
struct HtpBodyChunk_ * next
void DetectBufferTypeSupportsFrames(const char *name)
#define TM_FLAG_DETECT_TM
void DetectMpmInitializeFrameMpms(DetectEngineCtx *de_ctx)
Simple FIFO queue for packets with mutex and cond. Calling the mutex or triggering the cond is respons...
@ DETECT_SM_LIST_DYNAMIC_START
int DetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
AppLayerDecoderEvents * decoder_events
void *(* InitFunc)(void *)
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
InspectionBufferGetDataPtr GetData
DetectBufferMpmRegistry * pkt_mpms_list
void TmThreadContinueDetectLoaderThreads(void)
Unpauses all threads present in tv_root.
@ DETECT_SM_LIST_THRESHOLD
void DetectBufferTypeRegisterSetupCallback(const char *name, void(*SetupCallback)(const DetectEngineCtx *, Signature *))
InspectionBuffer *(* InspectionBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
int DetectEngineReloadTenantBlocking(uint32_t tenant_id, const char *yaml, int reload_cnt)
Reload a tenant and wait for loading to complete.
int inspection_recursion_limit
void DetectAddressMapFree(DetectEngineCtx *de_ctx)
const DetectEngineTransforms * transforms
main detection engine ctx
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
void DetectEngineReloadSetIdle(void)
int ConfYamlLoadFileWithPrefix(const char *filename, const char *prefix)
Load configuration from a YAML file, insert in tree at 'prefix'.
void ** global_keyword_ctxs_array
DetectEngineCtx * DetectEngineGetCurrent(void)
uint32_t TmThreadCountThreadsByTmmFlags(uint8_t flags)
returns a count of all the threads that match the flag
void DetectBufferTypeSupportsMultiInstance(const char *name)
HashListTableBucket * HashListTableGetListHead(HashListTable *ht)
#define TAILQ_FOREACH(var, head, field)
uint8_t DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature.
int DetectEngineAddToMaster(DetectEngineCtx *de_ctx)
int ConfYamlHandleInclude(ConfNode *parent, const char *filename)
Include a file in the configuration.
InspectionBuffer *(* InspectionBufferGetPktDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)
void SCSigSignatureOrderingModuleCleanup(DetectEngineCtx *de_ctx)
De-registers all the signature ordering functions registered.
const char * DetectEngineBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL
int DetectEngineMultiTenantSetup(const bool unix_socket)
setup multi-detect / multi-tenancy
void PrefilterDeinit(DetectEngineCtx *de_ctx)
struct DetectBufferMpmRegistry_ * next
#define SIG_FLAG_REQUIRE_STREAM
void ConfDump(void)
Dump configuration to stdout.
struct DetectEngineTenantMapping_ * next
void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e)
void AppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
struct SCProfileSghDetectCtx_ * profile_sgh_ctx
ThreadVars * tv_root[TVT_MAX]
one time registration of keywords at start up
void SCReferenceConfDeinit(DetectEngineCtx *de_ctx)
struct DetectPort_ * next
void DetectEngineCtxFree(DetectEngineCtx *de_ctx)
Free a DetectEngineCtx.
SpmThreadCtx * spm_thread_ctx
int DetectEngineReloadTenantsBlocking(const int reload_cnt)
Reload all tenants and wait for loading to complete.
#define SCMUTEX_INITIALIZER
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
const char * conf_filename
enum DetectEnginePrefilterSetting prefilter_setting
void DetectParseDupSigHashFree(DetectEngineCtx *de_ctx)
Frees the hash table that is used to cull duplicate sigs.
int StringParseInt32(int32_t *res, int base, size_t len, const char *str)
int PrefilterGenericMpmFrameRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
uint32_t DetectEngineGetVersion(void)
void SigCleanSignatures(DetectEngineCtx *de_ctx)
void * HashListTableLookup(HashListTable *ht, void *data, uint16_t datalen)
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
#define SIG_FLAG_TOCLIENT
bool DetectBufferIsPresent(const Signature *s, const uint32_t buf_id)
#define KEYWORD_PROFILING_START
uint16_t counter_fnonmpm_list
#define DETECT_TRANSFORMS_MAX
void ThresholdHashInit(DetectEngineCtx *de_ctx)
Init threshold context hash tables.
uint16_t counter_nonmpm_list
Data structure to store app layer decoder events.
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
DetectEngineFrameInspectionEngine * frame_inspect
void DetectBufferTypeCloseRegistration(void)
const DetectEngineTransforms * transforms
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
const DetectBufferType * DetectEngineBufferTypeGetById(const DetectEngineCtx *de_ctx, const int id)
void HashTableFree(HashTable *ht)
int DetectBufferTypeGetByName(const char *name)
#define KEYWORD_PROFILING_END(ctx, type, m)
void DetectBufferTypeSupportsPacket(const char *name)
InspectionBufferFrameInspectFunc Callback
int HashListTableAdd(HashListTable *ht, void *data, uint16_t datalen)
int SigGroupHeadHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table in the detection engine context to hold the SigGroupHeads.
void SCRConfDeInitContext(DetectEngineCtx *de_ctx)
Releases de_ctx resources related to Reference Config API.
DetectPort * udp_whitelist
HashTable * mt_det_ctxs_hash
size_t strlcpy(char *dst, const char *src, size_t siz)
bool DetectEnginePktInspectionRun(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, uint8_t *alert_flags)
void DetectAppLayerMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
void AlertQueueInit(DetectEngineThreadCtx *det_ctx)
uint16_t counter_alerts_suppressed
void DetectFrameInspectEngineRegister(const char *name, int dir, InspectionBufferFrameInspectFunc Callback, AppProto alproto, uint8_t type)
register inspect engine at start up time
#define PKT_SET_SRC(p, src_val)
@ TENANT_SELECTOR_UNKNOWN
int ConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size)
int DetectEngineMultiTenantEnabled(void)
#define HashListTableGetListNext(hb)
@ DETECT_SM_LIST_POSTMATCH
void ConfNodeRemove(ConfNode *node)
Remove (and SCFree) the provided configuration node.
#define SIG_FLAG_TOSERVER
void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer)
Set up the buffer as empty.
DetectEngineTenantSelectors
int DetectPortParse(const DetectEngineCtx *de_ctx, DetectPort **head, const char *str)
Function for parsing port strings.
int(* InspectionBufferPktInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags)
HashListTable * HashListTableInit(uint32_t size, uint32_t(*Hash)(struct HashListTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
SCDetectRequiresStatus * requirements
#define TAILQ_REMOVE(head, elm, field)
bool(* TransformValidate)(const uint8_t *content, uint16_t content_len, void *context)
uint16_t counter_alerts_overflow
void DetectBufferTypeRegisterValidateCallback(const char *name, bool(*ValidateCallback)(const Signature *, const char **sigerror))
int DetectEngineMoveToFreeList(DetectEngineCtx *de_ctx)
#define PASS
Pass the test.
SpmGlobalThreadCtx * SpmInitGlobalThreadCtx(uint8_t matcher)
void SCProfilingPrefilterDestroyCtx(DetectEngineCtx *de_ctx)
void DetectMpmInitializePktMpms(DetectEngineCtx *de_ctx)
void DetectLoadersInit(void)
struct TmSlot_ * tm_slots
const char * DetectEngineBufferTypeGetDescriptionById(const DetectEngineCtx *de_ctx, const int id)
#define SCMutexUnlock(mut)
@ DETECT_SM_LIST_BASE64_DATA
#define PKT_PSEUDO_STREAM_END
InspectionBuffer * buffers
DetectEngineThreadKeywordCtxItem * keyword_list
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
enum DetectEngineTenantSelectors tenant_selector
HashListTable * keyword_hash
void DetectPktInspectEngineRegister(const char *name, InspectionBufferGetPktDataPtr GetPktData, InspectionBufferPktInspectFunc Callback)
register inspect engine at start up time
void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size)
Make sure that the buffer has at least 'min_size' bytes. Expand the buffer if necessary.
int DetectEngineInspectStreamPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature on the raw stream.
DetectEnginePktInspectionEngine * pkt_inspect
int DetectBufferTypeMaxId(void)
void DatasetPostReloadCleanup(void)
Per thread variable structure.
bool DetectEngineBufferTypeValidateTransform(DetectEngineCtx *de_ctx, int sm_list, const uint8_t *content, uint16_t content_len, const char **namestr)
Check content byte array compatibility with transforms.
int DetectEngineEnabled(void)
Check if detection is enabled.
SigMatchData * SigMatchList2DataArray(SigMatch *head)
convert SigMatch list to SigMatchData array
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
int DetectEngineReloadIsIdle(void)
#define DETECT_ENGINE_INSPECT_SIG_MATCH
#define PKT_DETECT_HAS_STREAMDATA
@ DETECT_EVENT_TOO_MANY_BUFFERS
void SCProfilingRuleDestroyCtx(struct SCProfileDetectCtx_ *)
void SCClassConfDeinit(DetectEngineCtx *de_ctx)
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
DetectEngineFrameInspectionEngine * frame_inspect_engines
DetectEngineCtx * free_list
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
void PatternMatchThreadPrepare(MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher)
int ConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
struct DetectEngineThreadKeywordCtxItem_ * next
#define SCLogWarning(...)
Macro used to log WARNING messages.
int HashTableAdd(HashTable *ht, void *data, uint16_t datalen)
int DetectEngineBufferTypeRegister(DetectEngineCtx *de_ctx, const char *name)
Port structure for detection engine.
DetectEngineAppInspectionEngine * app_inspect
void SCProfilingRuleThreadCleanup(DetectEngineThreadCtx *)
bool(* ValidateCallback)(const struct Signature_ *, const char **sigerror)
struct ThreadVars_ * next
uint32_t hashlittle_safe(const void *key, size_t length, uint32_t initval)
int SigGroupCleanup(DetectEngineCtx *de_ctx)
void DetectEngineThreadCtxInfo(ThreadVars *t, DetectEngineThreadCtx *det_ctx)
uint8_t DetectEngineInspectStream(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
inspect engine for stateful rules
int DetectEngineLoadTenantBlocking(uint32_t tenant_id, const char *yaml)
Load a tenant and wait for loading to complete.
void TmModuleDetectLoaderRegister(void)
DetectEngineCtx * DetectEngineCtxInit(void)
void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx)
void DetectEngineInitializeFastPatternList(DetectEngineCtx *de_ctx)
#define DE_STATE_FLAG_BASE
void PatternMatchThreadPrint(MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher)
int SCRConfLoadReferenceConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Reference info from the reference.config file.
int DetectEngineTenantRegisterLivedev(uint32_t tenant_id, int device_id)
#define DETECT_CI_FLAGS_END
void DetectEngineBufferTypeSupportsFrames(DetectEngineCtx *de_ctx, const char *name)
int(* InspectionBufferFrameInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame)
DetectBufferMpmRegistry * frame_mpms_list
TmModule * TmModuleGetById(int id)
Returns a TM Module by its id.
struct TenantLoaderCtx_ TenantLoaderCtx
uint16_t max_uniq_toserver_groups
int SignatureInitDataBufferCheckExpand(Signature *s)
check if buffers array still has space left, expand if not
struct LiveDevice_ * livedev
InspectionBufferPktInspectFunc Callback
SignatureInitData * init_data
enum DetectEngineSyncState state
SpmThreadCtx * SpmMakeThreadCtx(const SpmGlobalThreadCtx *global_thread_ctx)
struct SCProfileKeywordDetectCtx_ * profile_keyword_ctx
const char ** additional_configs
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
void ConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
void SCProfilingPrefilterThreadCleanup(DetectEngineThreadCtx *det_ctx)
int32_t byte_extract_max_local_id
@ SIG_PROP_FLOW_ACTION_PACKET
const struct SignatureProperties signature_properties[SIG_TYPE_MAX]
int RunmodeIsUnittests(void)
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)
struct DetectEngineAppInspectionEngine_::@85 v2
#define SIG_FLAG_REQUIRE_STREAM_ONLY
void SpmDestroyGlobalThreadCtx(SpmGlobalThreadCtx *global_thread_ctx)
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
void DetectEngineRegisterTests(void)
int DetectLoaderQueueTask(int loader_id, LoaderFunc Func, void *func_ctx, LoaderFreeFunc FreeFunc)
@ DETECT_ENGINE_TYPE_TENANT
void DetectEngineBufferTypeSupportsTransformations(DetectEngineCtx *de_ctx, const char *name)
bool DetectEngineBufferTypeSupportsMpmGetById(const DetectEngineCtx *de_ctx, const int id)
const char * DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
#define SCRealloc(ptr, sz)
void SRepReloadComplete(void)
Increment effective reputation version after a rule/reputation reload is complete.
#define SIG_FLAG_INIT_STATE_MATCH
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
#define DETECT_SM_LIST_NOTSET
bool DetectEngineBufferTypeSupportsFramesGetById(const DetectEngineCtx *de_ctx, const int id)
int DetectEngineBufferTypeRegisterWithFrameEngines(DetectEngineCtx *de_ctx, const char *name, const int direction, const AppProto alproto, const uint8_t frame_type)
void SCReferenceConfInit(DetectEngineCtx *de_ctx)
InspectionBufferGetPktDataPtr GetData
@ DETECT_ENGINE_TYPE_NORMAL
void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len)
void * FlowWorkerGetDetectCtxPtr(void *flow_worker)
AppLayerDecoderEvents * DetectEngineGetEvents(DetectEngineThreadCtx *det_ctx)
bool DetectEngineBufferTypeSupportsMultiInstanceGetById(const DetectEngineCtx *de_ctx, const int id)
SigFileLoaderStat sig_stat
void DetectEngineFrameMpmRegister(DetectEngineCtx *de_ctx, const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id), AppProto alproto, uint8_t type)
uint32_t * to_clear_queue
void SpmDestroyThreadCtx(SpmThreadCtx *thread_ctx)
struct SCProfilePrefilterDetectCtx_ * profile_prefilter_ctx
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
int DetectEnginePktInspectionSetup(Signature *s)
int DetectBufferTypeRegister(const char *name)
uint8_t(* InspectEngineFuncPtr)(struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
int DetectRegisterThreadCtxFuncs(DetectEngineCtx *de_ctx, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int mode)
Register Thread keyword context Funcs.
int MpmStoreInit(DetectEngineCtx *de_ctx)
Initializes the MpmStore mpm hash table to be used by the detection engine context.
DetectBufferMpmRegistry * app_mpms_list
@ SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
DetectEngineCtx * DetectEngineCtxInitStubForMT(void)
void DetectBufferTypeSupportsMpm(const char *name)
void HashListTableFree(HashListTable *ht)
HashListTable * buffer_type_hash_name
struct DetectEngineCtx_ * next
@ DETECT_ENGINE_TYPE_DD_STUB
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
void DetectEngineBumpVersion(void)
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
struct DetectEngineFrameInspectionEngine * next
void(* Transform)(InspectionBuffer *, void *context)
SignatureInitDataBuffer * curbuf
int DetectEngineInspectFrameBufferGeneric(DetectEngineThreadCtx *det_ctx, const DetectEngineFrameInspectionEngine *engine, const Signature *s, Packet *p, const Frames *frames, const Frame *frame)
Do the content inspection & validation for a signature.
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
struct DetectEnginePktInspectionEngine * next
#define DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT
void ConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
uint8_t PatternMatchDefaultMatcher(void)
Function to return the multi pattern matcher algorithm to be used by the engine, based on the mpm-alg...
int DetectEngineTenantRegisterPcapFile(uint32_t tenant_id)
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
void SigGroupHeadHashFree(DetectEngineCtx *de_ctx)
Frees the hash table - DetectEngineCtx->sgh_hash_table, allocated by SigGroupHeadHashInit() function.
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
void DetectEngineAppInspectionEngineSignatureFree(DetectEngineCtx *de_ctx, Signature *s)
free app inspect engines for a signature
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER
DetectPort * tcp_whitelist
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
DetectEnginePktInspectionEngine * pkt_inspect_engines
SigMatch * DetectBufferGetLastSigMatch(const Signature *s, const uint32_t buf_id)
void DetectEngineBufferTypeSupportsMpm(DetectEngineCtx *de_ctx, const char *name)
SigIntId * non_pf_id_array
const char * DetectBufferTypeGetDescriptionByName(const char *name)
int RunmodeGetCurrent(void)
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
void DetectEngineFreeFastPatternList(DetectEngineCtx *de_ctx)
void DetectBufferTypeSupportsTransformations(const char *name)
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
int DetectAddressMapInit(DetectEngineCtx *de_ctx)
void ConfInit(void)
Initialize the configuration system.
SignatureInitDataBuffer * buffers
DetectEngineAppInspectionEngine * app_inspect_engines
int filemagic_thread_ctx_id
int global_keyword_ctxs_size
void PrefilterInit(DetectEngineCtx *de_ctx)
#define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH
void * DetectThreadCtxGetGlobalKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
#define SCLogError(...)
Macro used to log ERROR messages.
int SRepInit(DetectEngineCtx *de_ctx)
init reputation
int DetectEngineReloadStart(void)
void DetectEngineUnsetParseMetadata(void)
@ PKT_SRC_DETECT_RELOAD_FLUSH
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
void ** keyword_ctxs_array
int base64_decoded_len_max
int HashListTableRemove(HashListTable *ht, void *data, uint16_t datalen)
DetectEngineTransforms transforms
a single match condition for a signature
const DetectEngineTransforms * transforms
struct DetectEngineThreadCtx_::@98 inspect
void InspectionBufferClean(DetectEngineThreadCtx *det_ctx)
int DetectLoadersSync(void)
wait for loader tasks to complete
void SCProfilingSghDestroyCtx(DetectEngineCtx *de_ctx)
HashTable * HashTableInit(uint32_t size, uint32_t(*Hash)(struct HashTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
SpmTableElmt spm_table[SPM_TABLE_SIZE]
DetectEngineCtx * DetectEngineReference(DetectEngineCtx *de_ctx)
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
struct DetectEngineSyncer_ DetectEngineSyncer
void DetectMpmInitializeAppMpms(DetectEngineCtx *de_ctx)
int EngineModeIsIPS(void)
void PmqFree(PrefilterRuleStore *pmq)
Cleanup and free a Pmq.
struct DetectEngineThreadCtx_::@99 multi_inspect
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
For an InspectionBufferMultipleForList, get an InspectionBuffer.
@ DETECT_ENGINE_TYPE_MT_STUB
void ConfDeInit(void)
De-initializes the configuration system.
uint16_t vlan_id[VLAN_MAX_LAYERS]
int DetectEngineReload(const SCInstance *suri)
Reload the detection engine.
bool DetectEngineBufferRunValidateCallback(const DetectEngineCtx *de_ctx, const int id, const Signature *s, const char **sigerror)
void(* SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *)
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
SpmGlobalThreadCtx * spm_global_thread_ctx
void DetectEngineClearMaster(void)
void SRepDestroy(DetectEngineCtx *de_ctx)
uint16_t StatsRegisterAvgCounter(const char *name, struct ThreadVars_ *tv)
Registers a counter, whose value holds the average of all the values assigned to it.
@ SIG_PROP_FLOW_ACTION_FLOW
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
DetectEngineTransforms transforms
void SCClassConfInit(DetectEngineCtx *de_ctx)
#define SCStatFn(pathname, statbuf)
int DetectUnregisterThreadCtxFuncs(DetectEngineCtx *de_ctx, void *data, const char *name)
Remove Thread keyword context registration.
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
void DetectEngineFrameInspectEngineRegister(DetectEngineCtx *de_ctx, const char *name, int dir, InspectionBufferFrameInspectFunc Callback, AppProto alproto, uint8_t type)
register inspect engine at start up time
int DetectEngineTenantRegisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
void DetectEngineSetParseMetadata(void)
bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, const uint32_t buffer_len, const uint32_t stream_start_offset, const uint8_t flags, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
int TmThreadsCheckFlag(ThreadVars *tv, uint32_t flag)
Check if a thread flag is set.
#define SCLogNotice(...)
Macro used to log NOTICE messages.
void DetectPktMpmRegisterByParentId(DetectEngineCtx *de_ctx, const int id, const int parent_id, DetectEngineTransforms *transforms)
copy a mpm engine from parent_id, add in transforms
void ThresholdContextDestroy(DetectEngineCtx *de_ctx)
Destroy threshold context hash tables.
@ TENANT_SELECTOR_LIVEDEV
AppProto alproto
application level protocol
struct DetectEngineFrameInspectionEngine::@87 v1
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
int DetectEngineTenantUnregisterPcapFile(uint32_t tenant_id)
Signature loader statistics.
int DetectEngineInspectPktBufferGeneric(DetectEngineThreadCtx *det_ctx, const DetectEnginePktInspectionEngine *engine, const Signature *s, Packet *p, uint8_t *_alert_flags)
Do the content inspection & validation for a signature.
HashListTable * buffer_type_hash_id
DetectEngineCtx * DetectEngineGetByTenantId(uint32_t tenant_id)
uint32_t base64_decode_max_len
void InspectionBufferFree(InspectionBuffer *buffer)
void DetectPortCleanupList(const DetectEngineCtx *de_ctx, DetectPort *head)
Free a DetectPort list and each of its members.
@ DETECT_SM_LIST_SUPPRESS
InspectionBuffer * inspection_buffers
#define DEBUG_VALIDATE_BUG_ON(exp)
int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature *s)
bool SCClassConfLoadClassificationConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Classtype info from the classification.config file.
int DetectEngineTenantUnregisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
int PmqSetup(PrefilterRuleStore *pmq)
Setup a pmq.
void PatternMatchThreadDestroy(MpmThreadCtx *mpm_thread_ctx, uint16_t mpm_matcher)
void SCProfilingRuleThreadSetup(struct SCProfileDetectCtx_ *, DetectEngineThreadCtx *)
int VarNameStoreActivate(void)
uint16_t counter_mpm_list
void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size)
void SCProfilingKeywordThreadSetup(SCProfileKeywordDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
int DetectEngineReloadIsStart(void)
int DetectRegisterThreadCtxGlobalFuncs(const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *))
Register Thread keyword context Funcs (Global)
uint32_t tenant_array_size
struct DetectEngineTenantMapping_ * tenant_array
volatile uint8_t suricata_ctl_flags
void FlowWorkerReplaceDetectCtx(void *flow_worker, void *detect_ctx)
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE
uint32_t StringHashDjb2(const uint8_t *data, uint32_t datalen)
int DetectEngineBufferTypeGetByIdTransforms(DetectEngineCtx *de_ctx, const int id, TransformData *transforms, int transform_cnt)
uint32_t(* TenantGetId)(const void *, const Packet *p)
void SCProfilingPrefilterThreadSetup(SCProfilePrefilterDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
void SCClassConfDeInitContext(DetectEngineCtx *de_ctx)
Releases resources used by the Classification Config API.
#define SIG_FLAG_REQUIRE_PACKET
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.