Go to the documentation of this file.
81 static inline void DetectRulePacketRules(
ThreadVars *
const tv,
120 DetectRunInspectIPOnly(th_v,
de_ctx, det_ctx, pflow, p);
123 DetectRunGetRuleGroup(
de_ctx, p, pflow, &scratch);
126 if (scratch.
sgh == NULL) {
127 SCLogDebug(
"no sgh for this packet, nothing to match against");
132 DetectRunPrefilterPkt(th_v,
de_ctx, det_ctx, p, &scratch);
136 DetectRulePacketRules(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
141 if (p->
proto == IPPROTO_TCP) {
145 DetectRunFrames(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
148 }
else if (p->
proto == IPPROTO_UDP) {
149 DetectRunFrames(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
153 DetectRunTx(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
158 DetectRunPostRules(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
160 DetectRunCleanup(det_ctx, p, pflow);
173 SCLogDebug(
"running match functions, sm %p", smd);
206 }
else if (p->
proto == 0) {
220 if (
proto == IPPROTO_TCP) {
222 SCLogDebug(
"tcp toserver %p, tcp toclient %p: going to use %p",
224 uint16_t port = f ? p->
dp : p->
sp;
229 SCLogDebug(
"TCP list %p, port %u, direction %s, sghport %p, sgh %p",
230 list, port, f ?
"toserver" :
"toclient", sghport, sgh);
231 }
else if (
proto == IPPROTO_UDP) {
233 uint16_t port = f ? p->
dp : p->
sp;
237 SCLogDebug(
"UDP list %p, port %u, direction %s, sghport %p, sgh %p",
238 list, port, f ?
"toserver" :
"toclient", sghport, sgh);
269 final_ptr = nonmpm_ptr;
274 nonmpm = *nonmpm_ptr;
288 if (
likely(
id != previous_id)) {
294 final_ptr = nonmpm_ptr;
300 }
else if (mpm > nonmpm) {
305 if (
likely(
id != previous_id)) {
315 nonmpm = *nonmpm_ptr;
321 while (--m_cnt != 0) {
332 final_ptr = ++nonmpm_ptr;
347 nonmpm = *nonmpm_ptr;
353 while (final_cnt-- > 0) {
358 if (
likely(
id != previous_id)) {
372 static inline void DetectPrefilterBuildNonPrefilterList(
380 if ((rule_mask & mask) == rule_mask &&
381 (rule_alproto == 0 || AppProtoEquals(rule_alproto, alproto))) {
401 SCLogDebug(
"sgh non_pf ptr %p cnt %u (syn %p/%u, other %p/%u)",
413 DetectPostInspectFileFlagsUpdate(
Flow *f,
const SigGroupHead *sgh, uint8_t direction)
418 SCLogDebug(
"requesting disabling all file features for flow");
422 SCLogDebug(
"requesting disabling filestore for flow");
426 if (!(sgh->
flags & SIG_GROUP_HEAD_HAVEFILEMAGIC)) {
427 SCLogDebug(
"requesting disabling magic for flow");
432 SCLogDebug(
"requesting disabling md5 for flow");
436 SCLogDebug(
"requesting disabling sha1 for flow");
440 SCLogDebug(
"requesting disabling sha256 for flow");
444 SCLogDebug(
"requesting disabling filesize for flow");
448 if (flow_file_flags != 0) {
464 SCLogDebug(
"STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.client");
469 DetectPostInspectFileFlagsUpdate(pflow,
479 SCLogDebug(
"STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.server");
484 DetectPostInspectFileFlagsUpdate(pflow,
489 static inline void DetectRunGetRuleGroup(
497 bool use_flow_sgh =
false;
504 SCLogDebug(
"sgh = pflow->sgh_toserver; => %p", sgh);
508 SCLogDebug(
"sgh = pflow->sgh_toclient; => %p", sgh);
514 if (!(use_flow_sgh)) {
527 DetectRunPostGetFirstRuleGroup(p, pflow, sgh);
555 SCLogDebug(
"testing against \"ip-only\" signatures");
576 static inline int DetectRunInspectRuleHeader(
580 const uint32_t sflags,
581 const uint8_t s_proto_flags)
593 SCLogDebug(
"skipping sig as the flow has no flowvars and sig "
594 "has SIG_FLAG_REQUIRE_FLOWVAR flag set.");
614 if (p->
proto == IPPROTO_TCP || p->
proto == IPPROTO_UDP || p->
proto == IPPROTO_SCTP) {
634 SCLogDebug(
"port-less protocol and sig needs ports");
665 static inline void DetectRunPrefilterPkt(
673 DetectPrefilterSetNonPrefilterList(p, det_ctx, scratch);
682 DetectPrefilterBuildNonPrefilterList(det_ctx, scratch->
pkt_mask, scratch->
alproto);
696 DetectPrefilterMergeSort(
de_ctx, det_ctx);
711 static inline void DetectRulePacketRules(
729 (uint64_t)match_cnt);
740 uint32_t sflags, next_sflags = 0;
742 next_s = *match_array++;
743 next_sflags = next_s->
flags;
745 while (match_cnt--) {
747 uint8_t alert_flags = 0;
752 sflags = next_sflags;
754 next_s = *match_array++;
755 next_sflags = next_s->
flags;
775 if (SigDsizePrefilter(p, s, sflags))
786 if (DetectRunInspectRuleHeader(p, pflow, s, sflags, s_proto_flags) == 0) {
797 DetectRunPostMatch(
tv, det_ctx, p, s);
801 DetectVarProcessList(det_ctx, pflow, p);
802 DetectReplaceFree(det_ctx);
816 uint8_t flow_flags = 0;
817 bool app_decoder_events =
false;
836 det_ctx->pkt_stream_add_cnt++;
845 flow_flags = STREAM_TOSERVER;
848 flow_flags = STREAM_TOCLIENT;
854 flow_flags |= STREAM_EOF;
885 (p->
proto == IPPROTO_UDP) ||
894 flow_flags |= STREAM_FLUSH;
898 SCLogDebug(
"packet doesn't have established flag set (proto %d)", p->
proto);
909 static inline void DetectRunPostRules(
969 SCLogDebug(
"array initialized to %u elements (%"PRIu64
" bytes)",
992 uint32_t new_size = needed;
1001 SCLogDebug(
"array expanded from %u to %u elements (%"PRIu64
" bytes -> %"PRIu64
" bytes)",
1015 DetectRunTxSortHelper(
const void *a,
const void *b)
1019 if (s1->
id == s0->
id)
1022 return s0->
id > s1->
id ? 1 : -1;
1026 #define TRACE_SID_TXS(sid,txs,...) \
1028 char _trace_buf[2048]; \
1029 snprintf(_trace_buf, sizeof(_trace_buf), __VA_ARGS__); \
1030 SCLogNotice("%p/%"PRIu64"/%u: %s", txs->tx_ptr, txs->tx_id, sid, _trace_buf); \
1033 #define TRACE_SID_TXS(sid,txs,...)
1053 const uint8_t in_flow_flags,
1057 uint32_t *stored_flags,
1061 uint8_t flow_flags = in_flow_flags;
1062 const int direction = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
1063 uint32_t inspect_flags = stored_flags ? *stored_flags : 0;
1064 int total_matches = 0;
1065 uint16_t file_no_match = 0;
1066 bool retval =
false;
1067 bool mpm_before_progress =
false;
1068 bool mpm_in_progress =
false;
1072 flow_flags &=~ STREAM_FLUSH;
1074 TRACE_SID_TXS(s->
id, tx,
"starting %s", direction ?
"toclient" :
"toserver");
1075 TRACE_SID_TXS(s->
id, tx,
"FLUSH? %s", (flow_flags & STREAM_FLUSH)?
"true":
"false");
1078 if (
likely(stored_flags == NULL)) {
1080 if (DetectRunInspectRuleHeader(p, f, s, s->
flags, s->
proto.
flags) == 0) {
1096 while (engine != NULL) {
1097 TRACE_SID_TXS(s->
id, tx,
"engine %p inspect_flags %x", engine, inspect_flags);
1098 if (!(inspect_flags &
BIT_U32(engine->
id)) &&
1099 direction == engine->
dir)
1105 engine = engine->
next;
1112 SCLogDebug(
"tx progress %d < engine progress %d",
1119 "engine->mpm: t->tx_progress %u > engine->progress %u, so set "
1120 "mpm_before_progress",
1122 mpm_before_progress =
true;
1125 "engine->mpm: t->tx_progress %u == engine->progress %u, so set "
1128 mpm_in_progress =
true;
1136 TRACE_SID_TXS(s->
id, tx,
"stream skipped, stored result %d used instead", match);
1146 TRACE_SID_TXS(s->
id, tx,
"stream ran, store result %d for next tx (if any)", match);
1151 engine = engine->
next;
1158 engine = engine->
next;
1170 if (engine->
mpm && mpm_before_progress) {
1176 engine = engine->
next;
1178 TRACE_SID_TXS(s->
id, tx,
"inspect_flags %x, total_matches %u, engine %p",
1179 inspect_flags, total_matches, engine);
1181 if (engine == NULL && total_matches) {
1188 *stored_flags = inspect_flags;
1189 TRACE_SID_TXS(s->
id, tx,
"continue inspect flags %08x", inspect_flags);
1196 if (file_no_match) {
1207 inspect_flags, flow_flags, file_no_match);
1211 "mpm won't trigger for it anymore");
1215 "we may have to revisit anyway");
1217 inspect_flags, flow_flags, file_no_match);
1221 "mpm will revisit it");
1225 inspect_flags, flow_flags, file_no_match);
1237 void *alstate,
const uint64_t tx_id,
void *tx_ptr,
const int tx_end_state,
1238 const uint8_t flow_flags)
1240 uint64_t detect_flags;
1242 if (
likely(txd != NULL)) {
1243 detect_flags = (flow_flags & STREAM_TOSERVER) ? txd->detect_flags_ts : txd->detect_flags_tc;
1248 SCLogDebug(
"%"PRIu64
" tx already fully inspected for %s. Flags %016"PRIx64,
1249 tx_id, flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient",
1256 const int dir_int = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
1265 .tx_data_ptr = (
struct AppLayerTxData *)txd,
1266 .de_state = tx_dir_state,
1267 .detect_flags = detect_flags,
1268 .prefilter_flags = prefilter_flags,
1269 .prefilter_flags_orig = prefilter_flags,
1270 .tx_progress = tx_progress,
1271 .tx_end_state = tx_end_state,
1276 static inline void StoreDetectFlags(
DetectTransaction *tx,
const uint8_t flow_flags,
1277 const uint8_t ipproto,
const AppProto alproto,
const uint64_t detect_flags)
1279 AppLayerTxData *txd = (AppLayerTxData *)tx->
tx_data_ptr;
1280 if (
likely(txd != NULL)) {
1281 if (flow_flags & STREAM_TOSERVER) {
1282 txd->detect_flags_ts = detect_flags;
1284 txd->detect_flags_tc = detect_flags;
1296 const uint8_t flow_flags = scratch->
flow_flags;
1298 void *
const alstate = f->
alstate;
1299 const uint8_t ipproto = f->
proto;
1308 memset(&state, 0,
sizeof(state));
1311 AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, tx_id_min, total_txs, &state);
1312 if (ires.tx_ptr == NULL)
1316 alstate, ires.tx_id, ires.tx_ptr, tx_end_state, flow_flags);
1318 SCLogDebug(
"%p/%"PRIu64
" no transaction to inspect",
1324 tx_id_min = tx.
tx_id + 1;
1326 bool do_sort =
false;
1327 uint32_t array_idx = 0;
1337 SCLogDebug(
"%p/%"PRIu64
" rules added from prefilter: %u candidates",
1341 if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {
1342 RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1356 if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {
1357 RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1362 uint32_t x = array_idx;
1373 SCLogDebug(
"%p/%"PRIu64
" rule %u (%u) added from 'match' list",
1377 do_sort = (array_idx > x);
1383 const uint32_t old = array_idx;
1388 if (have_new_file) {
1389 SCLogDebug(
"%p/%"PRIu64
" destate: need to consider new file",
1396 for (; tx_store != NULL; tx_store = tx_store->
next) {
1402 store_cnt++, state_cnt++)
1419 do_sort |= (old && old != array_idx);
1425 DetectRunTxSortHelper);
1437 for (uint32_t i = 0; i < array_idx; i++) {
1446 if ((i + 1) < array_idx) {
1450 SCLogDebug(
"%p/%"PRIu64
" inspecting SKIP NEXT: sid %u (%u), flags %08x",
1453 SCLogDebug(
"%p/%"PRIu64
" inspecting SKIP CURRENT: sid %u (%u), flags %08x",
1459 SCLogDebug(
"%p/%"PRIu64
" inspecting SKIP NEXT: sid %u (%u), flags %08x",
1465 SCLogDebug(
"%p/%"PRIu64
" inspecting: sid %u (%u), flags %08x",
1468 if (inspect_flags) {
1470 SCLogDebug(
"%p/%"PRIu64
" inspecting: sid %u (%u), flags %08x ALREADY COMPLETE",
1476 if (inspect_flags) {
1486 const int r = DetectRunTxInspectRule(
tv,
de_ctx, det_ctx, p, f, flow_flags,
1487 alstate, &tx, s, inspect_flags, can, scratch);
1490 DetectRunPostMatch(
tv, det_ctx, p, s);
1496 DetectVarProcessList(det_ctx, p->
flow, p);
1506 uint64_t new_detect_flags = 0;
1510 SCLogDebug(
"%p/%"PRIu64
" tx is done for direction %s. Flag %016"PRIx64,
1512 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient",
1518 SCLogDebug(
"%p/%"PRIu64
" updated prefilter flags %016"PRIx64
" "
1519 "(was: %016"PRIx64
") for direction %s. Flag %016"PRIx64,
1521 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient",
1524 if (new_detect_flags != 0 &&
1529 SCLogDebug(
"%p/%"PRIu64
" Storing new flags %016"PRIx64
" (was %016"PRIx64
")",
1532 StoreDetectFlags(&tx, flow_flags, ipproto, alproto, new_detect_flags);
1549 if (frames_container == NULL) {
1554 frames = &frames_container->
toserver;
1556 frames = &frames_container->
toclient;
1559 for (uint32_t idx = 0; idx < frames->
cnt; idx++) {
1562 if (frame == NULL) {
1566 uint32_t array_idx = 0;
1574 SCLogDebug(
"%p/%" PRIi64
" rules added from prefilter: %u candidates", frame, frame->
id,
1579 if (!(RuleMatchCandidateTxArrayHasSpace(
1580 det_ctx, total_rules))) {
1581 RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1596 uint32_t x = array_idx;
1607 SCLogDebug(
"%p/%" PRIi64
" rule %u (%u) added from 'match' list", frame, frame->
id,
1611 SCLogDebug(
"%p/%" PRIi64
" rules added from 'match' list: %u", frame, frame->
id,
1616 for (uint32_t i = 0; i < array_idx; i++) {
1619 SCLogDebug(
"%p/%" PRIi64
" inspecting: sid %u (%u)", frame, frame->
id, s->
id, s->
num);
1622 SCLogDebug(
"%p/%" PRIi64
" Start sid %u", frame, frame->
id, s->
id);
1626 int r = DetectRunInspectRuleHeader(p, f, s, s->
flags, s->
proto.
flags);
1631 DetectRunPostMatch(
tv, det_ctx, p, s);
1633 const uint8_t alert_flags =
1638 "%p/%" PRIi64
" sig %u (%u) matched", frame, frame->
id, s->
id, s->
num);
1642 DetectVarProcessList(det_ctx, p->
flow, p);
1669 flags = STREAM_TOSERVER;
1671 flags = STREAM_TOCLIENT;
1676 SCLogDebug(
"p->pcap %"PRIu64
": no detection on packet, "
1677 "PKT_NOPACKET_INSPECTION is set", p->
pcap_cnt);
1688 (void)DetectRun(
tv,
de_ctx, det_ctx, p);
1720 if (det_ctx == NULL) {
1721 printf(
"ERROR: Detect has no thread ctx\n");
1727 SCLogDebug(
"Detect Engine using new det_ctx - %p",
1738 if (tenant_id > 0 && tenant_id < det_ctx->mt_det_ctxs_cnt) {
1741 if (det_ctx == NULL)
1749 SCLogDebug(
"MT de_ctx %p det_ctx %p (tenant %u)",
de_ctx, det_ctx, tenant_id);
1760 DetectFlow(
tv,
de_ctx, det_ctx, p);
1762 DetectNoFlow(
tv,
de_ctx, det_ctx, p);
1774 DetectPostInspectFileFlagsUpdate(f, NULL , STREAM_TOSERVER);
1775 DetectPostInspectFileFlagsUpdate(f, NULL , STREAM_TOCLIENT);
1786 DetectFlow(
tv,
de_ctx, det_ctx, p);
1788 DetectNoFlow(
tv,
de_ctx, det_ctx, p);
uint32_t non_pf_syn_store_cnt
#define FLOWFILE_NO_MD5_TS
SignatureNonPrefilterStore * non_pf_store_ptr
void RulesDumpTxMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, const Packet *p, const uint64_t tx_id, const uint32_t rule_cnt, const uint32_t pkt_prefilter_cnt)
#define SIG_GROUP_HEAD_HAVEFILEMD5
#define FLOWFILE_NO_MD5_TC
PrefilterEngine * tx_engines
struct AppLayerTxData * tx_data_ptr
#define RULE_PROFILING_END(ctx, r, m, p)
#define DE_STATE_CHUNK_SIZE
#define FLOWFILE_NO_SIZE_TS
uint16_t alert_queue_size
#define FLOWFILE_NO_SIZE_TC
DetectMatchAddressIPv6 * addr_src_match6
#define PACKET_ALERT_FLAG_TX
struct SigGroupHead_ * decoder_event_sgh
int FlowGetPacketDirection(const Flow *f, const Packet *p)
determine the direction of the packet compared to the flow
DetectEngineLookupFlow flow_gh[FLOW_STATES]
#define DE_STATE_FLAG_SIG_CANT_MATCH
uint16_t counter_match_list
struct DetectEngineAppInspectionEngine_ * next
#define DETECT_PROTO_IPV6
void IPOnlyMatchPacket(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineIPOnlyCtx *io_ctx, DetectEngineIPOnlyThreadCtx *io_tctx, Packet *p)
Match a packet against the IP Only detection engine contexts.
void Prefilter(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const uint8_t flags)
uint32_t rule_id_array_cnt
Container for matching data for a signature group.
#define SIG_GROUP_HEAD_HAVEFILESIZE
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
int DetectAddressMatchIPv4(const DetectMatchAddressIPv4 *addrs, uint16_t addrs_cnt, const Address *a)
Match a packets address against a signatures addrs array.
#define FLOW_SGH_TOCLIENT
AppLayerGetTxIteratorFunc AppLayerGetTxIterator(const uint8_t ipproto, const AppProto alproto)
struct HtpBodyChunk_ * next
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
#define FLOWFILE_NO_MAGIC_TS
#define ICMPV4_DEST_UNREACH_IS_VALID(p)
#define SIG_GROUP_HEAD_HAVEFILESHA1
void DetectRunPrefilterFrame(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const Frames *frames, const Frame *frame, const AppProto alproto, const uint32_t idx)
main detection engine ctx
int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto, uint8_t direction)
struct DetectRunScratchpad DetectRunScratchpad
DetectEngineStateDirection dir_state[2]
Frame * FrameGetByIndex(Frames *frames, const uint32_t idx)
void StreamReassembleRawUpdateProgress(TcpSession *ssn, Packet *p, uint64_t progress)
update stream engine after detection
#define FLOW_PKT_TOSERVER
#define APP_LAYER_TX_INSPECTED_FLAG
#define SIG_GROUP_HEAD_HAVERAWSTREAM
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
struct SigGroupHead_ * sh
#define PACKET_PROFILING_DETECT_END(p, id)
TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
Detection engine thread wrapper.
#define FLOW_PKT_TOCLIENT_IPONLY_SET
#define KEYWORD_PROFILING_START
uint16_t counter_fnonmpm_list
struct DetectEngineAppInspectionEngine_::@84 v2
void DisableDetectFlowFileFlags(Flow *f)
disable file features we don't need Called if we have no detection engine.
uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction)
uint16_t counter_nonmpm_list
PacketEngineEvents events
DetectEngineFrameInspectionEngine * frame_inspect
const uint64_t prefilter_flags_orig
void PacketCreateMask(Packet *p, SignatureMask *mask, AppProto alproto, bool app_decoder_events)
#define SIG_FLAG_APPLAYER
#define KEYWORD_PROFILING_END(ctx, type, m)
HashTable * mt_det_ctxs_hash
bool DetectEnginePktInspectionRun(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, uint8_t *alert_flags)
const struct SigGroupHead_ * sgh_toserver
uint16_t counter_alerts_suppressed
void DetectRunStoreStateTx(const SigGroupHead *sgh, Flow *f, void *tx, uint64_t tx_id, const Signature *s, uint32_t inspect_flags, uint8_t flow_flags, const uint16_t file_no_match)
AppLayerParserState * alparser
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
#define FLOWFILE_NO_SHA1_TC
@ DETECT_SM_LIST_POSTMATCH
RuleMatchCandidateTx * tx_candidates
DetectMatchAddressIPv4 * addr_src_match4
uint16_t counter_alerts_overflow
#define DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET
#define PKT_IS_TOSERVER(p)
#define DEBUG_VALIDATE_PACKET(p)
void DeStateUpdateInspectTransactionId(Flow *f, const uint8_t flags, const bool tag_txs_as_inspected)
update flow's inspection id's
#define FLOWFILE_NO_STORE_TS
uint32_t tx_candidates_size
#define FLOW_PKT_TOSERVER_IPONLY_SET
struct SigGroupHead_ * sgh[256]
void * HashTableLookup(HashTable *ht, void *data, uint16_t datalen)
Per thread variable structure.
struct DeStateStore_ * next
#define FLOWFILE_NO_SHA256_TS
#define DETECT_ENGINE_INSPECT_SIG_MATCH
#define PKT_DETECT_HAS_STREAMDATA
bool StreamReassembleRawHasDataReady(TcpSession *ssn, Packet *p)
does the stream engine have data to inspect?
Port structure for detection engine.
DetectEngineAppInspectionEngine * app_inspect
const struct SigGroupHead_ * sgh_toclient
#define SIG_FLAG_REQUIRE_FLOWVAR
uint64_t raw_stream_progress
void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction)
set a flow's file flags
void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t alert_flags)
Append signature to local packet alert queue for later preprocessing.
void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx)
int DetectRunFrameInspectRule(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, const Frames *frames, const Frame *frame, const uint32_t idx)
FramesContainer * AppLayerFramesGetContainer(Flow *f)
InspectEngineFuncPtr2 Callback
#define APP_LAYER_TX_PREFILTER_MASK
void FlowSetIPOnlyFlag(Flow *f, int direction)
Set the IPOnly scanned flag for 'direction'.
#define FLOW_TOSERVER_IPONLY_SET
#define RULE_PROFILING_START(p)
#define SCReturnPtr(x, type)
DetectEngineStateDirection * de_state
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, const Packet *p)
uint16_t addr_dst_match6_cnt
#define FLOW_PKT_TOCLIENT
PrefilterEngine * frame_engines
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_STATE_FLAG_FILE_NEW
#define SCRealloc(ptr, sz)
#define FLOWFILE_NO_SHA256_TC
#define DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES
#define DETECT_PROTO_IPV4
int DetectAddressMatchIPv6(const DetectMatchAddressIPv6 *addrs, uint16_t addrs_cnt, const Address *a)
Match a packets address against a signatures addrs array.
void DetectEngineStateResetTxs(Flow *f)
Reset de state for active tx' To be used on detect engine reload.
#define FLOWFILE_NO_MAGIC_TC
SignatureNonPrefilterStore * non_pf_other_store_array
#define FLOW_TOCLIENT_IPONLY_SET
#define APP_LAYER_TX_RESERVED_FLAGS
uint32_t non_pf_other_store_cnt
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
uint32_t profile_match_logging_threshold
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
#define FatalError(x,...)
#define FLOWFILE_NO_STORE_TC
SigIntId * non_pf_id_array
AppProto FlowGetAppProtocol(const Flow *f)
uint16_t addr_src_match6_cnt
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
#define FLOWFILE_NO_SHA1_TS
const bool app_decoder_events
#define PACKET_PROFILING_DETECT_START(p, id)
#define PACKET_ALERT_FLAG_FRAME
uint32_t non_pf_store_cnt
#define FLOW_SGH_TOSERVER
#define SGH_PROFILING_RECORD(det_ctx, sgh)
void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Check the threshold of the sigs that match, set actions, break on pass action This function iterate t...
DetectMatchAddressIPv6 * addr_dst_match6
DeStateStoreItem store[DE_STATE_CHUNK_SIZE]
#define IP_GET_IPPROTO(p)
void InspectionBufferClean(DetectEngineThreadCtx *det_ctx)
#define TRACE_SID_TXS(sid, txs,...)
#define FLOW_PKT_ESTABLISHED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
SignatureNonPrefilterStore * non_pf_syn_store_array
#define PKT_NOPACKET_INSPECTION
#define DE_STATE_FLAG_FULL_INSPECT
#define STREAMTCP_STREAM_FLAG_DISABLE_RAW
AppLayerGetTxIterTuple(* AppLayerGetTxIteratorFunc)(const uint8_t ipproto, const AppProto alproto, void *alstate, uint64_t min_tx_id, uint64_t max_tx_id, AppLayerGetTxIterState *state)
tx iterator prototype
#define DE_STATE_FLAG_FILE_INSPECT
#define FLOW_NOPACKET_INSPECTION
DetectEngineIPOnlyCtx io_ctx
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
DetectMatchAddressIPv4 * addr_dst_match4
uint8_t FlowGetDisruptionFlags(const Flow *f, uint8_t flags)
get 'disruption' flags: GAP/DEPTH/PASS
uint16_t addr_src_match4_cnt
void GenericVarFree(GenericVar *gv)
uint16_t addr_dst_match4_cnt
AppProto alproto
application level protocol
#define SIG_GROUP_HEAD_HAVEFILESHA256
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
#define PACKET_ALERT_FLAG_STATE_MATCH
bool AppLayerParserHasDecoderEvents(AppLayerParserState *pstate)
#define DEBUG_VALIDATE_BUG_ON(exp)
const uint64_t detect_flags
@ PKT_DROP_REASON_FLOW_DROP
uint16_t counter_mpm_list
const SigGroupHead * SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx, const Packet *p)
Get the SigGroupHead for a packet.
void DetectRunPrefilterTx(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const uint8_t ipproto, const uint8_t flow_flags, const AppProto alproto, void *alstate, DetectTransaction *tx)
run prefilter engines on a transaction
void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size)
DetectPort * DetectPortLookupGroup(DetectPort *dp, uint16_t port)
Function that find the group matching address in a group head.
DetectEngineIPOnlyThreadCtx io_ctx
uint32_t(* TenantGetId)(const void *, const Packet *p)
int DetectProtoContainsProto(const DetectProto *dp, int proto)
see if a DetectProto contains a certain proto