89 static inline uint8_t DetectRulePacketRules(
ThreadVars *
const tv,
124 DetectRunInspectIPOnly(
th_v,
de_ctx, det_ctx, pflow,
p);
127 DetectRunGetRuleGroup(
de_ctx,
p, pflow, &scratch);
130 if (scratch.
sgh == NULL) {
132 SCLogDebug(
"no sgh for this packet, nothing to match against");
136 "packet %" PRIu64
": no sgh, need to apply default policies",
PcapPacketCntGet(
p));
139 DetectRunPrefilterPkt(
th_v,
de_ctx, det_ctx,
p, &scratch);
143 const uint8_t pkt_policy = DetectRulePacketRules(
th_v,
de_ctx, det_ctx,
p, pflow, &scratch);
161 if (
p->
proto == IPPROTO_TCP) {
165 SCLogDebug(
"default accept: no PKT_STREAM_EST");
166 DetectRunAppendDefaultAccept(det_ctx,
p);
179 DetectRunFrames(
th_v,
de_ctx, det_ctx,
p, pflow, &scratch);
189 DetectRunAppendDefaultAccept(det_ctx,
p);
193 }
else if (
p->
proto == IPPROTO_UDP) {
194 DetectRunFrames(
th_v,
de_ctx, det_ctx,
p, pflow, &scratch);
198 DetectRunTx(
th_v,
de_ctx, det_ctx,
p, pflow, &scratch);
209 DetectRunAppendDefaultAccept(det_ctx,
p);
214 DetectRunPostRules(
th_v,
de_ctx, det_ctx,
p, pflow, &scratch);
216 DetectRunCleanup(det_ctx,
p, pflow);
241 if (scratch.
sgh == NULL) {
242 SCLogDebug(
"no sgh for this packet, nothing to match against");
247 DetectRunPrefilterPkt(
th_v,
de_ctx, det_ctx,
p, &scratch);
251 const uint8_t pkt_policy = DetectRulePacketRules(
th_v,
de_ctx, det_ctx,
p, pflow, &scratch);
258 DetectRunPostRules(
th_v,
de_ctx, det_ctx,
p, pflow, &scratch);
260 DetectRunCleanup(det_ctx,
p, pflow);
273 SCLogDebug(
"running match functions, sm %p", smd);
310 }
else if (
p->
proto == 0) {
311 if (!(PacketIsIPv4(
p) || PacketIsIPv6(
p))) {
320 int proto = PacketGetIPProto(
p);
321 if (
proto == IPPROTO_TCP) {
325 const uint16_t port = dir ?
p->
dp :
p->
sp;
330 SCLogDebug(
"TCP list %p, port %u, direction %s, sghport %p, sgh %p", list, port,
331 dir ?
"toserver" :
"toclient", sghport, sgh);
332 }
else if (
proto == IPPROTO_UDP) {
334 uint16_t port = dir ?
p->
dp :
p->
sp;
338 SCLogDebug(
"UDP list %p, port %u, direction %s, sghport %p, sgh %p", list, port,
339 dir ?
"toserver" :
"toclient", sghport, sgh);
347 static inline void DetectPrefilterCopyDeDup(
355 while (final_cnt-- > 0) {
360 if (
likely(
id != previous_id)) {
377 DetectPostInspectFileFlagsUpdate(
Flow *f,
const SigGroupHead *sgh, uint8_t direction)
382 SCLogDebug(
"requesting disabling all file features for flow");
386 SCLogDebug(
"requesting disabling filestore for flow");
387 flow_file_flags |= (FLOWFILE_NO_STORE_TS|FLOWFILE_NO_STORE_TC);
390 if (!(sgh->
flags & SIG_GROUP_HEAD_HAVEFILEMAGIC)) {
391 SCLogDebug(
"requesting disabling magic for flow");
396 SCLogDebug(
"requesting disabling md5 for flow");
400 SCLogDebug(
"requesting disabling sha1 for flow");
404 SCLogDebug(
"requesting disabling sha256 for flow");
408 if (flow_file_flags != 0) {
424 SCLogDebug(
"STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.client");
429 DetectPostInspectFileFlagsUpdate(pflow,
439 SCLogDebug(
"STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.server");
444 DetectPostInspectFileFlagsUpdate(pflow,
449 static inline void DetectRunGetRuleGroup(
457 bool use_flow_sgh =
false;
460 if (PacketGetIPProto(
p) == pflow->
proto) {
464 SCLogDebug(
"sgh = pflow->sgh_toserver; => %p", sgh);
468 SCLogDebug(
"sgh = pflow->sgh_toclient; => %p", sgh);
474 if (!(use_flow_sgh)) {
487 DetectRunPostGetFirstRuleGroup(
p, pflow, sgh);
507 SCLogDebug(
"testing against \"ip-only\" signatures");
526 static inline bool DetectRunInspectRuleHeader(
536 const bool fv = f->
flowvar != NULL;
538 SCLogDebug(
"skipping sig as the flow has no flowvars and sig "
539 "has SIG_FLAG_REQUIRE_FLOWVAR flag set.");
544 if (!(s->
proto == NULL)) {
545 const uint8_t s_proto_flags = s->
proto->
flags;
557 if (PacketIsEthernet(
p) &&
591 SCLogDebug(
"port-less protocol and sig needs ports");
597 if (PacketIsIPv4(
p)) {
600 }
else if (PacketIsIPv6(
p)) {
607 if (PacketIsIPv4(
p)) {
610 }
else if (PacketIsIPv6(
p)) {
638 DetectPrefilterCopyDeDup(
de_ctx, det_ctx);
653 static bool IsOnlyTxInDirection(
Flow *f, uint64_t txid, uint8_t dir)
656 if (tx_cnt == txid + 1) {
660 if (tx_cnt == txid + 2) {
666 if ((dir == STREAM_TOSERVER && (txd->
flags & APP_LAYER_TX_SKIP_INSPECT_TS)) ||
667 (dir == STREAM_TOCLIENT && (txd->
flags & APP_LAYER_TX_SKIP_INSPECT_TC))) {
675 static int SortHelper(
const void *a,
const void *b)
681 return sa->
iid > sb->
iid ? 1 : -1;
684 static inline bool SkipFwRules(
const Packet *
p)
686 if (
p->
flow != NULL) {
711 SCLogDebug(
"packet %" PRIu64
": drop PKT_DROP_REASON_FW_DEFAULT_PACKET_POLICY",
723 SCLogDebug(
"packet %" PRIu64
": accept scope hook upgraded to packet",
753 const uint8_t alert_flags_in)
769 uint8_t alert_flags = alert_flags_in;
770 if (f->
proto != IPPROTO_UDP) {
782 static inline uint8_t DetectRulePacketRules(
ThreadVars *
const tv,
787 bool fw_verdict =
false;
807 bool skip_fw = SkipFwRules(
p);
808 uint32_t sflags, next_sflags = 0;
810 next_s = *match_array++;
811 next_sflags = next_s->
flags;
813 while (match_cnt--) {
815 bool break_out_of_packet_filter =
false;
816 uint8_t alert_flags = 0;
821 sflags = next_sflags;
823 next_s = *match_array++;
824 next_sflags = next_s->
flags;
836 }
else if (have_fw_rules) {
843 break_out_of_packet_filter =
true;
866 if (SigDsizePrefilter(
p, s, sflags))
877 if (DetectRunInspectRuleHeader(
p, pflow, s, sflags) ==
false) {
888 DetectRunPostMatch(
tv, det_ctx,
p, s);
890 DetectRulePacketAppendAlert(
de_ctx, det_ctx, s,
p, pflow, alert_flags);
899 SCLogDebug(
"sig_array_len %u det_ctx->pmq.rule_id_array_cnt %u",
902 for (uint32_t x = 0; x < match_cnt; x++) {
903 *r++ = match_array[x];
904 SCLogDebug(
"appended %u", match_array[x]->
id);
911 if (
ts->app_inspect == NULL) {
923 uint32_t skipped = 0;
924 for (uint32_t x = 0; x < match_cnt; x++) {
926 if (last_sig == *
m) {
933 match_cnt -= skipped;
935 next_s = *match_array++;
936 next_sflags = next_s->
flags;
983 break_out_of_packet_filter =
true;
987 DetectVarProcessList(det_ctx, pflow,
p);
988 DetectReplaceFree(det_ctx);
992 if (break_out_of_packet_filter)
1001 if (have_fw_rules) {
1002 if (skip_fw || fw_verdict) {
1022 uint8_t flow_flags = 0;
1023 bool app_decoder_events =
false;
1046 det_ctx->pkt_stream_add_cnt++;
1055 flow_flags = STREAM_TOSERVER;
1058 flow_flags = STREAM_TOCLIENT;
1064 flow_flags |= STREAM_EOF;
1095 (
p->
proto == IPPROTO_UDP) ||
1107 SCLogDebug(
"packet doesn't have established flag set (proto %d)",
p->
proto);
1150 SCLogDebug(
"packet %" PRIu64
": default action as no verdict set %02x (pkt %s)",
1163 if (pflow != NULL) {
1186 FatalError(
"failed to allocate %" PRIu64
" bytes",
1190 SCLogDebug(
"array initialized to %u elements (%"PRIu64
" bytes)",
1202 const uint32_t need)
1213 uint32_t new_size = needed;
1216 FatalError(
"failed to expand to %" PRIu64
" bytes",
1222 SCLogDebug(
"array expanded from %u to %u elements (%"PRIu64
" bytes -> %"PRIu64
" bytes)",
1235 DetectRunTxSortHelper(
const void *a,
const void *b)
1239 if (s1->
id == s0->
id) {
1246 return s0->
id > s1->
id ? 1 : -1;
1250 #define TRACE_SID_TXS(sid,txs,...) \
1252 char _trace_buf[2048]; \
1253 snprintf(_trace_buf, sizeof(_trace_buf), __VA_ARGS__); \
1254 SCLogNotice("%p/%"PRIu64"/%u: %s", txs->tx_ptr, txs->tx_id, sid, _trace_buf); \
1257 #define TRACE_SID_TXS(sid,txs,...)
1269 SCLogDebug(
"pre: tx_ptr %p flow::alproto %s engine::alproto %s", tx_ptr,
1272 switch (engine_alproto) {
1275 tx_ptr = SCDoH2GetDnsTx(tx_ptr, flow_flags);
1286 }
else if (engine_alproto != alproto && engine_alproto !=
ALPROTO_UNKNOWN) {
1309 const uint8_t in_flow_flags,
1313 const uint8_t flow_flags = in_flow_flags;
1314 const int direction = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
1315 uint32_t inspect_flags = stored_flags ? *stored_flags : 0;
1316 int total_matches = 0;
1317 uint16_t file_no_match = 0;
1318 bool mpm_before_progress =
false;
1319 bool mpm_in_progress =
false;
1321 TRACE_SID_TXS(s->
id, tx,
"starting %s", direction ?
"toclient" :
"toserver");
1324 if (
likely(stored_flags == NULL)) {
1326 if (DetectRunInspectRuleHeader(
p, f, s, s->
flags) ==
false) {
1340 TRACE_SID_TXS(s->
id, tx,
"continue, inspect_flags %x", inspect_flags);
1345 TRACE_SID_TXS(s->
id, tx,
"engine %p inspect_flags %x", engine, inspect_flags);
1349 if (!(inspect_flags &
BIT_U32(engine->
id)) &&
1361 "skip because engine alproto %s sub_state %u != tx_type %u (engine "
1365 engine = engine->
next;
1369 "inspecting engine alproto %s sub_state %u == tx_type %u (engine progress %u)",
1374 if (tx_ptr == NULL) {
1380 engine = engine->
next;
1391 SCLogDebug(
"tx progress %d < engine progress %d",
1398 "engine->mpm: t->tx_progress %u > engine->progress %u, so set "
1399 "mpm_before_progress",
1401 mpm_before_progress =
true;
1404 "engine->mpm: t->tx_progress %u == engine->progress %u, so set "
1408 mpm_in_progress =
true;
1413 uint8_t engine_flags = flow_flags;
1414 if (direction != engine->
dir) {
1415 engine_flags = flow_flags ^ (STREAM_TOCLIENT | STREAM_TOSERVER);
1421 TRACE_SID_TXS(s->
id, tx,
"stream skipped, stored result %d used instead", match);
1426 mpm_before_progress =
true;
1441 de_ctx, det_ctx, engine, s, f, engine_flags, alstate, tx_ptr, tx->
tx_id);
1446 TRACE_SID_TXS(s->
id, tx,
"stream ran, store result %d for next tx (if any)", match);
1451 engine = engine->
next;
1458 engine = engine->
next;
1470 if (engine->
mpm && mpm_before_progress) {
1476 direction != engine->
dir) {
1482 if (direction == 0 && engine->
next == NULL) {
1486 engine = engine->
next;
1490 engine = engine->
next;
1491 }
while (engine != NULL);
1492 TRACE_SID_TXS(s->
id, tx,
"inspect_flags %x, total_matches %u, engine %p",
1493 inspect_flags, total_matches, engine);
1495 bool full_match =
false;
1496 if (engine == NULL && total_matches) {
1503 *stored_flags = inspect_flags;
1504 TRACE_SID_TXS(s->
id, tx,
"continue inspect flags %08x", inspect_flags);
1511 if (file_no_match) {
1522 inspect_flags, flow_flags, file_no_match);
1526 "mpm won't trigger for it anymore");
1530 "we may have to revisit anyway");
1532 inspect_flags, flow_flags, file_no_match);
1536 "mpm will revisit it");
1538 }
else if (inspect_flags != 0 || file_no_match != 0) {
1541 inspect_flags, flow_flags, file_no_match);
1543 if (inspect_flags == 0) {
1544 TRACE_SID_TXS(s->
id, tx,
"no match: inspect_flags %08x", inspect_flags);
1562 NULL, 0, NULL, NULL, 0, 0, 0, 0, false, 0, \
1570 const uint64_t tx_id,
void *tx_ptr,
const int tx_end_state,
const uint8_t flow_flags)
1575 const uint8_t tx_progress =
1579 const uint8_t e_tx_end_state = txd->
tx_type == 0 ? (uint8_t)tx_end_state
1584 if (!updated && tx_progress < e_tx_end_state && ((flow_flags & STREAM_EOF) == 0)) {
1588 const uint8_t inspected_flag =
1591 SCLogDebug(
"%" PRIu64
" tx already fully inspected for %s. Flags %02x", tx_id,
1592 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient", txd->
flags);
1596 const uint8_t skip_flag = (flow_flags & STREAM_TOSERVER) ? APP_LAYER_TX_SKIP_INSPECT_TS
1597 : APP_LAYER_TX_SKIP_INSPECT_TC;
1599 SCLogDebug(
"%" PRIu64
" tx should not be inspected in direction %s. Flags %02x", tx_id,
1600 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient", txd->
flags);
1609 const uint8_t detect_progress =
1612 const int dir_int = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
1615 tx_de_state ? &tx_de_state->
dir_state[dir_int] : NULL;
1621 .detect_progress = detect_progress,
1622 .detect_progress_orig = detect_progress,
1623 .tx_progress = (uint8_t)tx_progress,
1624 .tx_end_state = e_tx_end_state,
1631 static inline void StoreDetectProgress(
1635 if (flow_flags & STREAM_TOSERVER) {
1644 static inline void RuleMatchCandidateMergeStateRules(
1662 uint32_t j = *array_idx;
1671 uint32_t k = *array_idx;
1693 if (s->
iid <= s0->
id) {
1750 const uint8_t progress)
1752 const uint8_t dir_flags = direction & (STREAM_TOSERVER | STREAM_TOCLIENT);
1767 if (
likely(ap != NULL)) {
1773 SCLogDebug(
"dropping packet PKT_DROP_REASON_FW_DEFAULT_APP_POLICY");
1781 DetectRunAppendDefaultAppPolicyAlert(det_ctx,
p,
true, tx, ap);
1789 const bool last_hook =
progress == tx->tx_progress;
1790 bool apply_to_packet =
false;
1795 apply_to_packet =
true;
1799 apply_to_packet = tx->is_last;
1802 apply_to_packet = tx->is_last && last_hook;
1809 SCLogDebug(
"packet %" PRIu64
" hook %u default policy ACCEPT, apply_to_packet:%s",
1814 DetectRunAppendDefaultAppPolicyAlert(det_ctx,
p, apply_to_packet, tx, ap);
1815 }
else if (apply_to_packet) {
1817 DetectRunAppendDefaultAccept(det_ctx,
p);
1841 const uint8_t start_hook,
const uint8_t end_hook)
1845 const bool need_verdict =
1847 SCLogDebug(
"need_verdict:%s is_last:%s end_hook:%u tx->tx_end_state:%u tx->progress: %u",
1851 for (uint8_t hook = start_hook; hook <= end_hook; hook++) {
1852 const bool apply_to_packet =
1855 SCLogDebug(
"%" PRIu64
": %s default policy for hook %u, apply_to_packet %s",
1860 det_ctx, policies, tx,
p, alproto, direction, hook);
1861 SCLogDebug(
"fw: hook:%u policy:%02x apply_to_packet:%s", hook, policy.
action,
1881 if (apply_to_packet) {
1896 SCLogDebug(
"default accept: last tx and progress at end_hook %u", end_hook);
1897 DetectRunAppendDefaultAccept(det_ctx,
p);
1936 SCLogDebug(
"default accept due to flow accept");
1937 DetectRunAppendDefaultAccept(det_ctx,
p);
1948 const bool accept_tx_applies_to_packet = tx->
is_last;
1949 if (accept_tx_applies_to_packet) {
1950 SCLogDebug(
"accept:tx: should be applied to the packet");
1951 DetectRunAppendDefaultAccept(det_ctx,
p);
1955 SCLogDebug(
"APP_LAYER_TX_ACCEPT, so skip rule");
1971 SCLogDebug(
"missing fw rules at list start: sid %u, progress %u (%u:%u)", s->
id,
2010 if (can_idx + 1 < can_size) {
2016 SCLogDebug(
"peek: next sid progress %u != current progress %u, so current "
2017 "is last for progress",
2022 SCLogDebug(
"peek: missing progress, so we'll drop that unless we get a "
2023 "sweeping accept first");
2028 SCLogDebug(
"peek: next sid not a fw rule, so current is last for progress");
2033 SCLogDebug(
"peek: no peek beyond last rule");
2035 SCLogDebug(
"peek: there are no rules to allow the state after this rule");
2126 SCLogDebug(
"fw fw_skip_app_filter:%s skip_fw_hook:%s "
2127 "skip_before_progress:%u fw_last_for_progress:%s fw_next_progress_missing:%s",
2149 SCLogDebug(
"accept:tx applied, skip_fw_hook, skip_before_progress %u",
2154 SCLogDebug(
"sid %u: ACTION_ACCEPT with ACTION_SCOPE_FLOW", s->
id);
2175 if (rule_cnt == 0) {
2178 DetectRunAppendDefaultAccept(det_ctx,
p);
2185 DetectRunAppendDefaultAccept(det_ctx,
p);
2202 alproto, flow_flags & (STREAM_TOSERVER | STREAM_TOCLIENT),
2226 const uint8_t flow_flags)
2235 const bool fw_accept_to_packet = ApplyAcceptToPacket(tx, s);
2236 if (fw_accept_to_packet) {
2238 SCLogDebug(
"accept:(tx|hook): should be applied to the packet");
2244 DetectRunTxFirewallApplyAccept(det_ctx,
p, flow_flags, s, tx, fw_state);
2246 SCLogDebug(
"drop packet because of rule with drop action");
2249 SCLogDebug(
"drop flow because of rule with drop action");
2272 static int DetectRunTxFirewallRulePartialMatch(
2279 SCLogDebug(
"need to apply accept to packet");
2280 DetectRunAppendDefaultAccept(det_ctx,
p);
2283 SCLogDebug(
"only applying accept:flow on full match, downgrading to "
2304 const uint8_t flow_flags)
2331 Packet *
p,
const uint8_t flow_flags)
2337 const bool fw_accept_to_packet = ApplyAcceptToPacket(tx, s);
2338 DetectRunTxFirewallApplyAccept(det_ctx,
p, flow_flags, s, tx, fw_state);
2339 if (fw_accept_to_packet) {
2341 DetectRunAppendDefaultAccept(det_ctx,
p);
2353 const uint8_t flow_flags = scratch->
flow_flags;
2355 void *
const alstate = f->
alstate;
2356 const uint8_t ipproto = f->
proto;
2366 uint32_t tx_inspected = 0;
2370 bool last_tx_skipped =
false;
2377 if (ires.
tx_ptr == NULL) {
2378 SCLogDebug(
"%p/%" PRIu64
" no transaction to inspect", ires.
tx_ptr, tx_id_min);
2383 GetDetectTx(ipproto, alproto, ires.
tx_id, ires.
tx_ptr, tx_end_state, flow_flags);
2385 SCLogDebug(
"%p/%"PRIu64
" no transaction to inspect",
2392 tx_id_min = tx.
tx_id + 1;
2402 bool do_sort =
false;
2403 uint32_t array_idx = 0;
2413 SCLogDebug(
"%p/%"PRIu64
" rules added from prefilter: %u candidates",
2417 if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {
2418 RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
2432 if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {
2433 RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
2439 uint32_t x = array_idx;
2441 RuleMatchCandidateMergeStateRules(det_ctx, &array_idx);
2445 const uint32_t old = array_idx;
2450 if (have_new_file) {
2451 SCLogDebug(
"%p/%"PRIu64
" destate: need to consider new file",
2458 for (; tx_store != NULL; tx_store = tx_store->
next) {
2464 store_cnt++, state_cnt++)
2481 do_sort |= (old && old != array_idx);
2487 DetectRunTxSortHelper);
2496 for (uint32_t i = 0; i < array_idx; i++) {
2512 SCLogDebug(
"%s: tx_progress %u tx %p have_fw_rules %s array_idx %u detect_progress_orig %u "
2513 "cur detect_progress %u",
2514 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient", tx.
tx_progress,
2518 if (have_fw_rules) {
2521 const int r = DetectTxFirewallNoRulesApplyPolicies(
2522 det_ctx,
p, f, &tx, alproto, flow_flags, array_idx);
2526 }
else if (r == 2) {
2532 for (uint32_t i = 0; i < array_idx; i++) {
2538 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient", tx.
tx_progress,
2541 if (have_fw_rules) {
2543 DetectRunTxPreCheckFirewallPolicy(det_ctx,
p, &tx,
2544 flow_flags & (STREAM_TOSERVER | STREAM_TOCLIENT), s, i, &fw_state);
2545 SCLogDebug(
"fw fw_skip_app_filter:%s skip_fw_hook:%s "
2546 "skip_before_progress:%u fw_last_for_progress:%s "
2547 "fw_next_progress_missing:%s",
2566 while ((i + 1) < array_idx &&
2568 SCLogDebug(
"%p/%" PRIu64
" inspecting SKIP NEXT: sid %u (%u), flags %08x",
2574 s->
id, s->
iid, inspect_flags ? *inspect_flags : 0);
2576 if (inspect_flags) {
2579 " inspecting: sid %u (%u), flags %08x DE_STATE_FLAG_FULL_INSPECT",
2584 if (have_fw_rules) {
2585 DetectRunTxFirewallRuleStatefulReApplyMatch(
2586 det_ctx, s, &tx, &fw_state,
p, flow_flags);
2592 " inspecting: sid %u (%u), flags %08x DE_STATE_FLAG_SIG_CANT_MATCH",
2604 if (have_fw_rules) {
2607 DetectRunTxCheckRuleState(det_ctx,
p, f, &tx, s, i, array_idx, &fw_state);
2608 SCLogDebug(
"fw fw_skip_app_filter:%s skip_fw_hook:%s "
2609 "skip_before_progress:%u fw_last_for_progress:%s "
2610 "fw_next_progress_missing:%s",
2622 const int r = DetectRunTxInspectRule(
tv,
de_ctx, det_ctx,
p, f, flow_flags,
2623 alstate, &tx, s, inspect_flags, can, scratch);
2627 DetectRunPostMatch(
tv, det_ctx,
p, s);
2635 DetectRunTxFirewallRuleFullMatch(det_ctx, s, &tx, &fw_state, f,
p, flow_flags);
2637 }
else if (r == 0) {
2639 if (DetectRunTxFirewallRulePartialMatch(det_ctx, s, &tx,
p) == 1) {
2643 if (DetectRunTxFirewallRuleNoMatch(det_ctx, s, &tx, &fw_state,
p, flow_flags) ==
2648 DetectVarProcessList(det_ctx,
p->
flow,
p);
2657 uint32_t prev_array_idx = array_idx;
2660 if (
ts->app_inspect != NULL) {
2668 SCLogDebug(
"%p/%" PRIu64
" rule %u (%u) added from 'post match' prefilter",
2672 SCLogDebug(
"%p/%" PRIu64
" rules added from 'post match' prefilter: %u", tx.
tx_ptr,
2673 tx.
tx_id, array_idx - prev_array_idx);
2674 if (prev_array_idx != array_idx) {
2677 DetectRunTxSortHelper);
2693 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient");
2694 const uint8_t inspected_flag = (flow_flags & STREAM_TOSERVER)
2698 SCLogDebug(
"%p/%" PRIu64
" tx is done for direction %s. Progress %02x", tx.
tx_ptr,
2699 tx.
tx_id, flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient",
2721 if (have_fw_rules) {
2722 if (tx_inspected == 0) {
2724 SCLogDebug(
"default accept: no app inspect performed");
2725 DetectRunAppendDefaultAccept(det_ctx,
p);
2726 }
else if (last_tx_skipped) {
2730 SCLogDebug(
"default accept: last tx skipped");
2731 DetectRunAppendDefaultAccept(det_ctx,
p);
2747 SCLogDebug(
"pcap_cnt %" PRIu64
": %s: skip frame inspection for TCP w/o APP UPDATE",
2752 if (frames_container == NULL) {
2757 frames = &frames_container->
toserver;
2759 frames = &frames_container->
toclient;
2762 for (uint32_t idx = 0; idx < frames->
cnt; idx++) {
2765 if (frame == NULL) {
2770 uint32_t array_idx = 0;
2778 SCLogDebug(
"%p/%" PRIi64
" rules added from prefilter: %u candidates", frame, frame->
id,
2783 if (!(RuleMatchCandidateTxArrayHasSpace(
2784 det_ctx, total_rules))) {
2785 RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
2800 uint32_t x = array_idx;
2811 SCLogDebug(
"%p/%" PRIi64
" rule %u (%u) added from 'match' list", frame, frame->
id,
2815 SCLogDebug(
"%p/%" PRIi64
" rules added from 'match' list: %u", frame, frame->
id,
2820 for (uint32_t i = 0; i < array_idx; i++) {
2827 while ((i + 1) < array_idx &&
2831 SCLogDebug(
"%p/%" PRIi64
" inspecting: sid %u (%u)", frame, frame->
id, s->
id, s->
iid);
2834 SCLogDebug(
"%p/%" PRIi64
" Start sid %u", frame, frame->
id, s->
id);
2838 bool r = DetectRunInspectRuleHeader(
p, f, s, s->
flags);
2843 DetectRunPostMatch(
tv, det_ctx,
p, s);
2846 "%p/%" PRIi64
" sig %u (%u) matched", frame, frame->
id, s->
id, s->
iid);
2847 const uint8_t alert_flags =
2850 const uint8_t ipproto =
p->
proto;
2851 uint8_t sub_state = 0;
2864 DetectVarProcessList(det_ctx,
p->
flow,
p);
2875 "frame->inspect_progress: %" PRIu64
" -> not updated", frame->
inspect_progress);
2878 SCLogDebug(
"%p/%" PRIi64
" rules inspected, running cleanup", frame, frame->
id);
2926 SCLogDebug(
"p->pcap %" PRIu64
": no detection on packet, "
2927 "PKT_NOPACKET_INSPECTION is set",
2985 if (det_ctx == NULL) {
2986 printf(
"ERROR: Detect has no thread ctx\n");
2992 SCLogDebug(
"Detect Engine using new det_ctx - %p",
3003 if (tenant_id > 0 && tenant_id < det_ctx->mt_det_ctxs_cnt) {
3006 if (det_ctx == NULL)
3014 SCLogDebug(
"MT de_ctx %p det_ctx %p (tenant %u)",
de_ctx, det_ctx, tenant_id);
3030 #ifdef PROFILE_RULES
3033 gettimeofday(&
ts, NULL);
3034 if (
ts.tv_sec != det_ctx->rule_perf_last_sync) {
3035 SCProfilingRuleThreatAggregate(det_ctx);
3036 det_ctx->rule_perf_last_sync =
ts.tv_sec;
3050 DetectPostInspectFileFlagsUpdate(f, NULL , STREAM_TOSERVER);
3051 DetectPostInspectFileFlagsUpdate(f, NULL , STREAM_TOCLIENT);
3054 #if defined(UNITTESTS) || defined(FUZZ)