detect_8c_source.html

/* Copyright (C) 2007-2017 Open Information Security Foundation

 *

 * You can copy, redistribute or modify this Program under the terms of

 * the GNU General Public License version 2 as published by the Free

 * Software Foundation.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * version 2 along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

 * 02110-1301, USA.

 */


/**

 * \file

 *

 * \author Victor Julien <victor@inliniac.net>

 *

 * Basic detection engine

 */


#include "suricata-common.h"

#include "suricata.h"

#include "conf.h"


#include "decode.h"

#include "flow.h"

#include "stream-tcp.h"

#include "app-layer.h"

#include "app-layer-parser.h"


#include "detect.h"

#include "detect-engine.h"

#include "detect-engine-profile.h"


#include "detect-engine-alert.h"

#include "detect-engine-siggroup.h"

#include "detect-engine-address.h"

#include "detect-engine-proto.h"

#include "detect-engine-port.h"

#include "detect-engine-mpm.h"

#include "detect-engine-iponly.h"

#include "detect-engine-threshold.h"

#include "detect-engine-prefilter.h"

#include "detect-engine-state.h"

#include "detect-engine-analyzer.h"


#include "detect-engine-payload.h"

#include "detect-engine-event.h"


#include "detect-filestore.h"

#include "detect-flowvar.h"

#include "detect-replace.h"


#include "util-validate.h"

#include "util-detect.h"


typedef struct DetectRunScratchpad {

    const AppProto alproto;

    const uint8_t flow_flags; /* flow/state flags: STREAM_* */

    const bool app_decoder_events;

    const SigGroupHead *sgh;

    SignatureMask pkt_mask;

} DetectRunScratchpad;


/* prototypes */

static DetectRunScratchpad DetectRunSetup(const DetectEngineCtx *de_ctx,

        DetectEngineThreadCtx *det_ctx, Packet * const p, Flow * const pflow);

static void DetectRunInspectIPOnly(ThreadVars *tv, const DetectEngineCtx *de_ctx,

        DetectEngineThreadCtx *det_ctx, Flow * const pflow, Packet * const p);

static inline void DetectRunGetRuleGroup(const DetectEngineCtx *de_ctx,

        Packet * const p, Flow * const pflow, DetectRunScratchpad *scratch);

static inline void DetectRunPrefilterPkt(ThreadVars *tv,

        DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p,

        DetectRunScratchpad *scratch);

static inline void DetectRulePacketRules(ThreadVars * const tv,

        DetectEngineCtx * const de_ctx, DetectEngineThreadCtx * const det_ctx,

        Packet * const p, Flow * const pflow, const DetectRunScratchpad *scratch);

static void DetectRunTx(ThreadVars *tv, DetectEngineCtx *de_ctx,

        DetectEngineThreadCtx *det_ctx, Packet *p,

        Flow *f, DetectRunScratchpad *scratch);

static inline void DetectRunPostRules(ThreadVars *tv, DetectEngineCtx *de_ctx,

        DetectEngineThreadCtx *det_ctx, Packet * const p, Flow * const pflow,

        DetectRunScratchpad *scratch);

static void DetectRunCleanup(DetectEngineThreadCtx *det_ctx,

        Packet *p, Flow * const pflow);


/** \internal

 */

static void DetectRun(ThreadVars *th_v,

        DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,

        Packet *p)

{

    SCEnter();

    SCLogDebug("pcap_cnt %"PRIu64, p->pcap_cnt);


    /* bail early if packet should not be inspected */

    if (p->flags & PKT_NOPACKET_INSPECTION) {

        /* nothing to do */

        SCReturn;

    }


    /* Load the Packet's flow early, even though it might not be needed.

     * Mark as a constant pointer, although the flow itself can change. */

    Flow * const pflow = p->flow;


    DetectRunScratchpad scratch = DetectRunSetup(de_ctx, det_ctx, p, pflow);


    /* run the IPonly engine */

    DetectRunInspectIPOnly(th_v, de_ctx, det_ctx, pflow, p);


    /* get our rule group */

    DetectRunGetRuleGroup(de_ctx, p, pflow, &scratch);

    /* if we didn't get a sig group head, we

     * have nothing to do.... */

    if (scratch.sgh == NULL) {

        SCLogDebug("no sgh for this packet, nothing to match against");

        goto end;

    }


    /* run the prefilters for packets */

    DetectRunPrefilterPkt(th_v, de_ctx, det_ctx, p, &scratch);


    PACKET_PROFILING_DETECT_START(p, PROF_DETECT_RULES);

    /* inspect the rules against the packet */

    DetectRulePacketRules(th_v, de_ctx, det_ctx, p, pflow, &scratch);

    PACKET_PROFILING_DETECT_END(p, PROF_DETECT_RULES);


    /* run tx/state inspection. Don't call for ICMP error msgs. */

    if (pflow && pflow->alstate && likely(pflow->proto == p->proto)) {

        PACKET_PROFILING_DETECT_START(p, PROF_DETECT_TX);

        DetectRunTx(th_v, de_ctx, det_ctx, p, pflow, &scratch);

        PACKET_PROFILING_DETECT_END(p, PROF_DETECT_TX);

    }


end:

    DetectRunPostRules(th_v, de_ctx, det_ctx, p, pflow, &scratch);


    DetectRunCleanup(det_ctx, p, pflow);

    SCReturn;

}


static void DetectRunPostMatch(ThreadVars *tv,

                               DetectEngineThreadCtx *det_ctx, Packet *p,

                               const Signature *s)

{

    /* run the packet match functions */

    const SigMatchData *smd = s->sm_arrays[DETECT_SM_LIST_POSTMATCH];

    if (smd != NULL) {

        KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_POSTMATCH);


        SCLogDebug("running match functions, sm %p", smd);


        while (1) {

            KEYWORD_PROFILING_START;

            (void)sigmatch_table[smd->type].Match(det_ctx, p, s, smd->ctx);

            KEYWORD_PROFILING_END(det_ctx, smd->type, 1);

            if (smd->is_last)

                break;

            smd++;

        }

    }

}


/**

 *  \brief Get the SigGroupHead for a packet.

 *

 *  \param de_ctx detection engine context

 *  \param p packet

 *

 *  \retval sgh the SigGroupHead or NULL if non applies to the packet

 */

const SigGroupHead *SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx,

        const Packet *p)

{

    SCEnter();


    int f;

    SigGroupHead *sgh = NULL;


    /* if the packet proto is 0 (not set), we're inspecting it against

     * the decoder events sgh we have. */

    if (p->proto == 0 && p->events.cnt > 0) {

        SCReturnPtr(de_ctx->decoder_event_sgh, "SigGroupHead");

    } else if (p->proto == 0) {

        if (!(PKT_IS_IPV4(p) || PKT_IS_IPV6(p))) {

            /* not IP, so nothing to do */

            SCReturnPtr(NULL, "SigGroupHead");

        }

    }


    /* select the flow_gh */

    if (p->flowflags & FLOW_PKT_TOCLIENT)

        f = 0;

    else

        f = 1;


    int proto = IP_GET_IPPROTO(p);

    if (proto == IPPROTO_TCP) {

        DetectPort *list = de_ctx->flow_gh[f].tcp;

        SCLogDebug("tcp toserver %p, tcp toclient %p: going to use %p",

                de_ctx->flow_gh[1].tcp, de_ctx->flow_gh[0].tcp, de_ctx->flow_gh[f].tcp);

        uint16_t port = f ? p->dp : p->sp;

        SCLogDebug("tcp port %u -> %u:%u", port, p->sp, p->dp);

        DetectPort *sghport = DetectPortLookupGroup(list, port);

        if (sghport != NULL)

            sgh = sghport->sh;

        SCLogDebug("TCP list %p, port %u, direction %s, sghport %p, sgh %p",

                list, port, f ? "toserver" : "toclient", sghport, sgh);

    } else if (proto == IPPROTO_UDP) {

        DetectPort *list = de_ctx->flow_gh[f].udp;

        uint16_t port = f ? p->dp : p->sp;

        DetectPort *sghport = DetectPortLookupGroup(list, port);

        if (sghport != NULL)

            sgh = sghport->sh;

        SCLogDebug("UDP list %p, port %u, direction %s, sghport %p, sgh %p",

                list, port, f ? "toserver" : "toclient", sghport, sgh);

    } else {

        sgh = de_ctx->flow_gh[f].sgh[proto];

    }


    SCReturnPtr(sgh, "SigGroupHead");

}


static inline void DetectPrefilterMergeSort(DetectEngineCtx *de_ctx,

                                            DetectEngineThreadCtx *det_ctx)

{

    SigIntId mpm, nonmpm;

    SigIntId *mpm_ptr = det_ctx->pmq.rule_id_array;

    SigIntId *nonmpm_ptr = det_ctx->non_pf_id_array;

    uint32_t m_cnt = det_ctx->pmq.rule_id_array_cnt;

    uint32_t n_cnt = det_ctx->non_pf_id_cnt;

    SigIntId *final_ptr;

    uint32_t final_cnt;

    SigIntId id;

    SigIntId previous_id = (SigIntId)-1;

    Signature **sig_array = de_ctx->sig_array;

    Signature **match_array = det_ctx->match_array;

    Signature *s;


    SCLogDebug("PMQ rule id array count %d", det_ctx->pmq.rule_id_array_cnt);


    /* Load first values. */

    if (likely(m_cnt)) {

        mpm = *mpm_ptr;

    } else {

        /* mpm list is empty */

        final_ptr = nonmpm_ptr;

        final_cnt = n_cnt;

        goto final;

    }

    if (likely(n_cnt)) {

        nonmpm = *nonmpm_ptr;

    } else {

        /* non-mpm list is empty. */

        final_ptr = mpm_ptr;

        final_cnt = m_cnt;

        goto final;

    }

    while (1) {

        if (mpm < nonmpm) {

            /* Take from mpm list */

            id = mpm;


            s = sig_array[id];

            /* As the mpm list can contain duplicates, check for that here. */

            if (likely(id != previous_id)) {

                *match_array++ = s;

                previous_id = id;

            }

            if (unlikely(--m_cnt == 0)) {

                /* mpm list is now empty */

                final_ptr = nonmpm_ptr;

                final_cnt = n_cnt;

                goto final;

             }

             mpm_ptr++;

             mpm = *mpm_ptr;

         } else if (mpm > nonmpm) {

             id = nonmpm;


             s = sig_array[id];

             /* As the mpm list can contain duplicates, check for that here. */

             if (likely(id != previous_id)) {

                 *match_array++ = s;

                 previous_id = id;

             }

             if (unlikely(--n_cnt == 0)) {

                 final_ptr = mpm_ptr;

                 final_cnt = m_cnt;

                 goto final;

             }

             nonmpm_ptr++;

             nonmpm = *nonmpm_ptr;


        } else { /* implied mpm == nonmpm */

            /* special case: if on both lists, it's a negated mpm pattern */


            /* mpm list may have dups, so skip past them here */

            while (--m_cnt != 0) {

                mpm_ptr++;

                mpm = *mpm_ptr;

                if (mpm != nonmpm)

                    break;

            }

            /* if mpm is done, update nonmpm_ptrs and jump to final */

            if (unlikely(m_cnt == 0)) {

                n_cnt--;


                /* mpm list is now empty */

                final_ptr = ++nonmpm_ptr;

                final_cnt = n_cnt;

                goto final;

            }

            /* otherwise, if nonmpm is done jump to final for mpm

             * mpm ptrs alrady updated */

            if (unlikely(--n_cnt == 0)) {

                final_ptr = mpm_ptr;

                final_cnt = m_cnt;

                goto final;

            }


            /* not at end of the lists, update nonmpm. Mpm already

             * updated in while loop above. */

            nonmpm_ptr++;

            nonmpm = *nonmpm_ptr;

        }

    }


 final: /* Only one list remaining. Just walk that list. */


    while (final_cnt-- > 0) {

        id = *final_ptr++;

        s = sig_array[id];


        /* As the mpm list can contain duplicates, check for that here. */

        if (likely(id != previous_id)) {

            *match_array++ = s;

            previous_id = id;

        }

    }


    det_ctx->match_array_cnt = match_array - det_ctx->match_array;

    DEBUG_VALIDATE_BUG_ON((det_ctx->pmq.rule_id_array_cnt + det_ctx->non_pf_id_cnt) < det_ctx->match_array_cnt);

    PMQ_RESET(&det_ctx->pmq);

}


/** \internal

 *  \brief build non-prefilter list based on the rule group list we've set.

 */

static inline void

DetectPrefilterBuildNonPrefilterList(DetectEngineThreadCtx *det_ctx,

        const SignatureMask mask, const uint8_t alproto)

{

    for (uint32_t x = 0; x < det_ctx->non_pf_store_cnt; x++) {

        /* only if the mask matches this rule can possibly match,

         * so build the non_mpm array only for match candidates */

        const SignatureMask rule_mask = det_ctx->non_pf_store_ptr[x].mask;

        const uint8_t rule_alproto = det_ctx->non_pf_store_ptr[x].alproto;

        if ((rule_mask & mask) == rule_mask &&

                (rule_alproto == 0 || AppProtoEquals(rule_alproto, alproto))) {

            det_ctx->non_pf_id_array[det_ctx->non_pf_id_cnt++] = det_ctx->non_pf_store_ptr[x].id;

        }

    }

}


/** \internal

 *  \brief select non-mpm list

 *  Based on the packet properties, select the non-mpm list to use

 *  \todo move non_pf_store* into scratchpad */

static inline void

DetectPrefilterSetNonPrefilterList(const Packet *p, DetectEngineThreadCtx *det_ctx, DetectRunScratchpad *scratch)

{

    if ((p->proto == IPPROTO_TCP) && (p->tcph != NULL) && (p->tcph->th_flags & TH_SYN)) {

        det_ctx->non_pf_store_ptr = scratch->sgh->non_pf_syn_store_array;

        det_ctx->non_pf_store_cnt = scratch->sgh->non_pf_syn_store_cnt;

    } else {

        det_ctx->non_pf_store_ptr = scratch->sgh->non_pf_other_store_array;

        det_ctx->non_pf_store_cnt = scratch->sgh->non_pf_other_store_cnt;

    }

    SCLogDebug("sgh non_pf ptr %p cnt %u (syn %p/%u, other %p/%u)",

            det_ctx->non_pf_store_ptr, det_ctx->non_pf_store_cnt,

            scratch->sgh->non_pf_syn_store_array, scratch->sgh->non_pf_syn_store_cnt,

            scratch->sgh->non_pf_other_store_array, scratch->sgh->non_pf_other_store_cnt);

}


/** \internal

 *  \brief update flow's file tracking flags based on the detection engine

 *         A set of flags is prepared that is sent to the File API. The

           File API may reject one or more based on the global force settings.

 */

static inline void

DetectPostInspectFileFlagsUpdate(Flow *f, const SigGroupHead *sgh, uint8_t direction)

{

    uint16_t flow_file_flags = FLOWFILE_INIT;


    if (sgh == NULL) {

        SCLogDebug("requesting disabling all file features for flow");

        flow_file_flags = FLOWFILE_NONE;

    } else {

        if (sgh->filestore_cnt == 0) {

            SCLogDebug("requesting disabling filestore for flow");

            flow_file_flags |= (FLOWFILE_NO_STORE_TS|FLOWFILE_NO_STORE_TC);

        }

#ifdef HAVE_MAGIC

        if (!(sgh->flags & SIG_GROUP_HEAD_HAVEFILEMAGIC)) {

            SCLogDebug("requesting disabling magic for flow");

            flow_file_flags |= (FLOWFILE_NO_MAGIC_TS|FLOWFILE_NO_MAGIC_TC);

        }

#endif

        if (!(sgh->flags & SIG_GROUP_HEAD_HAVEFILEMD5)) {

            SCLogDebug("requesting disabling md5 for flow");

            flow_file_flags |= (FLOWFILE_NO_MD5_TS|FLOWFILE_NO_MD5_TC);

        }

        if (!(sgh->flags & SIG_GROUP_HEAD_HAVEFILESHA1)) {

            SCLogDebug("requesting disabling sha1 for flow");

            flow_file_flags |= (FLOWFILE_NO_SHA1_TS|FLOWFILE_NO_SHA1_TC);

        }

        if (!(sgh->flags & SIG_GROUP_HEAD_HAVEFILESHA256)) {

            SCLogDebug("requesting disabling sha256 for flow");

            flow_file_flags |= (FLOWFILE_NO_SHA256_TS|FLOWFILE_NO_SHA256_TC);

        }

        if (!(sgh->flags & SIG_GROUP_HEAD_HAVEFILESIZE)) {

            SCLogDebug("requesting disabling filesize for flow");

            flow_file_flags |= (FLOWFILE_NO_SIZE_TS|FLOWFILE_NO_SIZE_TC);

        }

    }

    if (flow_file_flags != 0) {

        FileUpdateFlowFileFlags(f, flow_file_flags, direction);

    }

}


static inline void

DetectRunPostGetFirstRuleGroup(const Packet *p, Flow *pflow, const SigGroupHead *sgh)

{

    if ((p->flowflags & FLOW_PKT_TOSERVER) && !(pflow->flags & FLOW_SGH_TOSERVER)) {

        /* first time we see this toserver sgh, store it */

        pflow->sgh_toserver = sgh;

        pflow->flags |= FLOW_SGH_TOSERVER;


        if (p->proto == IPPROTO_TCP && (sgh == NULL || !(sgh->flags & SIG_GROUP_HEAD_HAVERAWSTREAM))) {

            if (pflow->protoctx != NULL) {

                TcpSession *ssn = pflow->protoctx;

                SCLogDebug("STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.client");

                ssn->client.flags |= STREAMTCP_STREAM_FLAG_DISABLE_RAW;

            }

        }


        DetectPostInspectFileFlagsUpdate(pflow,

                pflow->sgh_toserver, STREAM_TOSERVER);


    } else if ((p->flowflags & FLOW_PKT_TOCLIENT) && !(pflow->flags & FLOW_SGH_TOCLIENT)) {

        pflow->sgh_toclient = sgh;

        pflow->flags |= FLOW_SGH_TOCLIENT;


        if (p->proto == IPPROTO_TCP && (sgh == NULL || !(sgh->flags & SIG_GROUP_HEAD_HAVERAWSTREAM))) {

            if (pflow->protoctx != NULL) {

                TcpSession *ssn = pflow->protoctx;

                SCLogDebug("STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.server");

                ssn->server.flags |= STREAMTCP_STREAM_FLAG_DISABLE_RAW;

            }

        }


        DetectPostInspectFileFlagsUpdate(pflow,

                pflow->sgh_toclient, STREAM_TOCLIENT);

    }

}


static inline void DetectRunGetRuleGroup(

    const DetectEngineCtx *de_ctx,

    Packet * const p, Flow * const pflow,

    DetectRunScratchpad *scratch)

{

    const SigGroupHead *sgh = NULL;


    if (pflow) {

        bool use_flow_sgh = false;

        /* Get the stored sgh from the flow (if any). Make sure we're not using

         * the sgh for icmp error packets part of the same stream. */

        if (IP_GET_IPPROTO(p) == pflow->proto) { /* filter out icmp */

            PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);

            if ((p->flowflags & FLOW_PKT_TOSERVER) && (pflow->flags & FLOW_SGH_TOSERVER)) {

                sgh = pflow->sgh_toserver;

                SCLogDebug("sgh = pflow->sgh_toserver; => %p", sgh);

                use_flow_sgh = true;

            } else if ((p->flowflags & FLOW_PKT_TOCLIENT) && (pflow->flags & FLOW_SGH_TOCLIENT)) {

                sgh = pflow->sgh_toclient;

                SCLogDebug("sgh = pflow->sgh_toclient; => %p", sgh);

                use_flow_sgh = true;

            }

            PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);

        }


        if (!(use_flow_sgh)) {

            PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);

            sgh = SigMatchSignaturesGetSgh(de_ctx, p);

            PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);


            /* HACK: prevent the wrong sgh (or NULL) from being stored in the

             * flow's sgh pointers */

            if (PKT_IS_ICMPV4(p) && ICMPV4_DEST_UNREACH_IS_VALID(p)) {

                ; /* no-op */

            } else {

                /* store the found sgh (or NULL) in the flow to save us

                 * from looking it up again for the next packet.

                 * Also run other tasks */

                DetectRunPostGetFirstRuleGroup(p, pflow, sgh);

            }

        }

    } else { /* p->flags & PKT_HAS_FLOW */

        /* no flow */


        PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);

        sgh = SigMatchSignaturesGetSgh(de_ctx, p);

        PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);

    }


    scratch->sgh = sgh;

}


static void DetectRunInspectIPOnly(ThreadVars *tv, const DetectEngineCtx *de_ctx,

        DetectEngineThreadCtx *det_ctx,

        Flow * const pflow, Packet * const p)

{

    if (pflow) {

        /* set the iponly stuff */

        if (pflow->flags & FLOW_TOCLIENT_IPONLY_SET)

            p->flowflags |= FLOW_PKT_TOCLIENT_IPONLY_SET;

        if (pflow->flags & FLOW_TOSERVER_IPONLY_SET)

            p->flowflags |= FLOW_PKT_TOSERVER_IPONLY_SET;


        if (((p->flowflags & FLOW_PKT_TOSERVER) && !(p->flowflags & FLOW_PKT_TOSERVER_IPONLY_SET)) ||

            ((p->flowflags & FLOW_PKT_TOCLIENT) && !(p->flowflags & FLOW_PKT_TOCLIENT_IPONLY_SET)))

        {

            SCLogDebug("testing against \"ip-only\" signatures");


            PACKET_PROFILING_DETECT_START(p, PROF_DETECT_IPONLY);

            IPOnlyMatchPacket(tv, de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);

            PACKET_PROFILING_DETECT_END(p, PROF_DETECT_IPONLY);


            /* save in the flow that we scanned this direction... */

            FlowSetIPOnlyFlag(pflow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);


        } else if (((p->flowflags & FLOW_PKT_TOSERVER) &&

                   (pflow->flags & FLOW_TOSERVER_IPONLY_SET)) ||

                   ((p->flowflags & FLOW_PKT_TOCLIENT) &&

                   (pflow->flags & FLOW_TOCLIENT_IPONLY_SET)))

        {

            /* If we have a drop from IP only module,

             * we will drop the rest of the flow packets

             * This will apply only to inline/IPS */

            if (pflow->flags & FLOW_ACTION_DROP) {

                PACKET_DROP(p);

            }

        }

    } else { /* p->flags & PKT_HAS_FLOW */

        /* no flow */


        /* Even without flow we should match the packet src/dst */

        PACKET_PROFILING_DETECT_START(p, PROF_DETECT_IPONLY);

        IPOnlyMatchPacket(tv, de_ctx, det_ctx, &de_ctx->io_ctx,

                          &det_ctx->io_ctx, p);

        PACKET_PROFILING_DETECT_END(p, PROF_DETECT_IPONLY);

    }

}


/* returns 0 if no match, 1 if match */

static inline int DetectRunInspectRuleHeader(

    const Packet *p,

    const Flow *f,

    const Signature *s,

    const uint32_t sflags,

    const uint8_t s_proto_flags)

{

    /* check if this signature has a requirement for flowvars of some type

     * and if so, if we actually have any in the flow. If not, the sig

     * can't match and we skip it. */

    if ((p->flags & PKT_HAS_FLOW) && (sflags & SIG_FLAG_REQUIRE_FLOWVAR)) {

        DEBUG_VALIDATE_BUG_ON(f == NULL);


        int m  = f->flowvar ? 1 : 0;


        /* no flowvars? skip this sig */

        if (m == 0) {

            SCLogDebug("skipping sig as the flow has no flowvars and sig "

                    "has SIG_FLAG_REQUIRE_FLOWVAR flag set.");

            return 0;

        }

    }


    if ((s_proto_flags & DETECT_PROTO_IPV4) && !PKT_IS_IPV4(p)) {

        SCLogDebug("ip version didn't match");

        return 0;

    }

    if ((s_proto_flags & DETECT_PROTO_IPV6) && !PKT_IS_IPV6(p)) {

        SCLogDebug("ip version didn't match");

        return 0;

    }


    if (DetectProtoContainsProto(&s->proto, IP_GET_IPPROTO(p)) == 0) {

        SCLogDebug("proto didn't match");

        return 0;

    }


    /* check the source & dst port in the sig */

    if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP || p->proto == IPPROTO_SCTP) {

        if (!(sflags & SIG_FLAG_DP_ANY)) {

            if (p->flags & PKT_IS_FRAGMENT)

                return 0;

            DetectPort *dport = DetectPortLookupGroup(s->dp,p->dp);

            if (dport == NULL) {

                SCLogDebug("dport didn't match.");

                return 0;

            }

        }

        if (!(sflags & SIG_FLAG_SP_ANY)) {

            if (p->flags & PKT_IS_FRAGMENT)

                return 0;

            DetectPort *sport = DetectPortLookupGroup(s->sp,p->sp);

            if (sport == NULL) {

                SCLogDebug("sport didn't match.");

                return 0;

            }

        }

    } else if ((sflags & (SIG_FLAG_DP_ANY|SIG_FLAG_SP_ANY)) != (SIG_FLAG_DP_ANY|SIG_FLAG_SP_ANY)) {

        SCLogDebug("port-less protocol and sig needs ports");

        return 0;

    }


    /* check the destination address */

    if (!(sflags & SIG_FLAG_DST_ANY)) {

        if (PKT_IS_IPV4(p)) {

            if (DetectAddressMatchIPv4(s->addr_dst_match4, s->addr_dst_match4_cnt, &p->dst) == 0)

                return 0;

        } else if (PKT_IS_IPV6(p)) {

            if (DetectAddressMatchIPv6(s->addr_dst_match6, s->addr_dst_match6_cnt, &p->dst) == 0)

                return 0;

        }

    }

    /* check the source address */

    if (!(sflags & SIG_FLAG_SRC_ANY)) {

        if (PKT_IS_IPV4(p)) {

            if (DetectAddressMatchIPv4(s->addr_src_match4, s->addr_src_match4_cnt, &p->src) == 0)

                return 0;

        } else if (PKT_IS_IPV6(p)) {

            if (DetectAddressMatchIPv6(s->addr_src_match6, s->addr_src_match6_cnt, &p->src) == 0)

                return 0;

        }

    }


    return 1;

}


/** \internal

 *  \brief run packet/stream prefilter engines

 */

static inline void DetectRunPrefilterPkt(

    ThreadVars *tv,

    DetectEngineCtx *de_ctx,

    DetectEngineThreadCtx *det_ctx,

    Packet *p,

    DetectRunScratchpad *scratch

)

{

    DetectPrefilterSetNonPrefilterList(p, det_ctx, scratch);


    /* create our prefilter mask */

    PacketCreateMask(p, &scratch->pkt_mask, scratch->alproto, scratch->app_decoder_events);


    /* build and prefilter non_pf list against the mask of the packet */

    PACKET_PROFILING_DETECT_START(p, PROF_DETECT_NONMPMLIST);

    det_ctx->non_pf_id_cnt = 0;

    if (likely(det_ctx->non_pf_store_cnt > 0)) {

        DetectPrefilterBuildNonPrefilterList(det_ctx, scratch->pkt_mask, scratch->alproto);

    }

    PACKET_PROFILING_DETECT_END(p, PROF_DETECT_NONMPMLIST);


    /* run the prefilter engines */

    Prefilter(det_ctx, scratch->sgh, p, scratch->flow_flags);

    /* create match list if we have non-pf and/or pf */

    if (det_ctx->non_pf_store_cnt || det_ctx->pmq.rule_id_array_cnt) {

#ifdef PROFILING

        if (tv) {

            StatsAddUI64(tv, det_ctx->counter_mpm_list, (uint64_t)det_ctx->pmq.rule_id_array_cnt);

        }

#endif

        PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PF_SORT2);

        DetectPrefilterMergeSort(de_ctx, det_ctx);

        PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PF_SORT2);

    }


#ifdef PROFILING

    if (tv) {

        StatsAddUI64(tv, det_ctx->counter_nonmpm_list,

                             (uint64_t)det_ctx->non_pf_store_cnt);

        /* non mpm sigs after mask prefilter */

        StatsAddUI64(tv, det_ctx->counter_fnonmpm_list,

                             (uint64_t)det_ctx->non_pf_id_cnt);

    }

#endif

}


static inline void DetectRulePacketRules(

    ThreadVars * const tv,

    DetectEngineCtx * const de_ctx,

    DetectEngineThreadCtx * const det_ctx,

    Packet * const p,

    Flow * const pflow,

    const DetectRunScratchpad *scratch

)

{

    const Signature *s = NULL;

    const Signature *next_s = NULL;


    /* inspect the sigs against the packet */

    /* Prefetch the next signature. */

    SigIntId match_cnt = det_ctx->match_array_cnt;

#ifdef PROFILING

    if (tv) {

        StatsAddUI64(tv, det_ctx->counter_match_list,

                             (uint64_t)match_cnt);

    }

#endif

    Signature **match_array = det_ctx->match_array;


    SGH_PROFILING_RECORD(det_ctx, scratch->sgh);

#ifdef PROFILING

    if (match_cnt >= de_ctx->profile_match_logging_threshold)

        RulesDumpMatchArray(det_ctx, scratch->sgh, p);

#endif


    uint32_t sflags, next_sflags = 0;

    if (match_cnt) {

        next_s = *match_array++;

        next_sflags = next_s->flags;

    }

    while (match_cnt--) {

        RULE_PROFILING_START(p);

        uint8_t alert_flags = 0;

        bool state_alert = false;

#ifdef PROFILING

        bool smatch = false; /* signature match */

#endif

        s = next_s;

        sflags = next_sflags;

        if (match_cnt) {

            next_s = *match_array++;

            next_sflags = next_s->flags;

        }

        const uint8_t s_proto_flags = s->proto.flags;


        SCLogDebug("inspecting signature id %"PRIu32"", s->id);


        if (s->app_inspect != NULL) {

            goto next; // handle sig in DetectRunTx

        }


        /* don't run mask check for stateful rules.

         * There we depend on prefilter */

        if ((s->mask & scratch->pkt_mask) != s->mask) {

            SCLogDebug("mask mismatch %x & %x != %x", s->mask, scratch->pkt_mask, s->mask);

            goto next;

        }


        if (unlikely(sflags & SIG_FLAG_DSIZE)) {

            if (likely(p->payload_len < s->dsize_low || p->payload_len > s->dsize_high)) {

                SCLogDebug("kicked out as p->payload_len %u, dsize low %u, hi %u",

                        p->payload_len, s->dsize_low, s->dsize_high);

                goto next;

            }

        }


        /* if the sig has alproto and the session as well they should match */

        if (likely(sflags & SIG_FLAG_APPLAYER)) {

            if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, scratch->alproto)) {

                if (s->alproto == ALPROTO_DCERPC) {

                    if (scratch->alproto != ALPROTO_SMB) {

                        SCLogDebug("DCERPC sig, alproto not SMB");

                        goto next;

                    }

                } else {

                    SCLogDebug("alproto mismatch");

                    goto next;

                }

            }

        }


        if (DetectRunInspectRuleHeader(p, pflow, s, sflags, s_proto_flags) == 0) {

            goto next;

        }


        if (DetectEnginePktInspectionRun(tv, det_ctx, s, pflow, p, &alert_flags) == false) {

            goto next;

        }


#ifdef PROFILING

        smatch = true;

#endif

        DetectRunPostMatch(tv, det_ctx, p, s);


        if (!(sflags & SIG_FLAG_NOALERT)) {

            /* stateful sigs call PacketAlertAppend from DeStateDetectStartDetection */

            if (!state_alert)

                PacketAlertAppend(det_ctx, s, p, 0, alert_flags);

        } else {

            /* apply actions even if not alerting */

            DetectSignatureApplyActions(p, s, alert_flags);

        }

next:

        DetectVarProcessList(det_ctx, pflow, p);

        DetectReplaceFree(det_ctx);

        RULE_PROFILING_END(det_ctx, s, smatch, p);


        det_ctx->flags = 0;

        continue;

    }

}


static DetectRunScratchpad DetectRunSetup(

    const DetectEngineCtx *de_ctx,

    DetectEngineThreadCtx *det_ctx,

    Packet * const p, Flow * const pflow)

{

    AppProto alproto = ALPROTO_UNKNOWN;

    uint8_t flow_flags = 0; /* flow/state flags */

    bool app_decoder_events = false;


    PACKET_PROFILING_DETECT_START(p, PROF_DETECT_SETUP);


#ifdef UNITTESTS

    p->alerts.cnt = 0;

#endif

    det_ctx->ticker++;

    det_ctx->filestore_cnt = 0;

    det_ctx->base64_decoded_len = 0;

    det_ctx->raw_stream_progress = 0;

    det_ctx->match_array_cnt = 0;


#ifdef DEBUG

    if (p->flags & PKT_STREAM_ADD) {

        det_ctx->pkt_stream_add_cnt++;

    }

#endif


    /* grab the protocol state we will detect on */

    if (p->flags & PKT_HAS_FLOW) {

        DEBUG_VALIDATE_BUG_ON(pflow == NULL);


        if (p->flowflags & FLOW_PKT_TOSERVER) {

            flow_flags = STREAM_TOSERVER;

            SCLogDebug("flag STREAM_TOSERVER set");

        } else if (p->flowflags & FLOW_PKT_TOCLIENT) {

            flow_flags = STREAM_TOCLIENT;

            SCLogDebug("flag STREAM_TOCLIENT set");

        }

        SCLogDebug("p->flowflags 0x%02x", p->flowflags);


        if (p->flags & PKT_STREAM_EOF) {

            flow_flags |= STREAM_EOF;

            SCLogDebug("STREAM_EOF set");

        }


        /* store tenant_id in the flow so that we can use it

         * for creating pseudo packets */

        if (p->tenant_id > 0 && pflow->tenant_id == 0) {

            pflow->tenant_id = p->tenant_id;

        }


        /* live ruleswap check for flow updates */

        if (pflow->de_ctx_version == 0) {

            /* first time this flow is inspected, set id */

            pflow->de_ctx_version = de_ctx->version;

        } else if (pflow->de_ctx_version != de_ctx->version) {

            /* first time we inspect flow with this de_ctx, reset */

            pflow->flags &= ~FLOW_SGH_TOSERVER;

            pflow->flags &= ~FLOW_SGH_TOCLIENT;

            pflow->sgh_toserver = NULL;

            pflow->sgh_toclient = NULL;


            pflow->de_ctx_version = de_ctx->version;

            GenericVarFree(pflow->flowvar);

            pflow->flowvar = NULL;


            DetectEngineStateResetTxs(pflow);

        }


        /* Retrieve the app layer state and protocol and the tcp reassembled

         * stream chunks. */

        if ((p->proto == IPPROTO_TCP && (p->flags & PKT_STREAM_EST)) ||

                (p->proto == IPPROTO_UDP) ||

                (p->proto == IPPROTO_SCTP && (p->flowflags & FLOW_PKT_ESTABLISHED)))

        {

            /* update flow flags with knowledge on disruptions */

            flow_flags = FlowGetDisruptionFlags(pflow, flow_flags);

            alproto = FlowGetAppProtocol(pflow);

            if (p->proto == IPPROTO_TCP && pflow->protoctx &&

                    StreamReassembleRawHasDataReady(pflow->protoctx, p)) {

                p->flags |= PKT_DETECT_HAS_STREAMDATA;

                flow_flags |= STREAM_FLUSH;

            }

            SCLogDebug("alproto %u", alproto);

        } else {

            SCLogDebug("packet doesn't have established flag set (proto %d)", p->proto);

        }


        app_decoder_events = AppLayerParserHasDecoderEvents(pflow->alparser);

    }


    DetectRunScratchpad pad = { alproto, flow_flags, app_decoder_events, NULL, 0 };

    PACKET_PROFILING_DETECT_END(p, PROF_DETECT_SETUP);

    return pad;

}


static inline void DetectRunPostRules(

    ThreadVars *tv,

    DetectEngineCtx *de_ctx,

    DetectEngineThreadCtx *det_ctx,

    Packet * const p,

    Flow * const pflow,

    DetectRunScratchpad *scratch)

{

    /* see if we need to increment the inspect_id and reset the de_state */

    if (pflow && pflow->alstate) {

        PACKET_PROFILING_DETECT_START(p, PROF_DETECT_TX_UPDATE);

        DeStateUpdateInspectTransactionId(pflow, scratch->flow_flags, (scratch->sgh == NULL));

        PACKET_PROFILING_DETECT_END(p, PROF_DETECT_TX_UPDATE);

    }


    /* so now let's iterate the alerts and remove the ones after a pass rule

     * matched (if any). This is done inside PacketAlertFinalize() */

    /* PR: installed "tag" keywords are handled after the threshold inspection */


    PACKET_PROFILING_DETECT_START(p, PROF_DETECT_ALERT);

    PacketAlertFinalize(de_ctx, det_ctx, p);

    if (p->alerts.cnt > 0) {

        StatsAddUI64(tv, det_ctx->counter_alerts, (uint64_t)p->alerts.cnt);

    }

    PACKET_PROFILING_DETECT_END(p, PROF_DETECT_ALERT);

}


static void DetectRunCleanup(DetectEngineThreadCtx *det_ctx,

        Packet *p, Flow * const pflow)

{

    PACKET_PROFILING_DETECT_START(p, PROF_DETECT_CLEANUP);

    InspectionBufferClean(det_ctx);


    if (pflow != NULL) {

        /* update inspected tracker for raw reassembly */

        if (p->proto == IPPROTO_TCP && pflow->protoctx != NULL &&

                (p->flags & PKT_DETECT_HAS_STREAMDATA)) {

            StreamReassembleRawUpdateProgress(pflow->protoctx, p,

                    det_ctx->raw_stream_progress);

        }

    }

    PACKET_PROFILING_DETECT_END(p, PROF_DETECT_CLEANUP);

    SCReturn;

}


void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size)

{

    DEBUG_VALIDATE_BUG_ON(det_ctx->tx_candidates);

    det_ctx->tx_candidates = SCCalloc(size, sizeof(RuleMatchCandidateTx));

    if (det_ctx->tx_candidates == NULL) {

        FatalError(SC_ERR_MEM_ALLOC, "failed to allocate %"PRIu64" bytes",

                (uint64_t)(size * sizeof(RuleMatchCandidateTx)));

    }

    det_ctx->tx_candidates_size = size;

    SCLogDebug("array initialized to %u elements (%"PRIu64" bytes)",

            size, (uint64_t)(size * sizeof(RuleMatchCandidateTx)));

}


void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx)

{

    SCFree(det_ctx->tx_candidates);

    det_ctx->tx_candidates_size = 0;

}


/* if size >= cur_space */

static inline bool RuleMatchCandidateTxArrayHasSpace(const DetectEngineThreadCtx *det_ctx,

        const uint32_t need)

{

    if (det_ctx->tx_candidates_size >= need)

        return 1;

    return 0;

}


/* realloc */

static int RuleMatchCandidateTxArrayExpand(DetectEngineThreadCtx *det_ctx, const uint32_t needed)

{

    const uint32_t old_size = det_ctx->tx_candidates_size;

    uint32_t new_size = needed;

    void *ptmp = SCRealloc(det_ctx->tx_candidates, (new_size * sizeof(RuleMatchCandidateTx)));

    if (ptmp == NULL) {

        FatalError(SC_ERR_MEM_ALLOC, "failed to expand to %"PRIu64" bytes",

                (uint64_t)(new_size * sizeof(RuleMatchCandidateTx)));

        // TODO can this be handled more gracefully?

    }

    det_ctx->tx_candidates = ptmp;

    det_ctx->tx_candidates_size = new_size;

    SCLogDebug("array expanded from %u to %u elements (%"PRIu64" bytes -> %"PRIu64" bytes)",

            old_size, new_size, (uint64_t)(old_size * sizeof(RuleMatchCandidateTx)),

            (uint64_t)(new_size * sizeof(RuleMatchCandidateTx))); (void)old_size;

    return 1;

}


/** \internal

 *  \brief sort helper for sorting match candidates by id: ascending

 *

 *  The id field is set from Signature::num, so we sort the candidates to match the signature

 *  sort order (ascending).

 *

 *  \todo maybe let one with flags win if equal? */

static int

DetectRunTxSortHelper(const void *a, const void *b)

{

    const RuleMatchCandidateTx *s0 = a;

    const RuleMatchCandidateTx *s1 = b;

    if (s1->id == s0->id)

        return 0;

    else

        return s0->id > s1->id ? 1 : -1;

}


#if 0

#define TRACE_SID_TXS(sid,txs,...)          \

    do {                                    \

        char _trace_buf[2048];              \

        snprintf(_trace_buf, sizeof(_trace_buf), __VA_ARGS__);  \

        SCLogNotice("%p/%"PRIu64"/%u: %s", txs->tx_ptr, txs->tx_id, sid, _trace_buf);   \

    } while(0)

#else

#define TRACE_SID_TXS(sid,txs,...)

#endif


/** \internal

 *  \brief inspect a rule against a transaction

 *

 *  Inspect a rule. New detection or continued stateful

 *  detection.

 *

 *  \param stored_flags pointer to stored flags or NULL.

 *         If stored_flags is set it means we're continueing

 *         inspection from an earlier run.

 *

 *  \retval bool true sig matched, false didn't match

 */

static bool DetectRunTxInspectRule(ThreadVars *tv,

        DetectEngineCtx *de_ctx,

        DetectEngineThreadCtx *det_ctx,

        Packet *p,

        Flow *f,

        const uint8_t in_flow_flags,   // direction, EOF, etc

        void *alstate,

        DetectTransaction *tx,

        const Signature *s,

        uint32_t *stored_flags,

        RuleMatchCandidateTx *can,

        DetectRunScratchpad *scratch)

{

    uint8_t flow_flags = in_flow_flags;

    const int direction = (flow_flags & STREAM_TOSERVER) ? 0 : 1;

    uint32_t inspect_flags = stored_flags ? *stored_flags : 0;

    int total_matches = 0;

    int file_no_match = 0;

    bool retval = false;

    bool mpm_before_progress = false;   // is mpm engine before progress?

    bool mpm_in_progress = false;       // is mpm engine in a buffer we will revisit?


    /* see if we want to pass on the FLUSH flag */

    if ((s->flags & SIG_FLAG_FLUSH) == 0)

        flow_flags &=~ STREAM_FLUSH;


    TRACE_SID_TXS(s->id, tx, "starting %s", direction ? "toclient" : "toserver");

    TRACE_SID_TXS(s->id, tx, "FLUSH? %s", (flow_flags & STREAM_FLUSH)?"true":"false");


    /* for a new inspection we inspect pkt header and packet matches */

    if (likely(stored_flags == NULL)) {

        TRACE_SID_TXS(s->id, tx, "first inspect, run packet matches");

        if (DetectRunInspectRuleHeader(p, f, s, s->flags, s->proto.flags) == 0) {

            TRACE_SID_TXS(s->id, tx, "DetectRunInspectRuleHeader() no match");

            return false;

        }

        if (DetectEnginePktInspectionRun(tv, det_ctx, s, f, p, NULL) == false) {

            TRACE_SID_TXS(s->id, tx, "DetectEnginePktInspectionRun no match");

            return false;

        }

        /* stream mpm and negated mpm sigs can end up here with wrong proto */

        if (!(AppProtoEquals(s->alproto, f->alproto) || s->alproto == ALPROTO_UNKNOWN)) {

            TRACE_SID_TXS(s->id, tx, "alproto mismatch");

            return false;

        }

    }


    const DetectEngineAppInspectionEngine *engine = s->app_inspect;

    while (engine != NULL) { // TODO could be do {} while as s->app_inspect cannot be null

        TRACE_SID_TXS(s->id, tx, "engine %p inspect_flags %x", engine, inspect_flags);

        if (!(inspect_flags & BIT_U32(engine->id)) &&

                direction == engine->dir)

        {

            const bool skip_engine = (engine->alproto != 0 && engine->alproto != f->alproto);

            /* special case: file_data on 'alert tcp' will have engines

             * in the list that are not for us. */

            if (unlikely(skip_engine)) {

                engine = engine->next;

                continue;

            }


            /* engines are sorted per progress, except that the one with

             * mpm/prefilter enabled is first */

            if (tx->tx_progress < engine->progress) {

                SCLogDebug("tx progress %d < engine progress %d",

                        tx->tx_progress, engine->progress);

                break;

            }

            if (engine->mpm) {

                if (tx->tx_progress > engine->progress) {

                    mpm_before_progress = true;

                } else if (tx->tx_progress == engine->progress) {

                    mpm_in_progress = true;

                }

            }


            /* run callback: but bypass stream callback if we can */

            int match;

            if (unlikely(engine->stream && can->stream_stored)) {

                match = can->stream_result;

                TRACE_SID_TXS(s->id, tx, "stream skipped, stored result %d used instead", match);

            } else {

                KEYWORD_PROFILING_SET_LIST(det_ctx, engine->sm_list);

                DEBUG_VALIDATE_BUG_ON(engine->v2.Callback == NULL);

                match = engine->v2.Callback(

                        de_ctx, det_ctx, engine, s, f, flow_flags, alstate, tx->tx_ptr, tx->tx_id);

                TRACE_SID_TXS(s->id, tx, "engine %p match %d", engine, match);

                if (engine->stream) {

                    can->stream_stored = true;

                    can->stream_result = match;

                    TRACE_SID_TXS(s->id, tx, "stream ran, store result %d for next tx (if any)", match);

                }

            }

            if (match == DETECT_ENGINE_INSPECT_SIG_MATCH) {

                inspect_flags |= BIT_U32(engine->id);

                engine = engine->next;

                total_matches++;

                continue;

            } else if (match == DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES) {

                /* if the file engine matched, but indicated more

                 * files are still in progress, we don't set inspect

                 * flags as these would end inspection for this tx */

                engine = engine->next;

                total_matches++;

                continue;

            } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) {

                inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;

                inspect_flags |= BIT_U32(engine->id);

            } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES) {

                inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;

                inspect_flags |= BIT_U32(engine->id);

                file_no_match = 1;

            }

            /* implied DETECT_ENGINE_INSPECT_SIG_NO_MATCH */

            if (engine->mpm && mpm_before_progress) {

                inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;

                inspect_flags |= BIT_U32(engine->id);

            }

            break;

        }

        engine = engine->next;

    }

    TRACE_SID_TXS(s->id, tx, "inspect_flags %x, total_matches %u, engine %p",

            inspect_flags, total_matches, engine);


    if (engine == NULL && total_matches) {

        inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;

        TRACE_SID_TXS(s->id, tx, "MATCH");

        retval = true;

    }


    if (stored_flags) {

        *stored_flags = inspect_flags;

        TRACE_SID_TXS(s->id, tx, "continue inspect flags %08x", inspect_flags);

    } else {

        // store... or? If tx is done we might not want to come back to this tx


        // also... if mpmid tracking is enabled, we won't do a sig again for this tx...

        TRACE_SID_TXS(s->id, tx, "start inspect flags %08x", inspect_flags);

        if (inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH) {

            if (file_no_match) {

                /* if we have a mismatch on a file sig, we need to keep state.

                 * We may get another file on the same tx (for http and smtp

                 * at least), so for a new file we need to re-eval the sig.

                 * Thoughts / TODO:

                 *  - not for some protos that have 1 file per tx (e.g. nfs)

                 *  - maybe we only need this for file sigs that mix with

                 *    other matches? E.g. 'POST + filename', is different than

                 *    just 'filename'.

                 */

                DetectRunStoreStateTx(scratch->sgh, f, tx->tx_ptr, tx->tx_id, s,

                        inspect_flags, flow_flags, file_no_match);

            }

        } else if ((inspect_flags & DE_STATE_FLAG_FULL_INSPECT) && mpm_before_progress) {

            TRACE_SID_TXS(s->id, tx, "no need to store match sig, "

                    "mpm won't trigger for it anymore");


            if (inspect_flags & DE_STATE_FLAG_FILE_INSPECT) {

                TRACE_SID_TXS(s->id, tx, "except that for new files, "

                        "we may have to revisit anyway");

                DetectRunStoreStateTx(scratch->sgh, f, tx->tx_ptr, tx->tx_id, s,

                        inspect_flags, flow_flags, file_no_match);

            }

        } else if ((inspect_flags & DE_STATE_FLAG_FULL_INSPECT) == 0 && mpm_in_progress) {

            TRACE_SID_TXS(s->id, tx, "no need to store no-match sig, "

                    "mpm will revisit it");

        } else {

            TRACE_SID_TXS(s->id, tx, "storing state: flags %08x", inspect_flags);

            DetectRunStoreStateTx(scratch->sgh, f, tx->tx_ptr, tx->tx_id, s,

                    inspect_flags, flow_flags, file_no_match);

        }

    }


    return retval;

}


/** \internal

 *  \brief get a DetectTransaction object

 *  \retval struct filled with relevant info or all nulls/0s

 */

static DetectTransaction GetDetectTx(const uint8_t ipproto, const AppProto alproto,

        void *alstate, const uint64_t tx_id, void *tx_ptr, const int tx_end_state,

        const uint8_t flow_flags)

{

    uint64_t detect_flags;

    AppLayerTxData *txd = AppLayerParserGetTxData(ipproto, alproto, tx_ptr);

    if (likely(txd != NULL)) {

        detect_flags = (flow_flags & STREAM_TOSERVER) ? txd->detect_flags_ts : txd->detect_flags_tc;

    } else {

        detect_flags = 0;

    }

    if (detect_flags & APP_LAYER_TX_INSPECTED_FLAG) {

        SCLogDebug("%"PRIu64" tx already fully inspected for %s. Flags %016"PRIx64,

                tx_id, flow_flags & STREAM_TOSERVER ? "toserver" : "toclient",

                detect_flags);

        DetectTransaction no_tx = { NULL, 0, NULL, NULL, 0, 0, 0, 0, 0, };

        return no_tx;

    }


    const int tx_progress = AppLayerParserGetStateProgress(ipproto, alproto, tx_ptr, flow_flags);

    const int dir_int = (flow_flags & STREAM_TOSERVER) ? 0 : 1;

    DetectEngineState *tx_de_state = AppLayerParserGetTxDetectState(ipproto, alproto, tx_ptr);

    DetectEngineStateDirection *tx_dir_state = tx_de_state ? &tx_de_state->dir_state[dir_int] : NULL;

    uint64_t prefilter_flags = detect_flags & APP_LAYER_TX_PREFILTER_MASK;


    DetectTransaction tx = {

                            .tx_ptr = tx_ptr,

                            .tx_id = tx_id,

                            .tx_data_ptr = (struct AppLayerTxData *)txd,

                            .de_state = tx_dir_state,

                            .detect_flags = detect_flags,

                            .prefilter_flags = prefilter_flags,

                            .prefilter_flags_orig = prefilter_flags,

                            .tx_progress = tx_progress,

                            .tx_end_state = tx_end_state,

                           };

    return tx;

}


static inline void StoreDetectFlags(DetectTransaction *tx, const uint8_t flow_flags,

        const uint8_t ipproto, const AppProto alproto, const uint64_t detect_flags)

{

    AppLayerTxData *txd = (AppLayerTxData *)tx->tx_data_ptr;

    if (likely(txd != NULL)) {

        if (flow_flags & STREAM_TOSERVER) {

            txd->detect_flags_ts = detect_flags;

        } else {

            txd->detect_flags_tc = detect_flags;

        }

    }

}


static void DetectRunTx(ThreadVars *tv,

                    DetectEngineCtx *de_ctx,

                    DetectEngineThreadCtx *det_ctx,

                    Packet *p,

                    Flow *f,

                    DetectRunScratchpad *scratch)

{

    const uint8_t flow_flags = scratch->flow_flags;

    const SigGroupHead * const sgh = scratch->sgh;

    void * const alstate = f->alstate;

    const uint8_t ipproto = f->proto;

    const AppProto alproto = f->alproto;


    const uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate);

    uint64_t tx_id_min = AppLayerParserGetTransactionInspectId(f->alparser, flow_flags);

    const int tx_end_state = AppLayerParserGetStateProgressCompletionStatus(alproto, flow_flags);


    AppLayerGetTxIteratorFunc IterFunc = AppLayerGetTxIterator(ipproto, alproto);

    AppLayerGetTxIterState state;

    memset(&state, 0, sizeof(state));


    while (1) {

        AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, tx_id_min, total_txs, &state);

        if (ires.tx_ptr == NULL)

            break;


        DetectTransaction tx = GetDetectTx(ipproto, alproto,

                alstate, ires.tx_id, ires.tx_ptr, tx_end_state, flow_flags);

        if (tx.tx_ptr == NULL) {

            SCLogDebug("%p/%"PRIu64" no transaction to inspect",

                    tx.tx_ptr, tx_id_min);


            tx_id_min++; // next (if any) run look for +1

            goto next;

        }

        tx_id_min = tx.tx_id + 1; // next look for cur + 1


        uint32_t array_idx = 0;

        uint32_t total_rules = det_ctx->match_array_cnt;

        total_rules += (tx.de_state ? tx.de_state->cnt : 0);


        /* run prefilter engines and merge results into a candidates array */

        if (sgh->tx_engines) {

            PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PF_TX);

            DetectRunPrefilterTx(det_ctx, sgh, p, ipproto, flow_flags, alproto,

                    alstate, &tx);

            PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PF_TX);

            SCLogDebug("%p/%"PRIu64" rules added from prefilter: %u candidates",

                    tx.tx_ptr, tx.tx_id, det_ctx->pmq.rule_id_array_cnt);


            total_rules += det_ctx->pmq.rule_id_array_cnt;

            if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {

                RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);

            }


            for (uint32_t i = 0; i < det_ctx->pmq.rule_id_array_cnt; i++) {

                const Signature *s = de_ctx->sig_array[det_ctx->pmq.rule_id_array[i]];

                const SigIntId id = s->num;

                det_ctx->tx_candidates[array_idx].s = s;

                det_ctx->tx_candidates[array_idx].id = id;

                det_ctx->tx_candidates[array_idx].flags = NULL;

                det_ctx->tx_candidates[array_idx].stream_reset = 0;

                array_idx++;

            }

            PMQ_RESET(&det_ctx->pmq);

        } else {

            if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {

                RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);

            }

        }


        /* merge 'state' rules from the regular prefilter */

        uint32_t x = array_idx;

        for (uint32_t i = 0; i < det_ctx->match_array_cnt; i++) {

            const Signature *s = det_ctx->match_array[i];

            if (s->app_inspect != NULL) {

                const SigIntId id = s->num;

                det_ctx->tx_candidates[array_idx].s = s;

                det_ctx->tx_candidates[array_idx].id = id;

                det_ctx->tx_candidates[array_idx].flags = NULL;

                det_ctx->tx_candidates[array_idx].stream_reset = 0;

                array_idx++;


                SCLogDebug("%p/%"PRIu64" rule %u (%u) added from 'match' list",

                        tx.tx_ptr, tx.tx_id, s->id, id);

            }

        }

        SCLogDebug("%p/%"PRIu64" rules added from 'match' list: %u",

                tx.tx_ptr, tx.tx_id, array_idx - x); (void)x;


        /* merge stored state into results */

        if (tx.de_state != NULL) {

            const uint32_t old = array_idx;


            /* if tx.de_state->flags has 'new file' set and sig below has

             * 'file inspected' flag, reset the file part of the state */

            const bool have_new_file = (tx.de_state->flags & DETECT_ENGINE_STATE_FLAG_FILE_NEW);

            if (have_new_file) {

                SCLogDebug("%p/%"PRIu64" destate: need to consider new file",

                        tx.tx_ptr, tx.tx_id);

                tx.de_state->flags &= ~DETECT_ENGINE_STATE_FLAG_FILE_NEW;

            }


            SigIntId state_cnt = 0;

            DeStateStore *tx_store = tx.de_state->head;

            for (; tx_store != NULL; tx_store = tx_store->next) {

                SCLogDebug("tx_store %p", tx_store);


                SigIntId store_cnt = 0;

                for (store_cnt = 0;

                        store_cnt < DE_STATE_CHUNK_SIZE && state_cnt < tx.de_state->cnt;

                        store_cnt++, state_cnt++)

                {

                    DeStateStoreItem *item = &tx_store->store[store_cnt];

                    SCLogDebug("rule id %u, inspect_flags %u", item->sid, item->flags);

                    if (have_new_file && (item->flags & DE_STATE_FLAG_FILE_INSPECT)) {

                        /* remove part of the state. File inspect engine will now

                         * be able to run again */

                        item->flags &= ~(DE_STATE_FLAG_SIG_CANT_MATCH|DE_STATE_FLAG_FULL_INSPECT|DE_STATE_FLAG_FILE_INSPECT);

                        SCLogDebug("rule id %u, post file reset inspect_flags %u", item->sid, item->flags);

                    }

                    det_ctx->tx_candidates[array_idx].s = de_ctx->sig_array[item->sid];

                    det_ctx->tx_candidates[array_idx].id = item->sid;

                    det_ctx->tx_candidates[array_idx].flags = &item->flags;

                    det_ctx->tx_candidates[array_idx].stream_reset = 0;

                    array_idx++;

                }

            }

            if (old && old != array_idx) {

                qsort(det_ctx->tx_candidates, array_idx, sizeof(RuleMatchCandidateTx),

                        DetectRunTxSortHelper);


                SCLogDebug("%p/%"PRIu64" rules added from 'continue' list: %u",

                        tx.tx_ptr, tx.tx_id, array_idx - old);

            }

        }


        det_ctx->tx_id = tx.tx_id;

        det_ctx->tx_id_set = 1;

        det_ctx->p = p;


        /* run rules: inspect the match candidates */

        for (uint32_t i = 0; i < array_idx; i++) {

            RuleMatchCandidateTx *can = &det_ctx->tx_candidates[i];

            const Signature *s = det_ctx->tx_candidates[i].s;

            uint32_t *inspect_flags = det_ctx->tx_candidates[i].flags;


            /* deduplicate: rules_array is sorted, but not deduplicated:

             * both mpm and stored state could give us the same sid.

             * As they are back to back in that case we can check for it

             * here. We select the stored state one. */

            if ((i + 1) < array_idx) {

                if (det_ctx->tx_candidates[i].s == det_ctx->tx_candidates[i+1].s) {

                    if (det_ctx->tx_candidates[i].flags != NULL) {

                        i++;

                        SCLogDebug("%p/%"PRIu64" inspecting SKIP NEXT: sid %u (%u), flags %08x",

                                tx.tx_ptr, tx.tx_id, s->id, s->num, inspect_flags ? *inspect_flags : 0);

                    } else if (det_ctx->tx_candidates[i+1].flags != NULL) {

                        SCLogDebug("%p/%"PRIu64" inspecting SKIP CURRENT: sid %u (%u), flags %08x",

                                tx.tx_ptr, tx.tx_id, s->id, s->num, inspect_flags ? *inspect_flags : 0);

                        continue;

                    } else {

                        // if it's all the same, inspect the current one and skip next.

                        i++;

                        SCLogDebug("%p/%"PRIu64" inspecting SKIP NEXT: sid %u (%u), flags %08x",

                                tx.tx_ptr, tx.tx_id, s->id, s->num, inspect_flags ? *inspect_flags : 0);

                    }

                }

            }


            SCLogDebug("%p/%"PRIu64" inspecting: sid %u (%u), flags %08x",

                    tx.tx_ptr, tx.tx_id, s->id, s->num, inspect_flags ? *inspect_flags : 0);


            if (inspect_flags) {

                if (*inspect_flags & (DE_STATE_FLAG_FULL_INSPECT|DE_STATE_FLAG_SIG_CANT_MATCH)) {

                    SCLogDebug("%p/%"PRIu64" inspecting: sid %u (%u), flags %08x ALREADY COMPLETE",

                            tx.tx_ptr, tx.tx_id, s->id, s->num, *inspect_flags);

                    continue;

                }

            }


            if (inspect_flags) {

                /* continue previous inspection */

                SCLogDebug("%p/%"PRIu64" Continueing sid %u", tx.tx_ptr, tx.tx_id, s->id);

            } else {

                /* start new inspection */

                SCLogDebug("%p/%"PRIu64" Start sid %u", tx.tx_ptr, tx.tx_id, s->id);

            }


            /* call individual rule inspection */

            RULE_PROFILING_START(p);

            const int r = DetectRunTxInspectRule(tv, de_ctx, det_ctx, p, f, flow_flags,

                    alstate, &tx, s, inspect_flags, can, scratch);

            if (r == 1) {

                /* match */

                DetectRunPostMatch(tv, det_ctx, p, s);


                uint8_t alert_flags = (PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_TX);

                if (s->action & ACTION_DROP)

                    alert_flags |= PACKET_ALERT_FLAG_DROP_FLOW;


                SCLogDebug("%p/%"PRIu64" sig %u (%u) matched", tx.tx_ptr, tx.tx_id, s->id, s->num);

                if (!(s->flags & SIG_FLAG_NOALERT)) {

                    PacketAlertAppend(det_ctx, s, p, tx.tx_id, alert_flags);

                } else {

                    DetectSignatureApplyActions(p, s, alert_flags);

                }

            }

            DetectVarProcessList(det_ctx, p->flow, p);

            RULE_PROFILING_END(det_ctx, s, r, p);

        }


        det_ctx->tx_id = 0;

        det_ctx->tx_id_set = 0;

        det_ctx->p = NULL;


        /* see if we have any updated state to store in the tx */


        uint64_t new_detect_flags = 0;

        /* this side of the tx is done */

        if (tx.tx_progress >= tx.tx_end_state) {

            new_detect_flags |= APP_LAYER_TX_INSPECTED_FLAG;

            SCLogDebug("%p/%"PRIu64" tx is done for direction %s. Flag %016"PRIx64,

                    tx.tx_ptr, tx.tx_id,

                    flow_flags & STREAM_TOSERVER ? "toserver" : "toclient",

                    new_detect_flags);

        }

        if (tx.prefilter_flags != tx.prefilter_flags_orig) {

            new_detect_flags |= tx.prefilter_flags;

            SCLogDebug("%p/%"PRIu64" updated prefilter flags %016"PRIx64" "

                    "(was: %016"PRIx64") for direction %s. Flag %016"PRIx64,

                    tx.tx_ptr, tx.tx_id, tx.prefilter_flags, tx.prefilter_flags_orig,

                    flow_flags & STREAM_TOSERVER ? "toserver" : "toclient",

                    new_detect_flags);

        }

        if (new_detect_flags != 0 &&

                (new_detect_flags | tx.detect_flags) != tx.detect_flags)

        {

            new_detect_flags |= tx.detect_flags;

            SCLogDebug("%p/%"PRIu64" Storing new flags %016"PRIx64" (was %016"PRIx64")",

                    tx.tx_ptr, tx.tx_id, new_detect_flags, tx.detect_flags);


            StoreDetectFlags(&tx, flow_flags, ipproto, alproto, new_detect_flags);

        }

next:

        InspectionBufferClean(det_ctx);


        if (!ires.has_next)

            break;

    }

}


/** \brief Apply action(s) and Set 'drop' sig info,

 *         if applicable */

void DetectSignatureApplyActions(Packet *p,

        const Signature *s, const uint8_t alert_flags)

{

    PACKET_UPDATE_ACTION(p, s->action);


    if (s->action & ACTION_DROP) {

        if (p->alerts.drop.action == 0) {

            p->alerts.drop.num = s->num;

            p->alerts.drop.action = s->action;

            p->alerts.drop.s = (Signature *)s;

        }

    } else if (s->action & ACTION_PASS) {

        /* if an stream/app-layer match we enforce the pass for the flow */

        if ((p->flow != NULL) &&

                (alert_flags & (PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_STREAM_MATCH)))

        {

            FlowSetNoPacketInspectionFlag(p->flow);

        }


    }

}


static DetectEngineThreadCtx *GetTenantById(HashTable *h, uint32_t id)

{

    /* technically we need to pass a DetectEngineThreadCtx struct with the

     * tentant_id member. But as that member is the first in the struct, we

     * can use the id directly. */

    return HashTableLookup(h, &id, 0);

}


static void DetectFlow(ThreadVars *tv,

                       DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,

                       Packet *p)

{

    if (p->flags & PKT_NOPACKET_INSPECTION) {

        /* hack: if we are in pass the entire flow mode, we need to still

         * update the inspect_id forward. So test for the condition here,

         * and call the update code if necessary. */

        const int pass = ((p->flow->flags & FLOW_NOPACKET_INSPECTION));

        if (pass) {

            uint8_t flags;

            if (p->flowflags & FLOW_PKT_TOSERVER) {

                flags = STREAM_TOSERVER;

            } else {

                flags = STREAM_TOCLIENT;

            }

            flags = FlowGetDisruptionFlags(p->flow, flags);

            DeStateUpdateInspectTransactionId(p->flow, flags, true);

        }

        SCLogDebug("p->pcap %"PRIu64": no detection on packet, "

                "PKT_NOPACKET_INSPECTION is set", p->pcap_cnt);

        return;

    }


    /* see if the packet matches one or more of the sigs */

    (void)DetectRun(tv, de_ctx, det_ctx, p);

}


static void DetectNoFlow(ThreadVars *tv,

                         DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,

                         Packet *p)

{

    /* No need to perform any detection on this packet, if the the given flag is set.*/

    if ((p->flags & PKT_NOPACKET_INSPECTION) ||

        (PACKET_TEST_ACTION(p, ACTION_DROP)))

    {

        return;

    }


    /* see if the packet matches one or more of the sigs */

    DetectRun(tv, de_ctx, det_ctx, p);

    return;

}


/** \brief Detection engine thread wrapper.

 *  \param tv thread vars

 *  \param p packet to inspect

 *  \param data thread specific data

 *  \param pq packet queue

 *  \retval TM_ECODE_FAILED error

 *  \retval TM_ECODE_OK ok

 */

TmEcode Detect(ThreadVars *tv, Packet *p, void *data)

{

    DEBUG_VALIDATE_PACKET(p);


    DetectEngineCtx *de_ctx = NULL;

    DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;

    if (det_ctx == NULL) {

        printf("ERROR: Detect has no thread ctx\n");

        goto error;

    }


    if (unlikely(SC_ATOMIC_GET(det_ctx->so_far_used_by_detect) == 0)) {

        (void)SC_ATOMIC_SET(det_ctx->so_far_used_by_detect, 1);

        SCLogDebug("Detect Engine using new det_ctx - %p",

                  det_ctx);

    }


    /* if in MT mode _and_ we have tenants registered, use

     * MT logic. */

    if (det_ctx->mt_det_ctxs_cnt > 0 && det_ctx->TenantGetId != NULL)

    {

        uint32_t tenant_id = p->tenant_id;

        if (tenant_id == 0)

            tenant_id = det_ctx->TenantGetId(det_ctx, p);

        if (tenant_id > 0 && tenant_id < det_ctx->mt_det_ctxs_cnt) {

            p->tenant_id = tenant_id;

            det_ctx = GetTenantById(det_ctx->mt_det_ctxs_hash, tenant_id);

            if (det_ctx == NULL)

                return TM_ECODE_OK;

            de_ctx = det_ctx->de_ctx;

            if (de_ctx == NULL)

                return TM_ECODE_OK;


            if (unlikely(SC_ATOMIC_GET(det_ctx->so_far_used_by_detect) == 0)) {

                (void)SC_ATOMIC_SET(det_ctx->so_far_used_by_detect, 1);

                SCLogDebug("MT de_ctx %p det_ctx %p (tenant %u)", de_ctx, det_ctx, tenant_id);

            }

        } else {

            /* use default if no tenants are registered for this packet */

            de_ctx = det_ctx->de_ctx;

        }

    } else {

        de_ctx = det_ctx->de_ctx;

    }


    if (p->flow) {

        DetectFlow(tv, de_ctx, det_ctx, p);

    } else {

        DetectNoFlow(tv, de_ctx, det_ctx, p);

    }

    return TM_ECODE_OK;

error:

    return TM_ECODE_FAILED;

}


/** \brief disable file features we don't need

 *  Called if we have no detection engine.

 */

void DisableDetectFlowFileFlags(Flow *f)

{

    DetectPostInspectFileFlagsUpdate(f, NULL /* no sgh */, STREAM_TOSERVER);

    DetectPostInspectFileFlagsUpdate(f, NULL /* no sgh */, STREAM_TOCLIENT);

}


#ifdef UNITTESTS

/**

 *  \brief wrapper for old tests

 */

void SigMatchSignatures(ThreadVars *th_v,

        DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,

        Packet *p)

{

    DetectRun(th_v, de_ctx, det_ctx, p);

}

#endif


/*

 * TESTS

 */


#ifdef UNITTESTS

#include "tests/detect.c"

#endif