86 const uint8_t default_action);
93 static inline uint8_t DetectRulePacketRules(
ThreadVars *
const tv,
127 DetectRunInspectIPOnly(th_v,
de_ctx, det_ctx, pflow, p);
130 DetectRunGetRuleGroup(
de_ctx, p, pflow, &scratch);
133 if (scratch.
sgh == NULL) {
134 SCLogDebug(
"no sgh for this packet, nothing to match against");
139 DetectRunPrefilterPkt(th_v,
de_ctx, det_ctx, p, &scratch);
143 const uint8_t pkt_policy = DetectRulePacketRules(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
159 if (p->
proto == IPPROTO_TCP) {
162 DetectRunAppendDefaultAccept(det_ctx, p);
174 DetectRunFrames(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
182 DetectRunAppendDefaultAccept(det_ctx, p);
185 }
else if (p->
proto == IPPROTO_UDP) {
186 DetectRunFrames(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
190 DetectRunTx(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
199 DetectRunAppendDefaultAccept(det_ctx, p);
203 DetectRunPostRules(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
205 DetectRunCleanup(det_ctx, p, pflow);
229 if (scratch.
sgh == NULL) {
230 SCLogDebug(
"no sgh for this packet, nothing to match against");
235 DetectRunPrefilterPkt(th_v,
de_ctx, det_ctx, p, &scratch);
239 const uint8_t pkt_policy = DetectRulePacketRules(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
246 DetectRunPostRules(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
248 DetectRunCleanup(det_ctx, p, pflow);
261 SCLogDebug(
"running match functions, sm %p", smd);
292 }
else if (p->
proto == 0) {
293 if (!(PacketIsIPv4(p) || PacketIsIPv6(p))) {
302 int proto = PacketGetIPProto(p);
303 if (
proto == IPPROTO_TCP) {
307 const uint16_t port = dir ? p->
dp : p->
sp;
312 SCLogDebug(
"TCP list %p, port %u, direction %s, sghport %p, sgh %p", list, port,
313 dir ?
"toserver" :
"toclient", sghport, sgh);
314 }
else if (
proto == IPPROTO_UDP) {
316 uint16_t port = dir ? p->
dp : p->
sp;
320 SCLogDebug(
"UDP list %p, port %u, direction %s, sghport %p, sgh %p", list, port,
321 dir ?
"toserver" :
"toclient", sghport, sgh);
329 static inline void DetectPrefilterCopyDeDup(
337 while (final_cnt-- > 0) {
342 if (
likely(
id != previous_id)) {
359 DetectPostInspectFileFlagsUpdate(
Flow *f,
const SigGroupHead *sgh, uint8_t direction)
364 SCLogDebug(
"requesting disabling all file features for flow");
368 SCLogDebug(
"requesting disabling filestore for flow");
372 if (!(sgh->
flags & SIG_GROUP_HEAD_HAVEFILEMAGIC)) {
373 SCLogDebug(
"requesting disabling magic for flow");
378 SCLogDebug(
"requesting disabling md5 for flow");
382 SCLogDebug(
"requesting disabling sha1 for flow");
386 SCLogDebug(
"requesting disabling sha256 for flow");
390 SCLogDebug(
"requesting disabling filesize for flow");
394 if (flow_file_flags != 0) {
410 SCLogDebug(
"STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.client");
415 DetectPostInspectFileFlagsUpdate(pflow,
425 SCLogDebug(
"STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.server");
430 DetectPostInspectFileFlagsUpdate(pflow,
435 static inline void DetectRunGetRuleGroup(
443 bool use_flow_sgh =
false;
446 if (PacketGetIPProto(p) == pflow->
proto) {
450 SCLogDebug(
"sgh = pflow->sgh_toserver; => %p", sgh);
454 SCLogDebug(
"sgh = pflow->sgh_toclient; => %p", sgh);
460 if (!(use_flow_sgh)) {
473 DetectRunPostGetFirstRuleGroup(p, pflow, sgh);
493 SCLogDebug(
"testing against \"ip-only\" signatures");
512 static inline bool DetectRunInspectRuleHeader(
const Packet *p,
const Flow *f,
const Signature *s,
513 const uint32_t sflags,
const uint8_t s_proto_flags)
522 const bool fv = f->
flowvar != NULL;
524 SCLogDebug(
"skipping sig as the flow has no flowvars and sig "
525 "has SIG_FLAG_REQUIRE_FLOWVAR flag set.");
565 SCLogDebug(
"port-less protocol and sig needs ports");
571 if (PacketIsIPv4(p)) {
574 }
else if (PacketIsIPv6(p)) {
581 if (PacketIsIPv4(p)) {
584 }
else if (PacketIsIPv6(p)) {
611 DetectPrefilterCopyDeDup(
de_ctx, det_ctx);
626 static bool IsOnlyTxInDirection(
Flow *f, uint64_t txid, uint8_t dir)
629 if (tx_cnt == txid + 1) {
633 if (tx_cnt == txid + 2) {
648 static int SortHelper(
const void *a,
const void *b)
654 return sa->
iid > sb->
iid ? 1 : -1;
657 static inline uint8_t DetectRulePacketRules(
ThreadVars *
const tv,
662 bool fw_verdict =
false;
672 (uint64_t)match_cnt);
683 bool skip_fw =
false;
684 uint32_t sflags, next_sflags = 0;
686 next_s = *match_array++;
687 next_sflags = next_s->
flags;
689 while (match_cnt--) {
691 bool break_out_of_packet_filter =
false;
692 uint8_t alert_flags = 0;
697 sflags = next_sflags;
699 next_s = *match_array++;
700 next_sflags = next_s->
flags;
712 }
else if (have_fw_rules) {
719 break_out_of_packet_filter =
true;
742 if (SigDsizePrefilter(p, s, sflags))
753 if (!DetectRunInspectRuleHeader(p, pflow, s, sflags, s_proto_flags)) {
764 DetectRunPostMatch(
tv, det_ctx, p, s);
782 if (pflow->
proto != IPPROTO_UDP) {
785 txd->guessed_applayer_logged++;
802 SCLogDebug(
"sig_array_len %u det_ctx->pmq.rule_id_array_cnt %u",
805 for (uint32_t x = 0; x < match_cnt; x++) {
806 *r++ = match_array[x];
807 SCLogDebug(
"appended %u", match_array[x]->
id);
814 if (
ts->app_inspect == NULL) {
820 qsort(replace, match_cnt,
sizeof(
Signature *), SortHelper);
826 uint32_t skipped = 0;
827 for (uint32_t x = 0; x < match_cnt; x++) {
829 if (last_sig == *
m) {
836 match_cnt -= skipped;
838 next_s = *match_array++;
839 next_sflags = next_s->
flags;
870 break_out_of_packet_filter =
true;
875 break_out_of_packet_filter =
true;
886 break_out_of_packet_filter =
true;
890 DetectVarProcessList(det_ctx, pflow, p);
891 DetectReplaceFree(det_ctx);
895 if (break_out_of_packet_filter)
925 const uint8_t default_action)
928 uint8_t flow_flags = 0;
929 bool app_decoder_events =
false;
951 det_ctx->pkt_stream_add_cnt++;
960 flow_flags = STREAM_TOSERVER;
963 flow_flags = STREAM_TOCLIENT;
969 flow_flags |= STREAM_EOF;
1000 (p->
proto == IPPROTO_UDP) ||
1005 alproto = FlowGetAppProtocol(pflow);
1012 SCLogDebug(
"packet doesn't have established flag set (proto %d)", p->
proto);
1049 SCLogDebug(
"packet %" PRIu64
": droppit as no ACCEPT set %02x (pkt %s)", p->
pcap_cnt,
1061 if (pflow != NULL) {
1078 FatalError(
"failed to allocate %" PRIu64
" bytes",
1082 SCLogDebug(
"array initialized to %u elements (%"PRIu64
" bytes)",
1094 const uint32_t need)
1105 uint32_t new_size = needed;
1108 FatalError(
"failed to expand to %" PRIu64
" bytes",
1114 SCLogDebug(
"array expanded from %u to %u elements (%"PRIu64
" bytes -> %"PRIu64
" bytes)",
1127 DetectRunTxSortHelper(
const void *a,
const void *b)
1131 if (s1->
id == s0->
id) {
1138 return s0->
id > s1->
id ? 1 : -1;
1142 #define TRACE_SID_TXS(sid,txs,...) \
1144 char _trace_buf[2048]; \
1145 snprintf(_trace_buf, sizeof(_trace_buf), __VA_ARGS__); \
1146 SCLogNotice("%p/%"PRIu64"/%u: %s", txs->tx_ptr, txs->tx_id, sid, _trace_buf); \
1149 #define TRACE_SID_TXS(sid,txs,...)
1158 tx_ptr = SCDoH2GetDnsTx(tx_ptr, flow_flags);
1163 }
else if (engine_alproto != alproto && engine_alproto !=
ALPROTO_UNKNOWN) {
1187 const uint8_t in_flow_flags,
1191 uint32_t *stored_flags,
1195 const uint8_t flow_flags = in_flow_flags;
1196 const int direction = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
1197 uint32_t inspect_flags = stored_flags ? *stored_flags : 0;
1198 int total_matches = 0;
1199 uint16_t file_no_match = 0;
1200 bool retval =
false;
1201 bool mpm_before_progress =
false;
1202 bool mpm_in_progress =
false;
1204 TRACE_SID_TXS(s->
id, tx,
"starting %s", direction ?
"toclient" :
"toserver");
1207 if (
likely(stored_flags == NULL)) {
1226 TRACE_SID_TXS(s->
id, tx,
"engine %p inspect_flags %x", engine, inspect_flags);
1229 if (!(inspect_flags &
BIT_U32(engine->
id)) &&
1233 if (tx_ptr == NULL) {
1237 engine = engine->
next;
1247 SCLogDebug(
"tx progress %d < engine progress %d",
1254 "engine->mpm: t->tx_progress %u > engine->progress %u, so set "
1255 "mpm_before_progress",
1257 mpm_before_progress =
true;
1260 "engine->mpm: t->tx_progress %u == engine->progress %u, so set "
1263 mpm_in_progress =
true;
1267 uint8_t engine_flags = flow_flags;
1268 if (direction != engine->
dir) {
1269 engine_flags = flow_flags ^ (STREAM_TOCLIENT | STREAM_TOSERVER);
1275 TRACE_SID_TXS(s->
id, tx,
"stream skipped, stored result %d used instead", match);
1280 mpm_before_progress =
true;
1294 de_ctx, det_ctx, engine, s, f, engine_flags, alstate, tx_ptr, tx->
tx_id);
1299 TRACE_SID_TXS(s->
id, tx,
"stream ran, store result %d for next tx (if any)", match);
1304 engine = engine->
next;
1311 engine = engine->
next;
1323 if (engine->
mpm && mpm_before_progress) {
1329 direction != engine->
dir) {
1333 if (direction == 0 && engine->
next == NULL) {
1337 engine = engine->
next;
1341 engine = engine->
next;
1342 }
while (engine != NULL);
1343 TRACE_SID_TXS(s->
id, tx,
"inspect_flags %x, total_matches %u, engine %p",
1344 inspect_flags, total_matches, engine);
1346 if (engine == NULL && total_matches) {
1353 *stored_flags = inspect_flags;
1354 TRACE_SID_TXS(s->
id, tx,
"continue inspect flags %08x", inspect_flags);
1361 if (file_no_match) {
1372 inspect_flags, flow_flags, file_no_match);
1376 "mpm won't trigger for it anymore");
1380 "we may have to revisit anyway");
1382 inspect_flags, flow_flags, file_no_match);
1386 "mpm will revisit it");
1387 }
else if (inspect_flags != 0 || file_no_match != 0) {
1390 inspect_flags, flow_flags, file_no_match);
1399 NULL, 0, NULL, NULL, 0, 0, 0, 0, \
1407 const uint64_t tx_id,
void *tx_ptr,
const int tx_end_state,
const uint8_t flow_flags)
1411 bool updated = (flow_flags & STREAM_TOSERVER) ? txd->updated_ts : txd->updated_tc;
1412 if (!updated && tx_progress < tx_end_state && ((flow_flags & STREAM_EOF) == 0)) {
1416 const uint8_t inspected_flag =
1418 if (
unlikely(txd->flags & inspected_flag)) {
1419 SCLogDebug(
"%" PRIu64
" tx already fully inspected for %s. Flags %02x", tx_id,
1420 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient", txd->flags);
1426 if (
unlikely(txd->flags & skip_flag)) {
1427 SCLogDebug(
"%" PRIu64
" tx should not be inspected in direction %s. Flags %02x", tx_id,
1428 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient", txd->flags);
1433 const uint8_t detect_progress =
1434 (flow_flags & STREAM_TOSERVER) ? txd->detect_progress_ts : txd->detect_progress_tc;
1436 const int dir_int = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
1439 tx_de_state ? &tx_de_state->
dir_state[dir_int] : NULL;
1444 .de_state = tx_dir_state,
1445 .detect_progress = detect_progress,
1446 .detect_progress_orig = detect_progress,
1447 .tx_progress = tx_progress,
1448 .tx_end_state = tx_end_state,
1453 static inline void StoreDetectProgress(
1457 if (flow_flags & STREAM_TOSERVER) {
1458 txd->detect_progress_ts = progress;
1460 txd->detect_progress_tc = progress;
1466 static inline void RuleMatchCandidateMergeStateRules(
1484 uint32_t j = *array_idx;
1493 uint32_t k = *array_idx;
1515 if (s->
iid <= s0->
id) {
1560 bool *skip_fw_hook,
const uint8_t skip_before_progress,
bool *last_for_progress,
1561 bool *fw_next_progress_missing)
1571 if (can_idx + 1 < can_size) {
1577 SCLogDebug(
"peek: next sid progress %u != current progress %u, so current "
1578 "is last for progress",
1580 *last_for_progress =
true;
1583 SCLogDebug(
"peek: missing progress, so we'll drop that unless we get a "
1584 "sweeping accept first");
1585 *fw_next_progress_missing =
true;
1589 SCLogDebug(
"peek: next sid not a fw rule, so current is last for progress");
1590 *last_for_progress =
true;
1593 SCLogDebug(
"peek: no peek beyond last rule");
1595 SCLogDebug(
"peek: there are no rules to allow the state after this rule");
1596 *fw_next_progress_missing =
true;
1600 if ((*skip_fw_hook) ==
true) {
1604 *skip_fw_hook =
false;
1636 static inline bool ApplyAcceptToPacket(
1650 if (total_txs == tx->
tx_id + 1) {
1658 if ((total_txs == tx->
tx_id + 1) &&
1668 static bool ApplyAccept(
Packet *p,
const uint8_t flow_flags,
const Signature *s,
1669 DetectTransaction *tx,
const int tx_end_state,
const bool fw_next_progress_missing,
1670 bool *tx_fw_verdict,
bool *skip_fw_hook, uint8_t *skip_before_progress)
1672 *tx_fw_verdict =
true;
1678 *skip_fw_hook =
true;
1683 if (fw_next_progress_missing) {
1685 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient");
1693 *skip_fw_hook =
true;
1694 *skip_before_progress = (uint8_t)tx_end_state + 1;
1696 "accept:tx applied, skip_fw_hook, skip_before_progress %u", *skip_before_progress);
1713 const uint8_t flow_flags = scratch->
flow_flags;
1715 void *
const alstate = f->
alstate;
1716 const uint8_t ipproto = f->
proto;
1726 uint32_t fw_verdicted = 0;
1727 uint32_t tx_inspected = 0;
1734 if (ires.tx_ptr == NULL)
1738 GetDetectTx(ipproto, alproto, ires.tx_id, ires.tx_ptr, tx_end_state, flow_flags);
1740 SCLogDebug(
"%p/%"PRIu64
" no transaction to inspect",
1746 tx_id_min = tx.
tx_id + 1;
1755 bool do_sort =
false;
1756 uint32_t array_idx = 0;
1766 SCLogDebug(
"%p/%"PRIu64
" rules added from prefilter: %u candidates",
1770 if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {
1771 RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1785 if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {
1786 RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1792 uint32_t x = array_idx;
1794 RuleMatchCandidateMergeStateRules(det_ctx, &array_idx);
1798 const uint32_t old = array_idx;
1803 if (have_new_file) {
1804 SCLogDebug(
"%p/%"PRIu64
" destate: need to consider new file",
1811 for (; tx_store != NULL; tx_store = tx_store->
next) {
1817 store_cnt++, state_cnt++)
1834 do_sort |= (old && old != array_idx);
1840 DetectRunTxSortHelper);
1849 for (uint32_t i = 0; i < array_idx; i++) {
1855 bool skip_fw_hook =
false;
1856 uint8_t skip_before_progress = 0;
1857 bool fw_next_progress_missing =
false;
1865 if (total_txs == tx.
tx_id + 1) {
1866 DetectRunAppendDefaultAccept(det_ctx, p);
1872 bool tx_fw_verdict =
false;
1874 for (uint32_t i = 0; i < array_idx; i++) {
1878 bool break_out_of_app_filter =
false;
1881 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient", tx.
tx_progress,
1889 while ((i + 1) < array_idx &&
1891 SCLogDebug(
"%p/%" PRIu64
" inspecting SKIP NEXT: sid %u (%u), flags %08x",
1900 if (!tx_fw_verdict) {
1901 const bool accept_tx_applies_to_packet = total_txs == tx.
tx_id + 1;
1902 if (accept_tx_applies_to_packet) {
1903 SCLogDebug(
"accept:(tx|hook): should be applied to the packet");
1904 DetectRunAppendDefaultAccept(det_ctx, p);
1907 tx_fw_verdict =
true;
1910 SCLogDebug(
"APP_LAYER_TX_ACCEPT, so skip rule");
1918 s->
id, s->
iid, inspect_flags ? *inspect_flags : 0);
1920 if (inspect_flags) {
1923 " inspecting: sid %u (%u), flags %08x DE_STATE_FLAG_FULL_INSPECT",
1930 const bool fw_accept_to_packet = ApplyAcceptToPacket(total_txs, &tx, s);
1931 break_out_of_app_filter = ApplyAccept(p, flow_flags, s, &tx, tx_end_state,
1932 fw_next_progress_missing, &tx_fw_verdict, &skip_fw_hook,
1933 &skip_before_progress);
1934 if (fw_accept_to_packet)
1935 DetectRunAppendDefaultAccept(det_ctx, p);
1936 if (break_out_of_app_filter)
1943 " inspecting: sid %u (%u), flags %08x DE_STATE_FLAG_SIG_CANT_MATCH",
1949 if (inspect_flags) {
1957 bool last_for_progress =
false;
1958 if (have_fw_rules) {
1959 int fw_r = DetectRunTxCheckFirewallPolicy(det_ctx, p, f, &tx, s, i, array_idx,
1960 &skip_fw_hook, skip_before_progress, &last_for_progress,
1961 &fw_next_progress_missing);
1970 const int r = DetectRunTxInspectRule(
tv,
de_ctx, det_ctx, p, f, flow_flags,
1971 alstate, &tx, s, inspect_flags, can, scratch);
1974 DetectRunPostMatch(
tv, det_ctx, p, s);
1979 const bool fw_accept_to_packet = ApplyAcceptToPacket(total_txs, &tx, s);
1982 if (fw_accept_to_packet) {
1983 SCLogDebug(
"accept:(tx|hook): should be applied to the packet");
1992 break_out_of_app_filter = ApplyAccept(p, flow_flags, s, &tx, tx_end_state,
1993 fw_next_progress_missing, &tx_fw_verdict, &skip_fw_hook,
1994 &skip_before_progress);
1996 }
else if (last_for_progress) {
1997 SCLogDebug(
"sid %u: not a match: %s rule, last_for_progress %s", s->
id,
2002 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient");
2007 break_out_of_app_filter =
true;
2008 tx_fw_verdict =
true;
2011 DetectVarProcessList(det_ctx, p->
flow, p);
2020 uint32_t prev_array_idx = array_idx;
2023 if (
ts->app_inspect != NULL) {
2031 SCLogDebug(
"%p/%" PRIu64
" rule %u (%u) added from 'post match' prefilter",
2035 SCLogDebug(
"%p/%" PRIu64
" rules added from 'post match' prefilter: %u", tx.
tx_ptr,
2036 tx.
tx_id, array_idx - prev_array_idx);
2037 if (prev_array_idx != array_idx) {
2040 DetectRunTxSortHelper);
2046 if (break_out_of_app_filter)
2061 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient");
2062 const uint8_t inspected_flag = (flow_flags & STREAM_TOSERVER)
2066 SCLogDebug(
"%p/%" PRIu64
" tx is done for direction %s. Progress %02x", tx.
tx_ptr,
2067 tx.
tx_id, flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient",
2090 SCLogDebug(
"packet %" PRIu64
": tx_inspected %u fw_verdicted %u", p->
pcap_cnt, tx_inspected,
2092 if (tx_inspected && have_fw_rules && tx_inspected != fw_verdicted) {
2094 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient");
2100 if (tx_inspected == 0 && fw_verdicted == 0 && have_fw_rules) {
2101 DetectRunAppendDefaultAccept(det_ctx, p);
2116 SCLogDebug(
"pcap_cnt %" PRIu64
": %s: skip frame inspection for TCP w/o APP UPDATE",
2121 if (frames_container == NULL) {
2126 frames = &frames_container->
toserver;
2128 frames = &frames_container->
toclient;
2131 for (uint32_t idx = 0; idx < frames->
cnt; idx++) {
2134 if (frame == NULL) {
2139 uint32_t array_idx = 0;
2147 SCLogDebug(
"%p/%" PRIi64
" rules added from prefilter: %u candidates", frame, frame->
id,
2152 if (!(RuleMatchCandidateTxArrayHasSpace(
2153 det_ctx, total_rules))) {
2154 RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
2169 uint32_t x = array_idx;
2180 SCLogDebug(
"%p/%" PRIi64
" rule %u (%u) added from 'match' list", frame, frame->
id,
2184 SCLogDebug(
"%p/%" PRIi64
" rules added from 'match' list: %u", frame, frame->
id,
2189 for (uint32_t i = 0; i < array_idx; i++) {
2196 while ((i + 1) < array_idx &&
2200 SCLogDebug(
"%p/%" PRIi64
" inspecting: sid %u (%u)", frame, frame->
id, s->
id, s->
iid);
2203 SCLogDebug(
"%p/%" PRIi64
" Start sid %u", frame, frame->
id, s->
id);
2207 bool r = DetectRunInspectRuleHeader(p, f, s, s->
flags, s->
proto.
flags);
2212 DetectRunPostMatch(
tv, det_ctx, p, s);
2217 "%p/%" PRIi64
" sig %u (%u) matched", frame, frame->
id, s->
id, s->
iid);
2224 DetectVarProcessList(det_ctx, p->
flow, p);
2235 "frame->inspect_progress: %" PRIu64
" -> not updated", frame->
inspect_progress);
2238 SCLogDebug(
"%p/%" PRIi64
" rules inspected, running cleanup", frame, frame->
id);
2289 SCLogDebug(
"p->pcap %"PRIu64
": no detection on packet, "
2290 "PKT_NOPACKET_INSPECTION is set", p->
pcap_cnt);
2318 DetectRunPacketHook(
tv,
de_ctx, det_ctx, sgh, p);
2329 DetectRunPacketHook(
tv,
de_ctx, det_ctx, sgh, p);
2347 if (det_ctx == NULL) {
2348 printf(
"ERROR: Detect has no thread ctx\n");
2354 SCLogDebug(
"Detect Engine using new det_ctx - %p",
2365 if (tenant_id > 0 && tenant_id < det_ctx->mt_det_ctxs_cnt) {
2368 if (det_ctx == NULL)
2376 SCLogDebug(
"MT de_ctx %p det_ctx %p (tenant %u)",
de_ctx, det_ctx, tenant_id);
2387 DetectFlow(
tv,
de_ctx, det_ctx, p);
2389 DetectNoFlow(
tv,
de_ctx, det_ctx, p);
2392 #ifdef PROFILE_RULES
2395 gettimeofday(&
ts, NULL);
2396 if (
ts.tv_sec != det_ctx->rule_perf_last_sync) {
2397 SCProfilingRuleThreatAggregate(det_ctx);
2398 det_ctx->rule_perf_last_sync =
ts.tv_sec;
2412 DetectPostInspectFileFlagsUpdate(f, NULL , STREAM_TOSERVER);
2413 DetectPostInspectFileFlagsUpdate(f, NULL , STREAM_TOCLIENT);
2424 DetectFlow(
tv,
de_ctx, det_ctx, p);
2426 DetectNoFlow(
tv,
de_ctx, det_ctx, p);