Go to the documentation of this file.
88 static inline void DetectRulePacketRules(
ThreadVars *
const tv,
127 DetectRunInspectIPOnly(th_v,
de_ctx, det_ctx, pflow, p);
130 DetectRunGetRuleGroup(
de_ctx, p, pflow, &scratch);
133 if (scratch.
sgh == NULL) {
134 SCLogDebug(
"no sgh for this packet, nothing to match against");
139 DetectRunPrefilterPkt(th_v,
de_ctx, det_ctx, p, &scratch);
143 DetectRulePacketRules(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
148 if (p->
proto == IPPROTO_TCP) {
155 DetectRunFrames(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
164 }
else if (p->
proto == IPPROTO_UDP) {
165 DetectRunFrames(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
169 DetectRunTx(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
179 DetectRunPostRules(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
181 DetectRunCleanup(det_ctx, p, pflow);
194 SCLogDebug(
"running match functions, sm %p", smd);
225 }
else if (p->
proto == 0) {
236 if (
proto == IPPROTO_TCP) {
240 const uint16_t port = dir ? p->
dp : p->
sp;
245 SCLogDebug(
"TCP list %p, port %u, direction %s, sghport %p, sgh %p", list, port,
246 dir ?
"toserver" :
"toclient", sghport, sgh);
247 }
else if (
proto == IPPROTO_UDP) {
249 uint16_t port = dir ? p->
dp : p->
sp;
253 SCLogDebug(
"UDP list %p, port %u, direction %s, sghport %p, sgh %p", list, port,
254 dir ?
"toserver" :
"toclient", sghport, sgh);
285 final_ptr = nonmpm_ptr;
290 nonmpm = *nonmpm_ptr;
304 if (
likely(
id != previous_id)) {
310 final_ptr = nonmpm_ptr;
316 }
else if (mpm > nonmpm) {
321 if (
likely(
id != previous_id)) {
331 nonmpm = *nonmpm_ptr;
337 while (--m_cnt != 0) {
348 final_ptr = ++nonmpm_ptr;
363 nonmpm = *nonmpm_ptr;
369 while (final_cnt-- > 0) {
374 if (
likely(
id != previous_id)) {
388 static inline void DetectPrefilterBuildNonPrefilterList(
396 if ((rule_mask & mask) == rule_mask &&
397 (rule_alproto == 0 || AppProtoEquals(rule_alproto, alproto))) {
417 SCLogDebug(
"sgh non_pf ptr %p cnt %u (syn %p/%u, other %p/%u)",
429 DetectPostInspectFileFlagsUpdate(
Flow *f,
const SigGroupHead *sgh, uint8_t direction)
434 SCLogDebug(
"requesting disabling all file features for flow");
438 SCLogDebug(
"requesting disabling filestore for flow");
442 if (!(sgh->
flags & SIG_GROUP_HEAD_HAVEFILEMAGIC)) {
443 SCLogDebug(
"requesting disabling magic for flow");
448 SCLogDebug(
"requesting disabling md5 for flow");
452 SCLogDebug(
"requesting disabling sha1 for flow");
456 SCLogDebug(
"requesting disabling sha256 for flow");
460 SCLogDebug(
"requesting disabling filesize for flow");
464 if (flow_file_flags != 0) {
480 SCLogDebug(
"STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.client");
485 DetectPostInspectFileFlagsUpdate(pflow,
495 SCLogDebug(
"STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.server");
500 DetectPostInspectFileFlagsUpdate(pflow,
505 static inline void DetectRunGetRuleGroup(
513 bool use_flow_sgh =
false;
520 SCLogDebug(
"sgh = pflow->sgh_toserver; => %p", sgh);
524 SCLogDebug(
"sgh = pflow->sgh_toclient; => %p", sgh);
530 if (!(use_flow_sgh)) {
543 DetectRunPostGetFirstRuleGroup(p, pflow, sgh);
571 SCLogDebug(
"testing against \"ip-only\" signatures");
593 static inline bool DetectRunInspectRuleHeader(
const Packet *p,
const Flow *f,
const Signature *s,
594 const uint32_t sflags,
const uint8_t s_proto_flags)
603 const bool fv = f->
flowvar != NULL;
605 SCLogDebug(
"skipping sig as the flow has no flowvars and sig "
606 "has SIG_FLAG_REQUIRE_FLOWVAR flag set.");
646 SCLogDebug(
"port-less protocol and sig needs ports");
677 static inline void DetectRunPrefilterPkt(
685 DetectPrefilterSetNonPrefilterList(p, det_ctx, scratch);
694 DetectPrefilterBuildNonPrefilterList(det_ctx, scratch->
pkt_mask, scratch->
alproto);
708 DetectPrefilterMergeSort(
de_ctx, det_ctx);
723 static inline void DetectRulePacketRules(
740 (uint64_t)match_cnt);
751 uint32_t sflags, next_sflags = 0;
753 next_s = *match_array++;
754 next_sflags = next_s->
flags;
756 while (match_cnt--) {
758 uint8_t alert_flags = 0;
763 sflags = next_sflags;
765 next_s = *match_array++;
766 next_sflags = next_s->
flags;
786 if (SigDsizePrefilter(p, s, sflags))
797 if (DetectRunInspectRuleHeader(p, pflow, s, sflags, s_proto_flags) ==
false) {
808 DetectRunPostMatch(
tv, det_ctx, p, s);
825 DetectVarProcessList(det_ctx, pflow, p);
826 DetectReplaceFree(det_ctx);
840 uint8_t flow_flags = 0;
841 bool app_decoder_events =
false;
860 det_ctx->pkt_stream_add_cnt++;
869 flow_flags = STREAM_TOSERVER;
872 flow_flags = STREAM_TOCLIENT;
878 flow_flags |= STREAM_EOF;
909 (p->
proto == IPPROTO_UDP) ||
914 alproto = FlowGetAppProtocol(pflow);
921 SCLogDebug(
"packet doesn't have established flag set (proto %d)", p->
proto);
932 static inline void DetectRunPostRules(
981 FatalError(
"failed to allocate %" PRIu64
" bytes",
985 SCLogDebug(
"array initialized to %u elements (%"PRIu64
" bytes)",
1008 uint32_t new_size = needed;
1011 FatalError(
"failed to expand to %" PRIu64
" bytes",
1017 SCLogDebug(
"array expanded from %u to %u elements (%"PRIu64
" bytes -> %"PRIu64
" bytes)",
1030 DetectRunTxSortHelper(
const void *a,
const void *b)
1034 if (s1->
id == s0->
id) {
1041 return s0->
id > s1->
id ? 1 : -1;
1045 #define TRACE_SID_TXS(sid,txs,...) \
1047 char _trace_buf[2048]; \
1048 snprintf(_trace_buf, sizeof(_trace_buf), __VA_ARGS__); \
1049 SCLogNotice("%p/%"PRIu64"/%u: %s", txs->tx_ptr, txs->tx_id, sid, _trace_buf); \
1052 #define TRACE_SID_TXS(sid,txs,...)
1072 const uint8_t in_flow_flags,
1076 uint32_t *stored_flags,
1080 const uint8_t flow_flags = in_flow_flags;
1081 const int direction = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
1082 uint32_t inspect_flags = stored_flags ? *stored_flags : 0;
1083 int total_matches = 0;
1084 uint16_t file_no_match = 0;
1085 bool retval =
false;
1086 bool mpm_before_progress =
false;
1087 bool mpm_in_progress =
false;
1089 TRACE_SID_TXS(s->
id, tx,
"starting %s", direction ?
"toclient" :
"toserver");
1092 if (
likely(stored_flags == NULL)) {
1094 if (DetectRunInspectRuleHeader(p, f, s, s->
flags, s->
proto.
flags) ==
false) {
1111 TRACE_SID_TXS(s->
id, tx,
"engine %p inspect_flags %x", engine, inspect_flags);
1112 if (!(inspect_flags &
BIT_U32(engine->
id)) &&
1113 direction == engine->
dir)
1119 engine = engine->
next;
1126 SCLogDebug(
"tx progress %d < engine progress %d",
1133 "engine->mpm: t->tx_progress %u > engine->progress %u, so set "
1134 "mpm_before_progress",
1136 mpm_before_progress =
true;
1139 "engine->mpm: t->tx_progress %u == engine->progress %u, so set "
1142 mpm_in_progress =
true;
1150 TRACE_SID_TXS(s->
id, tx,
"stream skipped, stored result %d used instead", match);
1160 TRACE_SID_TXS(s->
id, tx,
"stream ran, store result %d for next tx (if any)", match);
1165 engine = engine->
next;
1172 engine = engine->
next;
1184 if (engine->
mpm && mpm_before_progress) {
1190 engine = engine->
next;
1191 }
while (engine != NULL);
1192 TRACE_SID_TXS(s->
id, tx,
"inspect_flags %x, total_matches %u, engine %p",
1193 inspect_flags, total_matches, engine);
1195 if (engine == NULL && total_matches) {
1202 *stored_flags = inspect_flags;
1203 TRACE_SID_TXS(s->
id, tx,
"continue inspect flags %08x", inspect_flags);
1210 if (file_no_match) {
1221 inspect_flags, flow_flags, file_no_match);
1225 "mpm won't trigger for it anymore");
1229 "we may have to revisit anyway");
1231 inspect_flags, flow_flags, file_no_match);
1235 "mpm will revisit it");
1236 }
else if (inspect_flags != 0 || file_no_match != 0) {
1239 inspect_flags, flow_flags, file_no_match);
1248 NULL, 0, NULL, NULL, 0, 0, 0, 0, 0, \
1256 void *alstate,
const uint64_t tx_id,
void *tx_ptr,
const int tx_end_state,
1257 const uint8_t flow_flags)
1264 uint64_t detect_flags =
1265 (flow_flags & STREAM_TOSERVER) ? txd->detect_flags_ts : txd->detect_flags_tc;
1267 SCLogDebug(
"%"PRIu64
" tx already fully inspected for %s. Flags %016"PRIx64,
1268 tx_id, flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient",
1274 SCLogDebug(
"%" PRIu64
" tx should not be inspected in direction %s. Flags %016" PRIx64,
1275 tx_id, flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient", detect_flags);
1281 const int dir_int = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
1291 .de_state = tx_dir_state,
1292 .detect_flags = detect_flags,
1293 .prefilter_flags = prefilter_flags,
1294 .prefilter_flags_orig = prefilter_flags,
1295 .tx_progress = tx_progress,
1296 .tx_end_state = tx_end_state,
1301 static inline void StoreDetectFlags(
DetectTransaction *tx,
const uint8_t flow_flags,
1302 const uint8_t ipproto,
const AppProto alproto,
const uint64_t detect_flags)
1305 if (
likely(txd != NULL)) {
1306 if (flow_flags & STREAM_TOSERVER) {
1307 txd->detect_flags_ts = detect_flags;
1309 txd->detect_flags_tc = detect_flags;
1316 static inline void RuleMatchCandidateMergeStateRules(
1334 uint32_t j = *array_idx;
1343 uint32_t k = *array_idx;
1365 if (s->
num <= s0->
id) {
1396 const uint8_t flow_flags = scratch->
flow_flags;
1398 void *
const alstate = f->
alstate;
1399 const uint8_t ipproto = f->
proto;
1408 memset(&state, 0,
sizeof(state));
1411 AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, tx_id_min, total_txs, &state);
1412 if (ires.tx_ptr == NULL)
1416 alstate, ires.tx_id, ires.tx_ptr, tx_end_state, flow_flags);
1418 SCLogDebug(
"%p/%"PRIu64
" no transaction to inspect",
1424 tx_id_min = tx.
tx_id + 1;
1426 bool do_sort =
false;
1427 uint32_t array_idx = 0;
1437 SCLogDebug(
"%p/%"PRIu64
" rules added from prefilter: %u candidates",
1441 if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {
1442 RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1456 if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {
1457 RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1463 uint32_t x = array_idx;
1465 RuleMatchCandidateMergeStateRules(det_ctx, &array_idx);
1469 const uint32_t old = array_idx;
1474 if (have_new_file) {
1475 SCLogDebug(
"%p/%"PRIu64
" destate: need to consider new file",
1482 for (; tx_store != NULL; tx_store = tx_store->
next) {
1488 store_cnt++, state_cnt++)
1505 do_sort |= (old && old != array_idx);
1511 DetectRunTxSortHelper);
1523 for (uint32_t i = 0; i < array_idx; i++) {
1530 for (uint32_t i = 0; i < array_idx; i++) {
1540 while ((i + 1) < array_idx &&
1542 SCLogDebug(
"%p/%" PRIu64
" inspecting SKIP NEXT: sid %u (%u), flags %08x",
1547 SCLogDebug(
"%p/%"PRIu64
" inspecting: sid %u (%u), flags %08x",
1550 if (inspect_flags) {
1552 SCLogDebug(
"%p/%"PRIu64
" inspecting: sid %u (%u), flags %08x ALREADY COMPLETE",
1558 if (inspect_flags) {
1568 const int r = DetectRunTxInspectRule(
tv,
de_ctx, det_ctx, p, f, flow_flags,
1569 alstate, &tx, s, inspect_flags, can, scratch);
1572 DetectRunPostMatch(
tv, det_ctx, p, s);
1578 DetectVarProcessList(det_ctx, p->
flow, p);
1588 uint64_t new_detect_flags = 0;
1592 SCLogDebug(
"%p/%"PRIu64
" tx is done for direction %s. Flag %016"PRIx64,
1594 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient",
1600 SCLogDebug(
"%p/%"PRIu64
" updated prefilter flags %016"PRIx64
" "
1601 "(was: %016"PRIx64
") for direction %s. Flag %016"PRIx64,
1603 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient",
1606 if (new_detect_flags != 0 &&
1611 SCLogDebug(
"%p/%"PRIu64
" Storing new flags %016"PRIx64
" (was %016"PRIx64
")",
1614 StoreDetectFlags(&tx, flow_flags, ipproto, alproto, new_detect_flags);
1631 if (frames_container == NULL) {
1636 frames = &frames_container->
toserver;
1638 frames = &frames_container->
toclient;
1641 for (uint32_t idx = 0; idx < frames->
cnt; idx++) {
1644 if (frame == NULL) {
1649 uint32_t array_idx = 0;
1657 SCLogDebug(
"%p/%" PRIi64
" rules added from prefilter: %u candidates", frame, frame->
id,
1662 if (!(RuleMatchCandidateTxArrayHasSpace(
1663 det_ctx, total_rules))) {
1664 RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1679 uint32_t x = array_idx;
1690 SCLogDebug(
"%p/%" PRIi64
" rule %u (%u) added from 'match' list", frame, frame->
id,
1694 SCLogDebug(
"%p/%" PRIi64
" rules added from 'match' list: %u", frame, frame->
id,
1699 for (uint32_t i = 0; i < array_idx; i++) {
1706 while ((i + 1) < array_idx &&
1710 SCLogDebug(
"%p/%" PRIi64
" inspecting: sid %u (%u)", frame, frame->
id, s->
id, s->
num);
1713 SCLogDebug(
"%p/%" PRIi64
" Start sid %u", frame, frame->
id, s->
id);
1717 bool r = DetectRunInspectRuleHeader(p, f, s, s->
flags, s->
proto.
flags);
1722 DetectRunPostMatch(
tv, det_ctx, p, s);
1724 const uint8_t alert_flags =
1729 "%p/%" PRIi64
" sig %u (%u) matched", frame, frame->
id, s->
id, s->
num);
1733 DetectVarProcessList(det_ctx, p->
flow, p);
1744 "frame->inspect_progress: %" PRIu64
" -> not updated", frame->
inspect_progress);
1747 SCLogDebug(
"%p/%" PRIi64
" rules inspected, running cleanup", frame, frame->
id);
1778 SCLogDebug(
"p->pcap %"PRIu64
": no detection on packet, "
1779 "PKT_NOPACKET_INSPECTION is set", p->
pcap_cnt);
1792 (void)DetectRun(
tv,
de_ctx, det_ctx, p);
1824 if (det_ctx == NULL) {
1825 printf(
"ERROR: Detect has no thread ctx\n");
1831 SCLogDebug(
"Detect Engine using new det_ctx - %p",
1842 if (tenant_id > 0 && tenant_id < det_ctx->mt_det_ctxs_cnt) {
1845 if (det_ctx == NULL)
1853 SCLogDebug(
"MT de_ctx %p det_ctx %p (tenant %u)",
de_ctx, det_ctx, tenant_id);
1864 DetectFlow(
tv,
de_ctx, det_ctx, p);
1866 DetectNoFlow(
tv,
de_ctx, det_ctx, p);
1869 #ifdef PROFILE_RULES
1872 gettimeofday(&
ts, NULL);
1873 if (
ts.tv_sec != det_ctx->rule_perf_last_sync) {
1874 SCProfilingRuleThreatAggregate(det_ctx);
1875 det_ctx->rule_perf_last_sync =
ts.tv_sec;
1889 DetectPostInspectFileFlagsUpdate(f, NULL , STREAM_TOSERVER);
1890 DetectPostInspectFileFlagsUpdate(f, NULL , STREAM_TOCLIENT);
1901 DetectFlow(
tv,
de_ctx, det_ctx, p);
1903 DetectNoFlow(
tv,
de_ctx, det_ctx, p);
#define PKT_IS_TOCLIENT(p)
uint32_t non_pf_syn_store_cnt
bool PacketCheckAction(const Packet *p, const uint8_t a)
#define FLOWFILE_NO_MD5_TS
SignatureNonPrefilterStore * non_pf_store_ptr
void RulesDumpTxMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, const Packet *p, const uint64_t tx_id, const uint32_t rule_cnt, const uint32_t pkt_prefilter_cnt)
#define SIG_GROUP_HEAD_HAVEFILEMD5
#define FLOWFILE_NO_MD5_TC
PrefilterEngine * tx_engines
struct AppLayerTxData * tx_data_ptr
#define DE_STATE_CHUNK_SIZE
#define FLOWFILE_NO_SIZE_TS
uint64_t inspect_progress
uint16_t alert_queue_size
#define FLOWFILE_NO_SIZE_TC
#define PACKET_ALERT_FLAG_STREAM_MATCH
DetectMatchAddressIPv6 * addr_src_match6
#define PACKET_ALERT_FLAG_TX
struct SigGroupHead_ * decoder_event_sgh
int FlowGetPacketDirection(const Flow *f, const Packet *p)
determine the direction of the packet compared to the flow
DetectEngineLookupFlow flow_gh[FLOW_STATES]
#define DE_STATE_FLAG_SIG_CANT_MATCH
uint16_t counter_match_list
struct DetectEngineAppInspectionEngine_ * next
#define DETECT_PROTO_IPV6
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
void Prefilter(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const uint8_t flags)
uint32_t rule_id_array_cnt
Container for matching data for a signature group.
#define SIG_GROUP_HEAD_HAVEFILESIZE
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
int DetectAddressMatchIPv4(const DetectMatchAddressIPv4 *addrs, uint16_t addrs_cnt, const Address *a)
Match a packets address against a signatures addrs array.
InspectEngineFuncPtr Callback
#define FLOW_SGH_TOCLIENT
void AppLayerParserSetTransactionInspectId(const Flow *f, AppLayerParserState *pstate, void *alstate, const uint8_t flags, bool tag_txs_as_inspected)
AppLayerGetTxIteratorFunc AppLayerGetTxIterator(const uint8_t ipproto, const AppProto alproto)
struct HtpBodyChunk_ * next
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
#define FLOWFILE_NO_MAGIC_TS
#define ICMPV4_DEST_UNREACH_IS_VALID(p)
#define SIG_GROUP_HEAD_HAVEFILESHA1
#define FLOW_TC_APP_UPDATED
main detection engine ctx
int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto, uint8_t direction)
struct DetectRunScratchpad DetectRunScratchpad
#define APP_LAYER_TX_SKIP_INSPECT_FLAG
DetectEngineStateDirection dir_state[2]
Frame * FrameGetByIndex(Frames *frames, const uint32_t idx)
#define FLOW_PKT_TOSERVER
#define APP_LAYER_TX_INSPECTED_FLAG
#define SIG_GROUP_HEAD_HAVERAWSTREAM
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
struct SigGroupHead_ * sh
#define PACKET_PROFILING_DETECT_END(p, id)
TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
Detection engine thread wrapper.
#define FLOW_PKT_TOCLIENT_IPONLY_SET
bool DetectRunFrameInspectRule(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, const Frames *frames, const Frame *frame)
#define KEYWORD_PROFILING_START
uint16_t counter_fnonmpm_list
void DisableDetectFlowFileFlags(Flow *f)
disable file features we don't need Called if we have no detection engine.
uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction)
uint16_t counter_nonmpm_list
void DetectRunPrefilterFrame(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const Frames *frames, const Frame *frame, const AppProto alproto)
PacketEngineEvents events
DetectEngineFrameInspectionEngine * frame_inspect
const uint64_t prefilter_flags_orig
void PacketCreateMask(Packet *p, SignatureMask *mask, AppProto alproto, bool app_decoder_events)
#define SIG_FLAG_APPLAYER
#define KEYWORD_PROFILING_END(ctx, type, m)
HashTable * mt_det_ctxs_hash
bool DetectEnginePktInspectionRun(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, uint8_t *alert_flags)
const struct SigGroupHead_ * sgh_toserver
uint16_t counter_alerts_suppressed
void DetectRunStoreStateTx(const SigGroupHead *sgh, Flow *f, void *tx, uint64_t tx_id, const Signature *s, uint32_t inspect_flags, uint8_t flow_flags, const uint16_t file_no_match)
AppLayerParserState * alparser
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
#define FLOWFILE_NO_SHA1_TC
@ DETECT_SM_LIST_POSTMATCH
RuleMatchCandidateTx * tx_candidates
DetectMatchAddressIPv4 * addr_src_match4
uint16_t counter_alerts_overflow
#define DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET
#define PKT_IS_TOSERVER(p)
#define DEBUG_VALIDATE_PACKET(p)
#define FLOWFILE_NO_STORE_TS
uint32_t tx_candidates_size
#define FLOW_PKT_TOSERVER_IPONLY_SET
#define STREAM_FLAGS_FOR_PACKET(p)
struct SigGroupHead_ * sgh[256]
void * HashTableLookup(HashTable *ht, void *data, uint16_t datalen)
Per thread variable structure.
struct DeStateStore_ * next
#define FLOWFILE_NO_SHA256_TS
#define DETECT_ENGINE_INSPECT_SIG_MATCH
#define PKT_DETECT_HAS_STREAMDATA
bool StreamReassembleRawHasDataReady(TcpSession *ssn, Packet *p)
does the stream engine have data to inspect?
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Port structure for detection engine.
DetectEngineAppInspectionEngine * app_inspect
const struct SigGroupHead_ * sgh_toclient
#define SIG_FLAG_REQUIRE_FLOWVAR
uint64_t raw_stream_progress
void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction)
set a flow's file flags
void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t alert_flags)
Append signature to local packet alert queue for later preprocessing.
void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx)
FramesContainer * AppLayerFramesGetContainer(Flow *f)
#define APP_LAYER_TX_PREFILTER_MASK
void FlowSetIPOnlyFlag(Flow *f, int direction)
Set the IPOnly scanned flag for 'direction'.
#define FLOW_TOSERVER_IPONLY_SET
#define RULE_PROFILING_END(a, b, c, p)
#define RULE_PROFILING_START(p)
#define SCReturnPtr(x, type)
DetectEngineStateDirection * de_state
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, const Packet *p)
uint16_t addr_dst_match6_cnt
#define FLOW_PKT_TOCLIENT
PrefilterEngine * frame_engines
#define PACKET_ALERT_NOTX
struct DetectEngineAppInspectionEngine_::@85 v2
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_STATE_FLAG_FILE_NEW
#define SCRealloc(ptr, sz)
#define FLOWFILE_NO_SHA256_TC
#define DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES
struct AppLayerTxData AppLayerTxData
#define DETECT_PROTO_IPV4
int DetectAddressMatchIPv6(const DetectMatchAddressIPv6 *addrs, uint16_t addrs_cnt, const Address *a)
Match a packets address against a signatures addrs array.
void DetectEngineStateResetTxs(Flow *f)
Reset de state for active tx' To be used on detect engine reload.
#define FLOWFILE_NO_MAGIC_TC
SignatureNonPrefilterStore * non_pf_other_store_array
#define FLOW_TOCLIENT_IPONLY_SET
#define APP_LAYER_TX_RESERVED_FLAGS
uint32_t non_pf_other_store_cnt
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
uint8_t app_update_direction
uint64_t frame_inspect_progress
uint32_t profile_match_logging_threshold
#define FLOW_TS_APP_UPDATED
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
#define FLOWFILE_NO_STORE_TC
SigIntId * non_pf_id_array
uint16_t addr_src_match6_cnt
void StreamReassembleRawUpdateProgress(TcpSession *ssn, Packet *p, const uint64_t progress)
update stream engine after detection
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
#define FLOWFILE_NO_SHA1_TS
const bool app_decoder_events
#define PACKET_PROFILING_DETECT_START(p, id)
#define PACKET_ALERT_FLAG_FRAME
uint32_t non_pf_store_cnt
#define FLOW_SGH_TOSERVER
#define SGH_PROFILING_RECORD(det_ctx, sgh)
void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Check the threshold of the sigs that match, set actions, break on pass action This function iterate t...
DetectMatchAddressIPv6 * addr_dst_match6
DeStateStoreItem store[DE_STATE_CHUNK_SIZE]
#define IP_GET_IPPROTO(p)
void InspectionBufferClean(DetectEngineThreadCtx *det_ctx)
#define TRACE_SID_TXS(sid, txs,...)
#define FLOW_PKT_ESTABLISHED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
void IPOnlyMatchPacket(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineIPOnlyCtx *io_ctx, Packet *p)
Match a packet against the IP Only detection engine contexts.
SignatureNonPrefilterStore * non_pf_syn_store_array
#define PKT_NOPACKET_INSPECTION
#define DE_STATE_FLAG_FULL_INSPECT
#define STREAMTCP_STREAM_FLAG_DISABLE_RAW
AppLayerGetTxIterTuple(* AppLayerGetTxIteratorFunc)(const uint8_t ipproto, const AppProto alproto, void *alstate, uint64_t min_tx_id, uint64_t max_tx_id, AppLayerGetTxIterState *state)
tx iterator prototype
#define DE_STATE_FLAG_FILE_INSPECT
#define FLOW_NOPACKET_INSPECTION
DetectEngineIPOnlyCtx io_ctx
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
DetectMatchAddressIPv4 * addr_dst_match4
uint8_t FlowGetDisruptionFlags(const Flow *f, uint8_t flags)
get 'disruption' flags: GAP/DEPTH/PASS
uint16_t addr_src_match4_cnt
void GenericVarFree(GenericVar *gv)
uint16_t addr_dst_match4_cnt
AppProto alproto
application level protocol
#define SIG_GROUP_HEAD_HAVEFILESHA256
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
#define PACKET_ALERT_FLAG_STATE_MATCH
bool AppLayerParserHasDecoderEvents(AppLayerParserState *pstate)
#define DEBUG_VALIDATE_BUG_ON(exp)
const uint64_t detect_flags
uint16_t counter_mpm_list
const SigGroupHead * SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx, const Packet *p)
Get the SigGroupHead for a packet.
void DetectRunPrefilterTx(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const uint8_t ipproto, const uint8_t flow_flags, const AppProto alproto, void *alstate, DetectTransaction *tx)
run prefilter engines on a transaction
void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size)
DetectPort * DetectPortLookupGroup(DetectPort *dp, uint16_t port)
Function that find the group matching port in a group head.
uint32_t(* TenantGetId)(const void *, const Packet *p)
int DetectProtoContainsProto(const DetectProto *dp, int proto)
see if a DetectProto contains a certain proto