Go to the documentation of this file.
54 #define PARSE_REGEX "^([a-z]+)(?:,\\s*(.*))?"
57 #define MAX_TOKENS 100
67 static bool PrefilterFlowbitIsPrefilterable(
const Signature *s);
96 while ((token = strtok_r(arrptr,
"|", &saveptr))) {
98 while(isspace((
unsigned char)*token))
102 char *end = token + strlen(token) - 1;
103 while(end > token && isspace((
unsigned char)*end))
107 if (strchr(token,
' ') != NULL) {
108 SCLogError(
"Spaces are not allowed in flowbit names.");
114 "maximum allowed: %d.",
210 return DetectFlowbitMatchIsset(p,fd);
212 return DetectFlowbitMatchIsnotset(p,fd);
214 int r = DetectFlowbitMatchSet(p, fd);
217 SCLogDebug(
"flowbit set, appending to work queue");
223 return DetectFlowbitMatchUnset(p,fd);
225 int r = DetectFlowbitMatchToggle(p, fd);
227 SCLogDebug(
"flowbit set (by toggle), appending to work queue");
240 static int DetectFlowbitParse(
const char *
str,
char *cmd,
int cmd_len,
char *
name,
245 pcre2_match_data *match = NULL;
248 if (count != 2 && count != 3) {
249 SCLogError(
"\"%s\" is not a valid setting for flowbits.",
str);
254 rc = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)cmd, &pcre2len);
256 SCLogError(
"pcre2_substring_copy_bynumber failed");
262 rc = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)
name, &pcre2len);
264 SCLogError(
"pcre2_substring_copy_bynumber failed");
269 while (strlen(
name) > 0 && isblank(
name[strlen(
name) - 1])) {
273 if (strchr(
name,
'|') == NULL) {
275 for (
size_t i = 0; i < strlen(
name); i++) {
276 if (isblank(
name[i])) {
277 SCLogError(
"spaces not allowed in flowbit names");
284 pcre2_match_data_free(match);
289 pcre2_match_data_free(match);
298 char fb_cmd_str[16] =
"", fb_name[256] =
"";
300 if (!DetectFlowbitParse(rawstr, fb_cmd_str,
sizeof(fb_cmd_str), fb_name,
305 if (strcmp(fb_cmd_str,
"noalert") == 0) {
306 if (strlen(fb_name) != 0)
310 }
else if (strcmp(fb_cmd_str,
"isset") == 0) {
312 }
else if (strcmp(fb_cmd_str,
"isnotset") == 0) {
314 }
else if (strcmp(fb_cmd_str,
"set") == 0) {
316 }
else if (strcmp(fb_cmd_str,
"unset") == 0) {
318 }
else if (strcmp(fb_cmd_str,
"toggle") == 0) {
321 SCLogError(
"ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str);
332 if (strlen(fb_name) == 0)
340 if (strchr(fb_name,
'|') != NULL) {
341 int retval = FlowbitOrAddData(
de_ctx, cd, fb_name);
352 SCLogDebug(
"idx %" PRIu32
", cmd %s, name %s",
353 cd->
idx, fb_cmd_str, strlen(fb_name) ? fb_name :
"(none)");
440 struct FBAnalyze *array, uint32_t elements);
442 static void FBAnalyzerArrayFree(
struct FBAnalyze *array,
const uint32_t array_size)
445 for (uint32_t i = 0; i < array_size; i++) {
446 SCFree(array[i].set_sids);
447 SCFree(array[i].unset_sids);
448 SCFree(array[i].isset_sids);
449 SCFree(array[i].isnotset_sids);
450 SCFree(array[i].toggle_sids);
456 static void FBAnalyzerFree(
struct FBAnalyzer *fba)
458 if (fba && fba->
array) {
466 static bool CheckExpand(
const uint32_t sids_idx, uint32_t **sids, uint32_t *sids_size)
468 if (sids_idx >= *sids_size) {
469 const uint32_t old_size = *sids_size;
470 const uint32_t new_size =
MAX(2 * old_size,
MAX_SIDS);
472 void *ptr =
SCRealloc(*sids, new_size *
sizeof(uint32_t));
475 *sids_size = new_size;
574 SCLogError(
"Unable to allocate flowbit analyze array");
581 (uint64_t)(array_size *
sizeof(
struct FBAnalyze)));
587 int r = DetectFlowbitsAnalyzeSignature(s, &fba);
589 FBAnalyzerFree(&fba);
595 for (uint32_t i = 0; i < array_size; i++) {
600 bool to_state =
false;
608 "set. Checked in %u and %u other sigs",
614 SCLogDebug(
"flowbit %s/%u: isset in state, set not in state", varname, i);
623 SCLogDebug(
"flowbit %s/%u: isset not in state, set in state", varname, i);
627 SCLogDebug(
"ALL flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
631 SCLogDebug(
"STATE flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
636 SCLogDebug(
"SET flowbit %s/%u: SID %u", varname, i,
642 SCLogDebug(
"GET flowbit %s/%u: SID %u", varname, i, s->
id);
652 SCCalloc(sids_array_size,
sizeof(uint32_t));
654 SCLogError(
"Failed to allocate memory for rule_state_dependant_ids");
661 SCLogError(
"Failed to allocate memory for rule_state_variable_idx");
665 SCLogDebug(
"alloc'ed array for rule dependency and fbs idx array, sid %u, "
666 "sizes are %u and %u",
670 uint32_t new_array_size =
673 new_array_size *
sizeof(uint32_t));
674 if (tmp_ptr == NULL) {
675 SCLogError(
"Failed to allocate memory for rule_state_variable_idx");
680 SCLogDebug(
"realloc'ed array for rule dependency, sid %u, new size is %u",
684 new_fb_array_size *
sizeof(uint32_t));
687 SCLogError(
"Failed to reallocate memory for rule_state_variable_idx");
691 "realloc'ed array for flowbits ids, new size is %u", new_fb_array_size);
709 SCLogDebug(
"made SID %u stateful because it depends on "
710 "stateful rules that set flowbit %s", s->
id, varname);
716 DetectFlowbitsAnalyzeDump(
de_ctx, array, array_size);
719 FBAnalyzerFree(&fba);
722 FBAnalyzerFree(&fba);
727 static struct FBAnalyzer DetectFlowbitsAnalyzeForGroup(
739 SCLogError(
"Unable to allocate flowbit analyze array");
743 "fb analyzer array size: %" PRIu64, (uint64_t)(array_size *
sizeof(
struct FBAnalyze)));
748 for (uint32_t i = 0; i < sgh->init->sig_cnt; i++) {
749 const Signature *s = sgh->init->match_array[i];
752 int r = DetectFlowbitsAnalyzeSignature(s, &fba);
754 FBAnalyzerFree(&fba);
760 for (uint32_t i = 0; i < array_size; i++) {
765 bool to_state =
false;
768 SCLogDebug(
"flowbit %s/%u: isset in state, set not in state", varname, i);
776 SCLogDebug(
"flowbit %s/%u: isset not in state, set in state", varname, i);
780 SCLogDebug(
"ALL flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u",
785 SCLogDebug(
"STATE flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u",
792 SCLogDebug(
"SET flowbit %s/%u: SID %u", varname, i,
797 SCLogDebug(
"GET flowbit %s/%u: SID %u", varname, i, s->
id);
801 SCLogDebug(
"made SID %u stateful because it depends on "
802 "stateful rules that set flowbit %s",
813 struct FBAnalyze *array, uint32_t elements)
815 SCJsonBuilder *js = SCJbNewObject();
819 SCJbOpenArray(js,
"flowbits");
820 for (uint32_t x = 0; x < elements; x++) {
828 SCJbSetString(js,
"name", varname);
829 SCJbSetUint(js,
"internal_id", x);
838 SCJbOpenArray(js,
"sets");
841 SCJbAppendUint(js, s->
id);
847 SCJbOpenArray(js,
"isset");
850 SCJbAppendUint(js, s->
id);
856 SCJbOpenArray(js,
"isnotset");
859 SCJbAppendUint(js, s->
id);
865 SCJbOpenArray(js,
"unset");
868 SCJbAppendUint(js, s->
id);
874 SCJbOpenArray(js,
"toggle");
877 SCJbAppendUint(js, s->
id);
886 const char *filename =
"flowbits.json";
888 char log_path[PATH_MAX] =
"";
889 snprintf(log_path,
sizeof(log_path),
"%s/%s", log_dir, filename);
892 FILE *fp = fopen(log_path,
"w");
894 fwrite(SCJbPtr(js), SCJbLen(js), 1, fp);
903 static bool PrefilterFlowbitIsPrefilterable(
const Signature *s)
913 SCLogDebug(
"sid:%u: FLOWBITS ISSET can prefilter", s->
id);
938 else if (a->
id < b->
id)
953 static void PrefilterFlowbitFree(
void *vctx)
958 PFB_RB_REMOVE(&
ctx->fb_tree, rec);
971 if (p->
flow == NULL) {
980 memset(&lookup, 0,
sizeof(lookup));
1001 static void PrefilterFlowbitPostRuleMatch(
1007 if (p->
flow == NULL) {
1017 memset(&lookup, 0,
sizeof(lookup));
1024 SCLogDebug(
"flowbit %u found in the tree: %u. Adding %u sids", lookup.
id, b->
id,
1039 #define BLOCK_SIZE 8
1041 static int AddBitAndSid(
1045 memset(&x, 0,
sizeof(x));
1054 add->
id = flowbit_id;
1065 SCLogDebug(
"not found, so added (res %p)", res);
1095 if (AddBitAndSid(
ctx, s, fb->
idx) < 0) {
1101 if (AddBitAndSid(
ctx, s, fb->
or_list[i]) < 0) {
1109 static uint32_t NextMultiple(
const uint32_t v,
const uint32_t
m)
1111 return v + (
m - v %
m);
1135 SCLogDebug(
"flowbit: %u => rejected sid %u (iid:%u). No prefilter or prefilter not "
1136 "flowbits (%p, %s, %d)",
1146 if (fs_fb->
idx != fb->
idx) {
1148 "flowbit: %u => rejected sid %u (iid:%u). Sig prefilters on different bit %u",
1149 fb->
idx, s->
id, sig_iid, fs_fb->
idx);
1155 if (add->
rule_id[x] == sig_iid) {
1174 SCLogDebug(
"flowbit: %u => accepted sid %u (iid:%u)", fb->
idx, s->
id, sig_iid);
1191 memset(&x, 0,
sizeof(x));
1207 if (AddIssetSidsForBit(
de_ctx, fba, fb, add) != 1) {
1214 SCLogDebug(
"not found, so added (res %p)", res);
1219 int r = AddIssetSidsForBit(
de_ctx, fba, fb, pfb);
1222 }
else if (r == 0) {
1244 SCLogDebug(
"sgh %p: setting up prefilter", sgh);
1248 struct FBAnalyzer fb_analysis = DetectFlowbitsAnalyzeForGroup(
de_ctx, sgh);
1249 if (fb_analysis.
array == NULL)
1252 for (uint32_t i = 0; i < sgh->
init->
sig_cnt; i++) {
1270 "DETECT_SM_LIST_POSTMATCH: sid %u DETECT_FLOWBITS set %u", s->
id, fb->
idx);
1272 SCLogDebug(
"DETECT_SM_LIST_POSTMATCH: sid %u DETECT_FLOWBITS toggle %u", s->
id,
1281 SCLogDebug(
"flowbit %u not supported: unset in use", fb->
idx);
1285 if (set_ctx == NULL) {
1286 set_ctx =
SCCalloc(1,
sizeof(*set_ctx));
1287 if (set_ctx == NULL)
1291 SCLogDebug(
"setting up sets/toggles for sid %u", s->
id);
1292 if (AddBitSetToggle(
de_ctx, &fb_analysis, set_ctx, fb, s) == 1) {
1307 SCLogDebug(
"no prefilter or prefilter not flowbits");
1314 SCLogDebug(
"flowbit %u not supported: toggle or unset in use", fb->
idx);
1322 if (isset_ctx == NULL) {
1323 isset_ctx =
SCCalloc(1,
sizeof(*isset_ctx));
1324 if (isset_ctx == NULL)
1327 if (AddBitsAndSid(
de_ctx, isset_ctx, fb, s) < 0) {
1333 static const char *g_prefilter_flowbits_isset =
"flowbits:isset";
1334 if (isset_ctx != NULL) {
1337 isset_ctx, PrefilterFlowbitFree, g_prefilter_flowbits_isset);
1341 static const char *g_prefilter_flowbits_set =
"flowbits:set";
1343 PrefilterFlowbitFree, g_prefilter_flowbits_set);
1344 SCLogDebug(
"set/toggle: added prefilter engine");
1347 PrefilterFlowbitFree(set_ctx);
1349 SCLogDebug(
"set/toggle: NO prefilter engine added");
1351 }
else if (set_ctx != NULL) {
1352 PrefilterFlowbitFree(set_ctx);
1354 FBAnalyzerFree(&fb_analysis);
1359 PrefilterFlowbitFree(set_ctx);
1362 PrefilterFlowbitFree(isset_ctx);
1364 FBAnalyzerFree(&fb_analysis);
1370 static int FlowBitsTestParse01(
void)
1372 char command[16] =
"",
name[16] =
"";
1375 FAIL_IF(!DetectFlowbitParse(
"noalert", command,
sizeof(command),
name,
1377 FAIL_IF(strcmp(command,
"noalert") != 0);
1380 FAIL_IF(!DetectFlowbitParse(
"set,flowbit", command,
sizeof(command),
name,
1382 FAIL_IF(strcmp(command,
"set") != 0);
1386 FAIL_IF(!DetectFlowbitParse(
"set, flowbit", command,
sizeof(command),
name,
1388 FAIL_IF(strcmp(command,
"set") != 0);
1392 FAIL_IF(!DetectFlowbitParse(
"set,flowbit ", command,
sizeof(command),
name,
1394 FAIL_IF(strcmp(command,
"set") != 0);
1398 FAIL_IF(!DetectFlowbitParse(
"set, flowbit ", command,
sizeof(command),
name,
1400 FAIL_IF(strcmp(command,
"set") != 0);
1404 FAIL_IF(DetectFlowbitParse(
"set,namewith space", command,
sizeof(command),
1417 static int FlowBitsTestSig01(
void)
1427 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert,wrongusage; content:\"GET \"; sid:1;)");
1442 static int FlowBitsTestSig02(
void)
1448 memset(&th_v, 0,
sizeof(th_v));
1455 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isset rule need an option\"; flowbits:isset; content:\"GET \"; sid:1;)");
1458 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isnotset rule need an option\"; flowbits:isnotset; content:\"GET \"; sid:2;)");
1461 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"set rule need an option\"; flowbits:set; content:\"GET \"; sid:3;)");
1464 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"unset rule need an option\"; flowbits:unset; content:\"GET \"; sid:4;)");
1467 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"toggle rule need an option\"; flowbits:toggle; content:\"GET \"; sid:5;)");
1470 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"!set is not an option\"; flowbits:!set,myerr; content:\"GET \"; sid:6;)");
1486 static int FlowBitsTestSig03(
void)
1496 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Unknown cmd\"; flowbits:wrongcmd; content:\"GET \"; sid:1;)");
1511 static int FlowBitsTestSig04(
void)
1521 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isset option\"; flowbits:isset,fbt; content:\"GET \"; sid:1;)");
1539 static int FlowBitsTestSig05(
void)
1549 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert; content:\"GET \"; sid:1;)");
1565 static int FlowBitsTestSig06(
void)
1567 uint8_t *buf = (uint8_t *)
1568 "GET /one/ HTTP/1.1\r\n"
1569 "Host: one.example.org\r\n"
1571 uint16_t buflen = strlen((
char *)buf);
1583 memset(&th_v, 0,
sizeof(th_v));
1584 memset(&f, 0,
sizeof(
Flow));
1595 p->
proto = IPPROTO_TCP;
1615 for ( ; gv != NULL; gv = gv->
next) {
1638 static int FlowBitsTestSig07(
void)
1640 uint8_t *buf = (uint8_t *)
1641 "GET /one/ HTTP/1.1\r\n"
1642 "Host: one.example.org\r\n"
1644 uint16_t buflen = strlen((
char *)buf);
1656 memset(&th_v, 0,
sizeof(th_v));
1657 memset(&f, 0,
sizeof(
Flow));
1668 p->
proto = IPPROTO_TCP;
1678 s = s->
next =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:unset,myflow2; sid:11;)");
1690 for ( ; gv != NULL; gv = gv->
next) {
1713 static int FlowBitsTestSig08(
void)
1715 uint8_t *buf = (uint8_t *)
1716 "GET /one/ HTTP/1.1\r\n"
1717 "Host: one.example.org\r\n"
1719 uint16_t buflen = strlen((
char *)buf);
1732 memset(&th_v, 0,
sizeof(th_v));
1733 memset(&f, 0,
sizeof(
Flow));
1744 p->
proto = IPPROTO_TCP;
1754 s = s->
next =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:toggle,myflow2; sid:11;)");
1766 for ( ; gv != NULL; gv = gv->
next) {
uint16_t cnts[DETECT_FLOWBITS_CMD_MAX]
uint32_t rule_state_dependant_sids_idx
uint32_t isnotset_sids_idx
SCMutex g_flowbits_dump_write_m
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
#define DETECT_FLOWBITS_CMD_MAX
SigTableElmt * sigmatch_table
void PostRuleMatchWorkQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, const int type, const uint32_t value)
void(* Free)(DetectEngineCtx *, void *)
Container for matching data for a signature group.
void FlowBitsRegisterTests(void)
this function registers unit tests for FlowBits
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
bool is_rule_state_dependant
struct HtpBodyChunk_ * next
#define DETECT_FLOWBITS_CMD_ISNOTSET
int PrefilterAppendEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterPktFn PrefilterFunc, SignatureMask mask, enum SignatureHookPkt hook, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
bool FlowBitToggle(Flow *f, uint32_t idx)
int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
main detection engine ctx
@ SIGNATURE_HOOK_PKT_NOT_SET
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
#define FLOW_PKT_TOSERVER
const char * VarNameStoreSetupLookup(const uint32_t id, const enum VarTypes type)
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
#define SCMUTEX_INITIALIZER
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
#define DETECT_FLOWBITS_CMD_TOGGLE
#define DETECT_FLOWBITS_CMD_ISSET
uint32_t VarNameStoreRegister(const char *name, const enum VarTypes type)
#define SIGMATCH_SUPPORT_FIREWALL
struct PrefilterEngineFlowbits __attribute__
RB_HEAD(PFB, PrefilterFlowbit)
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
int FlowBitSet(Flow *f, uint32_t idx)
add a flowbit to the flow
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
void FlowBitUnset(Flow *f, uint32_t idx)
@ DETECT_SM_LIST_POSTMATCH
#define FLOW_INITIALIZE(f)
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
struct GenericVar_ * next
#define PASS
Pass the test.
#define SCMutexUnlock(mut)
#define SIG_MASK_REQUIRE_FLOW
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
#define RB_FOREACH_SAFE(x, name, head, y)
Per thread variable structure.
uint32_t rule_state_flowbits_ids_size
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
void VarNameStoreUnregister(const uint32_t id, const enum VarTypes type)
#define SCLogWarning(...)
Macro used to log WARNING messages.
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
SigGroupHeadInitData * init
void DetectFlowbitFree(DetectEngineCtx *, void *)
void DetectFlowbitsRegister(void)
const char * SCConfigGetLogDirectory(void)
RB_GENERATE(PFB, PrefilterFlowbit, rb, PrefilterFlowbitCompare)
SignatureInitData * init_data
uint32_t * rule_state_dependant_sids_array
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
uint32_t rule_state_dependant_sids_size
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
uint32_t toggle_sids_size
#define SCRealloc(ptr, sz)
#define SIG_FLAG_INIT_STATE_MATCH
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
uint16_t state_cnts[DETECT_FLOWBITS_CMD_MAX]
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
PostRuleMatchWorkQueueItem * q
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
int PrefilterAppendPostRuleEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterPostRuleFunc)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f), void *pectx, void(*FreeFunc)(void *pectx), const char *name)
int FlowBitIsset(Flow *f, uint32_t idx)
#define SCLogError(...)
Macro used to log ERROR messages.
bool(* SupportsPrefilter)(const Signature *s)
#define DETECT_FLOWBITS_CMD_UNSET
a single match condition for a signature
uint32_t isnotset_sids_size
DetectEngineCtx * DetectEngineCtxInit(void)
int DetectFlowbitMatch(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
uint32_t * rule_state_flowbits_ids_array
#define SIGMATCH_IPONLY_COMPAT
#define FLOW_PKT_TOSERVER_FIRST
bool rule_engine_analysis_set
#define SIG_FLAG_PREFILTER
bool post_rule_match_prefilter
RB_PROTOTYPE(PFB, PrefilterFlowbit, rb, PrefilterFlowbitCompare)
PostRuleMatchWorkQueue post_rule_work_queue
int FlowBitIsnotset(Flow *f, uint32_t idx)
#define DETECT_FLOWBITS_CMD_SET
void(* RegisterTests)(void)