Go to the documentation of this file.
55 #define PARSE_REGEX "^([a-z]+)(?:,\\s*(.*))?"
58 #define MAX_TOKENS 100
68 static bool PrefilterFlowbitIsPrefilterable(
const Signature *s);
101 while ((token = strtok_r(arrptr,
"|", &saveptr))) {
103 while(isspace((
unsigned char)*token))
107 char *end = token + strlen(token) - 1;
108 while(end > token && isspace((
unsigned char)*end))
112 if (strchr(token,
' ') != NULL) {
113 SCLogError(
"Spaces are not allowed in flowbit names.");
119 "maximum allowed: %d.",
215 return DetectFlowbitMatchIsset(p,fd);
217 return DetectFlowbitMatchIsnotset(p,fd);
219 int r = DetectFlowbitMatchSet(p, fd);
222 SCLogDebug(
"flowbit set, appending to work queue");
228 return DetectFlowbitMatchUnset(p,fd);
230 int r = DetectFlowbitMatchToggle(p, fd);
232 SCLogDebug(
"flowbit set (by toggle), appending to work queue");
245 static int DetectFlowbitParse(
const char *
str,
char *cmd,
int cmd_len,
char *
name,
250 pcre2_match_data *match = NULL;
253 if (count != 2 && count != 3) {
254 SCLogError(
"\"%s\" is not a valid setting for flowbits.",
str);
259 rc = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)cmd, &pcre2len);
261 SCLogError(
"pcre2_substring_copy_bynumber failed");
267 rc = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)
name, &pcre2len);
269 SCLogError(
"pcre2_substring_copy_bynumber failed");
274 while (strlen(
name) > 0 && isblank(
name[strlen(
name) - 1])) {
278 if (strchr(
name,
'|') == NULL) {
280 for (
size_t i = 0; i < strlen(
name); i++) {
281 if (isblank(
name[i])) {
282 SCLogError(
"spaces not allowed in flowbit names");
289 pcre2_match_data_free(match);
294 pcre2_match_data_free(match);
303 char fb_cmd_str[16] =
"", fb_name[256] =
"";
305 if (!DetectFlowbitParse(rawstr, fb_cmd_str,
sizeof(fb_cmd_str), fb_name,
310 if (strcmp(fb_cmd_str,
"noalert") == 0) {
311 if (strlen(fb_name) != 0)
315 }
else if (strcmp(fb_cmd_str,
"isset") == 0) {
317 }
else if (strcmp(fb_cmd_str,
"isnotset") == 0) {
319 }
else if (strcmp(fb_cmd_str,
"set") == 0) {
321 }
else if (strcmp(fb_cmd_str,
"unset") == 0) {
323 }
else if (strcmp(fb_cmd_str,
"toggle") == 0) {
326 SCLogError(
"ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str);
337 if (strlen(fb_name) == 0)
345 if (strchr(fb_name,
'|') != NULL) {
346 int retval = FlowbitOrAddData(
de_ctx, cd, fb_name);
357 SCLogDebug(
"idx %" PRIu32
", cmd %s, name %s",
358 cd->
idx, fb_cmd_str, strlen(fb_name) ? fb_name :
"(none)");
445 struct FBAnalyze *array, uint32_t elements);
447 static void FBAnalyzerArrayFree(
struct FBAnalyze *array,
const uint32_t array_size)
450 for (uint32_t i = 0; i < array_size; i++) {
451 SCFree(array[i].set_sids);
452 SCFree(array[i].unset_sids);
453 SCFree(array[i].isset_sids);
454 SCFree(array[i].isnotset_sids);
455 SCFree(array[i].toggle_sids);
461 static void FBAnalyzerFree(
struct FBAnalyzer *fba)
463 if (fba && fba->
array) {
471 static bool CheckExpand(
const uint32_t sids_idx, uint32_t **sids, uint32_t *sids_size)
473 if (sids_idx >= *sids_size) {
474 const uint32_t old_size = *sids_size;
475 const uint32_t new_size =
MAX(2 * old_size,
MAX_SIDS);
477 void *ptr =
SCRealloc(*sids, new_size *
sizeof(uint32_t));
480 *sids_size = new_size;
579 SCLogError(
"Unable to allocate flowbit analyze array");
586 (uint64_t)(array_size *
sizeof(
struct FBAnalyze)));
592 int r = DetectFlowbitsAnalyzeSignature(s, &fba);
594 FBAnalyzerFree(&fba);
600 for (uint32_t i = 0; i < array_size; i++) {
605 bool to_state =
false;
613 "set. Checked in %u and %u other sigs",
619 SCLogDebug(
"flowbit %s/%u: isset in state, set not in state", varname, i);
628 SCLogDebug(
"flowbit %s/%u: isset not in state, set in state", varname, i);
632 SCLogDebug(
"ALL flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
636 SCLogDebug(
"STATE flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
641 SCLogDebug(
"SET flowbit %s/%u: SID %u", varname, i,
647 SCLogDebug(
"GET flowbit %s/%u: SID %u", varname, i, s->
id);
657 SCCalloc(sids_array_size,
sizeof(uint32_t));
659 SCLogError(
"Failed to allocate memory for rule_state_dependant_ids");
666 SCLogError(
"Failed to allocate memory for rule_state_variable_idx");
670 SCLogDebug(
"alloc'ed array for rule dependency and fbs idx array, sid %u, "
671 "sizes are %u and %u",
675 uint32_t new_array_size =
678 new_array_size *
sizeof(uint32_t));
679 if (tmp_ptr == NULL) {
680 SCLogError(
"Failed to allocate memory for rule_state_variable_idx");
685 SCLogDebug(
"realloc'ed array for rule dependency, sid %u, new size is %u",
689 new_fb_array_size *
sizeof(uint32_t));
692 SCLogError(
"Failed to reallocate memory for rule_state_variable_idx");
696 "realloc'ed array for flowbits ids, new size is %u", new_fb_array_size);
714 SCLogDebug(
"made SID %u stateful because it depends on "
715 "stateful rules that set flowbit %s", s->
id, varname);
721 DetectFlowbitsAnalyzeDump(
de_ctx, array, array_size);
724 FBAnalyzerFree(&fba);
727 FBAnalyzerFree(&fba);
732 static struct FBAnalyzer DetectFlowbitsAnalyzeForGroup(
744 SCLogError(
"Unable to allocate flowbit analyze array");
748 "fb analyzer array size: %" PRIu64, (uint64_t)(array_size *
sizeof(
struct FBAnalyze)));
753 for (uint32_t i = 0; i < sgh->init->sig_cnt; i++) {
754 const Signature *s = sgh->init->match_array[i];
757 int r = DetectFlowbitsAnalyzeSignature(s, &fba);
759 FBAnalyzerFree(&fba);
765 for (uint32_t i = 0; i < array_size; i++) {
770 bool to_state =
false;
773 SCLogDebug(
"flowbit %s/%u: isset in state, set not in state", varname, i);
781 SCLogDebug(
"flowbit %s/%u: isset not in state, set in state", varname, i);
785 SCLogDebug(
"ALL flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u",
790 SCLogDebug(
"STATE flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u",
797 SCLogDebug(
"SET flowbit %s/%u: SID %u", varname, i,
802 SCLogDebug(
"GET flowbit %s/%u: SID %u", varname, i, s->
id);
806 SCLogDebug(
"made SID %u stateful because it depends on "
807 "stateful rules that set flowbit %s",
818 struct FBAnalyze *array, uint32_t elements)
820 SCJsonBuilder *js = SCJbNewObject();
824 SCJbOpenArray(js,
"flowbits");
825 for (uint32_t x = 0; x < elements; x++) {
833 SCJbSetString(js,
"name", varname);
834 SCJbSetUint(js,
"internal_id", x);
843 SCJbOpenArray(js,
"sets");
846 SCJbAppendUint(js, s->
id);
852 SCJbOpenArray(js,
"isset");
855 SCJbAppendUint(js, s->
id);
861 SCJbOpenArray(js,
"isnotset");
864 SCJbAppendUint(js, s->
id);
870 SCJbOpenArray(js,
"unset");
873 SCJbAppendUint(js, s->
id);
879 SCJbOpenArray(js,
"toggle");
882 SCJbAppendUint(js, s->
id);
891 const char *filename =
"flowbits.json";
893 char log_path[PATH_MAX] =
"";
894 snprintf(log_path,
sizeof(log_path),
"%s/%s", log_dir, filename);
897 FILE *fp = fopen(log_path,
"w");
899 fwrite(SCJbPtr(js), SCJbLen(js), 1, fp);
908 static bool PrefilterFlowbitIsPrefilterable(
const Signature *s)
918 SCLogDebug(
"sid:%u: FLOWBITS ISSET can prefilter", s->
id);
943 else if (a->
id < b->
id)
958 static void PrefilterFlowbitFree(
void *vctx)
963 PFB_RB_REMOVE(&
ctx->fb_tree, rec);
976 if (p->
flow == NULL) {
985 memset(&lookup, 0,
sizeof(lookup));
1006 static void PrefilterFlowbitPostRuleMatch(
1012 if (p->
flow == NULL) {
1022 memset(&lookup, 0,
sizeof(lookup));
1029 SCLogDebug(
"flowbit %u found in the tree: %u. Adding %u sids", lookup.
id, b->
id,
1044 #define BLOCK_SIZE 8
1046 static int AddBitAndSid(
1050 memset(&x, 0,
sizeof(x));
1059 add->
id = flowbit_id;
1070 SCLogDebug(
"not found, so added (res %p)", res);
1100 if (AddBitAndSid(
ctx, s, fb->
idx) < 0) {
1106 if (AddBitAndSid(
ctx, s, fb->
or_list[i]) < 0) {
1114 static uint32_t NextMultiple(
const uint32_t v,
const uint32_t
m)
1116 return v + (
m - v %
m);
1140 SCLogDebug(
"flowbit: %u => rejected sid %u (iid:%u). No prefilter or prefilter not "
1141 "flowbits (%p, %s, %d)",
1151 if (fs_fb->
idx != fb->
idx) {
1153 "flowbit: %u => rejected sid %u (iid:%u). Sig prefilters on different bit %u",
1154 fb->
idx, s->
id, sig_iid, fs_fb->
idx);
1160 if (add->
rule_id[x] == sig_iid) {
1179 SCLogDebug(
"flowbit: %u => accepted sid %u (iid:%u)", fb->
idx, s->
id, sig_iid);
1196 memset(&x, 0,
sizeof(x));
1212 if (AddIssetSidsForBit(
de_ctx, fba, fb, add) != 1) {
1219 SCLogDebug(
"not found, so added (res %p)", res);
1224 int r = AddIssetSidsForBit(
de_ctx, fba, fb, pfb);
1227 }
else if (r == 0) {
1249 SCLogDebug(
"sgh %p: setting up prefilter", sgh);
1253 struct FBAnalyzer fb_analysis = DetectFlowbitsAnalyzeForGroup(
de_ctx, sgh);
1254 if (fb_analysis.
array == NULL)
1257 for (uint32_t i = 0; i < sgh->
init->
sig_cnt; i++) {
1275 "DETECT_SM_LIST_POSTMATCH: sid %u DETECT_FLOWBITS set %u", s->
id, fb->
idx);
1277 SCLogDebug(
"DETECT_SM_LIST_POSTMATCH: sid %u DETECT_FLOWBITS toggle %u", s->
id,
1286 SCLogDebug(
"flowbit %u not supported: unset in use", fb->
idx);
1290 if (set_ctx == NULL) {
1291 set_ctx =
SCCalloc(1,
sizeof(*set_ctx));
1292 if (set_ctx == NULL)
1296 SCLogDebug(
"setting up sets/toggles for sid %u", s->
id);
1297 if (AddBitSetToggle(
de_ctx, &fb_analysis, set_ctx, fb, s) == 1) {
1312 SCLogDebug(
"no prefilter or prefilter not flowbits");
1319 SCLogDebug(
"flowbit %u not supported: toggle or unset in use", fb->
idx);
1327 if (isset_ctx == NULL) {
1328 isset_ctx =
SCCalloc(1,
sizeof(*isset_ctx));
1329 if (isset_ctx == NULL)
1332 if (AddBitsAndSid(
de_ctx, isset_ctx, fb, s) < 0) {
1338 static const char *g_prefilter_flowbits_isset =
"flowbits:isset";
1339 if (isset_ctx != NULL) {
1342 isset_ctx, PrefilterFlowbitFree, g_prefilter_flowbits_isset);
1346 static const char *g_prefilter_flowbits_set =
"flowbits:set";
1348 PrefilterFlowbitFree, g_prefilter_flowbits_set);
1349 SCLogDebug(
"set/toggle: added prefilter engine");
1352 PrefilterFlowbitFree(set_ctx);
1354 SCLogDebug(
"set/toggle: NO prefilter engine added");
1356 }
else if (set_ctx != NULL) {
1357 PrefilterFlowbitFree(set_ctx);
1359 FBAnalyzerFree(&fb_analysis);
1364 PrefilterFlowbitFree(set_ctx);
1367 PrefilterFlowbitFree(isset_ctx);
1369 FBAnalyzerFree(&fb_analysis);
1375 static int FlowBitsTestParse01(
void)
1377 char command[16] =
"",
name[16] =
"";
1380 FAIL_IF(!DetectFlowbitParse(
"noalert", command,
sizeof(command),
name,
1382 FAIL_IF(strcmp(command,
"noalert") != 0);
1385 FAIL_IF(!DetectFlowbitParse(
"set,flowbit", command,
sizeof(command),
name,
1387 FAIL_IF(strcmp(command,
"set") != 0);
1391 FAIL_IF(!DetectFlowbitParse(
"set, flowbit", command,
sizeof(command),
name,
1393 FAIL_IF(strcmp(command,
"set") != 0);
1397 FAIL_IF(!DetectFlowbitParse(
"set,flowbit ", command,
sizeof(command),
name,
1399 FAIL_IF(strcmp(command,
"set") != 0);
1403 FAIL_IF(!DetectFlowbitParse(
"set, flowbit ", command,
sizeof(command),
name,
1405 FAIL_IF(strcmp(command,
"set") != 0);
1409 FAIL_IF(DetectFlowbitParse(
"set,namewith space", command,
sizeof(command),
1422 static int FlowBitsTestSig01(
void)
1432 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert,wrongusage; content:\"GET \"; sid:1;)");
1447 static int FlowBitsTestSig02(
void)
1453 memset(&th_v, 0,
sizeof(th_v));
1460 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isset rule need an option\"; flowbits:isset; content:\"GET \"; sid:1;)");
1463 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isnotset rule need an option\"; flowbits:isnotset; content:\"GET \"; sid:2;)");
1466 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"set rule need an option\"; flowbits:set; content:\"GET \"; sid:3;)");
1469 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"unset rule need an option\"; flowbits:unset; content:\"GET \"; sid:4;)");
1472 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"toggle rule need an option\"; flowbits:toggle; content:\"GET \"; sid:5;)");
1475 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"!set is not an option\"; flowbits:!set,myerr; content:\"GET \"; sid:6;)");
1491 static int FlowBitsTestSig03(
void)
1501 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Unknown cmd\"; flowbits:wrongcmd; content:\"GET \"; sid:1;)");
1516 static int FlowBitsTestSig04(
void)
1526 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isset option\"; flowbits:isset,fbt; content:\"GET \"; sid:1;)");
1544 static int FlowBitsTestSig05(
void)
1554 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert; content:\"GET \"; sid:1;)");
1570 static int FlowBitsTestSig06(
void)
1572 uint8_t *buf = (uint8_t *)
1573 "GET /one/ HTTP/1.1\r\n"
1574 "Host: one.example.org\r\n"
1576 uint16_t buflen = strlen((
char *)buf);
1588 memset(&th_v, 0,
sizeof(th_v));
1589 memset(&f, 0,
sizeof(
Flow));
1600 p->
proto = IPPROTO_TCP;
1620 for ( ; gv != NULL; gv = gv->
next) {
1643 static int FlowBitsTestSig07(
void)
1645 uint8_t *buf = (uint8_t *)
1646 "GET /one/ HTTP/1.1\r\n"
1647 "Host: one.example.org\r\n"
1649 uint16_t buflen = strlen((
char *)buf);
1661 memset(&th_v, 0,
sizeof(th_v));
1662 memset(&f, 0,
sizeof(
Flow));
1673 p->
proto = IPPROTO_TCP;
1683 s = s->
next =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:unset,myflow2; sid:11;)");
1695 for ( ; gv != NULL; gv = gv->
next) {
1718 static int FlowBitsTestSig08(
void)
1720 uint8_t *buf = (uint8_t *)
1721 "GET /one/ HTTP/1.1\r\n"
1722 "Host: one.example.org\r\n"
1724 uint16_t buflen = strlen((
char *)buf);
1737 memset(&th_v, 0,
sizeof(th_v));
1738 memset(&f, 0,
sizeof(
Flow));
1749 p->
proto = IPPROTO_TCP;
1759 s = s->
next =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:toggle,myflow2; sid:11;)");
1771 for ( ; gv != NULL; gv = gv->
next) {
uint16_t cnts[DETECT_FLOWBITS_CMD_MAX]
uint32_t rule_state_dependant_sids_idx
uint32_t isnotset_sids_idx
SCMutex g_flowbits_dump_write_m
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
#define DETECT_FLOWBITS_CMD_MAX
SigTableElmt * sigmatch_table
void PostRuleMatchWorkQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, const int type, const uint32_t value)
void(* Free)(DetectEngineCtx *, void *)
#define DETECT_TABLE_PACKET_FILTER_FLAG
Container for matching data for a signature group.
void FlowBitsRegisterTests(void)
this function registers unit tests for FlowBits
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
bool is_rule_state_dependant
struct HtpBodyChunk_ * next
#define DETECT_FLOWBITS_CMD_ISNOTSET
int PrefilterAppendEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterPktFn PrefilterFunc, SignatureMask mask, enum SignatureHookPkt hook, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
bool FlowBitToggle(Flow *f, uint32_t idx)
int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
main detection engine ctx
@ SIGNATURE_HOOK_PKT_NOT_SET
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
#define FLOW_PKT_TOSERVER
const char * VarNameStoreSetupLookup(const uint32_t id, const enum VarTypes type)
#define DETECT_TABLE_APP_TD_FLAG
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
#define SCMUTEX_INITIALIZER
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
#define DETECT_FLOWBITS_CMD_TOGGLE
#define DETECT_FLOWBITS_CMD_ISSET
uint32_t VarNameStoreRegister(const char *name, const enum VarTypes type)
#define SIGMATCH_SUPPORT_FIREWALL
struct PrefilterEngineFlowbits __attribute__
#define DETECT_TABLE_APP_FILTER_FLAG
RB_HEAD(PFB, PrefilterFlowbit)
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
int FlowBitSet(Flow *f, uint32_t idx)
add a flowbit to the flow
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
#define DETECT_TABLE_PACKET_TD_FLAG
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
void FlowBitUnset(Flow *f, uint32_t idx)
@ DETECT_SM_LIST_POSTMATCH
#define FLOW_INITIALIZE(f)
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
struct GenericVar_ * next
#define PASS
Pass the test.
#define SCMutexUnlock(mut)
#define SIG_MASK_REQUIRE_FLOW
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
#define RB_FOREACH_SAFE(x, name, head, y)
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Per thread variable structure.
uint32_t rule_state_flowbits_ids_size
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
void VarNameStoreUnregister(const uint32_t id, const enum VarTypes type)
#define SCLogWarning(...)
Macro used to log WARNING messages.
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
SigGroupHeadInitData * init
void DetectFlowbitFree(DetectEngineCtx *, void *)
void DetectFlowbitsRegister(void)
const char * SCConfigGetLogDirectory(void)
RB_GENERATE(PFB, PrefilterFlowbit, rb, PrefilterFlowbitCompare)
SignatureInitData * init_data
uint32_t * rule_state_dependant_sids_array
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
uint32_t rule_state_dependant_sids_size
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
uint32_t toggle_sids_size
#define SCRealloc(ptr, sz)
#define SIG_FLAG_INIT_STATE_MATCH
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
uint16_t state_cnts[DETECT_FLOWBITS_CMD_MAX]
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
PostRuleMatchWorkQueueItem * q
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
int PrefilterAppendPostRuleEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterPostRuleFunc)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f), void *pectx, void(*FreeFunc)(void *pectx), const char *name)
int FlowBitIsset(Flow *f, uint32_t idx)
#define SCLogError(...)
Macro used to log ERROR messages.
#define DETECT_TABLE_PACKET_PRE_STREAM_FLAG
bool(* SupportsPrefilter)(const Signature *s)
#define DETECT_FLOWBITS_CMD_UNSET
a single match condition for a signature
uint32_t isnotset_sids_size
DetectEngineCtx * DetectEngineCtxInit(void)
int DetectFlowbitMatch(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
uint32_t * rule_state_flowbits_ids_array
#define SIGMATCH_IPONLY_COMPAT
#define FLOW_PKT_TOSERVER_FIRST
bool rule_engine_analysis_set
#define SIG_FLAG_PREFILTER
bool post_rule_match_prefilter
RB_PROTOTYPE(PFB, PrefilterFlowbit, rb, PrefilterFlowbitCompare)
PostRuleMatchWorkQueue post_rule_work_queue
int FlowBitIsnotset(Flow *f, uint32_t idx)
#define DETECT_FLOWBITS_CMD_SET
void(* RegisterTests)(void)