suricata
detect.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Basic detection engine
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 #include "conf.h"
29 
30 #include "decode.h"
31 #include "packet.h"
32 #include "flow.h"
33 #include "stream-tcp.h"
34 #include "app-layer.h"
35 #include "app-layer-parser.h"
36 #include "app-layer-frames.h"
37 
38 #include "detect.h"
39 #include "detect-dsize.h"
40 #include "detect-engine.h"
41 #include "detect-engine-build.h"
42 #include "detect-engine-frame.h"
43 #include "detect-engine-profile.h"
44 
45 #include "detect-engine-alert.h"
46 #include "detect-engine-siggroup.h"
47 #include "detect-engine-address.h"
48 #include "detect-engine-proto.h"
49 #include "detect-engine-port.h"
50 #include "detect-engine-mpm.h"
51 #include "detect-engine-iponly.h"
52 #include "detect-engine-threshold.h"
53 #include "detect-engine-prefilter.h"
54 #include "detect-engine-state.h"
55 #include "detect-engine-analyzer.h"
56 
57 #include "detect-engine-payload.h"
58 #include "detect-engine-event.h"
59 
60 #include "detect-filestore.h"
61 #include "detect-flowvar.h"
62 #include "detect-replace.h"
63 
64 #include "util-validate.h"
65 #include "util-detect.h"
66 #include "util-profiling.h"
67 
68 #include "action-globals.h"
69 
70 typedef struct DetectRunScratchpad {
71  const AppProto alproto;
72  const uint8_t flow_flags; /* flow/state flags: STREAM_* */
73  const bool app_decoder_events;
74  const SigGroupHead *sgh;
75  SignatureMask pkt_mask;
76 } DetectRunScratchpad;
77 
78 /* prototypes */
79 static DetectRunScratchpad DetectRunSetup(const DetectEngineCtx *de_ctx,
80  DetectEngineThreadCtx *det_ctx, Packet * const p, Flow * const pflow);
81 static void DetectRunInspectIPOnly(ThreadVars *tv, const DetectEngineCtx *de_ctx,
82  DetectEngineThreadCtx *det_ctx, Flow * const pflow, Packet * const p);
83 static inline void DetectRunGetRuleGroup(const DetectEngineCtx *de_ctx,
84  Packet * const p, Flow * const pflow, DetectRunScratchpad *scratch);
85 static inline void DetectRunPrefilterPkt(ThreadVars *tv,
86  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p,
87  DetectRunScratchpad *scratch);
88 static inline void DetectRulePacketRules(ThreadVars * const tv,
89  DetectEngineCtx * const de_ctx, DetectEngineThreadCtx * const det_ctx,
90  Packet * const p, Flow * const pflow, const DetectRunScratchpad *scratch);
91 static void DetectRunTx(ThreadVars *tv, DetectEngineCtx *de_ctx,
92  DetectEngineThreadCtx *det_ctx, Packet *p,
93  Flow *f, DetectRunScratchpad *scratch);
94 static void DetectRunFrames(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
95  Packet *p, Flow *f, DetectRunScratchpad *scratch);
96 static inline void DetectRunPostRules(ThreadVars *tv, DetectEngineCtx *de_ctx,
97  DetectEngineThreadCtx *det_ctx, Packet * const p, Flow * const pflow,
98  DetectRunScratchpad *scratch);
99 static void DetectRunCleanup(DetectEngineThreadCtx *det_ctx,
100  Packet *p, Flow * const pflow);
101 
102 /** \internal
103  */
104 static void DetectRun(ThreadVars *th_v,
105  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
106  Packet *p)
107 {
108  SCEnter();
109  SCLogDebug("p->pcap_cnt %" PRIu64 " direction %s pkt_src %s", p->pcap_cnt,
110  p->flow ? (FlowGetPacketDirection(p->flow, p) == TOSERVER ? "toserver" : "toclient")
111  : "noflow",
112  PktSrcToString(p->pkt_src));
113 
114  /* bail early if packet should not be inspected */
115  if (p->flags & PKT_NOPACKET_INSPECTION) {
116  /* nothing to do */
117  SCReturn;
118  }
119 
120  /* Load the Packet's flow early, even though it might not be needed.
121  * Mark as a constant pointer, although the flow itself can change. */
122  Flow * const pflow = p->flow;
123 
124  DetectRunScratchpad scratch = DetectRunSetup(de_ctx, det_ctx, p, pflow);
125 
126  /* run the IPonly engine */
127  DetectRunInspectIPOnly(th_v, de_ctx, det_ctx, pflow, p);
128 
129  /* get our rule group */
130  DetectRunGetRuleGroup(de_ctx, p, pflow, &scratch);
131  /* if we didn't get a sig group head, we
132  * have nothing to do.... */
133  if (scratch.sgh == NULL) {
134  SCLogDebug("no sgh for this packet, nothing to match against");
135  goto end;
136  }
137 
138  /* run the prefilters for packets */
139  DetectRunPrefilterPkt(th_v, de_ctx, det_ctx, p, &scratch);
140 
141  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_RULES);
142  /* inspect the rules against the packet */
143  DetectRulePacketRules(th_v, de_ctx, det_ctx, p, pflow, &scratch);
144  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_RULES);
145 
146  /* run tx/state inspection. Don't call for ICMP error msgs. */
147  if (pflow && pflow->alstate && likely(pflow->proto == p->proto)) {
148  if (p->proto == IPPROTO_TCP) {
149  if ((p->flags & PKT_STREAM_EST) == 0) {
150  goto end;
151  }
152  const TcpSession *ssn = p->flow->protoctx;
153  if (ssn && (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) == 0) {
154  // PACKET_PROFILING_DETECT_START(p, PROF_DETECT_TX);
155  DetectRunFrames(th_v, de_ctx, det_ctx, p, pflow, &scratch);
156  // PACKET_PROFILING_DETECT_END(p, PROF_DETECT_TX);
157  }
158  // no update to transactions
159  if (!PKT_IS_PSEUDOPKT(p) && p->app_update_direction == 0 &&
160  ((PKT_IS_TOSERVER(p) && (p->flow->flags & FLOW_TS_APP_UPDATED) == 0) ||
161  (PKT_IS_TOCLIENT(p) && (p->flow->flags & FLOW_TC_APP_UPDATED) == 0))) {
162  goto end;
163  }
164  } else if (p->proto == IPPROTO_UDP) {
165  DetectRunFrames(th_v, de_ctx, det_ctx, p, pflow, &scratch);
166  }
167 
168  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_TX);
169  DetectRunTx(th_v, de_ctx, det_ctx, p, pflow, &scratch);
170  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_TX);
171  /* see if we need to increment the inspect_id and reset the de_state */
172  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_TX_UPDATE);
173  AppLayerParserSetTransactionInspectId(
174  pflow, pflow->alparser, pflow->alstate, scratch.flow_flags, (scratch.sgh == NULL));
175  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_TX_UPDATE);
176  }
177 
178 end:
179  DetectRunPostRules(th_v, de_ctx, det_ctx, p, pflow, &scratch);
180 
181  DetectRunCleanup(det_ctx, p, pflow);
182  SCReturn;
183 }
184 
185 static void DetectRunPostMatch(ThreadVars *tv,
186  DetectEngineThreadCtx *det_ctx, Packet *p,
187  const Signature *s)
188 {
189  /* run the packet match functions */
190  const SigMatchData *smd = s->sm_arrays[DETECT_SM_LIST_POSTMATCH];
191  if (smd != NULL) {
192  KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_POSTMATCH);
193 
194  SCLogDebug("running match functions, sm %p", smd);
195 
196  while (1) {
197  KEYWORD_PROFILING_START;
198  (void)sigmatch_table[smd->type].Match(det_ctx, p, s, smd->ctx);
199  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
200  if (smd->is_last)
201  break;
202  smd++;
203  }
204  }
205 }
206 
207 /**
208  * \brief Get the SigGroupHead for a packet.
209  *
210  * \param de_ctx detection engine context
211  * \param p packet
212  *
213  * \retval sgh the SigGroupHead or NULL if non applies to the packet
214  */
215 const SigGroupHead *SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx,
216  const Packet *p)
217 {
218  SCEnter();
219  SigGroupHead *sgh = NULL;
220 
221  /* if the packet proto is 0 (not set), we're inspecting it against
222  * the decoder events sgh we have. */
223  if (p->proto == 0 && p->events.cnt > 0) {
224  SCReturnPtr(de_ctx->decoder_event_sgh, "SigGroupHead");
225  } else if (p->proto == 0) {
226  if (!(PacketIsIPv4(p) || PacketIsIPv6(p))) {
227  /* not IP, so nothing to do */
228  SCReturnPtr(NULL, "SigGroupHead");
229  }
230  }
231 
232  /* select the flow_gh */
233  const int dir = (p->flowflags & FLOW_PKT_TOCLIENT) == 0;
234 
235  int proto = PacketGetIPProto(p);
236  if (proto == IPPROTO_TCP) {
237  DetectPort *list = de_ctx->flow_gh[dir].tcp;
238  SCLogDebug("tcp toserver %p, tcp toclient %p: going to use %p", de_ctx->flow_gh[1].tcp,
239  de_ctx->flow_gh[0].tcp, de_ctx->flow_gh[dir].tcp);
240  const uint16_t port = dir ? p->dp : p->sp;
241  SCLogDebug("tcp port %u -> %u:%u", port, p->sp, p->dp);
242  DetectPort *sghport = DetectPortLookupGroup(list, port);
243  if (sghport != NULL)
244  sgh = sghport->sh;
245  SCLogDebug("TCP list %p, port %u, direction %s, sghport %p, sgh %p", list, port,
246  dir ? "toserver" : "toclient", sghport, sgh);
247  } else if (proto == IPPROTO_UDP) {
248  DetectPort *list = de_ctx->flow_gh[dir].udp;
249  uint16_t port = dir ? p->dp : p->sp;
250  DetectPort *sghport = DetectPortLookupGroup(list, port);
251  if (sghport != NULL)
252  sgh = sghport->sh;
253  SCLogDebug("UDP list %p, port %u, direction %s, sghport %p, sgh %p", list, port,
254  dir ? "toserver" : "toclient", sghport, sgh);
255  } else {
256  sgh = de_ctx->flow_gh[dir].sgh[proto];
257  }
258 
259  SCReturnPtr(sgh, "SigGroupHead");
260 }
261 
262 static inline void DetectPrefilterMergeSort(DetectEngineCtx *de_ctx,
263  DetectEngineThreadCtx *det_ctx)
264 {
265  SigIntId mpm, nonmpm;
266  SigIntId *mpm_ptr = det_ctx->pmq.rule_id_array;
267  SigIntId *nonmpm_ptr = det_ctx->non_pf_id_array;
268  uint32_t m_cnt = det_ctx->pmq.rule_id_array_cnt;
269  uint32_t n_cnt = det_ctx->non_pf_id_cnt;
270  SigIntId *final_ptr;
271  uint32_t final_cnt;
272  SigIntId id;
273  SigIntId previous_id = (SigIntId)-1;
274  Signature **sig_array = de_ctx->sig_array;
275  Signature **match_array = det_ctx->match_array;
276  Signature *s;
277 
278  SCLogDebug("PMQ rule id array count %d", det_ctx->pmq.rule_id_array_cnt);
279 
280  /* Load first values. */
281  if (likely(m_cnt)) {
282  mpm = *mpm_ptr;
283  } else {
284  /* mpm list is empty */
285  final_ptr = nonmpm_ptr;
286  final_cnt = n_cnt;
287  goto final;
288  }
289  if (likely(n_cnt)) {
290  nonmpm = *nonmpm_ptr;
291  } else {
292  /* non-mpm list is empty. */
293  final_ptr = mpm_ptr;
294  final_cnt = m_cnt;
295  goto final;
296  }
297  while (1) {
298  if (mpm < nonmpm) {
299  /* Take from mpm list */
300  id = mpm;
301 
302  s = sig_array[id];
303  /* As the mpm list can contain duplicates, check for that here. */
304  if (likely(id != previous_id)) {
305  *match_array++ = s;
306  previous_id = id;
307  }
308  if (unlikely(--m_cnt == 0)) {
309  /* mpm list is now empty */
310  final_ptr = nonmpm_ptr;
311  final_cnt = n_cnt;
312  goto final;
313  }
314  mpm_ptr++;
315  mpm = *mpm_ptr;
316  } else if (mpm > nonmpm) {
317  id = nonmpm;
318 
319  s = sig_array[id];
320  /* As the mpm list can contain duplicates, check for that here. */
321  if (likely(id != previous_id)) {
322  *match_array++ = s;
323  previous_id = id;
324  }
325  if (unlikely(--n_cnt == 0)) {
326  final_ptr = mpm_ptr;
327  final_cnt = m_cnt;
328  goto final;
329  }
330  nonmpm_ptr++;
331  nonmpm = *nonmpm_ptr;
332 
333  } else { /* implied mpm == nonmpm */
334  /* special case: if on both lists, it's a negated mpm pattern */
335 
336  /* mpm list may have dups, so skip past them here */
337  while (--m_cnt != 0) {
338  mpm_ptr++;
339  mpm = *mpm_ptr;
340  if (mpm != nonmpm)
341  break;
342  }
343  /* if mpm is done, update nonmpm_ptrs and jump to final */
344  if (unlikely(m_cnt == 0)) {
345  n_cnt--;
346 
347  /* mpm list is now empty */
348  final_ptr = ++nonmpm_ptr;
349  final_cnt = n_cnt;
350  goto final;
351  }
352  /* otherwise, if nonmpm is done jump to final for mpm
353  * mpm ptrs already updated */
354  if (unlikely(--n_cnt == 0)) {
355  final_ptr = mpm_ptr;
356  final_cnt = m_cnt;
357  goto final;
358  }
359 
360  /* not at end of the lists, update nonmpm. Mpm already
361  * updated in while loop above. */
362  nonmpm_ptr++;
363  nonmpm = *nonmpm_ptr;
364  }
365  }
366 
367  final: /* Only one list remaining. Just walk that list. */
368 
369  while (final_cnt-- > 0) {
370  id = *final_ptr++;
371  s = sig_array[id];
372 
373  /* As the mpm list can contain duplicates, check for that here. */
374  if (likely(id != previous_id)) {
375  *match_array++ = s;
376  previous_id = id;
377  }
378  }
379 
380  det_ctx->match_array_cnt = match_array - det_ctx->match_array;
381  DEBUG_VALIDATE_BUG_ON((det_ctx->pmq.rule_id_array_cnt + det_ctx->non_pf_id_cnt) < det_ctx->match_array_cnt);
382  PMQ_RESET(&det_ctx->pmq);
383 }
384 
385 /** \internal
386  * \brief build non-prefilter list based on the rule group list we've set.
387  */
388 static inline void DetectPrefilterBuildNonPrefilterList(
389  DetectEngineThreadCtx *det_ctx, const SignatureMask mask, const AppProto alproto)
390 {
391  for (uint32_t x = 0; x < det_ctx->non_pf_store_cnt; x++) {
392  /* only if the mask matches this rule can possibly match,
393  * so build the non_mpm array only for match candidates */
394  const SignatureMask rule_mask = det_ctx->non_pf_store_ptr[x].mask;
395  const AppProto rule_alproto = det_ctx->non_pf_store_ptr[x].alproto;
396  if ((rule_mask & mask) == rule_mask &&
397  (rule_alproto == 0 || AppProtoEquals(rule_alproto, alproto))) {
398  det_ctx->non_pf_id_array[det_ctx->non_pf_id_cnt++] = det_ctx->non_pf_store_ptr[x].id;
399  }
400  }
401 }
402 
403 /** \internal
404  * \brief select non-mpm list
405  * Based on the packet properties, select the non-mpm list to use
406  * \todo move non_pf_store* into scratchpad */
407 static inline void
408 DetectPrefilterSetNonPrefilterList(const Packet *p, DetectEngineThreadCtx *det_ctx, DetectRunScratchpad *scratch)
409 {
410  if ((p->proto == IPPROTO_TCP) && PacketIsTCP(p) && (PacketGetTCP(p)->th_flags & TH_SYN)) {
411  det_ctx->non_pf_store_ptr = scratch->sgh->non_pf_syn_store_array;
412  det_ctx->non_pf_store_cnt = scratch->sgh->non_pf_syn_store_cnt;
413  } else {
414  det_ctx->non_pf_store_ptr = scratch->sgh->non_pf_other_store_array;
415  det_ctx->non_pf_store_cnt = scratch->sgh->non_pf_other_store_cnt;
416  }
417  SCLogDebug("sgh non_pf ptr %p cnt %u (syn %p/%u, other %p/%u)",
418  det_ctx->non_pf_store_ptr, det_ctx->non_pf_store_cnt,
419  scratch->sgh->non_pf_syn_store_array, scratch->sgh->non_pf_syn_store_cnt,
420  scratch->sgh->non_pf_other_store_array, scratch->sgh->non_pf_other_store_cnt);
421 }
422 
423 /** \internal
424  * \brief update flow's file tracking flags based on the detection engine
425  * A set of flags is prepared that is sent to the File API. The
426  File API may reject one or more based on the global force settings.
427  */
428 static inline void
429 DetectPostInspectFileFlagsUpdate(Flow *f, const SigGroupHead *sgh, uint8_t direction)
430 {
431  uint16_t flow_file_flags = FLOWFILE_INIT;
432 
433  if (sgh == NULL) {
434  SCLogDebug("requesting disabling all file features for flow");
435  flow_file_flags = FLOWFILE_NONE;
436  } else {
437  if (sgh->filestore_cnt == 0) {
438  SCLogDebug("requesting disabling filestore for flow");
439  flow_file_flags |= (FLOWFILE_NO_STORE_TS|FLOWFILE_NO_STORE_TC);
440  }
441 #ifdef HAVE_MAGIC
442  if (!(sgh->flags & SIG_GROUP_HEAD_HAVEFILEMAGIC)) {
443  SCLogDebug("requesting disabling magic for flow");
444  flow_file_flags |= (FLOWFILE_NO_MAGIC_TS|FLOWFILE_NO_MAGIC_TC);
445  }
446 #endif
447  if (!(sgh->flags & SIG_GROUP_HEAD_HAVEFILEMD5)) {
448  SCLogDebug("requesting disabling md5 for flow");
449  flow_file_flags |= (FLOWFILE_NO_MD5_TS|FLOWFILE_NO_MD5_TC);
450  }
451  if (!(sgh->flags & SIG_GROUP_HEAD_HAVEFILESHA1)) {
452  SCLogDebug("requesting disabling sha1 for flow");
453  flow_file_flags |= (FLOWFILE_NO_SHA1_TS|FLOWFILE_NO_SHA1_TC);
454  }
455  if (!(sgh->flags & SIG_GROUP_HEAD_HAVEFILESHA256)) {
456  SCLogDebug("requesting disabling sha256 for flow");
457  flow_file_flags |= (FLOWFILE_NO_SHA256_TS|FLOWFILE_NO_SHA256_TC);
458  }
459  if (!(sgh->flags & SIG_GROUP_HEAD_HAVEFILESIZE)) {
460  SCLogDebug("requesting disabling filesize for flow");
461  flow_file_flags |= (FLOWFILE_NO_SIZE_TS|FLOWFILE_NO_SIZE_TC);
462  }
463  }
464  if (flow_file_flags != 0) {
465  FileUpdateFlowFileFlags(f, flow_file_flags, direction);
466  }
467 }
468 
469 static inline void
470 DetectRunPostGetFirstRuleGroup(const Packet *p, Flow *pflow, const SigGroupHead *sgh)
471 {
472  if ((p->flowflags & FLOW_PKT_TOSERVER) && !(pflow->flags & FLOW_SGH_TOSERVER)) {
473  /* first time we see this toserver sgh, store it */
474  pflow->sgh_toserver = sgh;
475  pflow->flags |= FLOW_SGH_TOSERVER;
476 
477  if (p->proto == IPPROTO_TCP && (sgh == NULL || !(sgh->flags & SIG_GROUP_HEAD_HAVERAWSTREAM))) {
478  if (pflow->protoctx != NULL) {
479  TcpSession *ssn = pflow->protoctx;
480  SCLogDebug("STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.client");
481  ssn->client.flags |= STREAMTCP_STREAM_FLAG_DISABLE_RAW;
482  }
483  }
484 
485  DetectPostInspectFileFlagsUpdate(pflow,
486  pflow->sgh_toserver, STREAM_TOSERVER);
487 
488  } else if ((p->flowflags & FLOW_PKT_TOCLIENT) && !(pflow->flags & FLOW_SGH_TOCLIENT)) {
489  pflow->sgh_toclient = sgh;
490  pflow->flags |= FLOW_SGH_TOCLIENT;
491 
492  if (p->proto == IPPROTO_TCP && (sgh == NULL || !(sgh->flags & SIG_GROUP_HEAD_HAVERAWSTREAM))) {
493  if (pflow->protoctx != NULL) {
494  TcpSession *ssn = pflow->protoctx;
495  SCLogDebug("STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.server");
496  ssn->server.flags |= STREAMTCP_STREAM_FLAG_DISABLE_RAW;
497  }
498  }
499 
500  DetectPostInspectFileFlagsUpdate(pflow,
501  pflow->sgh_toclient, STREAM_TOCLIENT);
502  }
503 }
504 
505 static inline void DetectRunGetRuleGroup(
506  const DetectEngineCtx *de_ctx,
507  Packet * const p, Flow * const pflow,
508  DetectRunScratchpad *scratch)
509 {
510  const SigGroupHead *sgh = NULL;
511 
512  if (pflow) {
513  bool use_flow_sgh = false;
514  /* Get the stored sgh from the flow (if any). Make sure we're not using
515  * the sgh for icmp error packets part of the same stream. */
516  if (PacketGetIPProto(p) == pflow->proto) { /* filter out icmp */
517  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);
518  if ((p->flowflags & FLOW_PKT_TOSERVER) && (pflow->flags & FLOW_SGH_TOSERVER)) {
519  sgh = pflow->sgh_toserver;
520  SCLogDebug("sgh = pflow->sgh_toserver; => %p", sgh);
521  use_flow_sgh = true;
522  } else if ((p->flowflags & FLOW_PKT_TOCLIENT) && (pflow->flags & FLOW_SGH_TOCLIENT)) {
523  sgh = pflow->sgh_toclient;
524  SCLogDebug("sgh = pflow->sgh_toclient; => %p", sgh);
525  use_flow_sgh = true;
526  }
527  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);
528  }
529 
530  if (!(use_flow_sgh)) {
531  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);
532  sgh = SigMatchSignaturesGetSgh(de_ctx, p);
533  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);
534 
535  /* HACK: prevent the wrong sgh (or NULL) from being stored in the
536  * flow's sgh pointers */
537  if (PacketIsICMPv4(p) && ICMPV4_DEST_UNREACH_IS_VALID(p)) {
538  ; /* no-op */
539  } else {
540  /* store the found sgh (or NULL) in the flow to save us
541  * from looking it up again for the next packet.
542  * Also run other tasks */
543  DetectRunPostGetFirstRuleGroup(p, pflow, sgh);
544  }
545  }
546  } else { /* p->flags & PKT_HAS_FLOW */
547  /* no flow */
548 
549  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);
550  sgh = SigMatchSignaturesGetSgh(de_ctx, p);
551  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);
552  }
553 
554  scratch->sgh = sgh;
555 }
556 
557 static void DetectRunInspectIPOnly(ThreadVars *tv, const DetectEngineCtx *de_ctx,
558  DetectEngineThreadCtx *det_ctx,
559  Flow * const pflow, Packet * const p)
560 {
561  if (pflow) {
562  /* set the iponly stuff */
563  if (pflow->flags & FLOW_TOCLIENT_IPONLY_SET)
564  p->flowflags |= FLOW_PKT_TOCLIENT_IPONLY_SET;
565  if (pflow->flags & FLOW_TOSERVER_IPONLY_SET)
566  p->flowflags |= FLOW_PKT_TOSERVER_IPONLY_SET;
567 
568  if (((p->flowflags & FLOW_PKT_TOSERVER) && !(p->flowflags & FLOW_PKT_TOSERVER_IPONLY_SET)) ||
569  ((p->flowflags & FLOW_PKT_TOCLIENT) && !(p->flowflags & FLOW_PKT_TOCLIENT_IPONLY_SET)))
570  {
571  SCLogDebug("testing against \"ip-only\" signatures");
572 
573  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_IPONLY);
574  IPOnlyMatchPacket(tv, de_ctx, det_ctx, &de_ctx->io_ctx, p);
575  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_IPONLY);
576 
577  /* save in the flow that we scanned this direction... */
578  FlowSetIPOnlyFlag(pflow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
579  }
580  } else { /* p->flags & PKT_HAS_FLOW */
581  /* no flow */
582 
583  /* Even without flow we should match the packet src/dst */
584  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_IPONLY);
585  IPOnlyMatchPacket(tv, de_ctx, det_ctx, &de_ctx->io_ctx, p);
586  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_IPONLY);
587  }
588 }
589 
590 /** \internal
591  * \brief inspect the rule header: protocol, ports, etc
592  * \retval bool false if no match, true if match */
593 static inline bool DetectRunInspectRuleHeader(const Packet *p, const Flow *f, const Signature *s,
594  const uint32_t sflags, const uint8_t s_proto_flags)
595 {
596  /* check if this signature has a requirement for flowvars of some type
597  * and if so, if we actually have any in the flow. If not, the sig
598  * can't match and we skip it. */
599  if ((p->flags & PKT_HAS_FLOW) && (sflags & SIG_FLAG_REQUIRE_FLOWVAR)) {
600  DEBUG_VALIDATE_BUG_ON(f == NULL);
601 
602  /* no flowvars? skip this sig */
603  const bool fv = f->flowvar != NULL;
604  if (fv == false) {
605  SCLogDebug("skipping sig as the flow has no flowvars and sig "
606  "has SIG_FLAG_REQUIRE_FLOWVAR flag set.");
607  return false;
608  }
609  }
610 
611  if ((s_proto_flags & DETECT_PROTO_IPV4) && !PacketIsIPv4(p)) {
612  SCLogDebug("ip version didn't match");
613  return false;
614  }
615  if ((s_proto_flags & DETECT_PROTO_IPV6) && !PacketIsIPv6(p)) {
616  SCLogDebug("ip version didn't match");
617  return false;
618  }
619 
620  if (DetectProtoContainsProto(&s->proto, PacketGetIPProto(p)) == 0) {
621  SCLogDebug("proto didn't match");
622  return false;
623  }
624 
625  /* check the source & dst port in the sig */
626  if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP || p->proto == IPPROTO_SCTP) {
627  if (!(sflags & SIG_FLAG_DP_ANY)) {
628  if (p->flags & PKT_IS_FRAGMENT)
629  return false;
630  const DetectPort *dport = DetectPortLookupGroup(s->dp, p->dp);
631  if (dport == NULL) {
632  SCLogDebug("dport didn't match.");
633  return false;
634  }
635  }
636  if (!(sflags & SIG_FLAG_SP_ANY)) {
637  if (p->flags & PKT_IS_FRAGMENT)
638  return false;
639  const DetectPort *sport = DetectPortLookupGroup(s->sp, p->sp);
640  if (sport == NULL) {
641  SCLogDebug("sport didn't match.");
642  return false;
643  }
644  }
645  } else if ((sflags & (SIG_FLAG_DP_ANY|SIG_FLAG_SP_ANY)) != (SIG_FLAG_DP_ANY|SIG_FLAG_SP_ANY)) {
646  SCLogDebug("port-less protocol and sig needs ports");
647  return false;
648  }
649 
650  /* check the destination address */
651  if (!(sflags & SIG_FLAG_DST_ANY)) {
652  if (PacketIsIPv4(p)) {
653  if (DetectAddressMatchIPv4(s->addr_dst_match4, s->addr_dst_match4_cnt, &p->dst) == 0)
654  return false;
655  } else if (PacketIsIPv6(p)) {
656  if (DetectAddressMatchIPv6(s->addr_dst_match6, s->addr_dst_match6_cnt, &p->dst) == 0)
657  return false;
658  }
659  }
660  /* check the source address */
661  if (!(sflags & SIG_FLAG_SRC_ANY)) {
662  if (PacketIsIPv4(p)) {
663  if (DetectAddressMatchIPv4(s->addr_src_match4, s->addr_src_match4_cnt, &p->src) == 0)
664  return false;
665  } else if (PacketIsIPv6(p)) {
666  if (DetectAddressMatchIPv6(s->addr_src_match6, s->addr_src_match6_cnt, &p->src) == 0)
667  return false;
668  }
669  }
670 
671  return true;
672 }
673 
674 /** \internal
675  * \brief run packet/stream prefilter engines
676  */
677 static inline void DetectRunPrefilterPkt(
678  ThreadVars *tv,
679  DetectEngineCtx *de_ctx,
680  DetectEngineThreadCtx *det_ctx,
681  Packet *p,
682  DetectRunScratchpad *scratch
683 )
684 {
685  DetectPrefilterSetNonPrefilterList(p, det_ctx, scratch);
686 
687  /* create our prefilter mask */
688  PacketCreateMask(p, &scratch->pkt_mask, scratch->alproto, scratch->app_decoder_events);
689 
690  /* build and prefilter non_pf list against the mask of the packet */
691  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_NONMPMLIST);
692  det_ctx->non_pf_id_cnt = 0;
693  if (likely(det_ctx->non_pf_store_cnt > 0)) {
694  DetectPrefilterBuildNonPrefilterList(det_ctx, scratch->pkt_mask, scratch->alproto);
695  }
696  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_NONMPMLIST);
697 
698  /* run the prefilter engines */
699  Prefilter(det_ctx, scratch->sgh, p, scratch->flow_flags, scratch->pkt_mask);
700  /* create match list if we have non-pf and/or pf */
701  if (det_ctx->non_pf_store_cnt || det_ctx->pmq.rule_id_array_cnt) {
702 #ifdef PROFILING
703  if (tv) {
704  StatsAddUI64(tv, det_ctx->counter_mpm_list, (uint64_t)det_ctx->pmq.rule_id_array_cnt);
705  }
706 #endif
707  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PF_SORT2);
708  DetectPrefilterMergeSort(de_ctx, det_ctx);
709  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PF_SORT2);
710  }
711 
712 #ifdef PROFILING
713  if (tv) {
714  StatsAddUI64(tv, det_ctx->counter_nonmpm_list,
715  (uint64_t)det_ctx->non_pf_store_cnt);
716  /* non mpm sigs after mask prefilter */
717  StatsAddUI64(tv, det_ctx->counter_fnonmpm_list,
718  (uint64_t)det_ctx->non_pf_id_cnt);
719  }
720 #endif
721 }
722 
723 static inline void DetectRulePacketRules(
724  ThreadVars * const tv,
725  DetectEngineCtx * const de_ctx,
726  DetectEngineThreadCtx * const det_ctx,
727  Packet * const p,
728  Flow * const pflow,
729  const DetectRunScratchpad *scratch
730 )
731 {
732  const Signature *next_s = NULL;
733 
734  /* inspect the sigs against the packet */
735  /* Prefetch the next signature. */
736  SigIntId match_cnt = det_ctx->match_array_cnt;
737 #ifdef PROFILING
738  if (tv) {
739  StatsAddUI64(tv, det_ctx->counter_match_list,
740  (uint64_t)match_cnt);
741  }
742 #endif
743  Signature **match_array = det_ctx->match_array;
744 
745  SGH_PROFILING_RECORD(det_ctx, scratch->sgh);
746 #ifdef PROFILING
747  if (match_cnt >= de_ctx->profile_match_logging_threshold)
748  RulesDumpMatchArray(det_ctx, scratch->sgh, p);
749 #endif
750 
751  uint32_t sflags, next_sflags = 0;
752  if (match_cnt) {
753  next_s = *match_array++;
754  next_sflags = next_s->flags;
755  }
756  while (match_cnt--) {
757  RULE_PROFILING_START(p);
758  uint8_t alert_flags = 0;
759 #ifdef PROFILE_RULES
760  bool smatch = false; /* signature match */
761 #endif
762  const Signature *s = next_s;
763  sflags = next_sflags;
764  if (match_cnt) {
765  next_s = *match_array++;
766  next_sflags = next_s->flags;
767  }
768  const uint8_t s_proto_flags = s->proto.flags;
769 
770  SCLogDebug("inspecting signature id %"PRIu32"", s->id);
771 
772  if (s->app_inspect != NULL) {
773  goto next; // handle sig in DetectRunTx
774  }
775  if (s->frame_inspect != NULL) {
776  goto next; // handle sig in DetectRunFrame
777  }
778 
779  /* don't run mask check for stateful rules.
780  * There we depend on prefilter */
781  if ((s->mask & scratch->pkt_mask) != s->mask) {
782  SCLogDebug("mask mismatch %x & %x != %x", s->mask, scratch->pkt_mask, s->mask);
783  goto next;
784  }
785 
786  if (SigDsizePrefilter(p, s, sflags))
787  goto next;
788 
789  /* if the sig has alproto and the session as well they should match */
790  if (likely(sflags & SIG_FLAG_APPLAYER)) {
791  if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, scratch->alproto)) {
792  SCLogDebug("alproto mismatch");
793  goto next;
794  }
795  }
796 
797  if (DetectRunInspectRuleHeader(p, pflow, s, sflags, s_proto_flags) == false) {
798  goto next;
799  }
800 
801  if (DetectEnginePktInspectionRun(tv, det_ctx, s, pflow, p, &alert_flags) == false) {
802  goto next;
803  }
804 
805 #ifdef PROFILE_RULES
806  smatch = true;
807 #endif
808  DetectRunPostMatch(tv, det_ctx, p, s);
809 
810  uint64_t txid = PACKET_ALERT_NOTX;
811  if ((alert_flags & PACKET_ALERT_FLAG_STREAM_MATCH) ||
812  (s->alproto != ALPROTO_UNKNOWN && pflow->proto == IPPROTO_UDP)) {
813  // if there is a stream match (TCP), or
814  // a UDP specific app-layer signature,
815  // try to use the good tx for the packet direction
816  if (pflow->alstate) {
817  uint8_t dir =
818  (p->flowflags & FLOW_PKT_TOCLIENT) ? STREAM_TOCLIENT : STREAM_TOSERVER;
819  txid = AppLayerParserGetTransactionInspectId(pflow->alparser, dir);
820  alert_flags |= PACKET_ALERT_FLAG_TX;
821  }
822  }
823  AlertQueueAppend(det_ctx, s, p, txid, alert_flags);
824 next:
825  DetectVarProcessList(det_ctx, pflow, p);
826  DetectReplaceFree(det_ctx);
827  RULE_PROFILING_END(det_ctx, s, smatch, p);
828  continue;
829  }
830 }
831 
832 static DetectRunScratchpad DetectRunSetup(
833  const DetectEngineCtx *de_ctx,
834  DetectEngineThreadCtx *det_ctx,
835  Packet * const p, Flow * const pflow)
836 {
837  AppProto alproto = ALPROTO_UNKNOWN;
838  uint8_t flow_flags = 0; /* flow/state flags */
839  bool app_decoder_events = false;
840 
841  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_SETUP);
842 
843 #ifdef UNITTESTS
844  p->alerts.cnt = 0;
845  p->alerts.discarded = 0;
846  p->alerts.suppressed = 0;
847 #endif
848  det_ctx->filestore_cnt = 0;
849  det_ctx->base64_decoded_len = 0;
850  det_ctx->raw_stream_progress = 0;
851  det_ctx->match_array_cnt = 0;
852 
853  det_ctx->alert_queue_size = 0;
854  p->alerts.drop.action = 0;
855 
856 #ifdef DEBUG
857  if (p->flags & PKT_STREAM_ADD) {
858  det_ctx->pkt_stream_add_cnt++;
859  }
860 #endif
861 
862  /* grab the protocol state we will detect on */
863  if (p->flags & PKT_HAS_FLOW) {
864  DEBUG_VALIDATE_BUG_ON(pflow == NULL);
865 
866  if (p->flowflags & FLOW_PKT_TOSERVER) {
867  flow_flags = STREAM_TOSERVER;
868  SCLogDebug("flag STREAM_TOSERVER set");
869  } else if (p->flowflags & FLOW_PKT_TOCLIENT) {
870  flow_flags = STREAM_TOCLIENT;
871  SCLogDebug("flag STREAM_TOCLIENT set");
872  }
873  SCLogDebug("p->flowflags 0x%02x", p->flowflags);
874 
875  if (p->flags & PKT_STREAM_EOF) {
876  flow_flags |= STREAM_EOF;
877  SCLogDebug("STREAM_EOF set");
878  }
879 
880  /* store tenant_id in the flow so that we can use it
881  * for creating pseudo packets */
882  if (p->tenant_id > 0 && pflow->tenant_id == 0) {
883  pflow->tenant_id = p->tenant_id;
884  }
885 
886  /* live ruleswap check for flow updates */
887  if (pflow->de_ctx_version == 0) {
888  /* first time this flow is inspected, set id */
889  pflow->de_ctx_version = de_ctx->version;
890  } else if (pflow->de_ctx_version != de_ctx->version) {
891  /* first time we inspect flow with this de_ctx, reset */
892  pflow->flags &= ~FLOW_SGH_TOSERVER;
893  pflow->flags &= ~FLOW_SGH_TOCLIENT;
894  pflow->sgh_toserver = NULL;
895  pflow->sgh_toclient = NULL;
896 
897  pflow->de_ctx_version = de_ctx->version;
898  GenericVarFree(pflow->flowvar);
899  pflow->flowvar = NULL;
900 
901  DetectEngineStateResetTxs(pflow);
902  }
903 
904  /* Retrieve the app layer state and protocol and the tcp reassembled
905  * stream chunks. */
906  if ((p->proto == IPPROTO_TCP && (p->flags & PKT_STREAM_EST)) ||
907  (p->proto == IPPROTO_UDP) ||
908  (p->proto == IPPROTO_SCTP && (p->flowflags & FLOW_PKT_ESTABLISHED)))
909  {
910  /* update flow flags with knowledge on disruptions */
911  flow_flags = FlowGetDisruptionFlags(pflow, flow_flags);
912  alproto = FlowGetAppProtocol(pflow);
913  if (p->proto == IPPROTO_TCP && pflow->protoctx &&
914  StreamReassembleRawHasDataReady(pflow->protoctx, p)) {
915  p->flags |= PKT_DETECT_HAS_STREAMDATA;
916  }
917  SCLogDebug("alproto %u", alproto);
918  } else {
919  SCLogDebug("packet doesn't have established flag set (proto %d)", p->proto);
920  }
921 
922  app_decoder_events = AppLayerParserHasDecoderEvents(pflow->alparser);
923  }
924 
925  DetectRunScratchpad pad = { alproto, flow_flags, app_decoder_events, NULL, 0 };
926  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_SETUP);
927  return pad;
928 }
929 
930 static inline void DetectRunPostRules(
931  ThreadVars *tv,
932  DetectEngineCtx *de_ctx,
933  DetectEngineThreadCtx *det_ctx,
934  Packet * const p,
935  Flow * const pflow,
936  DetectRunScratchpad *scratch)
937 {
938  /* so now let's iterate the alerts and remove the ones after a pass rule
939  * matched (if any). This is done inside PacketAlertFinalize() */
940  /* PR: installed "tag" keywords are handled after the threshold inspection */
941 
942  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_ALERT);
943  PacketAlertFinalize(de_ctx, det_ctx, p);
944  if (p->alerts.cnt > 0) {
945  StatsAddUI64(tv, det_ctx->counter_alerts, (uint64_t)p->alerts.cnt);
946  }
947  if (p->alerts.discarded > 0) {
948  StatsAddUI64(tv, det_ctx->counter_alerts_overflow, (uint64_t)p->alerts.discarded);
949  }
950  if (p->alerts.suppressed > 0) {
951  StatsAddUI64(tv, det_ctx->counter_alerts_suppressed, (uint64_t)p->alerts.suppressed);
952  }
953  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_ALERT);
954 }
955 
956 static void DetectRunCleanup(DetectEngineThreadCtx *det_ctx,
957  Packet *p, Flow * const pflow)
958 {
959  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_CLEANUP);
960  InspectionBufferClean(det_ctx);
961 
962  if (pflow != NULL) {
963  /* update inspected tracker for raw reassembly */
964  if (p->proto == IPPROTO_TCP && pflow->protoctx != NULL &&
965  (p->flags & PKT_DETECT_HAS_STREAMDATA)) {
966  StreamReassembleRawUpdateProgress(pflow->protoctx, p,
967  det_ctx->raw_stream_progress);
968  }
969  }
970  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_CLEANUP);
971  SCReturn;
972 }
973 
974 void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size)
975 {
976  DEBUG_VALIDATE_BUG_ON(det_ctx->tx_candidates);
977  det_ctx->tx_candidates = SCCalloc(size, sizeof(RuleMatchCandidateTx));
978  if (det_ctx->tx_candidates == NULL) {
979  FatalError("failed to allocate %" PRIu64 " bytes",
980  (uint64_t)(size * sizeof(RuleMatchCandidateTx)));
981  }
982  det_ctx->tx_candidates_size = size;
983  SCLogDebug("array initialized to %u elements (%"PRIu64" bytes)",
984  size, (uint64_t)(size * sizeof(RuleMatchCandidateTx)));
985 }
986 
987 void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx)
988 {
989  SCFree(det_ctx->tx_candidates);
990  det_ctx->tx_candidates_size = 0;
991 }
992 
993 /* if size >= cur_space */
994 static inline bool RuleMatchCandidateTxArrayHasSpace(const DetectEngineThreadCtx *det_ctx,
995  const uint32_t need)
996 {
997  if (det_ctx->tx_candidates_size >= need)
998  return 1;
999  return 0;
1000 }
1001 
1002 /* realloc */
1003 static int RuleMatchCandidateTxArrayExpand(DetectEngineThreadCtx *det_ctx, const uint32_t needed)
1004 {
1005  const uint32_t old_size = det_ctx->tx_candidates_size;
1006  uint32_t new_size = needed;
1007  void *ptmp = SCRealloc(det_ctx->tx_candidates, (new_size * sizeof(RuleMatchCandidateTx)));
1008  if (ptmp == NULL) {
1009  FatalError("failed to expand to %" PRIu64 " bytes",
1010  (uint64_t)(new_size * sizeof(RuleMatchCandidateTx)));
1011  // TODO can this be handled more gracefully?
1012  }
1013  det_ctx->tx_candidates = ptmp;
1014  det_ctx->tx_candidates_size = new_size;
1015  SCLogDebug("array expanded from %u to %u elements (%"PRIu64" bytes -> %"PRIu64" bytes)",
1016  old_size, new_size, (uint64_t)(old_size * sizeof(RuleMatchCandidateTx)),
1017  (uint64_t)(new_size * sizeof(RuleMatchCandidateTx))); (void)old_size;
1018  return 1;
1019 }
1020 
1021 /** \internal
1022  * \brief sort helper for sorting match candidates by id: ascending
1023  *
1024  * The id field is set from Signature::num, so we sort the candidates to match the signature
1025  * sort order (ascending), where candidates that have flags go first.
1026  */
1027 static int
1028 DetectRunTxSortHelper(const void *a, const void *b)
1029 {
1030  const RuleMatchCandidateTx *s0 = a;
1031  const RuleMatchCandidateTx *s1 = b;
1032  if (s1->id == s0->id) {
1033  if (s1->flags && !s0->flags)
1034  return 1;
1035  else if (!s1->flags && s0->flags)
1036  return -1;
1037  return 0;
1038  } else
1039  return s0->id > s1->id ? 1 : -1;
1040 }
1041 
1042 #if 0
1043 #define TRACE_SID_TXS(sid,txs,...) \
1044  do { \
1045  char _trace_buf[2048]; \
1046  snprintf(_trace_buf, sizeof(_trace_buf), __VA_ARGS__); \
1047  SCLogNotice("%p/%"PRIu64"/%u: %s", txs->tx_ptr, txs->tx_id, sid, _trace_buf); \
1048  } while(0)
1049 #else
1050 #define TRACE_SID_TXS(sid,txs,...)
1051 #endif
1052 
1053 // Get inner transaction for engine
1054 void *DetectGetInnerTx(void *tx_ptr, AppProto alproto, AppProto engine_alproto, uint8_t flow_flags)
1055 {
1056  if (unlikely(alproto == ALPROTO_DOH2)) {
1057  if (engine_alproto == ALPROTO_DNS) {
1058  // need to get the dns tx pointer
1059  tx_ptr = SCDoH2GetDnsTx(tx_ptr, flow_flags);
1060  } else if (engine_alproto != ALPROTO_HTTP2) {
1061  // incompatible engine->alproto with flow alproto
1062  tx_ptr = NULL;
1063  }
1064  } else if (engine_alproto != alproto) {
1065  // incompatible engine->alproto with flow alproto
1066  tx_ptr = NULL;
1067  }
1068  return tx_ptr;
1069 }
1070 
1071 /** \internal
1072  * \brief inspect a rule against a transaction
1073  *
1074  * Inspect a rule. New detection or continued stateful
1075  * detection.
1076  *
1077  * \param stored_flags pointer to stored flags or NULL.
1078  * If stored_flags is set it means we're continuing
1079  * inspection from an earlier run.
1080  *
1081  * \retval bool true sig matched, false didn't match
1082  */
1083 static bool DetectRunTxInspectRule(ThreadVars *tv,
1084  DetectEngineCtx *de_ctx,
1085  DetectEngineThreadCtx *det_ctx,
1086  Packet *p,
1087  Flow *f,
1088  const uint8_t in_flow_flags, // direction, EOF, etc
1089  void *alstate,
1090  DetectTransaction *tx,
1091  const Signature *s,
1092  uint32_t *stored_flags,
1093  RuleMatchCandidateTx *can,
1094  DetectRunScratchpad *scratch)
1095 {
1096  const uint8_t flow_flags = in_flow_flags;
1097  const int direction = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
1098  uint32_t inspect_flags = stored_flags ? *stored_flags : 0;
1099  int total_matches = 0;
1100  uint16_t file_no_match = 0;
1101  bool retval = false;
1102  bool mpm_before_progress = false; // is mpm engine before progress?
1103  bool mpm_in_progress = false; // is mpm engine in a buffer we will revisit?
1104 
1105  TRACE_SID_TXS(s->id, tx, "starting %s", direction ? "toclient" : "toserver");
1106 
1107  /* for a new inspection we inspect pkt header and packet matches */
1108  if (likely(stored_flags == NULL)) {
1109  TRACE_SID_TXS(s->id, tx, "first inspect, run packet matches");
1110  if (DetectRunInspectRuleHeader(p, f, s, s->flags, s->proto.flags) == false) {
1111  TRACE_SID_TXS(s->id, tx, "DetectRunInspectRuleHeader() no match");
1112  return false;
1113  }
1114  if (DetectEnginePktInspectionRun(tv, det_ctx, s, f, p, NULL) == false) {
1115  TRACE_SID_TXS(s->id, tx, "DetectEnginePktInspectionRun no match");
1116  return false;
1117  }
1118  /* stream mpm and negated mpm sigs can end up here with wrong proto */
1119  if (!(AppProtoEquals(s->alproto, f->alproto) || s->alproto == ALPROTO_UNKNOWN)) {
1120  TRACE_SID_TXS(s->id, tx, "alproto mismatch");
1121  return false;
1122  }
1123  }
1124 
1125  const DetectEngineAppInspectionEngine *engine = s->app_inspect;
1126  do {
1127  TRACE_SID_TXS(s->id, tx, "engine %p inspect_flags %x", engine, inspect_flags);
1128  if (!(inspect_flags & BIT_U32(engine->id)) &&
1129  direction == engine->dir)
1130  {
1131  void *tx_ptr = DetectGetInnerTx(tx->tx_ptr, f->alproto, engine->alproto, flow_flags);
1132  if (tx_ptr == NULL) {
1133  if (engine->alproto != ALPROTO_UNKNOWN) {
1134  /* special case: file_data on 'alert tcp' will have engines
1135  * in the list that are not for us. */
1136  engine = engine->next;
1137  continue;
1138  } else {
1139  tx_ptr = tx->tx_ptr;
1140  }
1141  }
1142 
1143  /* engines are sorted per progress, except that the one with
1144  * mpm/prefilter enabled is first */
1145  if (tx->tx_progress < engine->progress) {
1146  SCLogDebug("tx progress %d < engine progress %d",
1147  tx->tx_progress, engine->progress);
1148  break;
1149  }
1150  if (engine->mpm) {
1151  if (tx->tx_progress > engine->progress) {
1152  TRACE_SID_TXS(s->id, tx,
1153  "engine->mpm: t->tx_progress %u > engine->progress %u, so set "
1154  "mpm_before_progress",
1155  tx->tx_progress, engine->progress);
1156  mpm_before_progress = true;
1157  } else if (tx->tx_progress == engine->progress) {
1158  TRACE_SID_TXS(s->id, tx,
1159  "engine->mpm: t->tx_progress %u == engine->progress %u, so set "
1160  "mpm_in_progress",
1161  tx->tx_progress, engine->progress);
1162  mpm_in_progress = true;
1163  }
1164  }
1165 
1166  /* run callback: but bypass stream callback if we can */
1167  uint8_t match;
1168  if (unlikely(engine->stream && can->stream_stored)) {
1169  match = can->stream_result;
1170  TRACE_SID_TXS(s->id, tx, "stream skipped, stored result %d used instead", match);
1171  } else {
1172  KEYWORD_PROFILING_SET_LIST(det_ctx, engine->sm_list);
1173  DEBUG_VALIDATE_BUG_ON(engine->v2.Callback == NULL);
1174  match = engine->v2.Callback(
1175  de_ctx, det_ctx, engine, s, f, flow_flags, alstate, tx_ptr, tx->tx_id);
1176  TRACE_SID_TXS(s->id, tx, "engine %p match %d", engine, match);
1177  if (engine->stream) {
1178  can->stream_stored = true;
1179  can->stream_result = match;
1180  TRACE_SID_TXS(s->id, tx, "stream ran, store result %d for next tx (if any)", match);
1181  }
1182  }
1183  if (match == DETECT_ENGINE_INSPECT_SIG_MATCH) {
1184  inspect_flags |= BIT_U32(engine->id);
1185  engine = engine->next;
1186  total_matches++;
1187  continue;
1188  } else if (match == DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES) {
1189  /* if the file engine matched, but indicated more
1190  * files are still in progress, we don't set inspect
1191  * flags as these would end inspection for this tx */
1192  engine = engine->next;
1193  total_matches++;
1194  continue;
1195  } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) {
1196  inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
1197  inspect_flags |= BIT_U32(engine->id);
1198  } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES) {
1199  inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
1200  inspect_flags |= BIT_U32(engine->id);
1201  file_no_match = 1;
1202  }
1203  /* implied DETECT_ENGINE_INSPECT_SIG_NO_MATCH */
1204  if (engine->mpm && mpm_before_progress) {
1205  inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
1206  inspect_flags |= BIT_U32(engine->id);
1207  }
1208  break;
1209  }
1210  engine = engine->next;
1211  } while (engine != NULL);
1212  TRACE_SID_TXS(s->id, tx, "inspect_flags %x, total_matches %u, engine %p",
1213  inspect_flags, total_matches, engine);
1214 
1215  if (engine == NULL && total_matches) {
1216  inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;
1217  TRACE_SID_TXS(s->id, tx, "MATCH");
1218  retval = true;
1219  }
1220 
1221  if (stored_flags) {
1222  *stored_flags = inspect_flags;
1223  TRACE_SID_TXS(s->id, tx, "continue inspect flags %08x", inspect_flags);
1224  } else {
1225  // store... or? If tx is done we might not want to come back to this tx
1226 
1227  // also... if mpmid tracking is enabled, we won't do a sig again for this tx...
1228  TRACE_SID_TXS(s->id, tx, "start inspect flags %08x", inspect_flags);
1229  if (inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH) {
1230  if (file_no_match) {
1231  /* if we have a mismatch on a file sig, we need to keep state.
1232  * We may get another file on the same tx (for http and smtp
1233  * at least), so for a new file we need to re-eval the sig.
1234  * Thoughts / TODO:
1235  * - not for some protos that have 1 file per tx (e.g. nfs)
1236  * - maybe we only need this for file sigs that mix with
1237  * other matches? E.g. 'POST + filename', is different than
1238  * just 'filename'.
1239  */
1240  DetectRunStoreStateTx(scratch->sgh, f, tx->tx_ptr, tx->tx_id, s,
1241  inspect_flags, flow_flags, file_no_match);
1242  }
1243  } else if ((inspect_flags & DE_STATE_FLAG_FULL_INSPECT) && mpm_before_progress) {
1244  TRACE_SID_TXS(s->id, tx, "no need to store match sig, "
1245  "mpm won't trigger for it anymore");
1246 
1247  if (inspect_flags & DE_STATE_FLAG_FILE_INSPECT) {
1248  TRACE_SID_TXS(s->id, tx, "except that for new files, "
1249  "we may have to revisit anyway");
1250  DetectRunStoreStateTx(scratch->sgh, f, tx->tx_ptr, tx->tx_id, s,
1251  inspect_flags, flow_flags, file_no_match);
1252  }
1253  } else if ((inspect_flags & DE_STATE_FLAG_FULL_INSPECT) == 0 && mpm_in_progress) {
1254  TRACE_SID_TXS(s->id, tx, "no need to store no-match sig, "
1255  "mpm will revisit it");
1256  } else if (inspect_flags != 0 || file_no_match != 0) {
1257  TRACE_SID_TXS(s->id, tx, "storing state: flags %08x", inspect_flags);
1258  DetectRunStoreStateTx(scratch->sgh, f, tx->tx_ptr, tx->tx_id, s,
1259  inspect_flags, flow_flags, file_no_match);
1260  }
1261  }
1262 
1263  return retval;
1264 }
1265 
1266 #define NO_TX \
1267  { \
1268  NULL, 0, NULL, NULL, 0, 0, 0, 0, 0, \
1269  }
1270 
1271 /** \internal
1272  * \brief get a DetectTransaction object
1273  * \retval struct filled with relevant info or all nulls/0s
1274  */
1275 static DetectTransaction GetDetectTx(const uint8_t ipproto, const AppProto alproto,
1276  void *alstate, const uint64_t tx_id, void *tx_ptr, const int tx_end_state,
1277  const uint8_t flow_flags)
1278 {
1279  AppLayerTxData *txd = AppLayerParserGetTxData(ipproto, alproto, tx_ptr);
1280  if (unlikely(txd == NULL)) {
1281  DetectTransaction no_tx = NO_TX;
1282  return no_tx;
1283  }
1284  uint64_t detect_flags =
1285  (flow_flags & STREAM_TOSERVER) ? txd->detect_flags_ts : txd->detect_flags_tc;
1286  if (detect_flags & APP_LAYER_TX_INSPECTED_FLAG) {
1287  SCLogDebug("%"PRIu64" tx already fully inspected for %s. Flags %016"PRIx64,
1288  tx_id, flow_flags & STREAM_TOSERVER ? "toserver" : "toclient",
1289  detect_flags);
1290  DetectTransaction no_tx = NO_TX;
1291  return no_tx;
1292  }
1293  if (detect_flags & APP_LAYER_TX_SKIP_INSPECT_FLAG) {
1294  SCLogDebug("%" PRIu64 " tx should not be inspected in direction %s. Flags %016" PRIx64,
1295  tx_id, flow_flags & STREAM_TOSERVER ? "toserver" : "toclient", detect_flags);
1296  DetectTransaction no_tx = NO_TX;
1297  return no_tx;
1298  }
1299 
1300  const int tx_progress = AppLayerParserGetStateProgress(ipproto, alproto, tx_ptr, flow_flags);
1301  const int dir_int = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
1302  DetectEngineState *tx_de_state = txd->de_state;
1303  DetectEngineStateDirection *tx_dir_state = tx_de_state ? &tx_de_state->dir_state[dir_int] : NULL;
1304  uint64_t prefilter_flags = detect_flags & APP_LAYER_TX_PREFILTER_MASK;
1305  DEBUG_VALIDATE_BUG_ON(prefilter_flags & APP_LAYER_TX_RESERVED_FLAGS);
1306 
1307  DetectTransaction tx = {
1308  .tx_ptr = tx_ptr,
1309  .tx_id = tx_id,
1310  .tx_data_ptr = (struct AppLayerTxData *)txd,
1311  .de_state = tx_dir_state,
1312  .detect_flags = detect_flags,
1313  .prefilter_flags = prefilter_flags,
1314  .prefilter_flags_orig = prefilter_flags,
1315  .tx_progress = tx_progress,
1316  .tx_end_state = tx_end_state,
1317  };
1318  return tx;
1319 }
1320 
1321 static inline void StoreDetectFlags(DetectTransaction *tx, const uint8_t flow_flags,
1322  const uint8_t ipproto, const AppProto alproto, const uint64_t detect_flags)
1323 {
1324  AppLayerTxData *txd = (AppLayerTxData *)tx->tx_data_ptr;
1325  if (likely(txd != NULL)) {
1326  if (flow_flags & STREAM_TOSERVER) {
1327  txd->detect_flags_ts = detect_flags;
1328  } else {
1329  txd->detect_flags_tc = detect_flags;
1330  }
1331  }
1332 }
1333 
1334 // Merge 'state' rules from the regular prefilter
1335 // updates array_idx on the way
1336 static inline void RuleMatchCandidateMergeStateRules(
1337  DetectEngineThreadCtx *det_ctx, uint32_t *array_idx)
1338 {
1339  // Now, we will merge 2 sorted lists :
1340  // the one in det_ctx->tx_candidates
1341  // and the one in det_ctx->match_array
1342  // For match_array, we take only the relevant elements where s->app_inspect != NULL
1343 
1344  // Basically, we iterate at the same time over the 2 lists
1345  // comparing and taking an element from either.
1346 
1347  // Trick is to do so in place in det_ctx->tx_candidates,
1348  // so as to minimize the number of moves in det_ctx->tx_candidates.
1349  // For this, the algorithm traverses the lists in reverse order.
1350  // Otherwise, if the first element of match_array was to be put before
1351  // all tx_candidates, we would need to shift all tx_candidates
1352 
1353  // Retain the number of elements sorted in tx_candidates before merge
1354  uint32_t j = *array_idx;
1355  // First loop only counting the number of elements to add
1356  for (uint32_t i = 0; i < det_ctx->match_array_cnt; i++) {
1357  const Signature *s = det_ctx->match_array[i];
1358  if (s->app_inspect != NULL) {
1359  (*array_idx)++;
1360  }
1361  }
1362  // Future number of elements in tx_candidates after merge
1363  uint32_t k = *array_idx;
1364 
1365  if (k == j) {
1366  // no new element from match_array to merge in tx_candidates
1367  return;
1368  }
1369 
1370  // variable i is for all elements of match_array (even not relevant ones)
1371  // variable j is for elements of tx_candidates before merge
1372  // variable k is for elements of tx_candidates after merge
1373  for (uint32_t i = det_ctx->match_array_cnt; i > 0;) {
1374  const Signature *s = det_ctx->match_array[i - 1];
1375  if (s->app_inspect == NULL) {
1376  // no relevant element, get the next one from match_array
1377  i--;
1378  continue;
1379  }
1380  // we have one element from match_array to merge in tx_candidates
1381  k--;
1382  if (j > 0) {
1383  // j > 0 means there is still at least one element in tx_candidates to merge
1384  const RuleMatchCandidateTx *s0 = &det_ctx->tx_candidates[j - 1];
1385  if (s->num <= s0->id) {
1386  // get next element from previous tx_candidates
1387  j--;
1388  // take the element from tx_candidates before merge
1389  det_ctx->tx_candidates[k].s = det_ctx->tx_candidates[j].s;
1390  det_ctx->tx_candidates[k].id = det_ctx->tx_candidates[j].id;
1391  det_ctx->tx_candidates[k].flags = det_ctx->tx_candidates[j].flags;
1392  det_ctx->tx_candidates[k].stream_reset = det_ctx->tx_candidates[j].stream_reset;
1393  continue;
1394  }
1395  } // otherwise
1396  // get next element from match_array
1397  i--;
1398  // take the element from match_array
1399  det_ctx->tx_candidates[k].s = s;
1400  det_ctx->tx_candidates[k].id = s->num;
1401  det_ctx->tx_candidates[k].flags = NULL;
1402  det_ctx->tx_candidates[k].stream_reset = 0;
1403  }
1404  // Even if k > 0 or j > 0, the loop is over. (Note that j == k now)
1405  // The remaining elements in tx_candidates up to k were already sorted
1406  // and come before any other element later in the list
1407 }
1408 
1409 static void DetectRunTx(ThreadVars *tv,
1410  DetectEngineCtx *de_ctx,
1411  DetectEngineThreadCtx *det_ctx,
1412  Packet *p,
1413  Flow *f,
1414  DetectRunScratchpad *scratch)
1415 {
1416  const uint8_t flow_flags = scratch->flow_flags;
1417  const SigGroupHead * const sgh = scratch->sgh;
1418  void * const alstate = f->alstate;
1419  const uint8_t ipproto = f->proto;
1420  const AppProto alproto = f->alproto;
1421 
1422  const uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate);
1423  uint64_t tx_id_min = AppLayerParserGetTransactionInspectId(f->alparser, flow_flags);
1424  const int tx_end_state = AppLayerParserGetStateProgressCompletionStatus(alproto, flow_flags);
1425 
1426  AppLayerGetTxIteratorFunc IterFunc = AppLayerGetTxIterator(ipproto, alproto);
1427  AppLayerGetTxIterState state;
1428  memset(&state, 0, sizeof(state));
1429 
1430  while (1) {
1431  AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, tx_id_min, total_txs, &state);
1432  if (ires.tx_ptr == NULL)
1433  break;
1434 
1435  DetectTransaction tx = GetDetectTx(ipproto, alproto,
1436  alstate, ires.tx_id, ires.tx_ptr, tx_end_state, flow_flags);
1437  if (tx.tx_ptr == NULL) {
1438  SCLogDebug("%p/%"PRIu64" no transaction to inspect",
1439  tx.tx_ptr, tx_id_min);
1440 
1441  tx_id_min++; // next (if any) run look for +1
1442  goto next;
1443  }
1444  tx_id_min = tx.tx_id + 1; // next look for cur + 1
1445 
1446  bool do_sort = false; // do we need to sort the tx candidate list?
1447  uint32_t array_idx = 0;
1448  uint32_t total_rules = det_ctx->match_array_cnt;
1449  total_rules += (tx.de_state ? tx.de_state->cnt : 0);
1450 
1451  /* run prefilter engines and merge results into a candidates array */
1452  if (sgh->tx_engines) {
1453  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PF_TX);
1454  DetectRunPrefilterTx(det_ctx, sgh, p, ipproto, flow_flags, alproto,
1455  alstate, &tx);
1456  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PF_TX);
1457  SCLogDebug("%p/%"PRIu64" rules added from prefilter: %u candidates",
1458  tx.tx_ptr, tx.tx_id, det_ctx->pmq.rule_id_array_cnt);
1459 
1460  total_rules += det_ctx->pmq.rule_id_array_cnt;
1461  if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {
1462  RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1463  }
1464 
1465  for (uint32_t i = 0; i < det_ctx->pmq.rule_id_array_cnt; i++) {
1466  const Signature *s = de_ctx->sig_array[det_ctx->pmq.rule_id_array[i]];
1467  const SigIntId id = s->num;
1468  det_ctx->tx_candidates[array_idx].s = s;
1469  det_ctx->tx_candidates[array_idx].id = id;
1470  det_ctx->tx_candidates[array_idx].flags = NULL;
1471  det_ctx->tx_candidates[array_idx].stream_reset = 0;
1472  array_idx++;
1473  }
1474  PMQ_RESET(&det_ctx->pmq);
1475  } else {
1476  if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {
1477  RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1478  }
1479  }
1480 
1481  /* merge 'state' rules from the regular prefilter */
1482 #ifdef PROFILING
1483  uint32_t x = array_idx;
1484 #endif
1485  RuleMatchCandidateMergeStateRules(det_ctx, &array_idx);
1486 
1487  /* merge stored state into results */
1488  if (tx.de_state != NULL) {
1489  const uint32_t old = array_idx;
1490 
1491  /* if tx.de_state->flags has 'new file' set and sig below has
1492  * 'file inspected' flag, reset the file part of the state */
1493  const bool have_new_file = (tx.de_state->flags & DETECT_ENGINE_STATE_FLAG_FILE_NEW);
1494  if (have_new_file) {
1495  SCLogDebug("%p/%"PRIu64" destate: need to consider new file",
1496  tx.tx_ptr, tx.tx_id);
1497  tx.de_state->flags &= ~DETECT_ENGINE_STATE_FLAG_FILE_NEW;
1498  }
1499 
1500  SigIntId state_cnt = 0;
1501  DeStateStore *tx_store = tx.de_state->head;
1502  for (; tx_store != NULL; tx_store = tx_store->next) {
1503  SCLogDebug("tx_store %p", tx_store);
1504 
1505  SigIntId store_cnt = 0;
1506  for (store_cnt = 0;
1507  store_cnt < DE_STATE_CHUNK_SIZE && state_cnt < tx.de_state->cnt;
1508  store_cnt++, state_cnt++)
1509  {
1510  DeStateStoreItem *item = &tx_store->store[store_cnt];
1511  SCLogDebug("rule id %u, inspect_flags %u", item->sid, item->flags);
1512  if (have_new_file && (item->flags & DE_STATE_FLAG_FILE_INSPECT)) {
1513  /* remove part of the state. File inspect engine will now
1514  * be able to run again */
1515  item->flags &= ~(DE_STATE_FLAG_SIG_CANT_MATCH|DE_STATE_FLAG_FULL_INSPECT|DE_STATE_FLAG_FILE_INSPECT);
1516  SCLogDebug("rule id %u, post file reset inspect_flags %u", item->sid, item->flags);
1517  }
1518  det_ctx->tx_candidates[array_idx].s = de_ctx->sig_array[item->sid];
1519  det_ctx->tx_candidates[array_idx].id = item->sid;
1520  det_ctx->tx_candidates[array_idx].flags = &item->flags;
1521  det_ctx->tx_candidates[array_idx].stream_reset = 0;
1522  array_idx++;
1523  }
1524  }
1525  do_sort |= (old && old != array_idx); // sort if continue list adds sids
1526  SCLogDebug("%p/%" PRIu64 " rules added from 'continue' list: %u", tx.tx_ptr, tx.tx_id,
1527  array_idx - old);
1528  }
1529  if (do_sort) {
1530  qsort(det_ctx->tx_candidates, array_idx, sizeof(RuleMatchCandidateTx),
1531  DetectRunTxSortHelper);
1532  }
1533 
1534 #ifdef PROFILING
1535  if (array_idx >= de_ctx->profile_match_logging_threshold)
1536  RulesDumpTxMatchArray(det_ctx, scratch->sgh, p, tx.tx_id, array_idx, x);
1537 #endif
1538  det_ctx->tx_id = tx.tx_id;
1539  det_ctx->tx_id_set = true;
1540  det_ctx->p = p;
1541 
1542 #ifdef DEBUG
1543  for (uint32_t i = 0; i < array_idx; i++) {
1544  RuleMatchCandidateTx *can = &det_ctx->tx_candidates[i];
1545  const Signature *s = det_ctx->tx_candidates[i].s;
1546  SCLogDebug("%u: sid %u flags %p", i, s->id, can->flags);
1547  }
1548 #endif
1549  /* run rules: inspect the match candidates */
1550  for (uint32_t i = 0; i < array_idx; i++) {
1551  RuleMatchCandidateTx *can = &det_ctx->tx_candidates[i];
1552  const Signature *s = det_ctx->tx_candidates[i].s;
1553  uint32_t *inspect_flags = det_ctx->tx_candidates[i].flags;
1554 
1555  /* deduplicate: rules_array is sorted, but not deduplicated:
1556  * both mpm and stored state could give us the same sid.
1557  * As they are back to back in that case we can check for it
1558  * here. We select the stored state one as that comes first
1559  * in the array. */
1560  while ((i + 1) < array_idx &&
1561  det_ctx->tx_candidates[i].s == det_ctx->tx_candidates[i + 1].s) {
1562  SCLogDebug("%p/%" PRIu64 " inspecting SKIP NEXT: sid %u (%u), flags %08x",
1563  tx.tx_ptr, tx.tx_id, s->id, s->num, inspect_flags ? *inspect_flags : 0);
1564  i++;
1565  }
1566 
1567  SCLogDebug("%p/%"PRIu64" inspecting: sid %u (%u), flags %08x",
1568  tx.tx_ptr, tx.tx_id, s->id, s->num, inspect_flags ? *inspect_flags : 0);
1569 
1570  if (inspect_flags) {
1571  if (*inspect_flags & (DE_STATE_FLAG_FULL_INSPECT|DE_STATE_FLAG_SIG_CANT_MATCH)) {
1572  SCLogDebug("%p/%"PRIu64" inspecting: sid %u (%u), flags %08x ALREADY COMPLETE",
1573  tx.tx_ptr, tx.tx_id, s->id, s->num, *inspect_flags);
1574  continue;
1575  }
1576  }
1577 
1578  if (inspect_flags) {
1579  /* continue previous inspection */
1580  SCLogDebug("%p/%" PRIu64 " Continuing sid %u", tx.tx_ptr, tx.tx_id, s->id);
1581  } else {
1582  /* start new inspection */
1583  SCLogDebug("%p/%"PRIu64" Start sid %u", tx.tx_ptr, tx.tx_id, s->id);
1584  }
1585 
1586  /* call individual rule inspection */
1587  RULE_PROFILING_START(p);
1588  const int r = DetectRunTxInspectRule(tv, de_ctx, det_ctx, p, f, flow_flags,
1589  alstate, &tx, s, inspect_flags, can, scratch);
1590  if (r == 1) {
1591  /* match */
1592  DetectRunPostMatch(tv, det_ctx, p, s);
1593 
1594  const uint8_t alert_flags = (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_TX);
1595  SCLogDebug("%p/%"PRIu64" sig %u (%u) matched", tx.tx_ptr, tx.tx_id, s->id, s->num);
1596  AlertQueueAppend(det_ctx, s, p, tx.tx_id, alert_flags);
1597  }
1598  DetectVarProcessList(det_ctx, p->flow, p);
1599  RULE_PROFILING_END(det_ctx, s, r, p);
1600  }
1601 
1602  det_ctx->tx_id = 0;
1603  det_ctx->tx_id_set = false;
1604  det_ctx->p = NULL;
1605 
1606  /* see if we have any updated state to store in the tx */
1607 
1608  uint64_t new_detect_flags = 0;
1609  /* this side of the tx is done */
1610  if (tx.tx_progress >= tx.tx_end_state) {
1611  new_detect_flags |= APP_LAYER_TX_INSPECTED_FLAG;
1612  SCLogDebug("%p/%"PRIu64" tx is done for direction %s. Flag %016"PRIx64,
1613  tx.tx_ptr, tx.tx_id,
1614  flow_flags & STREAM_TOSERVER ? "toserver" : "toclient",
1615  new_detect_flags);
1616  }
1617  if (tx.prefilter_flags != tx.prefilter_flags_orig) {
1618  new_detect_flags |= tx.prefilter_flags;
1619  DEBUG_VALIDATE_BUG_ON(new_detect_flags & APP_LAYER_TX_RESERVED_FLAGS);
1620  SCLogDebug("%p/%"PRIu64" updated prefilter flags %016"PRIx64" "
1621  "(was: %016"PRIx64") for direction %s. Flag %016"PRIx64,
1622  tx.tx_ptr, tx.tx_id, tx.prefilter_flags, tx.prefilter_flags_orig,
1623  flow_flags & STREAM_TOSERVER ? "toserver" : "toclient",
1624  new_detect_flags);
1625  }
1626  if (new_detect_flags != 0 &&
1627  (new_detect_flags | tx.detect_flags) != tx.detect_flags)
1628  {
1629  new_detect_flags |= tx.detect_flags;
1630  DEBUG_VALIDATE_BUG_ON(new_detect_flags & APP_LAYER_TX_RESERVED_FLAGS);
1631  SCLogDebug("%p/%"PRIu64" Storing new flags %016"PRIx64" (was %016"PRIx64")",
1632  tx.tx_ptr, tx.tx_id, new_detect_flags, tx.detect_flags);
1633 
1634  StoreDetectFlags(&tx, flow_flags, ipproto, alproto, new_detect_flags);
1635  }
1636 next:
1637  InspectionBufferClean(det_ctx);
1638 
1639  if (!ires.has_next)
1640  break;
1641  }
1642 }
1643 
1644 static void DetectRunFrames(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
1645  Packet *p, Flow *f, DetectRunScratchpad *scratch)
1646 {
1647  const SigGroupHead *const sgh = scratch->sgh;
1648  const AppProto alproto = f->alproto;
1649 
1650  /* for TCP, limit inspection to pseudo packets or real packet that did
1651  * an app-layer update. */
1652  if (p->proto == IPPROTO_TCP && !PKT_IS_PSEUDOPKT(p) &&
1653  ((PKT_IS_TOSERVER(p) && (f->flags & FLOW_TS_APP_UPDATED) == 0) ||
1654  (PKT_IS_TOCLIENT(p) && (f->flags & FLOW_TC_APP_UPDATED) == 0))) {
1655  SCLogDebug("pcap_cnt %" PRIu64 ": %s: skip frame inspection for TCP w/o APP UPDATE",
1656  p->pcap_cnt, PKT_IS_TOSERVER(p) ? "toserver" : "toclient");
1657  return;
1658  }
1659  FramesContainer *frames_container = AppLayerFramesGetContainer(f);
1660  if (frames_container == NULL) {
1661  return;
1662  }
1663  Frames *frames;
1664  if (PKT_IS_TOSERVER(p)) {
1665  frames = &frames_container->toserver;
1666  } else {
1667  frames = &frames_container->toclient;
1668  }
1669 
1670  for (uint32_t idx = 0; idx < frames->cnt; idx++) {
1671  SCLogDebug("frame %u", idx);
1672  Frame *frame = FrameGetByIndex(frames, idx);
1673  if (frame == NULL) {
1674  continue;
1675  }
1676 
1677  det_ctx->frame_inspect_progress = 0;
1678  uint32_t array_idx = 0;
1679  uint32_t total_rules = det_ctx->match_array_cnt;
1680 
1681  /* run prefilter engines and merge results into a candidates array */
1682  if (sgh->frame_engines) {
1683  // PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PF_TX);
1684  DetectRunPrefilterFrame(det_ctx, sgh, p, frames, frame, alproto);
1685  // PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PF_TX);
1686  SCLogDebug("%p/%" PRIi64 " rules added from prefilter: %u candidates", frame, frame->id,
1687  det_ctx->pmq.rule_id_array_cnt);
1688 
1689  total_rules += det_ctx->pmq.rule_id_array_cnt;
1690 
1691  if (!(RuleMatchCandidateTxArrayHasSpace(
1692  det_ctx, total_rules))) { // TODO is it safe to overload?
1693  RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1694  }
1695 
1696  for (uint32_t i = 0; i < det_ctx->pmq.rule_id_array_cnt; i++) {
1697  const Signature *s = de_ctx->sig_array[det_ctx->pmq.rule_id_array[i]];
1698  const SigIntId id = s->num;
1699  det_ctx->tx_candidates[array_idx].s = s;
1700  det_ctx->tx_candidates[array_idx].id = id;
1701  det_ctx->tx_candidates[array_idx].flags = NULL;
1702  det_ctx->tx_candidates[array_idx].stream_reset = 0;
1703  array_idx++;
1704  }
1705  PMQ_RESET(&det_ctx->pmq);
1706  }
1707  /* merge 'state' rules from the regular prefilter */
1708  uint32_t x = array_idx;
1709  for (uint32_t i = 0; i < det_ctx->match_array_cnt; i++) {
1710  const Signature *s = det_ctx->match_array[i];
1711  if (s->frame_inspect != NULL) {
1712  const SigIntId id = s->num;
1713  det_ctx->tx_candidates[array_idx].s = s;
1714  det_ctx->tx_candidates[array_idx].id = id;
1715  det_ctx->tx_candidates[array_idx].flags = NULL;
1716  det_ctx->tx_candidates[array_idx].stream_reset = 0;
1717  array_idx++;
1718 
1719  SCLogDebug("%p/%" PRIi64 " rule %u (%u) added from 'match' list", frame, frame->id,
1720  s->id, id);
1721  }
1722  }
1723  SCLogDebug("%p/%" PRIi64 " rules added from 'match' list: %u", frame, frame->id,
1724  array_idx - x);
1725  (void)x;
1726 
1727  /* run rules: inspect the match candidates */
1728  for (uint32_t i = 0; i < array_idx; i++) {
1729  const Signature *s = det_ctx->tx_candidates[i].s;
1730 
1731  /* deduplicate: rules_array is sorted, but not deduplicated.
1732  * As they are back to back in that case we can check for it
1733  * here. We select the stored state one as that comes first
1734  * in the array. */
1735  while ((i + 1) < array_idx &&
1736  det_ctx->tx_candidates[i].s == det_ctx->tx_candidates[i + 1].s) {
1737  i++;
1738  }
1739  SCLogDebug("%p/%" PRIi64 " inspecting: sid %u (%u)", frame, frame->id, s->id, s->num);
1740 
1741  /* start new inspection */
1742  SCLogDebug("%p/%" PRIi64 " Start sid %u", frame, frame->id, s->id);
1743 
1744  /* call individual rule inspection */
1745  RULE_PROFILING_START(p);
1746  bool r = DetectRunInspectRuleHeader(p, f, s, s->flags, s->proto.flags);
1747  if (r == true) {
1748  r = DetectRunFrameInspectRule(tv, det_ctx, s, f, p, frames, frame);
1749  if (r == true) {
1750  /* match */
1751  DetectRunPostMatch(tv, det_ctx, p, s);
1752 
1753  uint8_t alert_flags = (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_FRAME);
1754  det_ctx->frame_id = frame->id;
1755  SCLogDebug(
1756  "%p/%" PRIi64 " sig %u (%u) matched", frame, frame->id, s->id, s->num);
1757  if (frame->flags & FRAME_FLAG_TX_ID_SET) {
1758  alert_flags |= PACKET_ALERT_FLAG_TX;
1759  }
1760  AlertQueueAppend(det_ctx, s, p, frame->tx_id, alert_flags);
1761  }
1762  }
1763  DetectVarProcessList(det_ctx, p->flow, p);
1764  RULE_PROFILING_END(det_ctx, s, r, p);
1765  }
1766 
1767  /* update Frame::inspect_progress here instead of in the code above. The reason is that a
1768  * frame might be used more than once in buffers with transforms. */
1769  if (frame->inspect_progress < det_ctx->frame_inspect_progress) {
1770  frame->inspect_progress = det_ctx->frame_inspect_progress;
1771  SCLogDebug("frame->inspect_progress: %" PRIu64 " -> updated", frame->inspect_progress);
1772  } else {
1773  SCLogDebug(
1774  "frame->inspect_progress: %" PRIu64 " -> not updated", frame->inspect_progress);
1775  }
1776 
1777  SCLogDebug("%p/%" PRIi64 " rules inspected, running cleanup", frame, frame->id);
1778  InspectionBufferClean(det_ctx);
1779  }
1780 }
1781 
1782 static DetectEngineThreadCtx *GetTenantById(HashTable *h, uint32_t id)
1783 {
1784  /* technically we need to pass a DetectEngineThreadCtx struct with the
1785  * tenant_id member. But as that member is the first in the struct, we
1786  * can use the id directly. */
1787  return HashTableLookup(h, &id, 0);
1788 }
1789 
1790 static void DetectFlow(ThreadVars *tv,
1791  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
1792  Packet *p)
1793 {
1794  Flow *const f = p->flow;
1795 
1796  if (p->flags & PKT_NOPACKET_INSPECTION) {
1797  /* hack: if we are in pass the entire flow mode, we need to still
1798  * update the inspect_id forward. So test for the condition here,
1799  * and call the update code if necessary. */
1800  const int pass = ((f->flags & FLOW_NOPACKET_INSPECTION));
1801  if (pass) {
1802  uint8_t flags = STREAM_FLAGS_FOR_PACKET(p);
1803  flags = FlowGetDisruptionFlags(f, flags);
1804  if (f->alstate) {
1805  AppLayerParserSetTransactionInspectId(f, f->alparser, f->alstate, flags, true);
1806  }
1807  }
1808  SCLogDebug("p->pcap %"PRIu64": no detection on packet, "
1809  "PKT_NOPACKET_INSPECTION is set", p->pcap_cnt);
1810  return;
1811  }
1812 
1813  /* we check the flow drop here, and not the packet drop. This is
1814  * to allow stream engine "invalid" drop packets to still be
1815  * evaluated by the stream event rules. */
1816  if (f->flags & FLOW_ACTION_DROP) {
1817  DEBUG_VALIDATE_BUG_ON(!(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP));
1818  SCReturn;
1819  }
1820 
1821  /* see if the packet matches one or more of the sigs */
1822  (void)DetectRun(tv, de_ctx, det_ctx, p);
1823 }
1824 
1825 
1826 static void DetectNoFlow(ThreadVars *tv,
1827  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
1828  Packet *p)
1829 {
1830  /* No need to perform any detection on this packet, if the given flag is set.*/
1831  if ((p->flags & PKT_NOPACKET_INSPECTION) || (PacketCheckAction(p, ACTION_DROP))) {
1832  return;
1833  }
1834 
1835  /* see if the packet matches one or more of the sigs */
1836  DetectRun(tv, de_ctx, det_ctx, p);
1837 }
1838 
1839 /** \brief Detection engine thread wrapper.
1840  * \param tv thread vars
1841  * \param p packet to inspect
1842  * \param data thread specific data
1843  * \param pq packet queue
1844  * \retval TM_ECODE_FAILED error
1845  * \retval TM_ECODE_OK ok
1846  */
1847 TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
1848 {
1849  DEBUG_VALIDATE_PACKET(p);
1850 
1851  DetectEngineCtx *de_ctx = NULL;
1852  DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;
1853  if (det_ctx == NULL) {
1854  printf("ERROR: Detect has no thread ctx\n");
1855  goto error;
1856  }
1857 
1858  if (unlikely(SC_ATOMIC_GET(det_ctx->so_far_used_by_detect) == 0)) {
1859  (void)SC_ATOMIC_SET(det_ctx->so_far_used_by_detect, 1);
1860  SCLogDebug("Detect Engine using new det_ctx - %p",
1861  det_ctx);
1862  }
1863 
1864  /* if in MT mode _and_ we have tenants registered, use
1865  * MT logic. */
1866  if (det_ctx->mt_det_ctxs_cnt > 0 && det_ctx->TenantGetId != NULL)
1867  {
1868  uint32_t tenant_id = p->tenant_id;
1869  if (tenant_id == 0)
1870  tenant_id = det_ctx->TenantGetId(det_ctx, p);
1871  if (tenant_id > 0 && tenant_id < det_ctx->mt_det_ctxs_cnt) {
1872  p->tenant_id = tenant_id;
1873  det_ctx = GetTenantById(det_ctx->mt_det_ctxs_hash, tenant_id);
1874  if (det_ctx == NULL)
1875  return TM_ECODE_OK;
1876  de_ctx = det_ctx->de_ctx;
1877  if (de_ctx == NULL)
1878  return TM_ECODE_OK;
1879 
1880  if (unlikely(SC_ATOMIC_GET(det_ctx->so_far_used_by_detect) == 0)) {
1881  (void)SC_ATOMIC_SET(det_ctx->so_far_used_by_detect, 1);
1882  SCLogDebug("MT de_ctx %p det_ctx %p (tenant %u)", de_ctx, det_ctx, tenant_id);
1883  }
1884  } else {
1885  /* use default if no tenants are registered for this packet */
1886  de_ctx = det_ctx->de_ctx;
1887  }
1888  } else {
1889  de_ctx = det_ctx->de_ctx;
1890  }
1891 
1892  if (p->flow) {
1893  DetectFlow(tv, de_ctx, det_ctx, p);
1894  } else {
1895  DetectNoFlow(tv, de_ctx, det_ctx, p);
1896  }
1897 
1898 #ifdef PROFILE_RULES
1899  /* aggregate statistics */
1900  struct timeval ts;
1901  gettimeofday(&ts, NULL);
1902  if (ts.tv_sec != det_ctx->rule_perf_last_sync) {
1903  SCProfilingRuleThreatAggregate(det_ctx);
1904  det_ctx->rule_perf_last_sync = ts.tv_sec;
1905  }
1906 #endif
1907 
1908  return TM_ECODE_OK;
1909 error:
1910  return TM_ECODE_FAILED;
1911 }
1912 
1913 /** \brief disable file features we don't need
1914  * Called if we have no detection engine.
1915  */
1916 void DisableDetectFlowFileFlags(Flow *f)
1917 {
1918  DetectPostInspectFileFlagsUpdate(f, NULL /* no sgh */, STREAM_TOSERVER);
1919  DetectPostInspectFileFlagsUpdate(f, NULL /* no sgh */, STREAM_TOCLIENT);
1920 }
1921 
1922 #ifdef UNITTESTS
1923 /**
1924  * \brief wrapper for old tests
1925  */
1926 void SigMatchSignatures(
1927  ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
1928 {
1929  if (p->flow) {
1930  DetectFlow(tv, de_ctx, det_ctx, p);
1931  } else {
1932  DetectNoFlow(tv, de_ctx, det_ctx, p);
1933  }
1934 }
1935 #endif
1936 
1937 /*
1938  * TESTS
1939  */
1940 
1941 #ifdef UNITTESTS
1942 #include "tests/detect.c"
1943 #endif
PKT_IS_TOCLIENT
#define PKT_IS_TOCLIENT(p)
Definition: decode.h:241
DetectEngineAppInspectionEngine_::stream
bool stream
Definition: detect.h:434
SigGroupHead_::non_pf_syn_store_cnt
uint32_t non_pf_syn_store_cnt
Definition: detect.h:1469
PacketCheckAction
bool PacketCheckAction(const Packet *p, const uint8_t a)
Definition: packet.c:48
FLOWFILE_NO_MD5_TS
#define FLOWFILE_NO_MD5_TS
Definition: flow.h:136
DetectEngineThreadCtx_::non_pf_store_ptr
SignatureNonPrefilterStore * non_pf_store_ptr
Definition: detect.h:1193
RulesDumpTxMatchArray
void RulesDumpTxMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, const Packet *p, const uint64_t tx_id, const uint32_t rule_cnt, const uint32_t pkt_prefilter_cnt)
Definition: detect-engine-profile.c:34
SIG_GROUP_HEAD_HAVEFILEMD5
#define SIG_GROUP_HEAD_HAVEFILEMD5
Definition: detect.h:1331
FLOWFILE_NO_MD5_TC
#define FLOWFILE_NO_MD5_TC
Definition: flow.h:137
SigGroupHead_::tx_engines
PrefilterEngine * tx_engines
Definition: detect.h:1476
DetectEngineAppInspectionEngine_
Definition: detect.h:429
Packet_::proto
uint8_t proto
Definition: decode.h:501
DetectTransaction_::tx_data_ptr
struct AppLayerTxData * tx_data_ptr
Definition: detect-engine-prefilter.h:34
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:433
DE_STATE_CHUNK_SIZE
#define DE_STATE_CHUNK_SIZE
Definition: detect-engine-state.h:52
RuleMatchCandidateTx::stream_stored
bool stream_stored
Definition: detect.h:1078
FLOWFILE_NO_SIZE_TS
#define FLOWFILE_NO_SIZE_TS
Definition: flow.h:148
Frame::inspect_progress
uint64_t inspect_progress
Definition: app-layer-frames.h:55
DetectEngineThreadCtx_::alert_queue_size
uint16_t alert_queue_size
Definition: detect.h:1177
PROF_DETECT_GETSGH
@ PROF_DETECT_GETSGH
Definition: suricata-common.h:441
ts
uint64_t ts
Definition: source-erf-file.c:55
FLOWFILE_NO_SIZE_TC
#define FLOWFILE_NO_SIZE_TC
Definition: flow.h:149
detect-engine.h
PACKET_ALERT_FLAG_STREAM_MATCH
#define PACKET_ALERT_FLAG_STREAM_MATCH
Definition: decode.h:259
detect-engine-proto.h
DetectEngineThreadCtx_::match_array_cnt
SigIntId match_array_cnt
Definition: detect.h:1188
Frame::tx_id
uint64_t tx_id
Definition: app-layer-frames.h:54
DetectEngineStateDirection_::flags
uint8_t flags
Definition: detect-engine-state.h:88
detect-dsize.h
Signature_::addr_src_match6
DetectMatchAddressIPv6 * addr_src_match6
Definition: detect.h:634
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:127
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1273
PACKET_ALERT_FLAG_TX
#define PACKET_ALERT_FLAG_TX
Definition: decode.h:261
DetectEngineCtx_::decoder_event_sgh
struct SigGroupHead_ * decoder_event_sgh
Definition: detect.h:923
FlowGetPacketDirection
int FlowGetPacketDirection(const Flow *f, const Packet *p)
determine the direction of the packet compared to the flow
Definition: flow.c:287
DetectEngineCtx_::flow_gh
DetectEngineLookupFlow flow_gh[FLOW_STATES]
Definition: detect.h:871
DE_STATE_FLAG_SIG_CANT_MATCH
#define DE_STATE_FLAG_SIG_CANT_MATCH
Definition: detect-engine-state.h:56
DetectEngineThreadCtx_::counter_match_list
uint16_t counter_match_list
Definition: detect.h:1149
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:41
DetectEngineAppInspectionEngine_::next
struct DetectEngineAppInspectionEngine_ * next
Definition: detect.h:451
DETECT_PROTO_IPV6
#define DETECT_PROTO_IPV6
Definition: detect-engine-proto.h:34
detect-engine-siggroup.h
SigGroupHead_::flags
uint16_t flags
Definition: detect.h:1458
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1326
DetectEngineState_
Definition: detect-engine-state.h:92
Signature_::num
SigIntId num
Definition: detect.h:613
stream-tcp.h
PrefilterRuleStore_::rule_id_array_cnt
uint32_t rule_id_array_cnt
Definition: util-prefilter.h:40
detect-engine-event.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1457
SIG_GROUP_HEAD_HAVEFILESIZE
#define SIG_GROUP_HEAD_HAVEFILESIZE
Definition: detect.h:1332
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
detect.c
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:386
KEYWORD_PROFILING_SET_LIST
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
Definition: util-profiling.h:46
DetectAddressMatchIPv4
int DetectAddressMatchIPv4(const DetectMatchAddressIPv4 *addrs, uint16_t addrs_cnt, const Address *a)
Match a packets address against a signatures addrs array.
Definition: detect-engine-address.c:1589
DetectEngineAppInspectionEngine_::Callback
InspectEngineFuncPtr Callback
Definition: detect.h:444
Signature_::alproto
AppProto alproto
Definition: detect.h:606
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
SignatureNonPrefilterStore_::id
SigIntId id
Definition: detect.h:1067
FLOW_SGH_TOCLIENT
#define FLOW_SGH_TOCLIENT
Definition: flow.h:74
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:601
AppLayerParserSetTransactionInspectId
void AppLayerParserSetTransactionInspectId(const Flow *f, AppLayerParserState *pstate, void *alstate, const uint8_t flags, bool tag_txs_as_inspected)
Definition: app-layer-parser.c:731
DetectEngineStateDirection_::cnt
SigIntId cnt
Definition: detect-engine-state.h:86
AppLayerGetTxIterator
AppLayerGetTxIteratorFunc AppLayerGetTxIterator(const uint8_t ipproto, const AppProto alproto)
Definition: app-layer-parser.c:675
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
SigMatchData_::is_last
bool is_last
Definition: detect.h:360
Flow_::proto
uint8_t proto
Definition: flow.h:382
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:84
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:271
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1067
DetectEngineThreadCtx_::tx_id
uint64_t tx_id
Definition: detect.h:1171
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:361
action-globals.h
FLOWFILE_NO_MAGIC_TS
#define FLOWFILE_NO_MAGIC_TS
Definition: flow.h:129
FramesContainer::toserver
Frames toserver
Definition: app-layer-frames.h:74
Packet_::flags
uint32_t flags
Definition: decode.h:516
ICMPV4_DEST_UNREACH_IS_VALID
#define ICMPV4_DEST_UNREACH_IS_VALID(p)
Definition: decode-icmpv4.h:253
Frame
Definition: app-layer-frames.h:45
Flow_
Flow data structure.
Definition: flow.h:360
DetectTransaction_::tx_end_state
const int tx_end_state
Definition: detect-engine-prefilter.h:41
PROF_DETECT_ALERT
@ PROF_DETECT_ALERT
Definition: suricata-common.h:452
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1197
SIG_GROUP_HEAD_HAVEFILESHA1
#define SIG_GROUP_HEAD_HAVEFILESHA1
Definition: detect.h:1333
FLOW_TC_APP_UPDATED
#define FLOW_TC_APP_UPDATED
Definition: flow.h:119
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:841
AppLayerParserGetStateProgressCompletionStatus
int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:1096
DetectRunScratchpad
struct DetectRunScratchpad DetectRunScratchpad
PROF_DETECT_PF_TX
@ PROF_DETECT_PF_TX
Definition: suricata-common.h:447
Frames::cnt
uint16_t cnt
Definition: app-layer-frames.h:61
Frame::id
int64_t id
Definition: app-layer-frames.h:53
APP_LAYER_TX_SKIP_INSPECT_FLAG
#define APP_LAYER_TX_SKIP_INSPECT_FLAG
Definition: app-layer-parser.h:78
DetectEngineThreadCtx_::p
Packet * p
Definition: detect.h:1175
DetectEngineState_::dir_state
DetectEngineStateDirection dir_state[2]
Definition: detect-engine-state.h:93
FrameGetByIndex
Frame * FrameGetByIndex(Frames *frames, const uint32_t idx)
Definition: app-layer-frames.c:134
RuleMatchCandidateTx::id
SigIntId id
Definition: detect.h:1074
PROF_DETECT_CLEANUP
@ PROF_DETECT_CLEANUP
Definition: suricata-common.h:454
SIG_FLAG_DST_ANY
#define SIG_FLAG_DST_ANY
Definition: detect.h:239
NO_TX
#define NO_TX
Definition: detect.c:1266
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:232
HashTable_
Definition: util-hash.h:35
Frames
Definition: app-layer-frames.h:60
FramesContainer
Definition: app-layer-frames.h:73
PacketAlerts_::drop
PacketAlert drop
Definition: decode.h:277
APP_LAYER_TX_INSPECTED_FLAG
#define APP_LAYER_TX_INSPECTED_FLAG
Definition: app-layer-parser.h:80
DetectRunScratchpad
Definition: detect.c:70
SIG_GROUP_HEAD_HAVERAWSTREAM
#define SIG_GROUP_HEAD_HAVERAWSTREAM
Definition: detect.h:1327
FLOW_ACTION_DROP
#define FLOW_ACTION_DROP
Definition: flow.h:69
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:107
FLOWFILE_NONE
#define FLOWFILE_NONE
Definition: flow.h:167
detect-engine-frame.h
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1926
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:654
proto
uint8_t proto
Definition: decode-template.h:0
DetectPort_::sh
struct SigGroupHead_ * sh
Definition: detect.h:228
PACKET_PROFILING_DETECT_END
#define PACKET_PROFILING_DETECT_END(p, id)
Definition: util-profiling.h:221
Detect
TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
Detection engine thread wrapper.
Definition: detect.c:1847
FLOW_PKT_TOCLIENT_IPONLY_SET
#define FLOW_PKT_TOCLIENT_IPONLY_SET
Definition: flow.h:236
detect-engine-payload.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:510
SIG_FLAG_SRC_ANY
#define SIG_FLAG_SRC_ANY
Definition: detect.h:238
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:83
DetectRunFrameInspectRule
bool DetectRunFrameInspectRule(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, const Frames *frames, const Frame *frame)
Definition: detect-engine-frame.c:227
Flow_::protoctx
void * protoctx
Definition: flow.h:450
SigMatchData_
Data needed for Match()
Definition: detect.h:358
DeStateStoreItem_::sid
SigIntId sid
Definition: detect-engine-state.h:74
RuleMatchCandidateTx::s
const Signature * s
Definition: detect.h:1084
KEYWORD_PROFILING_START
#define KEYWORD_PROFILING_START
Definition: util-profiling.h:50
DetectEngineThreadCtx_::counter_fnonmpm_list
uint16_t counter_fnonmpm_list
Definition: detect.h:1148
SigMatchData_::type
uint16_t type
Definition: detect.h:359
DetectEngineCtx_::version
uint32_t version
Definition: detect.h:919
DisableDetectFlowFileFlags
void DisableDetectFlowFileFlags(Flow *f)
disable file features we don't need Called if we have no detection engine.
Definition: detect.c:1916
AppLayerParserGetTransactionInspectId
uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction)
Definition: app-layer-parser.c:700
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:595
DetectTransaction_::tx_progress
const int tx_progress
Definition: detect-engine-prefilter.h:40
DetectEngineThreadCtx_::counter_nonmpm_list
uint16_t counter_nonmpm_list
Definition: detect.h:1147
detect-engine-prefilter.h
DetectRunPrefilterFrame
void DetectRunPrefilterFrame(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const Frames *frames, const Frame *frame, const AppProto alproto)
Definition: detect-engine-frame.c:73
Packet_::events
PacketEngineEvents events
Definition: decode.h:605
Signature_::frame_inspect
DetectEngineFrameInspectionEngine * frame_inspect
Definition: detect.h:650
DetectTransaction_::prefilter_flags_orig
const uint64_t prefilter_flags_orig
Definition: detect-engine-prefilter.h:39
PROF_DETECT_PF_SORT2
@ PROF_DETECT_PF_SORT2
Definition: suricata-common.h:450
pad
uint16_t pad
Definition: source-erf-file.c:61
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:82
PacketCreateMask
void PacketCreateMask(Packet *p, SignatureMask *mask, AppProto alproto, bool app_decoder_events)
Definition: detect-engine-build.c:407
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:246
KEYWORD_PROFILING_END
#define KEYWORD_PROFILING_END(ctx, type, m)
Definition: util-profiling.h:64
detect-flowvar.h
DetectEngineThreadCtx_::mt_det_ctxs_hash
HashTable * mt_det_ctxs_hash
Definition: detect.h:1107
PacketAlert_::action
uint8_t action
Definition: decode.h:247
TcpSession_::flags
uint32_t flags
Definition: stream-tcp-private.h:292
DetectEnginePktInspectionRun
bool DetectEnginePktInspectionRun(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, uint8_t *alert_flags)
Definition: detect-engine.c:1955
Flow_::sgh_toserver
const struct SigGroupHead_ * sgh_toserver
Definition: flow.h:492
PROF_DETECT_TX_UPDATE
@ PROF_DETECT_TX_UPDATE
Definition: suricata-common.h:453
DetectEngineAppInspectionEngine_::id
uint8_t id
Definition: detect.h:432
DetectEngineThreadCtx_::counter_alerts_suppressed
uint16_t counter_alerts_suppressed
Definition: detect.h:1144
DetectRunStoreStateTx
void DetectRunStoreStateTx(const SigGroupHead *sgh, Flow *f, void *tx, uint64_t tx_id, const Signature *s, uint32_t inspect_flags, uint8_t flow_flags, const uint16_t file_no_match)
Definition: detect-engine-state.c:214
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:435
FLOWFILE_INIT
#define FLOWFILE_INIT
Definition: flow.h:126
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:484
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
Definition: detect-engine-state.h:43
FLOWFILE_NO_SHA1_TC
#define FLOWFILE_NO_SHA1_TC
Definition: flow.h:141
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:124
FramesContainer::toclient
Frames toclient
Definition: app-layer-frames.h:75
DetectEngineThreadCtx_::tx_candidates
RuleMatchCandidateTx * tx_candidates
Definition: detect.h:1190
Signature_::addr_src_match4
DetectMatchAddressIPv4 * addr_src_match4
Definition: detect.h:631
decode.h
DetectEngineThreadCtx_::counter_alerts_overflow
uint16_t counter_alerts_overflow
Definition: detect.h:1142
TOSERVER
#define TOSERVER
Definition: flow.h:45
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:240
Prefilter
void Prefilter(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const uint8_t flags, const SignatureMask mask)
Definition: detect-engine-prefilter.c:147
DetectEngineThreadCtx_
Definition: detect.h:1090
DEBUG_VALIDATE_PACKET
#define DEBUG_VALIDATE_PACKET(p)
Definition: util-validate.h:101
DeStateStoreItem_::flags
uint32_t flags
Definition: detect-engine-state.h:73
PKT_STREAM_ADD
#define PKT_STREAM_ADD
Definition: decode.h:1268
FLOWFILE_NO_STORE_TS
#define FLOWFILE_NO_STORE_TS
Definition: flow.h:133
BIT_U32
#define BIT_U32(n)
Definition: suricata-common.h:400
DetectEngineThreadCtx_::tx_candidates_size
uint32_t tx_candidates_size
Definition: detect.h:1191
FLOW_PKT_TOSERVER_IPONLY_SET
#define FLOW_PKT_TOSERVER_IPONLY_SET
Definition: flow.h:235
FRAME_FLAG_TX_ID_SET
#define FRAME_FLAG_TX_ID_SET
Definition: app-layer-frames.h:38
PKT_IS_FRAGMENT
#define PKT_IS_FRAGMENT
Definition: decode.h:1297
STREAM_FLAGS_FOR_PACKET
#define STREAM_FLAGS_FOR_PACKET(p)
Definition: stream.h:30
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
PMQ_RESET
#define PMQ_RESET(pmq)
Definition: util-prefilter.h:46
detect-engine-mpm.h
DetectEngineLookupFlow_::sgh
struct SigGroupHead_ * sgh[256]
Definition: detect.h:785
HashTableLookup
void * HashTableLookup(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash.c:183
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DeStateStore_::next
struct DeStateStore_ * next
Definition: detect-engine-state.h:79
SignatureNonPrefilterStore_::alproto
AppProto alproto
Definition: detect.h:1069
Packet_::sp
Port sp
Definition: decode.h:486
FLOWFILE_NO_SHA256_TS
#define FLOWFILE_NO_SHA256_TS
Definition: flow.h:144
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:38
PKT_DETECT_HAS_STREAMDATA
#define PKT_DETECT_HAS_STREAMDATA
Definition: decode.h:1312
StreamReassembleRawHasDataReady
bool StreamReassembleRawHasDataReady(TcpSession *ssn, Packet *p)
does the stream engine have data to inspect?
Definition: stream-tcp-reassemble.c:1460
detect-engine-port.h
PktSrcToString
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:824
DetectEngineThreadCtx_::non_pf_id_cnt
uint32_t non_pf_id_cnt
Definition: detect.h:1103
DetectPort_
Port structure for detection engine.
Definition: detect.h:217
PacketAlerts_::discarded
uint16_t discarded
Definition: decode.h:272
app-layer-parser.h
Signature_::app_inspect
DetectEngineAppInspectionEngine * app_inspect
Definition: detect.h:648
util-detect.h
detect-engine-profile.h
Flow_::sgh_toclient
const struct SigGroupHead_ * sgh_toclient
Definition: flow.h:489
DetectEngineThreadCtx_::base64_decoded_len
int base64_decoded_len
Definition: detect.h:1133
SIG_FLAG_REQUIRE_FLOWVAR
#define SIG_FLAG_REQUIRE_FLOWVAR
Definition: detect.h:263
RuleMatchCandidateTx::stream_result
uint8_t stream_result
Definition: detect.h:1079
util-profiling.h
DetectTransaction_::tx_id
const uint64_t tx_id
Definition: detect-engine-prefilter.h:33
DetectEngineLookupFlow_::udp
DetectPort * udp
Definition: detect.h:784
DetectEngineThreadCtx_::raw_stream_progress
uint64_t raw_stream_progress
Definition: detect.h:1116
FileUpdateFlowFileFlags
void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction)
set a flow's file flags
Definition: util-file.c:1121
SCReturn
#define SCReturn
Definition: util-debug.h:273
Signature_::flags
uint32_t flags
Definition: detect.h:602
AlertQueueAppend
void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t alert_flags)
Append signature to local packet alert queue for later preprocessing.
Definition: detect-engine-alert.c:283
RuleMatchCandidateTxArrayFree
void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx)
Definition: detect.c:987
AppLayerGetTxIterState
Definition: app-layer-parser.h:143
DetectTransaction_::prefilter_flags
uint64_t prefilter_flags
Definition: detect-engine-prefilter.h:37
Packet_
Definition: decode.h:479
detect-engine-build.h
AppLayerFramesGetContainer
FramesContainer * AppLayerFramesGetContainer(Flow *f)
Definition: app-layer-parser.c:174
DetectEngineThreadCtx_::frame_id
int64_t frame_id
Definition: detect.h:1172
APP_LAYER_TX_PREFILTER_MASK
#define APP_LAYER_TX_PREFILTER_MASK
Definition: app-layer-parser.h:83
detect-engine-alert.h
conf.h
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@80 v2
DetectRunScratchpad::pkt_mask
SignatureMask pkt_mask
Definition: detect.c:75
FlowSetIPOnlyFlag
void FlowSetIPOnlyFlag(Flow *f, int direction)
Set the IPOnly scanned flag for 'direction'.
Definition: flow.c:151
FLOW_TOSERVER_IPONLY_SET
#define FLOW_TOSERVER_IPONLY_SET
Definition: flow.h:59
DetectEngineThreadCtx_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1137
PROF_DETECT_IPONLY
@ PROF_DETECT_IPONLY
Definition: suricata-common.h:442
RULE_PROFILING_END
#define RULE_PROFILING_END(a, b, c, p)
Definition: util-profiling.h:430
TmEcode
TmEcode
Definition: tm-threads-common.h:81
RULE_PROFILING_START
#define RULE_PROFILING_START(p)
Definition: util-profiling.h:429
ALPROTO_DOH2
@ ALPROTO_DOH2
Definition: app-layer-protos.h:61
PKT_STREAM_EOF
#define PKT_STREAM_EOF
Definition: decode.h:1272
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
DetectTransaction_::de_state
DetectEngineStateDirection * de_state
Definition: detect-engine-prefilter.h:35
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
detect-filestore.h
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1269
detect-replace.h
RulesDumpMatchArray
void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, const Packet *p)
Definition: detect-engine-profile.c:79
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:64
Signature_::addr_dst_match6_cnt
uint16_t addr_dst_match6_cnt
Definition: detect.h:628
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:233
SigGroupHead_::frame_engines
PrefilterEngine * frame_engines
Definition: detect.h:1477
PACKET_ALERT_NOTX
#define PACKET_ALERT_NOTX
Definition: detect.h:53
Signature_::sp
DetectPort * sp
Definition: detect.h:642
DetectRunScratchpad::sgh
const SigGroupHead * sgh
Definition: detect.c:74
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:39
DETECT_ENGINE_STATE_FLAG_FILE_NEW
#define DETECT_ENGINE_STATE_FLAG_FILE_NEW
Definition: detect-engine-state.h:70
Flow_::flowvar
GenericVar * flowvar
Definition: flow.h:495
RuleMatchCandidateTx::flags
uint32_t * flags
Definition: detect.h:1075
Frame::flags
uint8_t flags
Definition: app-layer-frames.h:47
DetectEngineAppInspectionEngine_::alproto
AppProto alproto
Definition: detect.h:430
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
detect-engine-analyzer.h
FLOWFILE_NO_SHA256_TC
#define FLOWFILE_NO_SHA256_TC
Definition: flow.h:145
DetectEngineStateDirection_::head
DeStateStore * head
Definition: detect-engine-state.h:83
DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES
#define DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES
Definition: detect-engine-state.h:49
DetectProto_::flags
uint8_t flags
Definition: detect-engine-proto.h:38
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1364
DETECT_PROTO_IPV4
#define DETECT_PROTO_IPV4
Definition: detect-engine-proto.h:33
app-layer-frames.h
DetectAddressMatchIPv6
int DetectAddressMatchIPv6(const DetectMatchAddressIPv6 *addrs, uint16_t addrs_cnt, const Address *a)
Match a packets address against a signatures addrs array.
Definition: detect-engine-address.c:1622
Packet_::tenant_id
uint32_t tenant_id
Definition: decode.h:640
Packet_::flow
struct Flow_ * flow
Definition: decode.h:518
DetectEngineStateResetTxs
void DetectEngineStateResetTxs(Flow *f)
Reset de state for active tx' To be used on detect engine reload.
Definition: detect-engine-state.c:260
FLOWFILE_NO_MAGIC_TC
#define FLOWFILE_NO_MAGIC_TC
Definition: flow.h:130
TH_SYN
#define TH_SYN
Definition: decode-tcp.h:35
flags
uint8_t flags
Definition: decode-gre.h:0
Signature_::proto
DetectProto proto
Definition: detect.h:620
SigGroupHead_::non_pf_other_store_array
SignatureNonPrefilterStore * non_pf_other_store_array
Definition: detect.h:1470
FLOW_TOCLIENT_IPONLY_SET
#define FLOW_TOCLIENT_IPONLY_SET
Definition: flow.h:61
suricata-common.h
SIG_FLAG_SP_ANY
#define SIG_FLAG_SP_ANY
Definition: detect.h:240
APP_LAYER_TX_RESERVED_FLAGS
#define APP_LAYER_TX_RESERVED_FLAGS
Definition: app-layer-parser.h:68
SigGroupHead_::non_pf_other_store_cnt
uint32_t non_pf_other_store_cnt
Definition: detect.h:1468
packet.h
DeStateStore_
Definition: detect-engine-state.h:77
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
DetectTransaction_
Definition: detect-engine-prefilter.h:31
Packet_::app_update_direction
uint8_t app_update_direction
Definition: decode.h:513
PROF_DETECT_SETUP
@ PROF_DETECT_SETUP
Definition: suricata-common.h:440
DetectEngineStateDirection_
Definition: detect-engine-state.h:82
DetectEngineThreadCtx_::frame_inspect_progress
uint64_t frame_inspect_progress
Definition: detect.h:1173
DetectEngineCtx_::profile_match_logging_threshold
uint32_t profile_match_logging_threshold
Definition: detect.h:955
FLOW_TS_APP_UPDATED
#define FLOW_TS_APP_UPDATED
Definition: flow.h:118
AppLayerParserGetTxData
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:1159
FatalError
#define FatalError(...)
Definition: util-debug.h:502
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:295
FLOWFILE_NO_STORE_TC
#define FLOWFILE_NO_STORE_TC
Definition: flow.h:134
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
DetectEngineThreadCtx_::non_pf_id_array
SigIntId * non_pf_id_array
Definition: detect.h:1102
DetectEngineAppInspectionEngine_::progress
int16_t progress
Definition: detect.h:437
util-validate.h
DetectTransaction_::tx_ptr
void * tx_ptr
Definition: detect-engine-prefilter.h:32
Signature_::addr_src_match6_cnt
uint16_t addr_src_match6_cnt
Definition: detect.h:629
StreamReassembleRawUpdateProgress
void StreamReassembleRawUpdateProgress(TcpSession *ssn, Packet *p, const uint64_t progress)
update stream engine after detection
Definition: stream-tcp-reassemble.c:1506
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:146
FLOWFILE_NO_SHA1_TS
#define FLOWFILE_NO_SHA1_TS
Definition: flow.h:140
PROF_DETECT_RULES
@ PROF_DETECT_RULES
Definition: suricata-common.h:443
DetectRunScratchpad::app_decoder_events
const bool app_decoder_events
Definition: detect.c:73
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:294
PROF_DETECT_NONMPMLIST
@ PROF_DETECT_NONMPMLIST
Definition: suricata-common.h:451
Signature_::dp
DetectPort * dp
Definition: detect.h:642
PacketAlerts_::suppressed
uint16_t suppressed
Definition: decode.h:273
PACKET_PROFILING_DETECT_START
#define PACKET_PROFILING_DETECT_START(p, id)
Definition: util-profiling.h:214
PACKET_ALERT_FLAG_FRAME
#define PACKET_ALERT_FLAG_FRAME
Definition: decode.h:265
DetectEngineThreadCtx_::non_pf_store_cnt
uint32_t non_pf_store_cnt
Definition: detect.h:1194
FLOW_SGH_TOSERVER
#define FLOW_SGH_TOSERVER
Definition: flow.h:72
DetectEngineThreadCtx_::counter_alerts
uint16_t counter_alerts
Definition: detect.h:1140
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Packet_::pkt_src
uint8_t pkt_src
Definition: decode.h:586
SGH_PROFILING_RECORD
#define SGH_PROFILING_RECORD(det_ctx, sgh)
Definition: util-profiling.h:252
PacketAlertFinalize
void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Check the threshold of the sigs that match, set actions, break on pass action This function iterate t...
Definition: detect-engine-alert.c:371
Signature_::addr_dst_match6
DetectMatchAddressIPv6 * addr_dst_match6
Definition: detect.h:633
Flow_::alstate
void * alstate
Definition: flow.h:485
Signature_::id
uint32_t id
Definition: detect.h:636
DeStateStore_::store
DeStateStoreItem store[DE_STATE_CHUNK_SIZE]
Definition: detect-engine-state.h:78
Flow_::flags
uint32_t flags
Definition: flow.h:430
RuleMatchCandidateTx::stream_reset
uint32_t stream_reset
Definition: detect.h:1081
detect-engine-iponly.h
Signature_
Signature container.
Definition: detect.h:601
InspectionBufferClean
void InspectionBufferClean(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine.c:1470
SignatureMask
#define SignatureMask
Definition: detect.h:311
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
TRACE_SID_TXS
#define TRACE_SID_TXS(sid, txs,...)
Definition: detect.c:1050
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:234
DetectEngineThreadCtx_::tx_id_set
bool tx_id_set
Definition: detect.h:1169
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:201
DetectRunScratchpad::flow_flags
const uint8_t flow_flags
Definition: detect.c:72
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1212
suricata.h
IPOnlyMatchPacket
void IPOnlyMatchPacket(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineIPOnlyCtx *io_ctx, Packet *p)
Match a packet against the IP Only detection engine contexts.
Definition: detect-engine-iponly.c:1004
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:858
Packet_::dst
Address dst
Definition: decode.h:484
SigGroupHead_::non_pf_syn_store_array
SignatureNonPrefilterStore * non_pf_syn_store_array
Definition: detect.h:1472
PROF_DETECT_TX
@ PROF_DETECT_TX
Definition: suricata-common.h:444
DetectEngineAppInspectionEngine_::dir
uint8_t dir
Definition: detect.h:431
PKT_NOPACKET_INSPECTION
#define PKT_NOPACKET_INSPECTION
Definition: decode.h:1257
SignatureNonPrefilterStore_::mask
SignatureMask mask
Definition: detect.h:1068
DetectGetInnerTx
void * DetectGetInnerTx(void *tx_ptr, AppProto alproto, AppProto engine_alproto, uint8_t flow_flags)
Definition: detect.c:1054
DetectRunScratchpad::alproto
const AppProto alproto
Definition: detect.c:71
DE_STATE_FLAG_FULL_INSPECT
#define DE_STATE_FLAG_FULL_INSPECT
Definition: detect-engine-state.h:55
STREAMTCP_STREAM_FLAG_DISABLE_RAW
#define STREAMTCP_STREAM_FLAG_DISABLE_RAW
Definition: stream-tcp-private.h:238
DetectEngineThreadCtx_::mt_det_ctxs_cnt
uint32_t mt_det_ctxs_cnt
Definition: detect.h:1105
AppLayerGetTxIteratorFunc
AppLayerGetTxIterTuple(* AppLayerGetTxIteratorFunc)(const uint8_t ipproto, const AppProto alproto, void *alstate, uint64_t min_tx_id, uint64_t max_tx_id, AppLayerGetTxIterState *state)
tx iterator prototype
Definition: app-layer-parser.h:152
likely
#define likely(expr)
Definition: util-optimize.h:32
IPPROTO_SCTP
#define IPPROTO_SCTP
Definition: decode.h:1199
DE_STATE_FLAG_FILE_INSPECT
#define DE_STATE_FLAG_FILE_INSPECT
Definition: detect-engine-state.h:60
FLOW_NOPACKET_INSPECTION
#define FLOW_NOPACKET_INSPECTION
Definition: flow.h:64
DetectEngineCtx_::io_ctx
DetectEngineIPOnlyCtx io_ctx
Definition: detect.h:882
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:375
Signature_::addr_dst_match4
DetectMatchAddressIPv4 * addr_dst_match4
Definition: detect.h:630
FlowGetDisruptionFlags
uint8_t FlowGetDisruptionFlags(const Flow *f, uint8_t flags)
get 'disruption' flags: GAP/DEPTH/PASS
Definition: flow.c:1137
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Signature_::addr_src_match4_cnt
uint16_t addr_src_match4_cnt
Definition: detect.h:627
SigIntId
#define SigIntId
Definition: suricata-common.h:315
DeStateStoreItem_
Definition: detect-engine-state.h:72
GenericVarFree
void GenericVarFree(GenericVar *gv)
Definition: util-var.c:48
Signature_::addr_dst_match4_cnt
uint16_t addr_dst_match4_cnt
Definition: detect.h:626
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:459
Packet_::dp
Port dp
Definition: decode.h:494
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SIG_GROUP_HEAD_HAVEFILESHA256
#define SIG_GROUP_HEAD_HAVEFILESHA256
Definition: detect.h:1334
SigGroupHead_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1463
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1082
PACKET_ALERT_FLAG_STATE_MATCH
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:257
AppLayerParserHasDecoderEvents
bool AppLayerParserHasDecoderEvents(AppLayerParserState *pstate)
Definition: app-layer-parser.c:1489
DetectEngineLookupFlow_::tcp
DetectPort * tcp
Definition: detect.h:783
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
DetectTransaction_::detect_flags
const uint64_t detect_flags
Definition: detect-engine-prefilter.h:36
detect-engine-address.h
Flow_::tenant_id
uint32_t tenant_id
Definition: flow.h:425
Packet_::src
Address src
Definition: decode.h:483
DetectEngineThreadCtx_::counter_mpm_list
uint16_t counter_mpm_list
Definition: detect.h:1146
SigMatchSignaturesGetSgh
const SigGroupHead * SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx, const Packet *p)
Get the SigGroupHead for a packet.
Definition: detect.c:215
DetectRunPrefilterTx
void DetectRunPrefilterTx(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const uint8_t ipproto, const uint8_t flow_flags, const AppProto alproto, void *alstate, DetectTransaction *tx)
run prefilter engines on a transaction
Definition: detect-engine-prefilter.c:93
RuleMatchCandidateTxArrayInit
void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size)
Definition: detect.c:974
SIG_FLAG_DP_ANY
#define SIG_FLAG_DP_ANY
Definition: detect.h:241
DetectPortLookupGroup
DetectPort * DetectPortLookupGroup(DetectPort *dp, uint16_t port)
Function that find the group matching port in a group head.
Definition: detect-engine-port.c:613
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1270
detect-engine-threshold.h
Signature_::mask
SignatureMask mask
Definition: detect.h:612
app-layer.h
RuleMatchCandidateTx
Definition: detect.h:1073
DetectEngineThreadCtx_::TenantGetId
uint32_t(* TenantGetId)(const void *, const Packet *p)
Definition: detect.h:1112
PrefilterRuleStore_::rule_id_array
SigIntId * rule_id_array
Definition: util-prefilter.h:38
PacketEngineEvents_::cnt
uint8_t cnt
Definition: decode.h:290
Flow_::de_ctx_version
uint32_t de_ctx_version
Definition: flow.h:473
DetectProtoContainsProto
int DetectProtoContainsProto(const DetectProto *dp, int proto)
see if a DetectProto contains a certain proto
Definition: detect-engine-proto.c:135
DetectEngineThreadCtx_::match_array
Signature ** match_array
Definition: detect.h:1183