86 const uint8_t default_action);
93 static inline uint8_t DetectRulePacketRules(
ThreadVars *
const tv,
127 DetectRunInspectIPOnly(th_v,
de_ctx, det_ctx, pflow, p);
130 DetectRunGetRuleGroup(
de_ctx, p, pflow, &scratch);
133 if (scratch.
sgh == NULL) {
134 SCLogDebug(
"no sgh for this packet, nothing to match against");
139 DetectRunPrefilterPkt(th_v,
de_ctx, det_ctx, p, &scratch);
143 const uint8_t pkt_policy = DetectRulePacketRules(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
159 if (p->
proto == IPPROTO_TCP) {
162 DetectRunAppendDefaultAccept(det_ctx, p);
174 DetectRunFrames(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
182 DetectRunAppendDefaultAccept(det_ctx, p);
185 }
else if (p->
proto == IPPROTO_UDP) {
186 DetectRunFrames(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
190 DetectRunTx(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
199 DetectRunAppendDefaultAccept(det_ctx, p);
203 DetectRunPostRules(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
205 DetectRunCleanup(det_ctx, p, pflow);
229 if (scratch.
sgh == NULL) {
230 SCLogDebug(
"no sgh for this packet, nothing to match against");
235 DetectRunPrefilterPkt(th_v,
de_ctx, det_ctx, p, &scratch);
239 const uint8_t pkt_policy = DetectRulePacketRules(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
246 DetectRunPostRules(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
248 DetectRunCleanup(det_ctx, p, pflow);
261 SCLogDebug(
"running match functions, sm %p", smd);
292 }
else if (p->
proto == 0) {
293 if (!(PacketIsIPv4(p) || PacketIsIPv6(p))) {
302 int proto = PacketGetIPProto(p);
303 if (
proto == IPPROTO_TCP) {
307 const uint16_t port = dir ? p->
dp : p->
sp;
312 SCLogDebug(
"TCP list %p, port %u, direction %s, sghport %p, sgh %p", list, port,
313 dir ?
"toserver" :
"toclient", sghport, sgh);
314 }
else if (
proto == IPPROTO_UDP) {
316 uint16_t port = dir ? p->
dp : p->
sp;
320 SCLogDebug(
"UDP list %p, port %u, direction %s, sghport %p, sgh %p", list, port,
321 dir ?
"toserver" :
"toclient", sghport, sgh);
329 static inline void DetectPrefilterCopyDeDup(
337 while (final_cnt-- > 0) {
342 if (
likely(
id != previous_id)) {
359 DetectPostInspectFileFlagsUpdate(
Flow *f,
const SigGroupHead *sgh, uint8_t direction)
364 SCLogDebug(
"requesting disabling all file features for flow");
368 SCLogDebug(
"requesting disabling filestore for flow");
372 if (!(sgh->
flags & SIG_GROUP_HEAD_HAVEFILEMAGIC)) {
373 SCLogDebug(
"requesting disabling magic for flow");
378 SCLogDebug(
"requesting disabling md5 for flow");
382 SCLogDebug(
"requesting disabling sha1 for flow");
386 SCLogDebug(
"requesting disabling sha256 for flow");
390 if (flow_file_flags != 0) {
406 SCLogDebug(
"STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.client");
411 DetectPostInspectFileFlagsUpdate(pflow,
421 SCLogDebug(
"STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.server");
426 DetectPostInspectFileFlagsUpdate(pflow,
431 static inline void DetectRunGetRuleGroup(
439 bool use_flow_sgh =
false;
442 if (PacketGetIPProto(p) == pflow->
proto) {
446 SCLogDebug(
"sgh = pflow->sgh_toserver; => %p", sgh);
450 SCLogDebug(
"sgh = pflow->sgh_toclient; => %p", sgh);
456 if (!(use_flow_sgh)) {
469 DetectRunPostGetFirstRuleGroup(p, pflow, sgh);
489 SCLogDebug(
"testing against \"ip-only\" signatures");
508 static inline bool DetectRunInspectRuleHeader(
const Packet *p,
const Flow *f,
const Signature *s,
509 const uint32_t sflags,
const uint8_t s_proto_flags)
518 const bool fv = f->
flowvar != NULL;
520 SCLogDebug(
"skipping sig as the flow has no flowvars and sig "
521 "has SIG_FLAG_REQUIRE_FLOWVAR flag set.");
561 SCLogDebug(
"port-less protocol and sig needs ports");
567 if (PacketIsIPv4(p)) {
570 }
else if (PacketIsIPv6(p)) {
577 if (PacketIsIPv4(p)) {
580 }
else if (PacketIsIPv6(p)) {
607 DetectPrefilterCopyDeDup(
de_ctx, det_ctx);
622 static bool IsOnlyTxInDirection(
Flow *f, uint64_t txid, uint8_t dir)
625 if (tx_cnt == txid + 1) {
629 if (tx_cnt == txid + 2) {
644 static int SortHelper(
const void *a,
const void *b)
650 return sa->
iid > sb->
iid ? 1 : -1;
653 static inline uint8_t DetectRulePacketRules(
ThreadVars *
const tv,
658 bool fw_verdict =
false;
668 (uint64_t)match_cnt);
679 bool skip_fw =
false;
680 uint32_t sflags, next_sflags = 0;
682 next_s = *match_array++;
683 next_sflags = next_s->
flags;
685 while (match_cnt--) {
687 bool break_out_of_packet_filter =
false;
688 uint8_t alert_flags = 0;
693 sflags = next_sflags;
695 next_s = *match_array++;
696 next_sflags = next_s->
flags;
708 }
else if (have_fw_rules) {
715 break_out_of_packet_filter =
true;
738 if (SigDsizePrefilter(p, s, sflags))
749 if (!DetectRunInspectRuleHeader(p, pflow, s, sflags, s_proto_flags)) {
760 DetectRunPostMatch(
tv, det_ctx, p, s);
778 if (pflow->
proto != IPPROTO_UDP) {
781 txd->guessed_applayer_logged++;
798 SCLogDebug(
"sig_array_len %u det_ctx->pmq.rule_id_array_cnt %u",
801 for (uint32_t x = 0; x < match_cnt; x++) {
802 *r++ = match_array[x];
803 SCLogDebug(
"appended %u", match_array[x]->
id);
810 if (
ts->app_inspect == NULL) {
816 qsort(replace, match_cnt,
sizeof(
Signature *), SortHelper);
822 uint32_t skipped = 0;
823 for (uint32_t x = 0; x < match_cnt; x++) {
825 if (last_sig == *
m) {
832 match_cnt -= skipped;
834 next_s = *match_array++;
835 next_sflags = next_s->
flags;
866 break_out_of_packet_filter =
true;
871 break_out_of_packet_filter =
true;
882 break_out_of_packet_filter =
true;
886 DetectVarProcessList(det_ctx, pflow, p);
887 DetectReplaceFree(det_ctx);
891 if (break_out_of_packet_filter)
921 const uint8_t default_action)
924 uint8_t flow_flags = 0;
925 bool app_decoder_events =
false;
947 det_ctx->pkt_stream_add_cnt++;
956 flow_flags = STREAM_TOSERVER;
959 flow_flags = STREAM_TOCLIENT;
965 flow_flags |= STREAM_EOF;
996 (p->
proto == IPPROTO_UDP) ||
1001 alproto = FlowGetAppProtocol(pflow);
1008 SCLogDebug(
"packet doesn't have established flag set (proto %d)", p->
proto);
1045 SCLogDebug(
"packet %" PRIu64
": droppit as no ACCEPT set %02x (pkt %s)", p->
pcap_cnt,
1057 if (pflow != NULL) {
1074 FatalError(
"failed to allocate %" PRIu64
" bytes",
1078 SCLogDebug(
"array initialized to %u elements (%"PRIu64
" bytes)",
1090 const uint32_t need)
1101 uint32_t new_size = needed;
1104 FatalError(
"failed to expand to %" PRIu64
" bytes",
1110 SCLogDebug(
"array expanded from %u to %u elements (%"PRIu64
" bytes -> %"PRIu64
" bytes)",
1123 DetectRunTxSortHelper(
const void *a,
const void *b)
1127 if (s1->
id == s0->
id) {
1134 return s0->
id > s1->
id ? 1 : -1;
1138 #define TRACE_SID_TXS(sid,txs,...) \
1140 char _trace_buf[2048]; \
1141 snprintf(_trace_buf, sizeof(_trace_buf), __VA_ARGS__); \
1142 SCLogNotice("%p/%"PRIu64"/%u: %s", txs->tx_ptr, txs->tx_id, sid, _trace_buf); \
1145 #define TRACE_SID_TXS(sid,txs,...)
1154 tx_ptr = SCDoH2GetDnsTx(tx_ptr, flow_flags);
1159 }
else if (engine_alproto != alproto && engine_alproto !=
ALPROTO_UNKNOWN) {
1183 const uint8_t in_flow_flags,
1187 uint32_t *stored_flags,
1191 const uint8_t flow_flags = in_flow_flags;
1192 const int direction = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
1193 uint32_t inspect_flags = stored_flags ? *stored_flags : 0;
1194 int total_matches = 0;
1195 uint16_t file_no_match = 0;
1196 bool retval =
false;
1197 bool mpm_before_progress =
false;
1198 bool mpm_in_progress =
false;
1200 TRACE_SID_TXS(s->
id, tx,
"starting %s", direction ?
"toclient" :
"toserver");
1203 if (
likely(stored_flags == NULL)) {
1222 TRACE_SID_TXS(s->
id, tx,
"engine %p inspect_flags %x", engine, inspect_flags);
1225 if (!(inspect_flags &
BIT_U32(engine->
id)) &&
1229 if (tx_ptr == NULL) {
1233 engine = engine->
next;
1243 SCLogDebug(
"tx progress %d < engine progress %d",
1250 "engine->mpm: t->tx_progress %u > engine->progress %u, so set "
1251 "mpm_before_progress",
1253 mpm_before_progress =
true;
1256 "engine->mpm: t->tx_progress %u == engine->progress %u, so set "
1259 mpm_in_progress =
true;
1263 uint8_t engine_flags = flow_flags;
1264 if (direction != engine->
dir) {
1265 engine_flags = flow_flags ^ (STREAM_TOCLIENT | STREAM_TOSERVER);
1271 TRACE_SID_TXS(s->
id, tx,
"stream skipped, stored result %d used instead", match);
1276 mpm_before_progress =
true;
1290 de_ctx, det_ctx, engine, s, f, engine_flags, alstate, tx_ptr, tx->
tx_id);
1295 TRACE_SID_TXS(s->
id, tx,
"stream ran, store result %d for next tx (if any)", match);
1300 engine = engine->
next;
1307 engine = engine->
next;
1319 if (engine->
mpm && mpm_before_progress) {
1325 direction != engine->
dir) {
1329 if (direction == 0 && engine->
next == NULL) {
1333 engine = engine->
next;
1337 engine = engine->
next;
1338 }
while (engine != NULL);
1339 TRACE_SID_TXS(s->
id, tx,
"inspect_flags %x, total_matches %u, engine %p",
1340 inspect_flags, total_matches, engine);
1342 if (engine == NULL && total_matches) {
1349 *stored_flags = inspect_flags;
1350 TRACE_SID_TXS(s->
id, tx,
"continue inspect flags %08x", inspect_flags);
1357 if (file_no_match) {
1368 inspect_flags, flow_flags, file_no_match);
1372 "mpm won't trigger for it anymore");
1376 "we may have to revisit anyway");
1378 inspect_flags, flow_flags, file_no_match);
1382 "mpm will revisit it");
1383 }
else if (inspect_flags != 0 || file_no_match != 0) {
1386 inspect_flags, flow_flags, file_no_match);
1395 NULL, 0, NULL, NULL, 0, 0, 0, 0, \
1403 const uint64_t tx_id,
void *tx_ptr,
const int tx_end_state,
const uint8_t flow_flags)
1407 bool updated = (flow_flags & STREAM_TOSERVER) ? txd->updated_ts : txd->updated_tc;
1408 if (!updated && tx_progress < tx_end_state && ((flow_flags & STREAM_EOF) == 0)) {
1412 const uint8_t inspected_flag =
1414 if (
unlikely(txd->flags & inspected_flag)) {
1415 SCLogDebug(
"%" PRIu64
" tx already fully inspected for %s. Flags %02x", tx_id,
1416 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient", txd->flags);
1422 if (
unlikely(txd->flags & skip_flag)) {
1423 SCLogDebug(
"%" PRIu64
" tx should not be inspected in direction %s. Flags %02x", tx_id,
1424 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient", txd->flags);
1429 const uint8_t detect_progress =
1430 (flow_flags & STREAM_TOSERVER) ? txd->detect_progress_ts : txd->detect_progress_tc;
1432 const int dir_int = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
1435 tx_de_state ? &tx_de_state->
dir_state[dir_int] : NULL;
1440 .de_state = tx_dir_state,
1441 .detect_progress = detect_progress,
1442 .detect_progress_orig = detect_progress,
1443 .tx_progress = tx_progress,
1444 .tx_end_state = tx_end_state,
1449 static inline void StoreDetectProgress(
1453 if (flow_flags & STREAM_TOSERVER) {
1454 txd->detect_progress_ts = progress;
1456 txd->detect_progress_tc = progress;
1462 static inline void RuleMatchCandidateMergeStateRules(
1480 uint32_t j = *array_idx;
1489 uint32_t k = *array_idx;
1511 if (s->
iid <= s0->
id) {
1556 bool *skip_fw_hook,
const uint8_t skip_before_progress,
bool *last_for_progress,
1557 bool *fw_next_progress_missing)
1567 if (can_idx + 1 < can_size) {
1573 SCLogDebug(
"peek: next sid progress %u != current progress %u, so current "
1574 "is last for progress",
1576 *last_for_progress =
true;
1579 SCLogDebug(
"peek: missing progress, so we'll drop that unless we get a "
1580 "sweeping accept first");
1581 *fw_next_progress_missing =
true;
1585 SCLogDebug(
"peek: next sid not a fw rule, so current is last for progress");
1586 *last_for_progress =
true;
1589 SCLogDebug(
"peek: no peek beyond last rule");
1591 SCLogDebug(
"peek: there are no rules to allow the state after this rule");
1592 *fw_next_progress_missing =
true;
1596 if ((*skip_fw_hook) ==
true) {
1600 *skip_fw_hook =
false;
1632 static inline bool ApplyAcceptToPacket(
1646 if (total_txs == tx->
tx_id + 1) {
1654 if ((total_txs == tx->
tx_id + 1) &&
1664 static bool ApplyAccept(
Packet *p,
const uint8_t flow_flags,
const Signature *s,
1665 DetectTransaction *tx,
const int tx_end_state,
const bool fw_next_progress_missing,
1666 bool *tx_fw_verdict,
bool *skip_fw_hook, uint8_t *skip_before_progress)
1668 *tx_fw_verdict =
true;
1674 *skip_fw_hook =
true;
1679 if (fw_next_progress_missing) {
1681 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient");
1689 *skip_fw_hook =
true;
1690 *skip_before_progress = (uint8_t)tx_end_state + 1;
1692 "accept:tx applied, skip_fw_hook, skip_before_progress %u", *skip_before_progress);
1709 const uint8_t flow_flags = scratch->
flow_flags;
1711 void *
const alstate = f->
alstate;
1712 const uint8_t ipproto = f->
proto;
1722 uint32_t fw_verdicted = 0;
1723 uint32_t tx_inspected = 0;
1730 if (ires.tx_ptr == NULL)
1734 GetDetectTx(ipproto, alproto, ires.tx_id, ires.tx_ptr, tx_end_state, flow_flags);
1736 SCLogDebug(
"%p/%"PRIu64
" no transaction to inspect",
1742 tx_id_min = tx.
tx_id + 1;
1751 bool do_sort =
false;
1752 uint32_t array_idx = 0;
1762 SCLogDebug(
"%p/%"PRIu64
" rules added from prefilter: %u candidates",
1766 if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {
1767 RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1781 if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {
1782 RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1788 uint32_t x = array_idx;
1790 RuleMatchCandidateMergeStateRules(det_ctx, &array_idx);
1794 const uint32_t old = array_idx;
1799 if (have_new_file) {
1800 SCLogDebug(
"%p/%"PRIu64
" destate: need to consider new file",
1807 for (; tx_store != NULL; tx_store = tx_store->
next) {
1813 store_cnt++, state_cnt++)
1830 do_sort |= (old && old != array_idx);
1836 DetectRunTxSortHelper);
1845 for (uint32_t i = 0; i < array_idx; i++) {
1851 bool skip_fw_hook =
false;
1852 uint8_t skip_before_progress = 0;
1853 bool fw_next_progress_missing =
false;
1861 if (total_txs == tx.
tx_id + 1) {
1862 DetectRunAppendDefaultAccept(det_ctx, p);
1868 bool tx_fw_verdict =
false;
1870 for (uint32_t i = 0; i < array_idx; i++) {
1874 bool break_out_of_app_filter =
false;
1877 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient", tx.
tx_progress,
1885 while ((i + 1) < array_idx &&
1887 SCLogDebug(
"%p/%" PRIu64
" inspecting SKIP NEXT: sid %u (%u), flags %08x",
1896 if (!tx_fw_verdict) {
1897 const bool accept_tx_applies_to_packet = total_txs == tx.
tx_id + 1;
1898 if (accept_tx_applies_to_packet) {
1899 SCLogDebug(
"accept:(tx|hook): should be applied to the packet");
1900 DetectRunAppendDefaultAccept(det_ctx, p);
1903 tx_fw_verdict =
true;
1906 SCLogDebug(
"APP_LAYER_TX_ACCEPT, so skip rule");
1914 s->
id, s->
iid, inspect_flags ? *inspect_flags : 0);
1916 if (inspect_flags) {
1919 " inspecting: sid %u (%u), flags %08x DE_STATE_FLAG_FULL_INSPECT",
1926 const bool fw_accept_to_packet = ApplyAcceptToPacket(total_txs, &tx, s);
1927 break_out_of_app_filter = ApplyAccept(p, flow_flags, s, &tx, tx_end_state,
1928 fw_next_progress_missing, &tx_fw_verdict, &skip_fw_hook,
1929 &skip_before_progress);
1930 if (fw_accept_to_packet)
1931 DetectRunAppendDefaultAccept(det_ctx, p);
1932 if (break_out_of_app_filter)
1939 " inspecting: sid %u (%u), flags %08x DE_STATE_FLAG_SIG_CANT_MATCH",
1945 if (inspect_flags) {
1953 bool last_for_progress =
false;
1954 if (have_fw_rules) {
1955 int fw_r = DetectRunTxCheckFirewallPolicy(det_ctx, p, f, &tx, s, i, array_idx,
1956 &skip_fw_hook, skip_before_progress, &last_for_progress,
1957 &fw_next_progress_missing);
1966 const int r = DetectRunTxInspectRule(
tv,
de_ctx, det_ctx, p, f, flow_flags,
1967 alstate, &tx, s, inspect_flags, can, scratch);
1970 DetectRunPostMatch(
tv, det_ctx, p, s);
1975 const bool fw_accept_to_packet = ApplyAcceptToPacket(total_txs, &tx, s);
1978 if (fw_accept_to_packet) {
1979 SCLogDebug(
"accept:(tx|hook): should be applied to the packet");
1988 break_out_of_app_filter = ApplyAccept(p, flow_flags, s, &tx, tx_end_state,
1989 fw_next_progress_missing, &tx_fw_verdict, &skip_fw_hook,
1990 &skip_before_progress);
1992 }
else if (last_for_progress) {
1993 SCLogDebug(
"sid %u: not a match: %s rule, last_for_progress %s", s->
id,
1998 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient");
2003 break_out_of_app_filter =
true;
2004 tx_fw_verdict =
true;
2007 DetectVarProcessList(det_ctx, p->
flow, p);
2016 uint32_t prev_array_idx = array_idx;
2019 if (
ts->app_inspect != NULL) {
2027 SCLogDebug(
"%p/%" PRIu64
" rule %u (%u) added from 'post match' prefilter",
2031 SCLogDebug(
"%p/%" PRIu64
" rules added from 'post match' prefilter: %u", tx.
tx_ptr,
2032 tx.
tx_id, array_idx - prev_array_idx);
2033 if (prev_array_idx != array_idx) {
2036 DetectRunTxSortHelper);
2042 if (break_out_of_app_filter)
2057 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient");
2058 const uint8_t inspected_flag = (flow_flags & STREAM_TOSERVER)
2062 SCLogDebug(
"%p/%" PRIu64
" tx is done for direction %s. Progress %02x", tx.
tx_ptr,
2063 tx.
tx_id, flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient",
2086 SCLogDebug(
"packet %" PRIu64
": tx_inspected %u fw_verdicted %u", p->
pcap_cnt, tx_inspected,
2088 if (tx_inspected && have_fw_rules && tx_inspected != fw_verdicted) {
2090 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient");
2096 if (tx_inspected == 0 && fw_verdicted == 0 && have_fw_rules) {
2097 DetectRunAppendDefaultAccept(det_ctx, p);
2112 SCLogDebug(
"pcap_cnt %" PRIu64
": %s: skip frame inspection for TCP w/o APP UPDATE",
2117 if (frames_container == NULL) {
2122 frames = &frames_container->
toserver;
2124 frames = &frames_container->
toclient;
2127 for (uint32_t idx = 0; idx < frames->
cnt; idx++) {
2130 if (frame == NULL) {
2135 uint32_t array_idx = 0;
2143 SCLogDebug(
"%p/%" PRIi64
" rules added from prefilter: %u candidates", frame, frame->
id,
2148 if (!(RuleMatchCandidateTxArrayHasSpace(
2149 det_ctx, total_rules))) {
2150 RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
2165 uint32_t x = array_idx;
2176 SCLogDebug(
"%p/%" PRIi64
" rule %u (%u) added from 'match' list", frame, frame->
id,
2180 SCLogDebug(
"%p/%" PRIi64
" rules added from 'match' list: %u", frame, frame->
id,
2185 for (uint32_t i = 0; i < array_idx; i++) {
2192 while ((i + 1) < array_idx &&
2196 SCLogDebug(
"%p/%" PRIi64
" inspecting: sid %u (%u)", frame, frame->
id, s->
id, s->
iid);
2199 SCLogDebug(
"%p/%" PRIi64
" Start sid %u", frame, frame->
id, s->
id);
2203 bool r = DetectRunInspectRuleHeader(p, f, s, s->
flags, s->
proto.
flags);
2208 DetectRunPostMatch(
tv, det_ctx, p, s);
2213 "%p/%" PRIi64
" sig %u (%u) matched", frame, frame->
id, s->
id, s->
iid);
2220 DetectVarProcessList(det_ctx, p->
flow, p);
2231 "frame->inspect_progress: %" PRIu64
" -> not updated", frame->
inspect_progress);
2234 SCLogDebug(
"%p/%" PRIi64
" rules inspected, running cleanup", frame, frame->
id);
2285 SCLogDebug(
"p->pcap %"PRIu64
": no detection on packet, "
2286 "PKT_NOPACKET_INSPECTION is set", p->
pcap_cnt);
2314 DetectRunPacketHook(
tv,
de_ctx, det_ctx, sgh, p);
2325 DetectRunPacketHook(
tv,
de_ctx, det_ctx, sgh, p);
2343 if (det_ctx == NULL) {
2344 printf(
"ERROR: Detect has no thread ctx\n");
2350 SCLogDebug(
"Detect Engine using new det_ctx - %p",
2361 if (tenant_id > 0 && tenant_id < det_ctx->mt_det_ctxs_cnt) {
2364 if (det_ctx == NULL)
2372 SCLogDebug(
"MT de_ctx %p det_ctx %p (tenant %u)",
de_ctx, det_ctx, tenant_id);
2383 DetectFlow(
tv,
de_ctx, det_ctx, p);
2385 DetectNoFlow(
tv,
de_ctx, det_ctx, p);
2388 #ifdef PROFILE_RULES
2391 gettimeofday(&
ts, NULL);
2392 if (
ts.tv_sec != det_ctx->rule_perf_last_sync) {
2393 SCProfilingRuleThreatAggregate(det_ctx);
2394 det_ctx->rule_perf_last_sync =
ts.tv_sec;
2408 DetectPostInspectFileFlagsUpdate(f, NULL , STREAM_TOSERVER);
2409 DetectPostInspectFileFlagsUpdate(f, NULL , STREAM_TOCLIENT);
2420 DetectFlow(
tv,
de_ctx, det_ctx, p);
2422 DetectNoFlow(
tv,
de_ctx, det_ctx, p);