suricata
detect.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Basic detection engine
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 
29 #include "decode.h"
30 #include "packet.h"
31 #include "flow.h"
32 #include "stream-tcp.h"
33 #include "app-layer.h"
34 #include "app-layer-parser.h"
35 #include "app-layer-frames.h"
36 
37 #include "detect.h"
38 #include "detect-dsize.h"
39 #include "detect-engine.h"
40 #include "detect-engine-build.h"
41 #include "detect-engine-frame.h"
42 #include "detect-engine-profile.h"
43 
44 #include "detect-engine-alert.h"
45 #include "detect-engine-siggroup.h"
46 #include "detect-engine-address.h"
47 #include "detect-engine-proto.h"
48 #include "detect-engine-port.h"
49 #include "detect-engine-mpm.h"
50 #include "detect-engine-iponly.h"
51 #include "detect-engine-threshold.h"
52 #include "detect-engine-prefilter.h"
53 #include "detect-engine-state.h"
54 #include "detect-engine-analyzer.h"
55 
56 #include "detect-engine-payload.h"
57 #include "detect-engine-event.h"
58 
59 #include "detect-filestore.h"
60 #include "detect-flowvar.h"
61 #include "detect-replace.h"
62 
63 #include "util-validate.h"
64 #include "util-detect.h"
65 #include "util-profiling.h"
66 
67 #include "action-globals.h"
68 
69 typedef struct DetectRunScratchpad {
70  const AppProto alproto;
71  const uint8_t flow_flags; /* flow/state flags: STREAM_* */
72  const bool app_decoder_events;
73  /**
74  * Either ACTION_DROP (drop:packet) or ACTION_ACCEPT (accept:hook)
75  *
76  * ACTION_DROP means the default policy of drop:packet is applied
77  * ACTION_ACCEPT means the default policy of accept:hook is applied
78  */
79  const uint8_t default_action;
80  const SigGroupHead *sgh;
81 } DetectRunScratchpad;
82 
83 /* prototypes */
84 static DetectRunScratchpad DetectRunSetup(const DetectEngineCtx *de_ctx,
85  DetectEngineThreadCtx *det_ctx, Packet *const p, Flow *const pflow,
86  const uint8_t default_action);
87 static void DetectRunInspectIPOnly(ThreadVars *tv, const DetectEngineCtx *de_ctx,
88  DetectEngineThreadCtx *det_ctx, Flow * const pflow, Packet * const p);
89 static inline void DetectRunGetRuleGroup(const DetectEngineCtx *de_ctx,
90  Packet * const p, Flow * const pflow, DetectRunScratchpad *scratch);
91 static inline void DetectRunPrefilterPkt(ThreadVars *tv, const DetectEngineCtx *de_ctx,
92  DetectEngineThreadCtx *det_ctx, Packet *p, DetectRunScratchpad *scratch);
93 static inline uint8_t DetectRulePacketRules(ThreadVars *const tv,
94  const DetectEngineCtx *const de_ctx, DetectEngineThreadCtx *const det_ctx, Packet *const p,
95  Flow *const pflow, const DetectRunScratchpad *scratch);
96 static void DetectRunTx(ThreadVars *tv, DetectEngineCtx *de_ctx,
97  DetectEngineThreadCtx *det_ctx, Packet *p,
98  Flow *f, DetectRunScratchpad *scratch);
99 static void DetectRunFrames(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
100  Packet *p, Flow *f, DetectRunScratchpad *scratch);
101 static inline void DetectRunPostRules(ThreadVars *tv, const DetectEngineCtx *de_ctx,
102  DetectEngineThreadCtx *det_ctx, Packet *const p, Flow *const pflow,
103  DetectRunScratchpad *scratch);
104 static void DetectRunCleanup(DetectEngineThreadCtx *det_ctx,
105  Packet *p, Flow * const pflow);
106 static inline void DetectRunAppendDefaultAccept(DetectEngineThreadCtx *det_ctx, Packet *p);
107 
108 /** \internal
109  */
110 static void DetectRun(ThreadVars *th_v,
111  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
112  Packet *p)
113 {
114  SCEnter();
115  SCLogDebug("p->pcap_cnt %" PRIu64 " direction %s pkt_src %s", p->pcap_cnt,
116  p->flow ? (FlowGetPacketDirection(p->flow, p) == TOSERVER ? "toserver" : "toclient")
117  : "noflow",
118  PktSrcToString(p->pkt_src));
119 
120  /* Load the Packet's flow early, even though it might not be needed.
121  * Mark as a constant pointer, although the flow itself can change. */
122  Flow * const pflow = p->flow;
123 
124  DetectRunScratchpad scratch = DetectRunSetup(de_ctx, det_ctx, p, pflow, ACTION_DROP);
125 
126  /* run the IPonly engine */
127  DetectRunInspectIPOnly(th_v, de_ctx, det_ctx, pflow, p);
128 
129  /* get our rule group */
130  DetectRunGetRuleGroup(de_ctx, p, pflow, &scratch);
131  /* if we didn't get a sig group head, we
132  * have nothing to do.... */
133  if (scratch.sgh == NULL) {
134  SCLogDebug("no sgh for this packet, nothing to match against");
135  goto end;
136  }
137 
138  /* run the prefilters for packets */
139  DetectRunPrefilterPkt(th_v, de_ctx, det_ctx, p, &scratch);
140 
141  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_RULES);
142  /* inspect the rules against the packet */
143  const uint8_t pkt_policy = DetectRulePacketRules(th_v, de_ctx, det_ctx, p, pflow, &scratch);
144  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_RULES);
145 
146  /* Only FW rules will already have set the action, IDS rules go through PacketAlertFinalize
147  *
148  * If rules told us to drop or accept:packet/accept:flow, we skip app_filter and app_td.
149  *
150  * accept:hook won't have set the pkt_policy, so we simply continue.
151  *
152  * TODO what about app state progression, cleanup and such? */
153  if (pkt_policy & (ACTION_DROP | ACTION_ACCEPT)) {
154  goto end;
155  }
156 
157  /* run tx/state inspection. Don't call for ICMP error msgs. */
158  if (pflow && pflow->alstate && likely(pflow->proto == p->proto)) {
159  if (p->proto == IPPROTO_TCP) {
160  if ((p->flags & PKT_STREAM_EST) == 0) {
161  SCLogDebug("packet %" PRIu64 ": skip tcp non-established", p->pcap_cnt);
162  DetectRunAppendDefaultAccept(det_ctx, p);
163  goto end;
164  }
165  const TcpSession *ssn = p->flow->protoctx;
166  bool setting_nopayload = p->flow->alparser &&
167  SCAppLayerParserStateIssetFlag(
168  p->flow->alparser, APP_LAYER_PARSER_NO_INSPECTION) &&
169  !(p->flags & PKT_NOPAYLOAD_INSPECTION);
170  // we may be right after disabling app-layer (ssh)
171  if (ssn &&
172  ((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) == 0 || setting_nopayload)) {
173  // PACKET_PROFILING_DETECT_START(p, PROF_DETECT_TX);
174  DetectRunFrames(th_v, de_ctx, det_ctx, p, pflow, &scratch);
175  // PACKET_PROFILING_DETECT_END(p, PROF_DETECT_TX);
176  }
177  // no update to transactions
178  if (!PKT_IS_PSEUDOPKT(p) && p->app_update_direction == 0 &&
179  ((PKT_IS_TOSERVER(p) && (p->flow->flags & FLOW_TS_APP_UPDATED) == 0) ||
180  (PKT_IS_TOCLIENT(p) && (p->flow->flags & FLOW_TC_APP_UPDATED) == 0))) {
181  SCLogDebug("packet %" PRIu64 ": no app-layer update", p->pcap_cnt);
182  DetectRunAppendDefaultAccept(det_ctx, p);
183  goto end;
184  }
185  } else if (p->proto == IPPROTO_UDP) {
186  DetectRunFrames(th_v, de_ctx, det_ctx, p, pflow, &scratch);
187  }
188 
189  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_TX);
190  DetectRunTx(th_v, de_ctx, det_ctx, p, pflow, &scratch);
191  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_TX);
192  /* see if we need to increment the inspect_id and reset the de_state */
193  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_TX_UPDATE);
194  AppLayerParserSetTransactionInspectId(
195  pflow, pflow->alparser, pflow->alstate, scratch.flow_flags, (scratch.sgh == NULL));
196  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_TX_UPDATE);
197  } else {
198  SCLogDebug("packet %" PRIu64 ": no flow / app-layer", p->pcap_cnt);
199  DetectRunAppendDefaultAccept(det_ctx, p);
200  }
201 
202 end:
203  DetectRunPostRules(th_v, de_ctx, det_ctx, p, pflow, &scratch);
204 
205  DetectRunCleanup(det_ctx, p, pflow);
206  SCReturn;
207 }
208 
209 /** \internal
210  */
211 static void DetectRunPacketHook(ThreadVars *th_v, const DetectEngineCtx *de_ctx,
212  DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p)
213 {
214  SCEnter();
215  SCLogDebug("p->pcap_cnt %" PRIu64 " direction %s pkt_src %s", p->pcap_cnt,
216  p->flow ? (FlowGetPacketDirection(p->flow, p) == TOSERVER ? "toserver" : "toclient")
217  : "noflow",
218  PktSrcToString(p->pkt_src));
219 
220  /* Load the Packet's flow early, even though it might not be needed.
221  * Mark as a constant pointer, although the flow itself can change. */
222  Flow *const pflow = p->flow;
223 
224  DetectRunScratchpad scratch = DetectRunSetup(de_ctx, det_ctx, p, pflow, ACTION_ACCEPT);
225  scratch.sgh = sgh;
226 
227  /* if we didn't get a sig group head, we
228  * have nothing to do.... */
229  if (scratch.sgh == NULL) {
230  SCLogDebug("no sgh for this packet, nothing to match against");
231  goto end;
232  }
233 
234  /* run the prefilters for packets */
235  DetectRunPrefilterPkt(th_v, de_ctx, det_ctx, p, &scratch);
236 
237  // PACKET_PROFILING_DETECT_START(p, PROF_DETECT_RULES); // TODO
238  /* inspect the rules against the packet */
239  const uint8_t pkt_policy = DetectRulePacketRules(th_v, de_ctx, det_ctx, p, pflow, &scratch);
240  // PACKET_PROFILING_DETECT_END(p, PROF_DETECT_RULES);
241  if (pkt_policy & (ACTION_DROP | ACTION_ACCEPT)) {
242  goto end;
243  }
244 
245 end:
246  DetectRunPostRules(th_v, de_ctx, det_ctx, p, pflow, &scratch);
247 
248  DetectRunCleanup(det_ctx, p, pflow);
249  SCReturn;
250 }
251 
252 static void DetectRunPostMatch(ThreadVars *tv,
253  DetectEngineThreadCtx *det_ctx, Packet *p,
254  const Signature *s)
255 {
256  /* run the packet match functions */
257  const SigMatchData *smd = s->sm_arrays[DETECT_SM_LIST_POSTMATCH];
258  if (smd != NULL) {
259  KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_POSTMATCH);
260 
261  SCLogDebug("running match functions, sm %p", smd);
262 
263  while (1) {
264  KEYWORD_PROFILING_START;
265  (void)sigmatch_table[smd->type].Match(det_ctx, p, s, smd->ctx);
266  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
267  if (smd->is_last)
268  break;
269  smd++;
270  }
271  }
272 }
273 
274 /**
275  * \brief Get the SigGroupHead for a packet.
276  *
277  * \param de_ctx detection engine context
278  * \param p packet
279  *
280  * \retval sgh the SigGroupHead or NULL if non applies to the packet
281  */
282 const SigGroupHead *SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx,
283  const Packet *p)
284 {
285  SCEnter();
286  SigGroupHead *sgh = NULL;
287 
288  /* if the packet proto is 0 (not set), we're inspecting it against
289  * the decoder events sgh we have. */
290  if (p->proto == 0 && p->events.cnt > 0) {
291  SCReturnPtr(de_ctx->decoder_event_sgh, "SigGroupHead");
292  } else if (p->proto == 0) {
293  if (!(PacketIsIPv4(p) || PacketIsIPv6(p))) {
294  /* not IP, so nothing to do */
295  SCReturnPtr(NULL, "SigGroupHead");
296  }
297  }
298 
299  /* select the flow_gh */
300  const int dir = (p->flowflags & FLOW_PKT_TOCLIENT) == 0;
301 
302  int proto = PacketGetIPProto(p);
303  if (proto == IPPROTO_TCP) {
304  DetectPort *list = de_ctx->flow_gh[dir].tcp;
305  SCLogDebug("tcp toserver %p, tcp toclient %p: going to use %p", de_ctx->flow_gh[1].tcp,
306  de_ctx->flow_gh[0].tcp, de_ctx->flow_gh[dir].tcp);
307  const uint16_t port = dir ? p->dp : p->sp;
308  SCLogDebug("tcp port %u -> %u:%u", port, p->sp, p->dp);
309  DetectPort *sghport = DetectPortLookupGroup(list, port);
310  if (sghport != NULL)
311  sgh = sghport->sh;
312  SCLogDebug("TCP list %p, port %u, direction %s, sghport %p, sgh %p", list, port,
313  dir ? "toserver" : "toclient", sghport, sgh);
314  } else if (proto == IPPROTO_UDP) {
315  DetectPort *list = de_ctx->flow_gh[dir].udp;
316  uint16_t port = dir ? p->dp : p->sp;
317  DetectPort *sghport = DetectPortLookupGroup(list, port);
318  if (sghport != NULL)
319  sgh = sghport->sh;
320  SCLogDebug("UDP list %p, port %u, direction %s, sghport %p, sgh %p", list, port,
321  dir ? "toserver" : "toclient", sghport, sgh);
322  } else {
323  sgh = de_ctx->flow_gh[dir].sgh[proto];
324  }
325 
326  SCReturnPtr(sgh, "SigGroupHead");
327 }
328 
329 static inline void DetectPrefilterCopyDeDup(
330  const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx)
331 {
332  SigIntId *pf_ptr = det_ctx->pmq.rule_id_array;
333  uint32_t final_cnt = det_ctx->pmq.rule_id_array_cnt;
334  Signature **sig_array = de_ctx->sig_array;
335  Signature **match_array = det_ctx->match_array;
336  SigIntId previous_id = (SigIntId)-1;
337  while (final_cnt-- > 0) {
338  SigIntId id = *pf_ptr++;
339  Signature *s = sig_array[id];
340 
341  /* As the prefilter list can contain duplicates, check for that here. */
342  if (likely(id != previous_id)) {
343  *match_array++ = s;
344  previous_id = id;
345  }
346  }
347 
348  det_ctx->match_array_cnt = (uint32_t)(match_array - det_ctx->match_array);
349  DEBUG_VALIDATE_BUG_ON(det_ctx->pmq.rule_id_array_cnt < det_ctx->match_array_cnt);
350  PMQ_RESET(&det_ctx->pmq);
351 }
352 
353 /** \internal
354  * \brief update flow's file tracking flags based on the detection engine
355  * A set of flags is prepared that is sent to the File API. The
356  File API may reject one or more based on the global force settings.
357  */
358 static inline void
359 DetectPostInspectFileFlagsUpdate(Flow *f, const SigGroupHead *sgh, uint8_t direction)
360 {
361  uint16_t flow_file_flags = FLOWFILE_INIT;
362 
363  if (sgh == NULL) {
364  SCLogDebug("requesting disabling all file features for flow");
365  flow_file_flags = FLOWFILE_NONE;
366  } else {
367  if (sgh->filestore_cnt == 0) {
368  SCLogDebug("requesting disabling filestore for flow");
369  flow_file_flags |= (FLOWFILE_NO_STORE_TS|FLOWFILE_NO_STORE_TC);
370  }
371 #ifdef HAVE_MAGIC
372  if (!(sgh->flags & SIG_GROUP_HEAD_HAVEFILEMAGIC)) {
373  SCLogDebug("requesting disabling magic for flow");
374  flow_file_flags |= (FLOWFILE_NO_MAGIC_TS|FLOWFILE_NO_MAGIC_TC);
375  }
376 #endif
377  if (!(sgh->flags & SIG_GROUP_HEAD_HAVEFILEMD5)) {
378  SCLogDebug("requesting disabling md5 for flow");
379  flow_file_flags |= (FLOWFILE_NO_MD5_TS|FLOWFILE_NO_MD5_TC);
380  }
381  if (!(sgh->flags & SIG_GROUP_HEAD_HAVEFILESHA1)) {
382  SCLogDebug("requesting disabling sha1 for flow");
383  flow_file_flags |= (FLOWFILE_NO_SHA1_TS|FLOWFILE_NO_SHA1_TC);
384  }
385  if (!(sgh->flags & SIG_GROUP_HEAD_HAVEFILESHA256)) {
386  SCLogDebug("requesting disabling sha256 for flow");
387  flow_file_flags |= (FLOWFILE_NO_SHA256_TS|FLOWFILE_NO_SHA256_TC);
388  }
389  }
390  if (flow_file_flags != 0) {
391  FileUpdateFlowFileFlags(f, flow_file_flags, direction);
392  }
393 }
394 
395 static inline void
396 DetectRunPostGetFirstRuleGroup(const Packet *p, Flow *pflow, const SigGroupHead *sgh)
397 {
398  if ((p->flowflags & FLOW_PKT_TOSERVER) && !(pflow->flags & FLOW_SGH_TOSERVER)) {
399  /* first time we see this toserver sgh, store it */
400  pflow->sgh_toserver = sgh;
401  pflow->flags |= FLOW_SGH_TOSERVER;
402 
403  if (p->proto == IPPROTO_TCP && (sgh == NULL || !(sgh->flags & SIG_GROUP_HEAD_HAVERAWSTREAM))) {
404  if (pflow->protoctx != NULL) {
405  TcpSession *ssn = pflow->protoctx;
406  SCLogDebug("STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.client");
407  ssn->client.flags |= STREAMTCP_STREAM_FLAG_DISABLE_RAW;
408  }
409  }
410 
411  DetectPostInspectFileFlagsUpdate(pflow,
412  pflow->sgh_toserver, STREAM_TOSERVER);
413 
414  } else if ((p->flowflags & FLOW_PKT_TOCLIENT) && !(pflow->flags & FLOW_SGH_TOCLIENT)) {
415  pflow->sgh_toclient = sgh;
416  pflow->flags |= FLOW_SGH_TOCLIENT;
417 
418  if (p->proto == IPPROTO_TCP && (sgh == NULL || !(sgh->flags & SIG_GROUP_HEAD_HAVERAWSTREAM))) {
419  if (pflow->protoctx != NULL) {
420  TcpSession *ssn = pflow->protoctx;
421  SCLogDebug("STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.server");
422  ssn->server.flags |= STREAMTCP_STREAM_FLAG_DISABLE_RAW;
423  }
424  }
425 
426  DetectPostInspectFileFlagsUpdate(pflow,
427  pflow->sgh_toclient, STREAM_TOCLIENT);
428  }
429 }
430 
431 static inline void DetectRunGetRuleGroup(
432  const DetectEngineCtx *de_ctx,
433  Packet * const p, Flow * const pflow,
434  DetectRunScratchpad *scratch)
435 {
436  const SigGroupHead *sgh = NULL;
437 
438  if (pflow) {
439  bool use_flow_sgh = false;
440  /* Get the stored sgh from the flow (if any). Make sure we're not using
441  * the sgh for icmp error packets part of the same stream. */
442  if (PacketGetIPProto(p) == pflow->proto) { /* filter out icmp */
443  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);
444  if ((p->flowflags & FLOW_PKT_TOSERVER) && (pflow->flags & FLOW_SGH_TOSERVER)) {
445  sgh = pflow->sgh_toserver;
446  SCLogDebug("sgh = pflow->sgh_toserver; => %p", sgh);
447  use_flow_sgh = true;
448  } else if ((p->flowflags & FLOW_PKT_TOCLIENT) && (pflow->flags & FLOW_SGH_TOCLIENT)) {
449  sgh = pflow->sgh_toclient;
450  SCLogDebug("sgh = pflow->sgh_toclient; => %p", sgh);
451  use_flow_sgh = true;
452  }
453  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);
454  }
455 
456  if (!(use_flow_sgh)) {
457  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);
458  sgh = SigMatchSignaturesGetSgh(de_ctx, p);
459  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);
460 
461  /* HACK: prevent the wrong sgh (or NULL) from being stored in the
462  * flow's sgh pointers */
463  if (PacketIsICMPv4(p) && ICMPV4_DEST_UNREACH_IS_VALID(p)) {
464  ; /* no-op */
465  } else {
466  /* store the found sgh (or NULL) in the flow to save us
467  * from looking it up again for the next packet.
468  * Also run other tasks */
469  DetectRunPostGetFirstRuleGroup(p, pflow, sgh);
470  }
471  }
472  } else { /* p->flags & PKT_HAS_FLOW */
473  /* no flow */
474 
475  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);
476  sgh = SigMatchSignaturesGetSgh(de_ctx, p);
477  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);
478  }
479 
480  scratch->sgh = sgh;
481 }
482 
483 static void DetectRunInspectIPOnly(ThreadVars *tv, const DetectEngineCtx *de_ctx,
484  DetectEngineThreadCtx *det_ctx,
485  Flow * const pflow, Packet * const p)
486 {
487  if (pflow) {
488  if (p->flowflags & (FLOW_PKT_TOSERVER_FIRST | FLOW_PKT_TOCLIENT_FIRST)) {
489  SCLogDebug("testing against \"ip-only\" signatures");
490 
491  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_IPONLY);
492  IPOnlyMatchPacket(tv, de_ctx, det_ctx, &de_ctx->io_ctx, p);
493  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_IPONLY);
494  }
495  } else { /* p->flags & PKT_HAS_FLOW */
496  /* no flow */
497 
498  /* Even without flow we should match the packet src/dst */
499  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_IPONLY);
500  IPOnlyMatchPacket(tv, de_ctx, det_ctx, &de_ctx->io_ctx, p);
501  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_IPONLY);
502  }
503 }
504 
505 /** \internal
506  * \brief inspect the rule header: protocol, ports, etc
507  * \retval bool false if no match, true if match */
508 static inline bool DetectRunInspectRuleHeader(const Packet *p, const Flow *f, const Signature *s,
509  const uint32_t sflags, const uint8_t s_proto_flags)
510 {
511  /* check if this signature has a requirement for flowvars of some type
512  * and if so, if we actually have any in the flow. If not, the sig
513  * can't match and we skip it. */
514  if ((p->flags & PKT_HAS_FLOW) && (sflags & SIG_FLAG_REQUIRE_FLOWVAR)) {
515  DEBUG_VALIDATE_BUG_ON(f == NULL);
516 
517  /* no flowvars? skip this sig */
518  const bool fv = f->flowvar != NULL;
519  if (!fv) {
520  SCLogDebug("skipping sig as the flow has no flowvars and sig "
521  "has SIG_FLAG_REQUIRE_FLOWVAR flag set.");
522  return false;
523  }
524  }
525 
526  if ((s_proto_flags & DETECT_PROTO_IPV4) && !PacketIsIPv4(p)) {
527  SCLogDebug("ip version didn't match");
528  return false;
529  }
530  if ((s_proto_flags & DETECT_PROTO_IPV6) && !PacketIsIPv6(p)) {
531  SCLogDebug("ip version didn't match");
532  return false;
533  }
534 
535  if (DetectProtoContainsProto(&s->proto, PacketGetIPProto(p)) == 0) {
536  SCLogDebug("proto didn't match");
537  return false;
538  }
539 
540  /* check the source & dst port in the sig */
541  if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP || p->proto == IPPROTO_SCTP) {
542  if (!(sflags & SIG_FLAG_DP_ANY)) {
543  if (p->flags & PKT_IS_FRAGMENT)
544  return false;
545  const DetectPort *dport = DetectPortLookupGroup(s->dp, p->dp);
546  if (dport == NULL) {
547  SCLogDebug("dport didn't match.");
548  return false;
549  }
550  }
551  if (!(sflags & SIG_FLAG_SP_ANY)) {
552  if (p->flags & PKT_IS_FRAGMENT)
553  return false;
554  const DetectPort *sport = DetectPortLookupGroup(s->sp, p->sp);
555  if (sport == NULL) {
556  SCLogDebug("sport didn't match.");
557  return false;
558  }
559  }
560  } else if ((sflags & (SIG_FLAG_DP_ANY|SIG_FLAG_SP_ANY)) != (SIG_FLAG_DP_ANY|SIG_FLAG_SP_ANY)) {
561  SCLogDebug("port-less protocol and sig needs ports");
562  return false;
563  }
564 
565  /* check the destination address */
566  if (!(sflags & SIG_FLAG_DST_ANY)) {
567  if (PacketIsIPv4(p)) {
568  if (DetectAddressMatchIPv4(s->addr_dst_match4, s->addr_dst_match4_cnt, &p->dst) == 0)
569  return false;
570  } else if (PacketIsIPv6(p)) {
571  if (DetectAddressMatchIPv6(s->addr_dst_match6, s->addr_dst_match6_cnt, &p->dst) == 0)
572  return false;
573  }
574  }
575  /* check the source address */
576  if (!(sflags & SIG_FLAG_SRC_ANY)) {
577  if (PacketIsIPv4(p)) {
578  if (DetectAddressMatchIPv4(s->addr_src_match4, s->addr_src_match4_cnt, &p->src) == 0)
579  return false;
580  } else if (PacketIsIPv6(p)) {
581  if (DetectAddressMatchIPv6(s->addr_src_match6, s->addr_src_match6_cnt, &p->src) == 0)
582  return false;
583  }
584  }
585 
586  return true;
587 }
588 
589 /** \internal
590  * \brief run packet/stream prefilter engines
591  */
592 static inline void DetectRunPrefilterPkt(ThreadVars *tv, const DetectEngineCtx *de_ctx,
593  DetectEngineThreadCtx *det_ctx, Packet *p, DetectRunScratchpad *scratch)
594 {
595  /* create our prefilter mask */
596  PacketCreateMask(p, &p->sig_mask, scratch->alproto, scratch->app_decoder_events);
597  /* run the prefilter engines */
598  Prefilter(det_ctx, scratch->sgh, p, scratch->flow_flags, p->sig_mask);
599  /* create match list if we have non-pf and/or pf */
600  if (det_ctx->pmq.rule_id_array_cnt) {
601 #ifdef PROFILING
602  if (tv) {
603  StatsCounterAvgAddI64(
604  &tv->stats, det_ctx->counter_mpm_list, (int64_t)det_ctx->pmq.rule_id_array_cnt);
605  }
606 #endif
607  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PF_SORT2);
608  DetectPrefilterCopyDeDup(de_ctx, det_ctx);
609  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PF_SORT2);
610  }
611 }
612 
613 /** \internal
614  * \brief check if the tx whose id is given is the only one
615  * live transaction for the flow in the given direction
616  *
617  * \param f flow
618  * \param txid transaction id
619  * \param dir direction
620  *
621  * \retval bool true if we are sure this tx is the only one live in said direction
622  */
623 static bool IsOnlyTxInDirection(Flow *f, uint64_t txid, uint8_t dir)
624 {
625  uint64_t tx_cnt = AppLayerParserGetTxCnt(f, f->alstate);
626  if (tx_cnt == txid + 1) {
627  // only live tx
628  return true;
629  }
630  if (tx_cnt == txid + 2) {
631  // 2 live txs, one after us
632  void *tx = AppLayerParserGetTx(f->proto, f->alproto, f->alstate, txid + 1);
633  if (tx) {
634  AppLayerTxData *txd = AppLayerParserGetTxData(f->proto, f->alproto, tx);
635  // test if the other tx is unidirectional in the other way
636  if ((dir == STREAM_TOSERVER && (txd->flags & APP_LAYER_TX_SKIP_INSPECT_TS)) ||
637  (dir == STREAM_TOCLIENT && (txd->flags & APP_LAYER_TX_SKIP_INSPECT_TC))) {
638  return true;
639  }
640  }
641  }
642  return false;
643 }
644 
645 static int SortHelper(const void *a, const void *b)
646 {
647  const Signature *sa = *(const Signature **)a;
648  const Signature *sb = *(const Signature **)b;
649  if (sa->iid == sb->iid)
650  return 0;
651  return sa->iid > sb->iid ? 1 : -1;
652 }
653 
654 static inline uint8_t DetectRulePacketRules(ThreadVars *const tv,
655  const DetectEngineCtx *const de_ctx, DetectEngineThreadCtx *const det_ctx, Packet *const p,
656  Flow *const pflow, const DetectRunScratchpad *scratch)
657 {
658  uint8_t action = 0;
659  bool fw_verdict = false;
660  const bool have_fw_rules = EngineModeIsFirewall();
661  const Signature *next_s = NULL;
662 
663  /* inspect the sigs against the packet */
664  /* Prefetch the next signature. */
665  SigIntId match_cnt = det_ctx->match_array_cnt;
666 #ifdef PROFILING
667  if (tv) {
668  StatsCounterAvgAddI64(&tv->stats, det_ctx->counter_match_list, (int64_t)match_cnt);
669  }
670 #endif
671  Signature **match_array = det_ctx->match_array;
672 
673  SGH_PROFILING_RECORD(det_ctx, scratch->sgh);
674 #ifdef PROFILING
675  if (match_cnt >= de_ctx->profile_match_logging_threshold)
676  RulesDumpMatchArray(det_ctx, scratch->sgh, p);
677 #endif
678 
679  bool skip_fw = false;
680  uint32_t sflags, next_sflags = 0;
681  if (match_cnt) {
682  next_s = *match_array++;
683  next_sflags = next_s->flags;
684  }
685  while (match_cnt--) {
686  RULE_PROFILING_START(p);
687  bool break_out_of_packet_filter = false;
688  uint8_t alert_flags = 0;
689 #ifdef PROFILE_RULES
690  bool smatch = false; /* signature match */
691 #endif
692  const Signature *s = next_s;
693  sflags = next_sflags;
694  if (match_cnt) {
695  next_s = *match_array++;
696  next_sflags = next_s->flags;
697  }
698  const uint8_t s_proto_flags = s->proto.flags;
699 
700  SCLogDebug("packet %" PRIu64 ": inspecting signature id %" PRIu32 "", p->pcap_cnt, s->id);
701 
702  /* if we accept:hook'd the `packet_filter` hook, we skip the rest of the firewall rules. */
703  if (s->flags & SIG_FLAG_FIREWALL) {
704  if (skip_fw) {
705  SCLogDebug("skipping firewall rule %u", s->id);
706  goto next;
707  }
708  } else if (have_fw_rules) {
709  /* fw mode, we skip anything after the fw rules if:
710  * - flow pass is set
711  * - packet pass (e.g. exception policy) */
712  if (p->flags & PKT_NOPACKET_INSPECTION ||
713  (pflow != NULL && pflow->flags & (FLOW_ACTION_PASS))) {
714  SCLogDebug("skipping firewall rule %u", s->id);
715  break_out_of_packet_filter = true;
716  goto next;
717  }
718  }
719 
720  if (s->app_inspect != NULL) {
721  goto next; // handle sig in DetectRunTx
722  }
723  if (s->frame_inspect != NULL) {
724  goto next; // handle sig in DetectRunFrame
725  }
726 
727  /* skip pkt sigs for flow end packets */
728  if ((p->flags & PKT_PSEUDO_STREAM_END) != 0 && s->type == SIG_TYPE_PKT)
729  goto next;
730 
731  /* don't run mask check for stateful rules.
732  * There we depend on prefilter */
733  if ((s->mask & p->sig_mask) != s->mask) {
734  SCLogDebug("mask mismatch %x & %x != %x", s->mask, p->sig_mask, s->mask);
735  goto next;
736  }
737 
738  if (SigDsizePrefilter(p, s, sflags))
739  goto next;
740 
741  /* if the sig has alproto and the session as well they should match */
742  if (likely(sflags & SIG_FLAG_APPLAYER)) {
743  if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, scratch->alproto)) {
744  SCLogDebug("alproto mismatch");
745  goto next;
746  }
747  }
748 
749  if (!DetectRunInspectRuleHeader(p, pflow, s, sflags, s_proto_flags)) {
750  goto next;
751  }
752 
753  if (!DetectEnginePktInspectionRun(tv, det_ctx, s, pflow, p, &alert_flags)) {
754  goto next;
755  }
756 
757 #ifdef PROFILE_RULES
758  smatch = true;
759 #endif
760  DetectRunPostMatch(tv, det_ctx, p, s);
761 
762  uint64_t txid = PACKET_ALERT_NOTX;
763  if (pflow && pflow->alstate) {
764  uint8_t dir = (p->flowflags & FLOW_PKT_TOCLIENT) ? STREAM_TOCLIENT : STREAM_TOSERVER;
765  txid = AppLayerParserGetTransactionInspectId(pflow->alparser, dir);
766  if ((s->alproto != ALPROTO_UNKNOWN && pflow->proto == IPPROTO_UDP) ||
767  (de_ctx->guess_applayer && IsOnlyTxInDirection(pflow, txid, dir))) {
768  // if there is a UDP specific app-layer signature,
769  // or only one live transaction
770  // try to use the good tx for the packet direction
771  void *tx_ptr =
772  AppLayerParserGetTx(pflow->proto, pflow->alproto, pflow->alstate, txid);
773  AppLayerTxData *txd =
774  tx_ptr ? AppLayerParserGetTxData(pflow->proto, pflow->alproto, tx_ptr)
775  : NULL;
776  if (txd && txd->guessed_applayer_logged < de_ctx->guess_applayer_log_limit) {
777  alert_flags |= PACKET_ALERT_FLAG_TX;
778  if (pflow->proto != IPPROTO_UDP) {
779  alert_flags |= PACKET_ALERT_FLAG_TX_GUESSED;
780  }
781  txd->guessed_applayer_logged++;
782  }
783  }
784  }
785  AlertQueueAppend(det_ctx, s, p, txid, alert_flags);
786 
787  if (det_ctx->post_rule_work_queue.len > 0) {
788  /* run post match prefilter engines on work queue */
789  PrefilterPostRuleMatch(det_ctx, scratch->sgh, p, pflow);
790 
791  if (det_ctx->pmq.rule_id_array_cnt > 0) {
792  /* undo "prefetch" */
793  if (next_s)
794  match_array--;
795  /* create temporary rule pointer array starting
796  * at where we are in the current match array */
797  const Signature *replace[de_ctx->sig_array_len]; // TODO heap?
798  SCLogDebug("sig_array_len %u det_ctx->pmq.rule_id_array_cnt %u",
799  de_ctx->sig_array_len, det_ctx->pmq.rule_id_array_cnt);
800  const Signature **r = replace;
801  for (uint32_t x = 0; x < match_cnt; x++) {
802  *r++ = match_array[x];
803  SCLogDebug("appended %u", match_array[x]->id);
804  }
805  /* append the prefilter results, then sort it */
806  for (uint32_t x = 0; x < det_ctx->pmq.rule_id_array_cnt; x++) {
807  SCLogDebug("adding iid %u", det_ctx->pmq.rule_id_array[x]);
808  Signature *ts = de_ctx->sig_array[det_ctx->pmq.rule_id_array[x]];
809  SCLogDebug("adding id %u", ts->id);
810  if (ts->app_inspect == NULL) {
811  *r++ = ts;
812  match_cnt++;
813  }
814  }
815  if (match_cnt > 1) {
816  qsort(replace, match_cnt, sizeof(Signature *), SortHelper);
817  }
818  /* rewrite match_array to include the new additions, and deduplicate
819  * while at it. */
820  Signature **m = match_array;
821  Signature *last_sig = NULL;
822  uint32_t skipped = 0;
823  for (uint32_t x = 0; x < match_cnt; x++) {
824  /* de-duplicate */
825  if (last_sig == *m) {
826  skipped++;
827  continue;
828  }
829  last_sig = *m;
830  *m++ = (Signature *)replace[x];
831  }
832  match_cnt -= skipped;
833  /* prefetch next */
834  next_s = *match_array++;
835  next_sflags = next_s->flags;
836  SCLogDebug("%u rules added", det_ctx->pmq.rule_id_array_cnt);
837  det_ctx->post_rule_work_queue.len = 0;
838  PMQ_RESET(&det_ctx->pmq);
839  }
840  }
841 
842  /* firewall logic in the packet:filter table:
843  * 1. firewall rules preceed the packet:td rules in the list
844  * 2. if no rule issues an accept, we drop
845  * 3. drop is immediate
846  * 4. accept:
847  * - hook: skip rest of fw rules, inspect packet:td rules
848  * - packet: immediate accept, no packet:td or app:* inspect
849  * - flow: as packet, but applied to all future packets in the
850  * flow as well
851  */
852  if (s->flags & SIG_FLAG_FIREWALL) {
853  if (s->action & (ACTION_ACCEPT)) {
854  fw_verdict = true;
855 
856  enum ActionScope as = s->action_scope;
857  if (as == ACTION_SCOPE_HOOK) {
858  /* accept:hook: jump to first TD. Implemented as:
859  * skip until the first TD rule.
860  * Don't update action as we're just continuing to the next hook. */
861  skip_fw = true;
862 
863  } else if (as == ACTION_SCOPE_PACKET) {
864  /* accept:packet: break loop, return accept */
865  action |= s->action;
866  break_out_of_packet_filter = true;
867 
868  } else if (as == ACTION_SCOPE_FLOW) {
869  /* accept:flow: break loop, return accept */
870  action |= s->action;
871  break_out_of_packet_filter = true;
872 
873  /* set immediately, as we're in hook "packet_filter" */
874  if (pflow) {
875  pflow->flags |= FLOW_ACTION_ACCEPT;
876  }
877  }
878  } else if (s->action & ACTION_DROP) {
879  /* apply a drop immediately here */
880  fw_verdict = true;
881  action |= s->action;
882  break_out_of_packet_filter = true;
883  }
884  }
885 next:
886  DetectVarProcessList(det_ctx, pflow, p);
887  DetectReplaceFree(det_ctx);
888  RULE_PROFILING_END(det_ctx, s, smatch, p);
889 
890  /* fw accept:packet or accept:flow means we're done here */
891  if (break_out_of_packet_filter)
892  break;
893 
894  continue;
895  }
896 
897  /* if no rule told us to accept, and no rule explicitly dropped, we invoke the default drop
898  * policy
899  */
900  if (have_fw_rules && scratch->default_action == ACTION_DROP) {
901  if (!fw_verdict) {
902  DEBUG_VALIDATE_BUG_ON(action & ACTION_DROP);
903  PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_DEFAULT_PACKET_POLICY);
904  action |= ACTION_DROP;
905  } else {
906  /* apply fw action */
907  p->action |= action;
908  }
909  }
910  return action;
911 }
912 
913 /** \internal
914  * \param default_action either ACTION_DROP (drop:packet) or ACTION_ACCEPT (accept:hook)
915  *
916  * ACTION_DROP means the default policy of drop:packet is applied
917  * ACTION_ACCEPT means the default policy of accept:hook is applied
918  */
919 static DetectRunScratchpad DetectRunSetup(const DetectEngineCtx *de_ctx,
920  DetectEngineThreadCtx *det_ctx, Packet *const p, Flow *const pflow,
921  const uint8_t default_action)
922 {
923  AppProto alproto = ALPROTO_UNKNOWN;
924  uint8_t flow_flags = 0; /* flow/state flags */
925  bool app_decoder_events = false;
926 
927  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_SETUP);
928 
929 #ifdef UNITTESTS
930  if (RunmodeIsUnittests()) {
931  p->alerts.cnt = 0;
932  p->alerts.discarded = 0;
933  p->alerts.suppressed = 0;
934  }
935 #endif
936  det_ctx->filestore_cnt = 0;
937  det_ctx->base64_decoded_len = 0;
938  det_ctx->raw_stream_progress = 0;
939  det_ctx->match_array_cnt = 0;
940  det_ctx->json_content_len = 0;
941 
942  det_ctx->alert_queue_size = 0;
943  p->alerts.drop.action = 0;
944 
945 #ifdef DEBUG
946  if (p->flags & PKT_STREAM_ADD) {
947  det_ctx->pkt_stream_add_cnt++;
948  }
949 #endif
950 
951  /* grab the protocol state we will detect on */
952  if (p->flags & PKT_HAS_FLOW) {
953  DEBUG_VALIDATE_BUG_ON(pflow == NULL);
954 
955  if (p->flowflags & FLOW_PKT_TOSERVER) {
956  flow_flags = STREAM_TOSERVER;
957  SCLogDebug("flag STREAM_TOSERVER set");
958  } else if (p->flowflags & FLOW_PKT_TOCLIENT) {
959  flow_flags = STREAM_TOCLIENT;
960  SCLogDebug("flag STREAM_TOCLIENT set");
961  }
962  SCLogDebug("p->flowflags 0x%02x", p->flowflags);
963 
964  if (p->flags & PKT_PSEUDO_STREAM_END) {
965  flow_flags |= STREAM_EOF;
966  SCLogDebug("STREAM_EOF set");
967  }
968 
969  /* store tenant_id in the flow so that we can use it
970  * for creating pseudo packets */
971  if (p->tenant_id > 0 && pflow->tenant_id == 0) {
972  pflow->tenant_id = p->tenant_id;
973  }
974 
975  /* live ruleswap check for flow updates */
976  if (pflow->de_ctx_version == 0) {
977  /* first time this flow is inspected, set id */
978  pflow->de_ctx_version = de_ctx->version;
979  } else if (pflow->de_ctx_version != de_ctx->version) {
980  /* first time we inspect flow with this de_ctx, reset */
981  pflow->flags &= ~FLOW_SGH_TOSERVER;
982  pflow->flags &= ~FLOW_SGH_TOCLIENT;
983  pflow->sgh_toserver = NULL;
984  pflow->sgh_toclient = NULL;
985 
986  pflow->de_ctx_version = de_ctx->version;
987  SCGenericVarFree(pflow->flowvar);
988  pflow->flowvar = NULL;
989 
990  DetectEngineStateResetTxs(pflow);
991  }
992 
993  /* Retrieve the app layer state and protocol and the tcp reassembled
994  * stream chunks. */
995  if ((p->proto == IPPROTO_TCP && (p->flags & PKT_STREAM_EST)) ||
996  (p->proto == IPPROTO_UDP) ||
997  (p->proto == IPPROTO_SCTP && (p->flowflags & FLOW_PKT_ESTABLISHED)))
998  {
999  /* update flow flags with knowledge on disruptions */
1000  flow_flags = FlowGetDisruptionFlags(pflow, flow_flags);
1001  alproto = FlowGetAppProtocol(pflow);
1002  if (p->proto == IPPROTO_TCP && pflow->protoctx &&
1003  StreamReassembleRawHasDataReady(pflow->protoctx, p)) {
1004  p->flags |= PKT_DETECT_HAS_STREAMDATA;
1005  }
1006  SCLogDebug("alproto %u", alproto);
1007  } else {
1008  SCLogDebug("packet doesn't have established flag set (proto %d)", p->proto);
1009  }
1010 
1011  app_decoder_events = AppLayerParserHasDecoderEvents(pflow->alparser);
1012  }
1013 
1014  DetectRunScratchpad pad = { alproto, flow_flags, app_decoder_events, default_action, NULL };
1015  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_SETUP);
1016  return pad;
1017 }
1018 
1019 static inline void DetectRunPostRules(ThreadVars *tv, const DetectEngineCtx *de_ctx,
1020  DetectEngineThreadCtx *det_ctx, Packet *const p, Flow *const pflow,
1021  DetectRunScratchpad *scratch)
1022 {
1023  /* so now let's iterate the alerts and remove the ones after a pass rule
1024  * matched (if any). This is done inside PacketAlertFinalize() */
1025  /* PR: installed "tag" keywords are handled after the threshold inspection */
1026 
1027  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_ALERT);
1028  PacketAlertFinalize(de_ctx, det_ctx, p);
1029  if (p->alerts.cnt > 0) {
1030  StatsCounterAddI64(&tv->stats, det_ctx->counter_alerts, (uint64_t)p->alerts.cnt);
1031  }
1032  if (p->alerts.discarded > 0) {
1033  StatsCounterAddI64(
1034  &tv->stats, det_ctx->counter_alerts_overflow, (uint64_t)p->alerts.discarded);
1035  }
1036  if (p->alerts.suppressed > 0) {
1037  StatsCounterAddI64(
1038  &tv->stats, det_ctx->counter_alerts_suppressed, (uint64_t)p->alerts.suppressed);
1039  }
1040  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_ALERT);
1041 
1042  /* firewall: "fail" closed if we don't have an ACCEPT. This can happen
1043  * if there was no rule group. */
1044  // TODO review packet src types here
1045  if (EngineModeIsFirewall() && !(p->action & ACTION_ACCEPT) && p->pkt_src == PKT_SRC_WIRE &&
1046  scratch->default_action == ACTION_DROP) {
1047  SCLogDebug("packet %" PRIu64 ": droppit as no ACCEPT set %02x (pkt %s)", p->pcap_cnt,
1048  p->action, PktSrcToString(p->pkt_src));
1049  PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_DEFAULT_PACKET_POLICY);
1050  }
1051 }
1052 
1053 static void DetectRunCleanup(DetectEngineThreadCtx *det_ctx,
1054  Packet *p, Flow * const pflow)
1055 {
1056  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_CLEANUP);
1057  InspectionBufferClean(det_ctx);
1058 
1059  if (pflow != NULL) {
1060  /* update inspected tracker for raw reassembly */
1061  if (p->proto == IPPROTO_TCP && pflow->protoctx != NULL &&
1062  (p->flags & PKT_DETECT_HAS_STREAMDATA)) {
1063  StreamReassembleRawUpdateProgress(pflow->protoctx, p,
1064  det_ctx->raw_stream_progress);
1065  }
1066  }
1067  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_CLEANUP);
1068  SCReturn;
1069 }
1070 
1071 void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size)
1072 {
1073  DEBUG_VALIDATE_BUG_ON(det_ctx->tx_candidates);
1074  det_ctx->tx_candidates = SCCalloc(size, sizeof(RuleMatchCandidateTx));
1075  if (det_ctx->tx_candidates == NULL) {
1076  FatalError("failed to allocate %" PRIu64 " bytes",
1077  (uint64_t)(size * sizeof(RuleMatchCandidateTx)));
1078  }
1079  det_ctx->tx_candidates_size = size;
1080  SCLogDebug("array initialized to %u elements (%"PRIu64" bytes)",
1081  size, (uint64_t)(size * sizeof(RuleMatchCandidateTx)));
1082 }
1083 
1084 void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx)
1085 {
1086  SCFree(det_ctx->tx_candidates);
1087  det_ctx->tx_candidates_size = 0;
1088 }
1089 
1090 /* if size >= cur_space */
1091 static inline bool RuleMatchCandidateTxArrayHasSpace(const DetectEngineThreadCtx *det_ctx,
1092  const uint32_t need)
1093 {
1094  if (det_ctx->tx_candidates_size >= need)
1095  return 1;
1096  return 0;
1097 }
1098 
1099 /* realloc */
1100 static int RuleMatchCandidateTxArrayExpand(DetectEngineThreadCtx *det_ctx, const uint32_t needed)
1101 {
1102  const uint32_t old_size = det_ctx->tx_candidates_size;
1103  uint32_t new_size = needed;
1104  void *ptmp = SCRealloc(det_ctx->tx_candidates, (new_size * sizeof(RuleMatchCandidateTx)));
1105  if (ptmp == NULL) {
1106  FatalError("failed to expand to %" PRIu64 " bytes",
1107  (uint64_t)(new_size * sizeof(RuleMatchCandidateTx)));
1108  // TODO can this be handled more gracefully?
1109  }
1110  det_ctx->tx_candidates = ptmp;
1111  det_ctx->tx_candidates_size = new_size;
1112  SCLogDebug("array expanded from %u to %u elements (%"PRIu64" bytes -> %"PRIu64" bytes)",
1113  old_size, new_size, (uint64_t)(old_size * sizeof(RuleMatchCandidateTx)),
1114  (uint64_t)(new_size * sizeof(RuleMatchCandidateTx))); (void)old_size;
1115  return 1;
1116 }
1117 
1118 /** \internal
1119  * \brief sort helper for sorting match candidates by id: ascending
1120  *
1121  * The id field is set from Signature::num, so we sort the candidates to match the signature
1122  * sort order (ascending), where candidates that have flags go first.
1123  */
1124 static int
1125 DetectRunTxSortHelper(const void *a, const void *b)
1126 {
1127  const RuleMatchCandidateTx *s0 = a;
1128  const RuleMatchCandidateTx *s1 = b;
1129  if (s1->id == s0->id) {
1130  if (s1->flags && !s0->flags)
1131  return 1;
1132  else if (!s1->flags && s0->flags)
1133  return -1;
1134  return 0;
1135  } else
1136  return s0->id > s1->id ? 1 : -1;
1137 }
1138 
1139 #if 0
1140 #define TRACE_SID_TXS(sid,txs,...) \
1141  do { \
1142  char _trace_buf[2048]; \
1143  snprintf(_trace_buf, sizeof(_trace_buf), __VA_ARGS__); \
1144  SCLogNotice("%p/%"PRIu64"/%u: %s", txs->tx_ptr, txs->tx_id, sid, _trace_buf); \
1145  } while(0)
1146 #else
1147 #define TRACE_SID_TXS(sid,txs,...)
1148 #endif
1149 
1150 // Get inner transaction for engine
1151 void *DetectGetInnerTx(void *tx_ptr, AppProto alproto, AppProto engine_alproto, uint8_t flow_flags)
1152 {
1153  if (unlikely(alproto == ALPROTO_DOH2)) {
1154  if (engine_alproto == ALPROTO_DNS) {
1155  // need to get the dns tx pointer
1156  tx_ptr = SCDoH2GetDnsTx(tx_ptr, flow_flags);
1157  } else if (engine_alproto != ALPROTO_HTTP2 && engine_alproto != ALPROTO_UNKNOWN) {
1158  // incompatible engine->alproto with flow alproto
1159  tx_ptr = NULL;
1160  }
1161  } else if (engine_alproto != alproto && engine_alproto != ALPROTO_UNKNOWN) {
1162  // incompatible engine->alproto with flow alproto
1163  tx_ptr = NULL;
1164  }
1165  return tx_ptr;
1166 }
1167 
1168 /** \internal
1169  * \brief inspect a rule against a transaction
1170  *
1171  * Inspect a rule. New detection or continued stateful
1172  * detection.
1173  *
1174  * \param stored_flags pointer to stored flags or NULL.
1175  * If stored_flags is set it means we're continuing
1176  * inspection from an earlier run.
1177  *
1178  * \retval bool true sig matched, false didn't match
1179  */
1180 static bool DetectRunTxInspectRule(ThreadVars *tv,
1181  DetectEngineCtx *de_ctx,
1182  DetectEngineThreadCtx *det_ctx,
1183  Packet *p,
1184  Flow *f,
1185  const uint8_t in_flow_flags, // direction, EOF, etc
1186  void *alstate,
1187  DetectTransaction *tx,
1188  const Signature *s,
1189  uint32_t *stored_flags,
1190  RuleMatchCandidateTx *can,
1191  DetectRunScratchpad *scratch)
1192 {
1193  const uint8_t flow_flags = in_flow_flags;
1194  const int direction = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
1195  uint32_t inspect_flags = stored_flags ? *stored_flags : 0;
1196  int total_matches = 0;
1197  uint16_t file_no_match = 0;
1198  bool retval = false;
1199  bool mpm_before_progress = false; // is mpm engine before progress?
1200  bool mpm_in_progress = false; // is mpm engine in a buffer we will revisit?
1201 
1202  TRACE_SID_TXS(s->id, tx, "starting %s", direction ? "toclient" : "toserver");
1203 
1204  /* for a new inspection we inspect pkt header and packet matches */
1205  if (likely(stored_flags == NULL)) {
1206  TRACE_SID_TXS(s->id, tx, "first inspect, run packet matches");
1207  if (!DetectRunInspectRuleHeader(p, f, s, s->flags, s->proto.flags)) {
1208  TRACE_SID_TXS(s->id, tx, "DetectRunInspectRuleHeader() no match");
1209  return false;
1210  }
1211  if (!DetectEnginePktInspectionRun(tv, det_ctx, s, f, p, NULL)) {
1212  TRACE_SID_TXS(s->id, tx, "DetectEnginePktInspectionRun no match");
1213  return false;
1214  }
1215  /* stream mpm and negated mpm sigs can end up here with wrong proto */
1216  if (!(AppProtoEquals(s->alproto, f->alproto) || s->alproto == ALPROTO_UNKNOWN)) {
1217  TRACE_SID_TXS(s->id, tx, "alproto mismatch");
1218  return false;
1219  }
1220  }
1221 
1222  const DetectEngineAppInspectionEngine *engine = s->app_inspect;
1223  do {
1224  TRACE_SID_TXS(s->id, tx, "engine %p inspect_flags %x", engine, inspect_flags);
1225  // also if it is not the same direction, but
1226  // this is a transactional signature, and we are toclient
1227  if (!(inspect_flags & BIT_U32(engine->id)) &&
1228  (direction == engine->dir || ((s->flags & SIG_FLAG_TXBOTHDIR) && direction == 1))) {
1229 
1230  void *tx_ptr = DetectGetInnerTx(tx->tx_ptr, f->alproto, engine->alproto, flow_flags);
1231  if (tx_ptr == NULL) {
1232  if (engine->alproto != ALPROTO_UNKNOWN) {
1233  /* special case: file_data on 'alert tcp' will have engines
1234  * in the list that are not for us. */
1235  engine = engine->next;
1236  continue;
1237  } else {
1238  tx_ptr = tx->tx_ptr;
1239  }
1240  }
1241 
1242  /* engines are sorted per progress, except that the one with
1243  * mpm/prefilter enabled is first */
1244  if (tx->tx_progress < engine->progress) {
1245  SCLogDebug("tx progress %d < engine progress %d",
1246  tx->tx_progress, engine->progress);
1247  break;
1248  }
1249  if (engine->mpm) {
1250  if (tx->tx_progress > engine->progress) {
1251  TRACE_SID_TXS(s->id, tx,
1252  "engine->mpm: t->tx_progress %u > engine->progress %u, so set "
1253  "mpm_before_progress",
1254  tx->tx_progress, engine->progress);
1255  mpm_before_progress = true;
1256  } else if (tx->tx_progress == engine->progress) {
1257  TRACE_SID_TXS(s->id, tx,
1258  "engine->mpm: t->tx_progress %u == engine->progress %u, so set "
1259  "mpm_in_progress",
1260  tx->tx_progress, engine->progress);
1261  mpm_in_progress = true;
1262  }
1263  }
1264 
1265  uint8_t engine_flags = flow_flags;
1266  if (direction != engine->dir) {
1267  engine_flags = flow_flags ^ (STREAM_TOCLIENT | STREAM_TOSERVER);
1268  }
1269  /* run callback: but bypass stream callback if we can */
1270  uint8_t match;
1271  if (unlikely(engine->stream && can->stream_stored)) {
1272  match = can->stream_result;
1273  TRACE_SID_TXS(s->id, tx, "stream skipped, stored result %d used instead", match);
1274  } else if (engine->v2.Callback == NULL) {
1275  /* TODO is this the cleanest way to support a non-app sig on a app hook? */
1276 
1277  if (tx->tx_progress > engine->progress) {
1278  mpm_before_progress = true; // TODO needs a new name now
1279  }
1280 
1281  /* we don't have to store a "hook" match, also don't want to keep any state to make
1282  * sure the hook gets invoked again until tx progress progresses. */
1283  if (tx->tx_progress <= engine->progress)
1284  return DETECT_ENGINE_INSPECT_SIG_MATCH;
1285 
1286  /* if progress > engine progress, track state to avoid additional matches */
1287  match = DETECT_ENGINE_INSPECT_SIG_MATCH;
1288  } else {
1289  KEYWORD_PROFILING_SET_LIST(det_ctx, engine->sm_list);
1290  DEBUG_VALIDATE_BUG_ON(engine->v2.Callback == NULL);
1291  match = engine->v2.Callback(
1292  de_ctx, det_ctx, engine, s, f, engine_flags, alstate, tx_ptr, tx->tx_id);
1293  TRACE_SID_TXS(s->id, tx, "engine %p match %d", engine, match);
1294  if (engine->stream) {
1295  can->stream_stored = true;
1296  can->stream_result = match;
1297  TRACE_SID_TXS(s->id, tx, "stream ran, store result %d for next tx (if any)", match);
1298  }
1299  }
1300  if (match == DETECT_ENGINE_INSPECT_SIG_MATCH) {
1301  inspect_flags |= BIT_U32(engine->id);
1302  engine = engine->next;
1303  total_matches++;
1304  continue;
1305  } else if (match == DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES) {
1306  /* if the file engine matched, but indicated more
1307  * files are still in progress, we don't set inspect
1308  * flags as these would end inspection for this tx */
1309  engine = engine->next;
1310  total_matches++;
1311  continue;
1312  } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) {
1313  inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
1314  inspect_flags |= BIT_U32(engine->id);
1315  } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES) {
1316  inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
1317  inspect_flags |= BIT_U32(engine->id);
1318  file_no_match = 1;
1319  }
1320  /* implied DETECT_ENGINE_INSPECT_SIG_NO_MATCH */
1321  if (engine->mpm && mpm_before_progress) {
1322  inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
1323  inspect_flags |= BIT_U32(engine->id);
1324  }
1325  break;
1326  } else if (!(inspect_flags & BIT_U32(engine->id)) && s->flags & SIG_FLAG_TXBOTHDIR &&
1327  direction != engine->dir) {
1328  // for transactional rules, the engines on the opposite direction
1329  // are ordered by progress on the different side
1330  // so we have a two mixed-up lists, and we skip the elements
1331  if (direction == 0 && engine->next == NULL) {
1332  // do not match yet on request only
1333  break;
1334  }
1335  engine = engine->next;
1336  continue;
1337  }
1338 
1339  engine = engine->next;
1340  } while (engine != NULL);
1341  TRACE_SID_TXS(s->id, tx, "inspect_flags %x, total_matches %u, engine %p",
1342  inspect_flags, total_matches, engine);
1343 
1344  if (engine == NULL && total_matches) {
1345  inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;
1346  TRACE_SID_TXS(s->id, tx, "MATCH");
1347  retval = true;
1348  }
1349 
1350  if (stored_flags) {
1351  *stored_flags = inspect_flags;
1352  TRACE_SID_TXS(s->id, tx, "continue inspect flags %08x", inspect_flags);
1353  } else {
1354  // store... or? If tx is done we might not want to come back to this tx
1355 
1356  // also... if mpmid tracking is enabled, we won't do a sig again for this tx...
1357  TRACE_SID_TXS(s->id, tx, "start inspect flags %08x", inspect_flags);
1358  if (inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH) {
1359  if (file_no_match) {
1360  /* if we have a mismatch on a file sig, we need to keep state.
1361  * We may get another file on the same tx (for http and smtp
1362  * at least), so for a new file we need to re-eval the sig.
1363  * Thoughts / TODO:
1364  * - not for some protos that have 1 file per tx (e.g. nfs)
1365  * - maybe we only need this for file sigs that mix with
1366  * other matches? E.g. 'POST + filename', is different than
1367  * just 'filename'.
1368  */
1369  DetectRunStoreStateTx(scratch->sgh, f, tx->tx_ptr, tx->tx_id, s,
1370  inspect_flags, flow_flags, file_no_match);
1371  }
1372  } else if ((inspect_flags & DE_STATE_FLAG_FULL_INSPECT) && mpm_before_progress) {
1373  TRACE_SID_TXS(s->id, tx, "no need to store match sig, "
1374  "mpm won't trigger for it anymore");
1375 
1376  if (inspect_flags & DE_STATE_FLAG_FILE_INSPECT) {
1377  TRACE_SID_TXS(s->id, tx, "except that for new files, "
1378  "we may have to revisit anyway");
1379  DetectRunStoreStateTx(scratch->sgh, f, tx->tx_ptr, tx->tx_id, s,
1380  inspect_flags, flow_flags, file_no_match);
1381  }
1382  } else if ((inspect_flags & DE_STATE_FLAG_FULL_INSPECT) == 0 && mpm_in_progress) {
1383  TRACE_SID_TXS(s->id, tx, "no need to store no-match sig, "
1384  "mpm will revisit it");
1385  } else if (inspect_flags != 0 || file_no_match != 0) {
1386  TRACE_SID_TXS(s->id, tx, "storing state: flags %08x", inspect_flags);
1387  DetectRunStoreStateTx(scratch->sgh, f, tx->tx_ptr, tx->tx_id, s,
1388  inspect_flags, flow_flags, file_no_match);
1389  }
1390  }
1391 
1392  return retval;
1393 }
1394 
1395 #define NO_TX \
1396  { \
1397  NULL, 0, NULL, NULL, 0, 0, 0, 0, \
1398  }
1399 
1400 /** \internal
1401  * \brief get a DetectTransaction object
1402  * \retval struct filled with relevant info or all nulls/0s
1403  */
1404 static DetectTransaction GetDetectTx(const uint8_t ipproto, const AppProto alproto,
1405  const uint64_t tx_id, void *tx_ptr, const int tx_end_state, const uint8_t flow_flags)
1406 {
1407  AppLayerTxData *txd = AppLayerParserGetTxData(ipproto, alproto, tx_ptr);
1408  const int tx_progress = AppLayerParserGetStateProgress(ipproto, alproto, tx_ptr, flow_flags);
1409  bool updated = (flow_flags & STREAM_TOSERVER) ? txd->updated_ts : txd->updated_tc;
1410  if (!updated && tx_progress < tx_end_state && ((flow_flags & STREAM_EOF) == 0)) {
1411  DetectTransaction no_tx = NO_TX;
1412  return no_tx;
1413  }
1414  const uint8_t inspected_flag =
1415  (flow_flags & STREAM_TOSERVER) ? APP_LAYER_TX_INSPECTED_TS : APP_LAYER_TX_INSPECTED_TC;
1416  if (unlikely(txd->flags & inspected_flag)) {
1417  SCLogDebug("%" PRIu64 " tx already fully inspected for %s. Flags %02x", tx_id,
1418  flow_flags & STREAM_TOSERVER ? "toserver" : "toclient", txd->flags);
1419  DetectTransaction no_tx = NO_TX;
1420  return no_tx;
1421  }
1422  const uint8_t skip_flag = (flow_flags & STREAM_TOSERVER) ? APP_LAYER_TX_SKIP_INSPECT_TS
1423  : APP_LAYER_TX_SKIP_INSPECT_TC;
1424  if (unlikely(txd->flags & skip_flag)) {
1425  SCLogDebug("%" PRIu64 " tx should not be inspected in direction %s. Flags %02x", tx_id,
1426  flow_flags & STREAM_TOSERVER ? "toserver" : "toclient", txd->flags);
1427  DetectTransaction no_tx = NO_TX;
1428  return no_tx;
1429  }
1430 
1431  const uint8_t detect_progress =
1432  (flow_flags & STREAM_TOSERVER) ? txd->detect_progress_ts : txd->detect_progress_tc;
1433 
1434  const int dir_int = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
1435  DetectEngineState *tx_de_state = txd->de_state;
1436  DetectEngineStateDirection *tx_dir_state =
1437  tx_de_state ? &tx_de_state->dir_state[dir_int] : NULL;
1438  DetectTransaction tx = {
1439  .tx_ptr = tx_ptr,
1440  .tx_id = tx_id,
1441  .tx_data_ptr = (struct AppLayerTxData *)txd,
1442  .de_state = tx_dir_state,
1443  .detect_progress = detect_progress,
1444  .detect_progress_orig = detect_progress,
1445  .tx_progress = tx_progress,
1446  .tx_end_state = tx_end_state,
1447  };
1448  return tx;
1449 }
1450 
1451 static inline void StoreDetectProgress(
1452  DetectTransaction *tx, const uint8_t flow_flags, const uint8_t progress)
1453 {
1454  AppLayerTxData *txd = (AppLayerTxData *)tx->tx_data_ptr;
1455  if (flow_flags & STREAM_TOSERVER) {
1456  txd->detect_progress_ts = progress;
1457  } else {
1458  txd->detect_progress_tc = progress;
1459  }
1460 }
1461 
1462 // Merge 'state' rules from the regular prefilter
1463 // updates array_idx on the way
1464 static inline void RuleMatchCandidateMergeStateRules(
1465  DetectEngineThreadCtx *det_ctx, uint32_t *array_idx)
1466 {
1467  // Now, we will merge 2 sorted lists :
1468  // the one in det_ctx->tx_candidates
1469  // and the one in det_ctx->match_array
1470  // For match_array, we take only the relevant elements where s->app_inspect != NULL
1471 
1472  // Basically, we iterate at the same time over the 2 lists
1473  // comparing and taking an element from either.
1474 
1475  // Trick is to do so in place in det_ctx->tx_candidates,
1476  // so as to minimize the number of moves in det_ctx->tx_candidates.
1477  // For this, the algorithm traverses the lists in reverse order.
1478  // Otherwise, if the first element of match_array was to be put before
1479  // all tx_candidates, we would need to shift all tx_candidates
1480 
1481  // Retain the number of elements sorted in tx_candidates before merge
1482  uint32_t j = *array_idx;
1483  // First loop only counting the number of elements to add
1484  for (uint32_t i = 0; i < det_ctx->match_array_cnt; i++) {
1485  const Signature *s = det_ctx->match_array[i];
1486  if (s->app_inspect != NULL) {
1487  (*array_idx)++;
1488  }
1489  }
1490  // Future number of elements in tx_candidates after merge
1491  uint32_t k = *array_idx;
1492 
1493  if (k == j) {
1494  // no new element from match_array to merge in tx_candidates
1495  return;
1496  }
1497 
1498  // variable i is for all elements of match_array (even not relevant ones)
1499  // variable j is for elements of tx_candidates before merge
1500  // variable k is for elements of tx_candidates after merge
1501  for (uint32_t i = det_ctx->match_array_cnt; i > 0;) {
1502  const Signature *s = det_ctx->match_array[i - 1];
1503  if (s->app_inspect == NULL) {
1504  // no relevant element, get the next one from match_array
1505  i--;
1506  continue;
1507  }
1508  // we have one element from match_array to merge in tx_candidates
1509  k--;
1510  if (j > 0) {
1511  // j > 0 means there is still at least one element in tx_candidates to merge
1512  const RuleMatchCandidateTx *s0 = &det_ctx->tx_candidates[j - 1];
1513  if (s->iid <= s0->id) {
1514  // get next element from previous tx_candidates
1515  j--;
1516  // take the element from tx_candidates before merge
1517  det_ctx->tx_candidates[k].s = det_ctx->tx_candidates[j].s;
1518  det_ctx->tx_candidates[k].id = det_ctx->tx_candidates[j].id;
1519  det_ctx->tx_candidates[k].flags = det_ctx->tx_candidates[j].flags;
1520  det_ctx->tx_candidates[k].stream_reset = det_ctx->tx_candidates[j].stream_reset;
1521  continue;
1522  }
1523  } // otherwise
1524  // get next element from match_array
1525  i--;
1526  // take the element from match_array
1527  det_ctx->tx_candidates[k].s = s;
1528  det_ctx->tx_candidates[k].id = s->iid;
1529  det_ctx->tx_candidates[k].flags = NULL;
1530  det_ctx->tx_candidates[k].stream_reset = 0;
1531  }
1532  // Even if k > 0 or j > 0, the loop is over. (Note that j == k now)
1533  // The remaining elements in tx_candidates up to k were already sorted
1534  // and come before any other element later in the list
1535 }
1536 
1537 /**
1538  * \internal
1539  * \brief Check and update firewall rules state.
1540  *
1541  * \param skip_fw_hook bool to indicate firewall rules skips
1542  * For state `skip_before_progress` should be skipped.
1543  *
1544  * \param skip_before_progress progress value to skip rules before.
1545  * Only used if `skip_fw_hook` is set.
1546  *
1547  * \param last_for_progress[out] set to true if this is the last rule for a progress value
1548  *
1549  * \param fw_next_progress_missing[out] set to true if the next fw rule does not target the next
1550  * progress value, or there is no fw rule for that value.
1551  *
1552  * \retval 0 no action needed
1553  * \retval 1 rest of rules shouldn't inspected
1554  * \retval -1 skip this rule
1555  */
1556 static int DetectRunTxCheckFirewallPolicy(DetectEngineThreadCtx *det_ctx, Packet *p, Flow *f,
1557  DetectTransaction *tx, const Signature *s, const uint32_t can_idx, const uint32_t can_size,
1558  bool *skip_fw_hook, const uint8_t skip_before_progress, bool *last_for_progress,
1559  bool *fw_next_progress_missing)
1560 {
1561  if (s->flags & SIG_FLAG_FIREWALL) {
1562  /* check if the next sig is on the same progress hook. If not, we need to apply our
1563  * default policy in case the current sig doesn't apply one. If the next sig has a
1564  * progress beyond our progress + 1, it means the next progress has no rules and needs
1565  * the default policy applied. But only after we evaluate the current rule first, as
1566  * that may override it.
1567  * TODO should we do this after dedup below? */
1568 
1569  if (can_idx + 1 < can_size) {
1570  const Signature *next_s = det_ctx->tx_candidates[can_idx + 1].s;
1571  SCLogDebug(
1572  "peek: peeking at sid %u / progress %u", next_s->id, next_s->app_progress_hook);
1573  if (next_s->flags & SIG_FLAG_FIREWALL) {
1574  if (s->app_progress_hook != next_s->app_progress_hook) {
1575  SCLogDebug("peek: next sid progress %u != current progress %u, so current "
1576  "is last for progress",
1577  next_s->app_progress_hook, s->app_progress_hook);
1578  *last_for_progress = true;
1579 
1580  if (next_s->app_progress_hook - s->app_progress_hook > 1) {
1581  SCLogDebug("peek: missing progress, so we'll drop that unless we get a "
1582  "sweeping accept first");
1583  *fw_next_progress_missing = true;
1584  }
1585  }
1586  } else {
1587  SCLogDebug("peek: next sid not a fw rule, so current is last for progress");
1588  *last_for_progress = true;
1589  }
1590  } else {
1591  SCLogDebug("peek: no peek beyond last rule");
1592  if (s->app_progress_hook < tx->tx_progress) {
1593  SCLogDebug("peek: there are no rules to allow the state after this rule");
1594  *fw_next_progress_missing = true;
1595  }
1596  }
1597 
1598  if ((*skip_fw_hook) == true) {
1599  if (s->app_progress_hook <= skip_before_progress) {
1600  return -1;
1601  }
1602  *skip_fw_hook = false;
1603  }
1604  } else {
1605  /* fw mode, we skip anything after the fw rules if:
1606  * - flow pass is set
1607  * - packet pass (e.g. exception policy) */
1608  if (p->flags & PKT_NOPACKET_INSPECTION || (f->flags & (FLOW_ACTION_PASS))) {
1609  SCLogDebug("skipping firewall rule %u", s->id);
1610  return 1;
1611  }
1612  }
1613  return 0;
1614 }
1615 
1616 // TODO move into det_ctx?
1617 thread_local Signature default_accept;
1618 static inline void DetectRunAppendDefaultAccept(DetectEngineThreadCtx *det_ctx, Packet *p)
1619 {
1620  if (EngineModeIsFirewall()) {
1621  memset(&default_accept, 0, sizeof(default_accept));
1622  default_accept.action = ACTION_ACCEPT;
1623  default_accept.action_scope = ACTION_SCOPE_PACKET;
1624  default_accept.iid = UINT32_MAX;
1625  default_accept.type = SIG_TYPE_PKT;
1626  default_accept.flags = SIG_FLAG_FIREWALL;
1627  AlertQueueAppend(det_ctx, &default_accept, p, 0, PACKET_ALERT_FLAG_APPLY_ACTION_TO_PACKET);
1628  }
1629 }
1630 
1631 /** \internal
1632  * \brief see if the accept rule needs to apply to the packet
1633  */
1634 static inline bool ApplyAcceptToPacket(
1635  const uint64_t total_txs, const DetectTransaction *tx, const Signature *s)
1636 {
1637  if ((s->flags & SIG_FLAG_FIREWALL) == 0) {
1638  return false;
1639  }
1640  if ((s->action & ACTION_ACCEPT) == 0) {
1641  return false;
1642  }
1643 
1644  /* for accept:tx we need:
1645  * - packet will only be accepted if this is set on the last tx
1646  */
1647  if (s->action_scope == ACTION_SCOPE_TX) {
1648  if (total_txs == tx->tx_id + 1) {
1649  return true;
1650  }
1651  }
1652  /* for accept:hook we need a bit more checking:
1653  * - packet will only be accepted if this is set on the last tx
1654  * - the hook accepted should be the last progress available. */
1655  if (s->action_scope == ACTION_SCOPE_HOOK) {
1656  if ((total_txs == tx->tx_id + 1) && /* last tx */
1657  (s->app_progress_hook == tx->tx_progress)) {
1658  return true;
1659  }
1660  }
1661  return false;
1662 }
1663 
1664 /** \internal
1665  * \retval bool true: break_out_of_app_filter, false: don't break out */
1666 static bool ApplyAccept(Packet *p, const uint8_t flow_flags, const Signature *s,
1667  DetectTransaction *tx, const int tx_end_state, const bool fw_next_progress_missing,
1668  bool *tx_fw_verdict, bool *skip_fw_hook, uint8_t *skip_before_progress)
1669 {
1670  *tx_fw_verdict = true;
1671 
1672  const enum ActionScope as = s->action_scope;
1673  /* accept:hook: jump to first rule of next state.
1674  * Implemented as skip until the first rule of next state. */
1675  if (as == ACTION_SCOPE_HOOK) {
1676  *skip_fw_hook = true;
1677  *skip_before_progress = s->app_progress_hook;
1678 
1679  /* if there is no fw rule for the next progress value,
1680  * we invoke the default drop policy. */
1681  if (fw_next_progress_missing) {
1682  SCLogDebug("%" PRIu64 ": %s default drop for progress", p->pcap_cnt,
1683  flow_flags & STREAM_TOSERVER ? "toserver" : "toclient");
1684  PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_DEFAULT_APP_POLICY);
1685  p->flow->flags |= FLOW_ACTION_DROP;
1686  return true;
1687  }
1688  return false;
1689  } else if (as == ACTION_SCOPE_TX) {
1690  tx->tx_data_ptr->flags |= APP_LAYER_TX_ACCEPT;
1691  *skip_fw_hook = true;
1692  *skip_before_progress = (uint8_t)tx_end_state + 1; // skip all hooks
1693  SCLogDebug(
1694  "accept:tx applied, skip_fw_hook, skip_before_progress %u", *skip_before_progress);
1695  return false;
1696  } else if (as == ACTION_SCOPE_PACKET) {
1697  return true;
1698  } else if (as == ACTION_SCOPE_FLOW) {
1699  return true;
1700  }
1701  return false;
1702 }
1703 
1704 static void DetectRunTx(ThreadVars *tv,
1705  DetectEngineCtx *de_ctx,
1706  DetectEngineThreadCtx *det_ctx,
1707  Packet *p,
1708  Flow *f,
1709  DetectRunScratchpad *scratch)
1710 {
1711  const uint8_t flow_flags = scratch->flow_flags;
1712  const SigGroupHead * const sgh = scratch->sgh;
1713  void * const alstate = f->alstate;
1714  const uint8_t ipproto = f->proto;
1715  const AppProto alproto = f->alproto;
1716 
1717  const uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate);
1718  uint64_t tx_id_min = AppLayerParserGetTransactionInspectId(f->alparser, flow_flags);
1719  const int tx_end_state = AppLayerParserGetStateProgressCompletionStatus(alproto, flow_flags);
1720 
1721  AppLayerGetTxIteratorFunc IterFunc = AppLayerGetTxIterator(ipproto, alproto);
1722  AppLayerGetTxIterState state = { 0 };
1723 
1724  uint32_t fw_verdicted = 0;
1725  uint32_t tx_inspected = 0;
1726  const bool have_fw_rules = EngineModeIsFirewall();
1727 
1728  SCLogDebug("packet %" PRIu64, p->pcap_cnt);
1729 
1730  while (1) {
1731  AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, tx_id_min, total_txs, &state);
1732  if (ires.tx_ptr == NULL)
1733  break;
1734 
1735  DetectTransaction tx =
1736  GetDetectTx(ipproto, alproto, ires.tx_id, ires.tx_ptr, tx_end_state, flow_flags);
1737  if (tx.tx_ptr == NULL) {
1738  SCLogDebug("%p/%"PRIu64" no transaction to inspect",
1739  tx.tx_ptr, tx_id_min);
1740 
1741  tx_id_min++; // next (if any) run look for +1
1742  goto next;
1743  }
1744  tx_id_min = tx.tx_id + 1; // next look for cur + 1
1745  tx_inspected++;
1746 
1747  SCLogDebug("%p/%" PRIu64 " txd flags %02x", tx.tx_ptr, tx_id_min, tx.tx_data_ptr->flags);
1748 
1749  det_ctx->tx_id = tx.tx_id;
1750  det_ctx->tx_id_set = true;
1751  det_ctx->p = p;
1752 
1753  bool do_sort = false; // do we need to sort the tx candidate list?
1754  uint32_t array_idx = 0;
1755  uint32_t total_rules = det_ctx->match_array_cnt;
1756  total_rules += (tx.de_state ? tx.de_state->cnt : 0);
1757 
1758  /* run prefilter engines and merge results into a candidates array */
1759  if (sgh->tx_engines) {
1760  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PF_TX);
1761  DetectRunPrefilterTx(det_ctx, sgh, p, ipproto, flow_flags, alproto,
1762  alstate, &tx);
1763  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PF_TX);
1764  SCLogDebug("%p/%"PRIu64" rules added from prefilter: %u candidates",
1765  tx.tx_ptr, tx.tx_id, det_ctx->pmq.rule_id_array_cnt);
1766 
1767  total_rules += det_ctx->pmq.rule_id_array_cnt;
1768  if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {
1769  RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1770  }
1771 
1772  for (uint32_t i = 0; i < det_ctx->pmq.rule_id_array_cnt; i++) {
1773  const Signature *s = de_ctx->sig_array[det_ctx->pmq.rule_id_array[i]];
1774  const SigIntId id = s->iid;
1775  det_ctx->tx_candidates[array_idx].s = s;
1776  det_ctx->tx_candidates[array_idx].id = id;
1777  det_ctx->tx_candidates[array_idx].flags = NULL;
1778  det_ctx->tx_candidates[array_idx].stream_reset = 0;
1779  array_idx++;
1780  }
1781  PMQ_RESET(&det_ctx->pmq);
1782  } else {
1783  if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {
1784  RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1785  }
1786  }
1787 
1788  /* merge 'state' rules from the regular prefilter */
1789 #ifdef PROFILING
1790  uint32_t x = array_idx;
1791 #endif
1792  RuleMatchCandidateMergeStateRules(det_ctx, &array_idx);
1793 
1794  /* merge stored state into results */
1795  if (tx.de_state != NULL) {
1796  const uint32_t old = array_idx;
1797 
1798  /* if tx.de_state->flags has 'new file' set and sig below has
1799  * 'file inspected' flag, reset the file part of the state */
1800  const bool have_new_file = (tx.de_state->flags & DETECT_ENGINE_STATE_FLAG_FILE_NEW);
1801  if (have_new_file) {
1802  SCLogDebug("%p/%"PRIu64" destate: need to consider new file",
1803  tx.tx_ptr, tx.tx_id);
1804  tx.de_state->flags &= ~DETECT_ENGINE_STATE_FLAG_FILE_NEW;
1805  }
1806 
1807  SigIntId state_cnt = 0;
1808  DeStateStore *tx_store = tx.de_state->head;
1809  for (; tx_store != NULL; tx_store = tx_store->next) {
1810  SCLogDebug("tx_store %p", tx_store);
1811 
1812  SigIntId store_cnt = 0;
1813  for (store_cnt = 0;
1814  store_cnt < DE_STATE_CHUNK_SIZE && state_cnt < tx.de_state->cnt;
1815  store_cnt++, state_cnt++)
1816  {
1817  DeStateStoreItem *item = &tx_store->store[store_cnt];
1818  SCLogDebug("rule id %u, inspect_flags %u", item->sid, item->flags);
1819  if (have_new_file && (item->flags & DE_STATE_FLAG_FILE_INSPECT)) {
1820  /* remove part of the state. File inspect engine will now
1821  * be able to run again */
1822  item->flags &= ~(DE_STATE_FLAG_SIG_CANT_MATCH|DE_STATE_FLAG_FULL_INSPECT|DE_STATE_FLAG_FILE_INSPECT);
1823  SCLogDebug("rule id %u, post file reset inspect_flags %u", item->sid, item->flags);
1824  }
1825  det_ctx->tx_candidates[array_idx].s = de_ctx->sig_array[item->sid];
1826  det_ctx->tx_candidates[array_idx].id = item->sid;
1827  det_ctx->tx_candidates[array_idx].flags = &item->flags;
1828  det_ctx->tx_candidates[array_idx].stream_reset = 0;
1829  array_idx++;
1830  }
1831  }
1832  do_sort |= (old && old != array_idx); // sort if continue list adds sids
1833  SCLogDebug("%p/%" PRIu64 " rules added from 'continue' list: %u", tx.tx_ptr, tx.tx_id,
1834  array_idx - old);
1835  }
1836  if (do_sort) {
1837  qsort(det_ctx->tx_candidates, array_idx, sizeof(RuleMatchCandidateTx),
1838  DetectRunTxSortHelper);
1839  }
1840 
1841 #ifdef PROFILING
1842  if (array_idx >= de_ctx->profile_match_logging_threshold)
1843  RulesDumpTxMatchArray(det_ctx, scratch->sgh, p, tx.tx_id, array_idx, x);
1844 #endif
1845 
1846 #ifdef DEBUG
1847  for (uint32_t i = 0; i < array_idx; i++) {
1848  RuleMatchCandidateTx *can = &det_ctx->tx_candidates[i];
1849  const Signature *s = det_ctx->tx_candidates[i].s;
1850  SCLogDebug("%u: sid %u flags %p", i, s->id, can->flags);
1851  }
1852 #endif
1853  bool skip_fw_hook = false;
1854  uint8_t skip_before_progress = 0;
1855  bool fw_next_progress_missing = false;
1856 
1857  /* if there are no rules / rule candidates, make sure we don't
1858  * invoke the default drop */
1859  if (have_fw_rules && array_idx == 0 && (tx.tx_data_ptr->flags & APP_LAYER_TX_ACCEPT)) {
1860  fw_verdicted++;
1861 
1862  /* current tx is the last we have, append a blank accept:packet */
1863  if (total_txs == tx.tx_id + 1) {
1864  DetectRunAppendDefaultAccept(det_ctx, p);
1865  return;
1866  }
1867  goto next;
1868  }
1869 
1870  bool tx_fw_verdict = false;
1871  /* run rules: inspect the match candidates */
1872  for (uint32_t i = 0; i < array_idx; i++) {
1873  RuleMatchCandidateTx *can = &det_ctx->tx_candidates[i];
1874  const Signature *s = det_ctx->tx_candidates[i].s;
1875  uint32_t *inspect_flags = det_ctx->tx_candidates[i].flags;
1876  bool break_out_of_app_filter = false;
1877 
1878  SCLogDebug("%" PRIu64 ": sid:%u: %s tx %u/%u/%u sig %u", p->pcap_cnt, s->id,
1879  flow_flags & STREAM_TOSERVER ? "toserver" : "toclient", tx.tx_progress,
1880  tx.detect_progress, tx.detect_progress_orig, s->app_progress_hook);
1881 
1882  /* deduplicate: rules_array is sorted, but not deduplicated:
1883  * both mpm and stored state could give us the same sid.
1884  * As they are back to back in that case we can check for it
1885  * here. We select the stored state one as that comes first
1886  * in the array. */
1887  while ((i + 1) < array_idx &&
1888  det_ctx->tx_candidates[i].s == det_ctx->tx_candidates[i + 1].s) {
1889  SCLogDebug("%p/%" PRIu64 " inspecting SKIP NEXT: sid %u (%u), flags %08x",
1890  tx.tx_ptr, tx.tx_id, s->id, s->iid, inspect_flags ? *inspect_flags : 0);
1891  i++;
1892  }
1893 
1894  /* skip fw rules if we're in accept:tx mode */
1895  if (have_fw_rules && (tx.tx_data_ptr->flags & APP_LAYER_TX_ACCEPT)) {
1896  /* append a blank accept:packet action for the APP_LAYER_TX_ACCEPT,
1897  * if this is the last tx */
1898  if (!tx_fw_verdict) {
1899  const bool accept_tx_applies_to_packet = total_txs == tx.tx_id + 1;
1900  if (accept_tx_applies_to_packet) {
1901  SCLogDebug("accept:(tx|hook): should be applied to the packet");
1902  DetectRunAppendDefaultAccept(det_ctx, p);
1903  }
1904  }
1905  tx_fw_verdict = true;
1906 
1907  if (s->flags & SIG_FLAG_FIREWALL) {
1908  SCLogDebug("APP_LAYER_TX_ACCEPT, so skip rule");
1909  continue;
1910  }
1911 
1912  /* threat detect rules will be inspected */
1913  }
1914 
1915  SCLogDebug("%p/%" PRIu64 " inspecting: sid %u (%u), flags %08x", tx.tx_ptr, tx.tx_id,
1916  s->id, s->iid, inspect_flags ? *inspect_flags : 0);
1917 
1918  if (inspect_flags) {
1919  if (*inspect_flags & DE_STATE_FLAG_FULL_INSPECT) {
1920  SCLogDebug("%p/%" PRIu64
1921  " inspecting: sid %u (%u), flags %08x DE_STATE_FLAG_FULL_INSPECT",
1922  tx.tx_ptr, tx.tx_id, s->id, s->iid, *inspect_flags);
1923 
1924  /* if we're still in the same progress state as an earlier full
1925  * match, we need to apply the same accept */
1926  if (have_fw_rules && (s->flags & SIG_FLAG_FIREWALL) &&
1927  (s->action & ACTION_ACCEPT) && s->app_progress_hook == tx.tx_progress) {
1928  const bool fw_accept_to_packet = ApplyAcceptToPacket(total_txs, &tx, s);
1929  break_out_of_app_filter = ApplyAccept(p, flow_flags, s, &tx, tx_end_state,
1930  fw_next_progress_missing, &tx_fw_verdict, &skip_fw_hook,
1931  &skip_before_progress);
1932  if (fw_accept_to_packet)
1933  DetectRunAppendDefaultAccept(det_ctx, p);
1934  if (break_out_of_app_filter)
1935  break;
1936  }
1937  continue;
1938  }
1939  if (*inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH) {
1940  SCLogDebug("%p/%" PRIu64
1941  " inspecting: sid %u (%u), flags %08x DE_STATE_FLAG_SIG_CANT_MATCH",
1942  tx.tx_ptr, tx.tx_id, s->id, s->iid, *inspect_flags);
1943  continue;
1944  }
1945  }
1946 
1947  if (inspect_flags) {
1948  /* continue previous inspection */
1949  SCLogDebug("%p/%" PRIu64 " Continuing sid %u", tx.tx_ptr, tx.tx_id, s->id);
1950  } else {
1951  /* start new inspection */
1952  SCLogDebug("%p/%"PRIu64" Start sid %u", tx.tx_ptr, tx.tx_id, s->id);
1953  }
1954 
1955  bool last_for_progress = false;
1956  if (have_fw_rules) {
1957  int fw_r = DetectRunTxCheckFirewallPolicy(det_ctx, p, f, &tx, s, i, array_idx,
1958  &skip_fw_hook, skip_before_progress, &last_for_progress,
1959  &fw_next_progress_missing);
1960  if (fw_r == -1)
1961  continue;
1962  if (fw_r == 1)
1963  break;
1964  }
1965 
1966  /* call individual rule inspection */
1967  RULE_PROFILING_START(p);
1968  const int r = DetectRunTxInspectRule(tv, de_ctx, det_ctx, p, f, flow_flags,
1969  alstate, &tx, s, inspect_flags, can, scratch);
1970  if (r == 1) {
1971  /* match */
1972  DetectRunPostMatch(tv, det_ctx, p, s);
1973 
1974  /* see if we need to apply tx/hook accept to the packet. This can be needed when
1975  * we've completed the inspection so far for an incomplete tx, and an accept:tx or
1976  * accept:hook is the last match.*/
1977  const bool fw_accept_to_packet = ApplyAcceptToPacket(total_txs, &tx, s);
1978 
1979  uint8_t alert_flags = (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_TX);
1980  if (fw_accept_to_packet) {
1981  SCLogDebug("accept:(tx|hook): should be applied to the packet");
1982  alert_flags |= PACKET_ALERT_FLAG_APPLY_ACTION_TO_PACKET;
1983  }
1984 
1985  SCLogDebug(
1986  "%p/%" PRIu64 " sig %u (%u) matched", tx.tx_ptr, tx.tx_id, s->id, s->iid);
1987  AlertQueueAppend(det_ctx, s, p, tx.tx_id, alert_flags);
1988 
1989  if ((s->flags & SIG_FLAG_FIREWALL) && (s->action & ACTION_ACCEPT)) {
1990  break_out_of_app_filter = ApplyAccept(p, flow_flags, s, &tx, tx_end_state,
1991  fw_next_progress_missing, &tx_fw_verdict, &skip_fw_hook,
1992  &skip_before_progress);
1993  }
1994  } else if (last_for_progress) {
1995  SCLogDebug("sid %u: not a match: %s rule, last_for_progress %s", s->id,
1996  (s->flags & SIG_FLAG_FIREWALL) ? "firewall" : "regular",
1997  BOOL2STR(last_for_progress));
1998  if (s->flags & SIG_FLAG_FIREWALL) {
1999  SCLogDebug("%" PRIu64 ": %s default drop for progress", p->pcap_cnt,
2000  flow_flags & STREAM_TOSERVER ? "toserver" : "toclient");
2001  /* if this rule was the last for our progress state, and it didn't match,
2002  * we have to invoke the default drop policy. */
2003  PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_DEFAULT_APP_POLICY);
2004  p->flow->flags |= FLOW_ACTION_DROP;
2005  break_out_of_app_filter = true;
2006  tx_fw_verdict = true;
2007  }
2008  }
2009  DetectVarProcessList(det_ctx, p->flow, p);
2010  RULE_PROFILING_END(det_ctx, s, r, p);
2011 
2012  if (det_ctx->post_rule_work_queue.len > 0) {
2013  SCLogDebug("%p/%" PRIu64 " post_rule_work_queue len %u", tx.tx_ptr, tx.tx_id,
2014  det_ctx->post_rule_work_queue.len);
2015  /* run post match prefilter engines on work queue */
2016  PrefilterPostRuleMatch(det_ctx, scratch->sgh, p, f);
2017 
2018  uint32_t prev_array_idx = array_idx;
2019  for (uint32_t j = 0; j < det_ctx->pmq.rule_id_array_cnt; j++) {
2020  const Signature *ts = de_ctx->sig_array[det_ctx->pmq.rule_id_array[j]];
2021  if (ts->app_inspect != NULL) {
2022  const SigIntId id = ts->iid;
2023  det_ctx->tx_candidates[array_idx].s = ts;
2024  det_ctx->tx_candidates[array_idx].id = id;
2025  det_ctx->tx_candidates[array_idx].flags = NULL;
2026  det_ctx->tx_candidates[array_idx].stream_reset = 0;
2027  array_idx++;
2028 
2029  SCLogDebug("%p/%" PRIu64 " rule %u (%u) added from 'post match' prefilter",
2030  tx.tx_ptr, tx.tx_id, ts->id, id);
2031  }
2032  }
2033  SCLogDebug("%p/%" PRIu64 " rules added from 'post match' prefilter: %u", tx.tx_ptr,
2034  tx.tx_id, array_idx - prev_array_idx);
2035  if (prev_array_idx != array_idx) {
2036  /* sort, but only part of array we're still going to process */
2037  qsort(det_ctx->tx_candidates + i, array_idx - i, sizeof(RuleMatchCandidateTx),
2038  DetectRunTxSortHelper);
2039  }
2040  det_ctx->post_rule_work_queue.len = 0;
2041  PMQ_RESET(&det_ctx->pmq);
2042  }
2043 
2044  if (break_out_of_app_filter)
2045  break;
2046  }
2047  if (tx_fw_verdict)
2048  fw_verdicted++;
2049 
2050  det_ctx->tx_id = 0;
2051  det_ctx->tx_id_set = false;
2052  det_ctx->p = NULL;
2053 
2054  /* see if we have any updated state to store in the tx */
2055 
2056  /* this side of the tx is done */
2057  if (tx.tx_progress >= tx.tx_end_state) {
2058  SCLogDebug("%" PRIu64 ": %s tx done", p->pcap_cnt,
2059  flow_flags & STREAM_TOSERVER ? "toserver" : "toclient");
2060  const uint8_t inspected_flag = (flow_flags & STREAM_TOSERVER)
2061  ? APP_LAYER_TX_INSPECTED_TS
2062  : APP_LAYER_TX_INSPECTED_TC;
2063  tx.tx_data_ptr->flags |= inspected_flag;
2064  SCLogDebug("%p/%" PRIu64 " tx is done for direction %s. Progress %02x", tx.tx_ptr,
2065  tx.tx_id, flow_flags & STREAM_TOSERVER ? "toserver" : "toclient",
2066  tx.detect_progress);
2067  }
2068 
2069  if (tx.detect_progress != tx.detect_progress_orig) {
2070  SCLogDebug("%" PRIu64 ": %s tx state change %u -> %u", p->pcap_cnt,
2071  flow_flags & STREAM_TOSERVER ? "toserver" : "toclient", tx.detect_progress_orig,
2072  tx.detect_progress);
2073  SCLogDebug("%p/%" PRIu64 " Storing new progress %02x (was %02x)", tx.tx_ptr, tx.tx_id,
2074  tx.detect_progress, tx.detect_progress_orig);
2075 
2076  StoreDetectProgress(&tx, flow_flags, tx.detect_progress);
2077  }
2078 
2079  InspectionBufferClean(det_ctx);
2080 
2081  next:
2082  if (!ires.has_next)
2083  break;
2084  }
2085 
2086  /* apply default policy if there were txs to inspect, we have fw rules and non of the rules
2087  * applied a policy. */
2088  SCLogDebug("packet %" PRIu64 ": tx_inspected %u fw_verdicted %u", p->pcap_cnt, tx_inspected,
2089  fw_verdicted);
2090  if (tx_inspected && have_fw_rules && tx_inspected != fw_verdicted) {
2091  SCLogDebug("%" PRIu64 ": %s default drop", p->pcap_cnt,
2092  flow_flags & STREAM_TOSERVER ? "toserver" : "toclient");
2093  PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_DEFAULT_APP_POLICY);
2094  p->flow->flags |= FLOW_ACTION_DROP;
2095  return;
2096  }
2097  /* if all tables have been bypassed, we accept:packet */
2098  if (tx_inspected == 0 && fw_verdicted == 0 && have_fw_rules) {
2099  DetectRunAppendDefaultAccept(det_ctx, p);
2100  }
2101 }
2102 
2103 static void DetectRunFrames(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
2104  Packet *p, Flow *f, DetectRunScratchpad *scratch)
2105 {
2106  const SigGroupHead *const sgh = scratch->sgh;
2107  const AppProto alproto = f->alproto;
2108 
2109  /* for TCP, limit inspection to pseudo packets or real packet that did
2110  * an app-layer update. */
2111  if (p->proto == IPPROTO_TCP && !PKT_IS_PSEUDOPKT(p) &&
2112  ((PKT_IS_TOSERVER(p) && (f->flags & FLOW_TS_APP_UPDATED) == 0) ||
2113  (PKT_IS_TOCLIENT(p) && (f->flags & FLOW_TC_APP_UPDATED) == 0))) {
2114  SCLogDebug("pcap_cnt %" PRIu64 ": %s: skip frame inspection for TCP w/o APP UPDATE",
2115  p->pcap_cnt, PKT_IS_TOSERVER(p) ? "toserver" : "toclient");
2116  return;
2117  }
2118  FramesContainer *frames_container = AppLayerFramesGetContainer(f);
2119  if (frames_container == NULL) {
2120  return;
2121  }
2122  Frames *frames;
2123  if (PKT_IS_TOSERVER(p)) {
2124  frames = &frames_container->toserver;
2125  } else {
2126  frames = &frames_container->toclient;
2127  }
2128 
2129  for (uint32_t idx = 0; idx < frames->cnt; idx++) {
2130  SCLogDebug("frame %u", idx);
2131  Frame *frame = FrameGetByIndex(frames, idx);
2132  if (frame == NULL) {
2133  continue;
2134  }
2135 
2136  det_ctx->frame_inspect_progress = 0;
2137  uint32_t array_idx = 0;
2138  uint32_t total_rules = det_ctx->match_array_cnt;
2139 
2140  /* run prefilter engines and merge results into a candidates array */
2141  if (sgh->frame_engines) {
2142  // PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PF_TX);
2143  DetectRunPrefilterFrame(det_ctx, sgh, p, frames, frame, alproto);
2144  // PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PF_TX);
2145  SCLogDebug("%p/%" PRIi64 " rules added from prefilter: %u candidates", frame, frame->id,
2146  det_ctx->pmq.rule_id_array_cnt);
2147 
2148  total_rules += det_ctx->pmq.rule_id_array_cnt;
2149 
2150  if (!(RuleMatchCandidateTxArrayHasSpace(
2151  det_ctx, total_rules))) { // TODO is it safe to overload?
2152  RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
2153  }
2154 
2155  for (uint32_t i = 0; i < det_ctx->pmq.rule_id_array_cnt; i++) {
2156  const Signature *s = de_ctx->sig_array[det_ctx->pmq.rule_id_array[i]];
2157  const SigIntId id = s->iid;
2158  det_ctx->tx_candidates[array_idx].s = s;
2159  det_ctx->tx_candidates[array_idx].id = id;
2160  det_ctx->tx_candidates[array_idx].flags = NULL;
2161  det_ctx->tx_candidates[array_idx].stream_reset = 0;
2162  array_idx++;
2163  }
2164  PMQ_RESET(&det_ctx->pmq);
2165  }
2166  /* merge 'state' rules from the regular prefilter */
2167  uint32_t x = array_idx;
2168  for (uint32_t i = 0; i < det_ctx->match_array_cnt; i++) {
2169  const Signature *s = det_ctx->match_array[i];
2170  if (s->frame_inspect != NULL) {
2171  const SigIntId id = s->iid;
2172  det_ctx->tx_candidates[array_idx].s = s;
2173  det_ctx->tx_candidates[array_idx].id = id;
2174  det_ctx->tx_candidates[array_idx].flags = NULL;
2175  det_ctx->tx_candidates[array_idx].stream_reset = 0;
2176  array_idx++;
2177 
2178  SCLogDebug("%p/%" PRIi64 " rule %u (%u) added from 'match' list", frame, frame->id,
2179  s->id, id);
2180  }
2181  }
2182  SCLogDebug("%p/%" PRIi64 " rules added from 'match' list: %u", frame, frame->id,
2183  array_idx - x);
2184  (void)x;
2185 
2186  /* run rules: inspect the match candidates */
2187  for (uint32_t i = 0; i < array_idx; i++) {
2188  const Signature *s = det_ctx->tx_candidates[i].s;
2189 
2190  /* deduplicate: rules_array is sorted, but not deduplicated.
2191  * As they are back to back in that case we can check for it
2192  * here. We select the stored state one as that comes first
2193  * in the array. */
2194  while ((i + 1) < array_idx &&
2195  det_ctx->tx_candidates[i].s == det_ctx->tx_candidates[i + 1].s) {
2196  i++;
2197  }
2198  SCLogDebug("%p/%" PRIi64 " inspecting: sid %u (%u)", frame, frame->id, s->id, s->iid);
2199 
2200  /* start new inspection */
2201  SCLogDebug("%p/%" PRIi64 " Start sid %u", frame, frame->id, s->id);
2202 
2203  /* call individual rule inspection */
2204  RULE_PROFILING_START(p);
2205  bool r = DetectRunInspectRuleHeader(p, f, s, s->flags, s->proto.flags);
2206  if (r) {
2207  r = DetectRunFrameInspectRule(tv, det_ctx, s, f, p, frames, frame);
2208  if (r) {
2209  /* match */
2210  DetectRunPostMatch(tv, det_ctx, p, s);
2211 
2212  uint8_t alert_flags = (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_FRAME);
2213  det_ctx->frame_id = frame->id;
2214  SCLogDebug(
2215  "%p/%" PRIi64 " sig %u (%u) matched", frame, frame->id, s->id, s->iid);
2216  if (frame->flags & FRAME_FLAG_TX_ID_SET) {
2217  alert_flags |= PACKET_ALERT_FLAG_TX;
2218  }
2219  AlertQueueAppend(det_ctx, s, p, frame->tx_id, alert_flags);
2220  }
2221  }
2222  DetectVarProcessList(det_ctx, p->flow, p);
2223  RULE_PROFILING_END(det_ctx, s, r, p);
2224  }
2225 
2226  /* update Frame::inspect_progress here instead of in the code above. The reason is that a
2227  * frame might be used more than once in buffers with transforms. */
2228  if (frame->inspect_progress < det_ctx->frame_inspect_progress) {
2229  frame->inspect_progress = det_ctx->frame_inspect_progress;
2230  SCLogDebug("frame->inspect_progress: %" PRIu64 " -> updated", frame->inspect_progress);
2231  } else {
2232  SCLogDebug(
2233  "frame->inspect_progress: %" PRIu64 " -> not updated", frame->inspect_progress);
2234  }
2235 
2236  SCLogDebug("%p/%" PRIi64 " rules inspected, running cleanup", frame, frame->id);
2237  InspectionBufferClean(det_ctx);
2238  }
2239 }
2240 
2241 static DetectEngineThreadCtx *GetTenantById(HashTable *h, uint32_t id)
2242 {
2243  /* technically we need to pass a DetectEngineThreadCtx struct with the
2244  * tenant_id member. But as that member is the first in the struct, we
2245  * can use the id directly. */
2246  return HashTableLookup(h, &id, 0);
2247 }
2248 
2249 static void DetectFlow(ThreadVars *tv,
2250  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
2251  Packet *p)
2252 {
2253  Flow *const f = p->flow;
2254 
2255  /* we check the flow drop here, and not the packet drop. This is
2256  * to allow stream engine "invalid" drop packets to still be
2257  * evaluated by the stream event rules. */
2258  if (f->flags & FLOW_ACTION_DROP) {
2259  DEBUG_VALIDATE_BUG_ON(!(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP));
2260  SCReturn;
2261  }
2262 
2263  /* in firewall mode, we still need to run the fw rulesets even for exception policy pass */
2264  bool skip = false;
2265  if (EngineModeIsFirewall()) {
2266  skip = (f->flags & (FLOW_ACTION_ACCEPT));
2267 
2268  } else {
2269  skip = (p->flags & PKT_NOPACKET_INSPECTION || f->flags & (FLOW_ACTION_PASS));
2270  }
2271  if (skip) {
2272  /* enfore prior accept:flow */
2273  if (f->flags & FLOW_ACTION_ACCEPT) {
2274  p->action |= ACTION_ACCEPT;
2275  }
2276  /* hack: if we are in pass the entire flow mode, we need to still
2277  * update the inspect_id forward. So test for the condition here,
2278  * and call the update code if necessary. */
2279  const int pass = (f->flags & (FLOW_ACTION_PASS | FLOW_ACTION_ACCEPT));
2280  if (pass) {
2281  uint8_t flags = STREAM_FLAGS_FOR_PACKET(p);
2282  flags = FlowGetDisruptionFlags(f, flags);
2283  if (f->alstate) {
2284  AppLayerParserSetTransactionInspectId(f, f->alparser, f->alstate, flags, true);
2285  }
2286  }
2287  SCLogDebug("p->pcap %"PRIu64": no detection on packet, "
2288  "PKT_NOPACKET_INSPECTION is set", p->pcap_cnt);
2289  return;
2290  }
2291 
2292  /* see if the packet matches one or more of the sigs */
2293  DetectRun(tv, de_ctx, det_ctx, p);
2294 }
2295 
2296 
2297 static void DetectNoFlow(ThreadVars *tv,
2298  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
2299  Packet *p)
2300 {
2301  /* No need to perform any detection on this packet, if the given flag is set.*/
2302  if ((p->flags & PKT_NOPACKET_INSPECTION) || (PacketCheckAction(p, ACTION_DROP))) {
2303  return;
2304  }
2305 
2306  /* see if the packet matches one or more of the sigs */
2307  DetectRun(tv, de_ctx, det_ctx, p);
2308 }
2309 
2310 uint8_t DetectPreFlow(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p)
2311 {
2312  const DetectEngineCtx *de_ctx = det_ctx->de_ctx;
2313  const SigGroupHead *sgh = de_ctx->pre_flow_sgh;
2314 
2315  SCLogDebug("thread id: %u, packet %" PRIu64 ", sgh %p", tv->id, p->pcap_cnt, sgh);
2316  DetectRunPacketHook(tv, de_ctx, det_ctx, sgh, p);
2317  return p->action;
2318 }
2319 
2320 uint8_t DetectPreStream(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p)
2321 {
2322  const DetectEngineCtx *de_ctx = det_ctx->de_ctx;
2323  const int direction = (PKT_IS_TOCLIENT(p) != 0);
2324  const SigGroupHead *sgh = de_ctx->pre_stream_sgh[direction];
2325 
2326  SCLogDebug("thread id: %u, packet %" PRIu64 ", sgh %p", tv->id, p->pcap_cnt, sgh);
2327  DetectRunPacketHook(tv, de_ctx, det_ctx, sgh, p);
2328  return p->action;
2329 }
2330 
2331 /** \brief Detection engine thread wrapper.
2332  * \param tv thread vars
2333  * \param p packet to inspect
2334  * \param data thread specific data
2335  * \param pq packet queue
2336  * \retval TM_ECODE_FAILED error
2337  * \retval TM_ECODE_OK ok
2338  */
2339 TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
2340 {
2341  DEBUG_VALIDATE_PACKET(p);
2342 
2343  DetectEngineCtx *de_ctx = NULL;
2344  DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;
2345  if (det_ctx == NULL) {
2346  printf("ERROR: Detect has no thread ctx\n");
2347  goto error;
2348  }
2349 
2350  if (unlikely(SC_ATOMIC_GET(det_ctx->so_far_used_by_detect) == 0)) {
2351  (void)SC_ATOMIC_SET(det_ctx->so_far_used_by_detect, 1);
2352  SCLogDebug("Detect Engine using new det_ctx - %p",
2353  det_ctx);
2354  }
2355 
2356  /* if in MT mode _and_ we have tenants registered, use
2357  * MT logic. */
2358  if (det_ctx->mt_det_ctxs_cnt > 0 && det_ctx->TenantGetId != NULL)
2359  {
2360  uint32_t tenant_id = p->tenant_id;
2361  if (tenant_id == 0)
2362  tenant_id = det_ctx->TenantGetId(det_ctx, p);
2363  if (tenant_id > 0 && tenant_id < det_ctx->mt_det_ctxs_cnt) {
2364  p->tenant_id = tenant_id;
2365  det_ctx = GetTenantById(det_ctx->mt_det_ctxs_hash, tenant_id);
2366  if (det_ctx == NULL)
2367  return TM_ECODE_OK;
2368  de_ctx = det_ctx->de_ctx;
2369  if (de_ctx == NULL)
2370  return TM_ECODE_OK;
2371 
2372  if (unlikely(SC_ATOMIC_GET(det_ctx->so_far_used_by_detect) == 0)) {
2373  (void)SC_ATOMIC_SET(det_ctx->so_far_used_by_detect, 1);
2374  SCLogDebug("MT de_ctx %p det_ctx %p (tenant %u)", de_ctx, det_ctx, tenant_id);
2375  }
2376  } else {
2377  /* use default if no tenants are registered for this packet */
2378  de_ctx = det_ctx->de_ctx;
2379  }
2380  } else {
2381  de_ctx = det_ctx->de_ctx;
2382  }
2383 
2384  if (p->flow) {
2385  DetectFlow(tv, de_ctx, det_ctx, p);
2386  } else {
2387  DetectNoFlow(tv, de_ctx, det_ctx, p);
2388  }
2389 
2390 #ifdef PROFILE_RULES
2391  /* aggregate statistics */
2392  struct timeval ts;
2393  gettimeofday(&ts, NULL);
2394  if (ts.tv_sec != det_ctx->rule_perf_last_sync) {
2395  SCProfilingRuleThreatAggregate(det_ctx);
2396  det_ctx->rule_perf_last_sync = ts.tv_sec;
2397  }
2398 #endif
2399 
2400  return TM_ECODE_OK;
2401 error:
2402  return TM_ECODE_FAILED;
2403 }
2404 
2405 /** \brief disable file features we don't need
2406  * Called if we have no detection engine.
2407  */
2408 void DisableDetectFlowFileFlags(Flow *f)
2409 {
2410  DetectPostInspectFileFlagsUpdate(f, NULL /* no sgh */, STREAM_TOSERVER);
2411  DetectPostInspectFileFlagsUpdate(f, NULL /* no sgh */, STREAM_TOCLIENT);
2412 }
2413 
2414 #ifdef UNITTESTS
2415 /**
2416  * \brief wrapper for old tests
2417  */
2418 void SigMatchSignatures(
2419  ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
2420 {
2421  if (p->flow) {
2422  DetectFlow(tv, de_ctx, det_ctx, p);
2423  } else {
2424  DetectNoFlow(tv, de_ctx, det_ctx, p);
2425  }
2426 }
2427 #endif
2428 
2429 /*
2430  * TESTS
2431  */
2432 
2433 #ifdef UNITTESTS
2434 #include "tests/detect.c"
2435 #endif
PKT_IS_TOCLIENT
#define PKT_IS_TOCLIENT(p)
Definition: decode.h:239
default_accept
thread_local Signature default_accept
Definition: detect.c:1617
DetectEngineAppInspectionEngine_::stream
bool stream
Definition: detect.h:421
PacketCheckAction
bool PacketCheckAction(const Packet *p, const uint8_t a)
Definition: packet.c:50
FLOWFILE_NO_MD5_TS
#define FLOWFILE_NO_MD5_TS
Definition: flow.h:137
RulesDumpTxMatchArray
void RulesDumpTxMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, const Packet *p, const uint64_t tx_id, const uint32_t rule_cnt, const uint32_t pkt_prefilter_cnt)
Definition: detect-engine-profile.c:34
SIG_GROUP_HEAD_HAVEFILEMD5
#define SIG_GROUP_HEAD_HAVEFILEMD5
Definition: detect.h:1491
PACKET_ALERT_FLAG_TX_GUESSED
#define PACKET_ALERT_FLAG_TX_GUESSED
Definition: decode.h:278
FLOWFILE_NO_MD5_TC
#define FLOWFILE_NO_MD5_TC
Definition: flow.h:138
SigGroupHead_::tx_engines
PrefilterEngine * tx_engines
Definition: detect.h:1640
DetectEngineAppInspectionEngine_
Definition: detect.h:416
Packet_::proto
uint8_t proto
Definition: decode.h:523
DetectTransaction_::tx_data_ptr
struct AppLayerTxData * tx_data_ptr
Definition: detect-engine-prefilter.h:34
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:420
DE_STATE_CHUNK_SIZE
#define DE_STATE_CHUNK_SIZE
Definition: detect-engine-state.h:55
RuleMatchCandidateTx::stream_stored
bool stream_stored
Definition: detect.h:1204
Frame::inspect_progress
uint64_t inspect_progress
Definition: app-layer-frames.h:53
DetectEngineThreadCtx_::alert_queue_size
uint16_t alert_queue_size
Definition: detect.h:1328
PROF_DETECT_GETSGH
@ PROF_DETECT_GETSGH
Definition: suricata-common.h:458
ts
uint64_t ts
Definition: source-erf-file.c:55
SCAppLayerParserStateIssetFlag
uint16_t SCAppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint16_t flag)
Definition: app-layer-parser.c:1833
detect-engine.h
detect-engine-proto.h
DetectEngineThreadCtx_::match_array_cnt
SigIntId match_array_cnt
Definition: detect.h:1339
Frame::tx_id
uint64_t tx_id
Definition: app-layer-frames.h:52
DetectEngineStateDirection_::flags
uint8_t flags
Definition: detect-engine-state.h:91
DetectEngineThreadCtx_::counter_alerts
StatsCounterId counter_alerts
Definition: detect.h:1290
detect-dsize.h
Signature_::addr_src_match6
DetectMatchAddressIPv6 * addr_src_match6
Definition: detect.h:711
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
DetectEngineCtx_::decoder_event_sgh
struct SigGroupHead_ * decoder_event_sgh
Definition: detect.h:1018
FlowGetPacketDirection
int FlowGetPacketDirection(const Flow *f, const Packet *p)
determine the direction of the packet compared to the flow
Definition: flow.c:279
DetectEngineCtx_::flow_gh
DetectEngineLookupFlow flow_gh[FLOW_STATES]
Definition: detect.h:960
DE_STATE_FLAG_SIG_CANT_MATCH
#define DE_STATE_FLAG_SIG_CANT_MATCH
Definition: detect-engine-state.h:59
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:47
DetectEngineAppInspectionEngine_::next
struct DetectEngineAppInspectionEngine_ * next
Definition: detect.h:441
DETECT_PROTO_IPV6
#define DETECT_PROTO_IPV6
Definition: detect-engine-proto.h:32
detect-engine-siggroup.h
SigGroupHead_::flags
uint16_t flags
Definition: detect.h:1629
APP_LAYER_TX_SKIP_INSPECT_TC
#define APP_LAYER_TX_SKIP_INSPECT_TC
Definition: app-layer-parser.h:68
PostRuleMatchWorkQueue::len
uint32_t len
Definition: detect.h:1228
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1323
DetectEngineState_
Definition: detect-engine-state.h:95
stream-tcp.h
PrefilterRuleStore_::rule_id_array_cnt
uint32_t rule_id_array_cnt
Definition: util-prefilter.h:40
detect-engine-event.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1628
PACKET_ALERT_FLAG_STATE_MATCH
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:268
DetectEngineCtx_::guess_applayer
bool guess_applayer
Definition: detect.h:980
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
detect.c
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:386
Signature_::app_progress_hook
uint8_t app_progress_hook
Definition: detect.h:705
AppLayerFramesGetContainer
FramesContainer * AppLayerFramesGetContainer(const Flow *f)
Definition: app-layer-parser.c:184
KEYWORD_PROFILING_SET_LIST
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
Definition: util-profiling.h:46
DetectAddressMatchIPv4
int DetectAddressMatchIPv4(const DetectMatchAddressIPv4 *addrs, uint16_t addrs_cnt, const Address *a)
Match a packets address against a signatures addrs array.
Definition: detect-engine-address.c:1590
DetectEngineAppInspectionEngine_::Callback
InspectEngineFuncPtr Callback
Definition: detect.h:434
Signature_::alproto
AppProto alproto
Definition: detect.h:673
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
FLOW_SGH_TOCLIENT
#define FLOW_SGH_TOCLIENT
Definition: flow.h:75
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:626
AppLayerParserSetTransactionInspectId
void AppLayerParserSetTransactionInspectId(const Flow *f, AppLayerParserState *pstate, void *alstate, const uint8_t flags, bool tag_txs_as_inspected)
Definition: app-layer-parser.c:740
DetectEngineStateDirection_::cnt
SigIntId cnt
Definition: detect-engine-state.h:89
AppLayerGetTxIterator
AppLayerGetTxIteratorFunc AppLayerGetTxIterator(const uint8_t ipproto, const AppProto alproto)
Definition: app-layer-parser.c:693
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
SigMatchData_::is_last
bool is_last
Definition: detect.h:367
InspectionBufferClean
void InspectionBufferClean(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine-inspect-buffer.c:30
Flow_::proto
uint8_t proto
Definition: flow.h:370
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:86
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:287
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1073
DetectEngineThreadCtx_::tx_id
uint64_t tx_id
Definition: detect.h:1319
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:368
action-globals.h
FLOWFILE_NO_MAGIC_TS
#define FLOWFILE_NO_MAGIC_TS
Definition: flow.h:130
FramesContainer::toserver
Frames toserver
Definition: app-layer-frames.h:72
Packet_::flags
uint32_t flags
Definition: decode.h:544
Packet_::action
uint8_t action
Definition: decode.h:609
ICMPV4_DEST_UNREACH_IS_VALID
#define ICMPV4_DEST_UNREACH_IS_VALID(p)
Definition: decode-icmpv4.h:253
Frame
Definition: app-layer-frames.h:43
Flow_
Flow data structure.
Definition: flow.h:348
DetectTransaction_::tx_end_state
const int tx_end_state
Definition: detect-engine-prefilter.h:44
PROF_DETECT_ALERT
@ PROF_DETECT_ALERT
Definition: suricata-common.h:469
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1348
SIG_GROUP_HEAD_HAVEFILESHA1
#define SIG_GROUP_HEAD_HAVEFILESHA1
Definition: detect.h:1493
FLOW_TC_APP_UPDATED
#define FLOW_TC_APP_UPDATED
Definition: flow.h:120
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:933
AppLayerParserGetStateProgressCompletionStatus
int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:1102
DetectEngineCtx_::pre_stream_sgh
struct SigGroupHead_ * pre_stream_sgh[2]
Definition: detect.h:1156
DetectRunScratchpad
struct DetectRunScratchpad DetectRunScratchpad
PROF_DETECT_PF_TX
@ PROF_DETECT_PF_TX
Definition: suricata-common.h:464
Frames::cnt
uint16_t cnt
Definition: app-layer-frames.h:59
Frame::id
int64_t id
Definition: app-layer-frames.h:51
DetectEngineThreadCtx_::p
Packet * p
Definition: detect.h:1323
DetectEngineState_::dir_state
DetectEngineStateDirection dir_state[2]
Definition: detect-engine-state.h:96
FrameGetByIndex
Frame * FrameGetByIndex(Frames *frames, const uint32_t idx)
Definition: app-layer-frames.c:145
RuleMatchCandidateTx::id
SigIntId id
Definition: detect.h:1200
PROF_DETECT_CLEANUP
@ PROF_DETECT_CLEANUP
Definition: suricata-common.h:471
SIG_FLAG_DST_ANY
#define SIG_FLAG_DST_ANY
Definition: detect.h:242
ACTION_SCOPE_FLOW
@ ACTION_SCOPE_FLOW
Definition: action-globals.h:45
NO_TX
#define NO_TX
Definition: detect.c:1395
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
HashTable_
Definition: util-hash.h:35
SIG_FLAG_TXBOTHDIR
#define SIG_FLAG_TXBOTHDIR
Definition: detect.h:250
Packet_::sig_mask
SignatureMask sig_mask
Definition: decode.h:538
Frames
Definition: app-layer-frames.h:58
FramesContainer
Definition: app-layer-frames.h:71
PacketAlerts_::drop
PacketAlert drop
Definition: decode.h:293
DetectEngineThreadCtx_::counter_alerts_overflow
StatsCounterId counter_alerts_overflow
Definition: detect.h:1292
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: app-layer-parser.h:42
DetectRunScratchpad
Definition: detect.c:69
SIG_GROUP_HEAD_HAVERAWSTREAM
#define SIG_GROUP_HEAD_HAVERAWSTREAM
Definition: detect.h:1487
FLOW_ACTION_DROP
#define FLOW_ACTION_DROP
Definition: flow.h:70
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:107
FLOWFILE_NONE
#define FLOWFILE_NONE
Definition: flow.h:160
detect-engine-frame.h
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2418
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:731
proto
uint8_t proto
Definition: decode-template.h:0
m
SCMutex m
Definition: flow-hash.h:6
DetectPort_::sh
struct SigGroupHead_ * sh
Definition: detect.h:231
PKT_NOPAYLOAD_INSPECTION
#define PKT_NOPAYLOAD_INSPECTION
Definition: decode.h:1254
PACKET_PROFILING_DETECT_END
#define PACKET_PROFILING_DETECT_END(p, id)
Definition: util-profiling.h:221
DetectEngineThreadCtx_::counter_alerts_suppressed
StatsCounterId counter_alerts_suppressed
Definition: detect.h:1294
Detect
TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
Detection engine thread wrapper.
Definition: detect.c:2339
detect-engine-payload.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
EngineModeIsFirewall
bool EngineModeIsFirewall(void)
Definition: suricata.c:238
SIG_FLAG_SRC_ANY
#define SIG_FLAG_SRC_ANY
Definition: detect.h:241
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:82
DetectRunFrameInspectRule
bool DetectRunFrameInspectRule(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, const Frames *frames, const Frame *frame)
Definition: detect-engine-frame.c:229
Flow_::protoctx
void * protoctx
Definition: flow.h:433
SigMatchData_
Data needed for Match()
Definition: detect.h:365
DeStateStoreItem_::sid
SigIntId sid
Definition: detect-engine-state.h:77
RuleMatchCandidateTx::s
const Signature * s
Definition: detect.h:1210
KEYWORD_PROFILING_START
#define KEYWORD_PROFILING_START
Definition: util-profiling.h:50
SigMatchData_::type
uint16_t type
Definition: detect.h:366
DetectEngineCtx_::version
uint32_t version
Definition: detect.h:1014
DisableDetectFlowFileFlags
void DisableDetectFlowFileFlags(Flow *f)
disable file features we don't need Called if we have no detection engine.
Definition: detect.c:2408
AppLayerParserGetTransactionInspectId
uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction)
Definition: app-layer-parser.c:718
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:620
DetectTransaction_::tx_progress
const int tx_progress
Definition: detect-engine-prefilter.h:43
detect-engine-prefilter.h
DetectRunPrefilterFrame
void DetectRunPrefilterFrame(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const Frames *frames, const Frame *frame, const AppProto alproto)
Definition: detect-engine-frame.c:74
Packet_::events
PacketEngineEvents events
Definition: decode.h:630
Signature_::frame_inspect
DetectEngineFrameInspectionEngine * frame_inspect
Definition: detect.h:727
PROF_DETECT_PF_SORT2
@ PROF_DETECT_PF_SORT2
Definition: suricata-common.h:467
pad
uint16_t pad
Definition: source-erf-file.c:61
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:81
PacketCreateMask
void PacketCreateMask(Packet *p, SignatureMask *mask, AppProto alproto, bool app_decoder_events)
Definition: detect-engine-build.c:401
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:249
KEYWORD_PROFILING_END
#define KEYWORD_PROFILING_END(ctx, type, m)
Definition: util-profiling.h:64
detect-flowvar.h
DetectEngineThreadCtx_::mt_det_ctxs_hash
HashTable * mt_det_ctxs_hash
Definition: detect.h:1257
PacketAlert_::action
uint8_t action
Definition: decode.h:250
TcpSession_::flags
uint32_t flags
Definition: stream-tcp-private.h:294
DetectEnginePktInspectionRun
bool DetectEnginePktInspectionRun(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, uint8_t *alert_flags)
Definition: detect-engine.c:1804
SIG_FLAG_FIREWALL
#define SIG_FLAG_FIREWALL
Definition: detect.h:246
Flow_::sgh_toserver
const struct SigGroupHead_ * sgh_toserver
Definition: flow.h:478
PROF_DETECT_TX_UPDATE
@ PROF_DETECT_TX_UPDATE
Definition: suricata-common.h:470
DetectEngineAppInspectionEngine_::id
uint8_t id
Definition: detect.h:419
DetectRunStoreStateTx
void DetectRunStoreStateTx(const SigGroupHead *sgh, Flow *f, void *tx, uint64_t tx_id, const Signature *s, uint32_t inspect_flags, uint8_t flow_flags, const uint16_t file_no_match)
Definition: detect-engine-state.c:214
StatsCounterAvgAddI64
void StatsCounterAvgAddI64(StatsThreadContext *stats, StatsCounterAvgId id, int64_t x)
Definition: counters.c:240
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:424
FLOWFILE_INIT
#define FLOWFILE_INIT
Definition: flow.h:127
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:470
FLOW_ACTION_PASS
#define FLOW_ACTION_PASS
Definition: flow.h:117
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
Definition: detect-engine-state.h:46
FLOWFILE_NO_SHA1_TC
#define FLOWFILE_NO_SHA1_TC
Definition: flow.h:142
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:127
FramesContainer::toclient
Frames toclient
Definition: app-layer-frames.h:73
DetectEngineCtx_::pre_flow_sgh
struct SigGroupHead_ * pre_flow_sgh
Definition: detect.h:1161
DetectEngineThreadCtx_::tx_candidates
RuleMatchCandidateTx * tx_candidates
Definition: detect.h:1341
SIG_TYPE_PKT
@ SIG_TYPE_PKT
Definition: detect.h:72
PKT_DROP_REASON_DEFAULT_APP_POLICY
@ PKT_DROP_REASON_DEFAULT_APP_POLICY
Definition: decode.h:399
Signature_::addr_src_match4
DetectMatchAddressIPv4 * addr_src_match4
Definition: detect.h:708
decode.h
PKT_SRC_WIRE
@ PKT_SRC_WIRE
Definition: decode.h:52
TOSERVER
#define TOSERVER
Definition: flow.h:45
DetectEngineThreadCtx_::counter_mpm_list
StatsCounterAvgId counter_mpm_list
Definition: detect.h:1296
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:238
Prefilter
void Prefilter(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const uint8_t flags, const SignatureMask mask)
Definition: detect-engine-prefilter.c:216
DetectTransaction_::detect_progress_orig
const uint8_t detect_progress_orig
Definition: detect-engine-prefilter.h:41
DetectEngineThreadCtx_
Definition: detect.h:1245
DEBUG_VALIDATE_PACKET
#define DEBUG_VALIDATE_PACKET(p)
Definition: util-validate.h:101
DeStateStoreItem_::flags
uint32_t flags
Definition: detect-engine-state.h:76
PKT_STREAM_ADD
#define PKT_STREAM_ADD
Definition: decode.h:1262
DetectTransaction_::detect_progress
uint8_t detect_progress
Definition: detect-engine-prefilter.h:39
FLOWFILE_NO_STORE_TS
#define FLOWFILE_NO_STORE_TS
Definition: flow.h:134
AppLayerGetTxIterTuple
struct AppLayerGetTxIterTuple AppLayerGetTxIterTuple
Definition: app-layer-parser.h:40
BIT_U32
#define BIT_U32(n)
Definition: suricata-common.h:417
DetectEngineThreadCtx_::tx_candidates_size
uint32_t tx_candidates_size
Definition: detect.h:1342
FRAME_FLAG_TX_ID_SET
#define FRAME_FLAG_TX_ID_SET
Definition: app-layer-frames.h:36
PKT_PSEUDO_STREAM_END
#define PKT_PSEUDO_STREAM_END
Definition: decode.h:1270
PKT_IS_FRAGMENT
#define PKT_IS_FRAGMENT
Definition: decode.h:1292
BOOL2STR
#define BOOL2STR(b)
Definition: util-debug.h:539
STREAM_FLAGS_FOR_PACKET
#define STREAM_FLAGS_FOR_PACKET(p)
Definition: stream.h:30
SCEnter
#define SCEnter(...)
Definition: util-debug.h:281
PMQ_RESET
#define PMQ_RESET(pmq)
Definition: util-prefilter.h:46
detect-engine-mpm.h
DetectEngineLookupFlow_::sgh
struct SigGroupHead_ * sgh[256]
Definition: detect.h:865
HashTableLookup
void * HashTableLookup(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash.c:182
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DeStateStore_::next
struct DeStateStore_ * next
Definition: detect-engine-state.h:82
DetectRunScratchpad::default_action
const uint8_t default_action
Definition: detect.c:79
Packet_::sp
Port sp
Definition: decode.h:508
FLOWFILE_NO_SHA256_TS
#define FLOWFILE_NO_SHA256_TS
Definition: flow.h:145
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:41
PKT_DETECT_HAS_STREAMDATA
#define PKT_DETECT_HAS_STREAMDATA
Definition: decode.h:1307
FLOW_PKT_TOCLIENT_FIRST
#define FLOW_PKT_TOCLIENT_FIRST
Definition: flow.h:229
StreamReassembleRawHasDataReady
bool StreamReassembleRawHasDataReady(TcpSession *ssn, Packet *p)
does the stream engine have data to inspect?
Definition: stream-tcp-reassemble.c:1509
detect-engine-port.h
PktSrcToString
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:867
DetectPort_
Port structure for detection engine.
Definition: detect.h:220
PacketAlerts_::discarded
uint16_t discarded
Definition: decode.h:288
app-layer-parser.h
Signature_::app_inspect
DetectEngineAppInspectionEngine * app_inspect
Definition: detect.h:725
ThreadVars_::id
int id
Definition: threadvars.h:86
util-detect.h
detect-engine-profile.h
Flow_::sgh_toclient
const struct SigGroupHead_ * sgh_toclient
Definition: flow.h:475
DetectEngineThreadCtx_::base64_decoded_len
int base64_decoded_len
Definition: detect.h:1326
SIG_FLAG_REQUIRE_FLOWVAR
#define SIG_FLAG_REQUIRE_FLOWVAR
Definition: detect.h:267
RuleMatchCandidateTx::stream_result
uint8_t stream_result
Definition: detect.h:1205
Signature_::action
uint8_t action
Definition: detect.h:683
util-profiling.h
DetectTransaction_::tx_id
const uint64_t tx_id
Definition: detect-engine-prefilter.h:33
DetectEngineLookupFlow_::udp
DetectPort * udp
Definition: detect.h:864
DetectEngineThreadCtx_::raw_stream_progress
uint64_t raw_stream_progress
Definition: detect.h:1266
SigIntId
#define SigIntId
Definition: detect-engine-state.h:38
FileUpdateFlowFileFlags
void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction)
set a flow's file flags
Definition: util-file.c:1091
SCReturn
#define SCReturn
Definition: util-debug.h:283
Signature_::flags
uint32_t flags
Definition: detect.h:669
AlertQueueAppend
void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t alert_flags)
Append signature to local packet alert queue for later preprocessing.
Definition: detect-engine-alert.c:353
RuleMatchCandidateTxArrayFree
void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx)
Definition: detect.c:1084
AppLayerGetTxIterState
Definition: app-layer-parser.h:134
Packet_
Definition: decode.h:501
detect-engine-build.h
ACTION_SCOPE_TX
@ ACTION_SCOPE_TX
Definition: action-globals.h:47
DetectEngineThreadCtx_::frame_id
int64_t frame_id
Definition: detect.h:1320
detect-engine-alert.h
DetectEngineThreadCtx_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1287
PROF_DETECT_IPONLY
@ PROF_DETECT_IPONLY
Definition: suricata-common.h:459
RULE_PROFILING_END
#define RULE_PROFILING_END(a, b, c, p)
Definition: util-profiling.h:422
TmEcode
TmEcode
Definition: tm-threads-common.h:80
RULE_PROFILING_START
#define RULE_PROFILING_START(p)
Definition: util-profiling.h:421
ALPROTO_DOH2
@ ALPROTO_DOH2
Definition: app-layer-protos.h:66
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:297
DetectPreFlow
uint8_t DetectPreFlow(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p)
Definition: detect.c:2310
DetectTransaction_::de_state
DetectEngineStateDirection * de_state
Definition: detect-engine-prefilter.h:35
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
detect-filestore.h
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1420
detect-replace.h
RulesDumpMatchArray
void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, const Packet *p)
Definition: detect-engine-profile.c:78
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:69
Signature_::addr_dst_match6_cnt
uint16_t addr_dst_match6_cnt
Definition: detect.h:695
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:226
SigGroupHead_::frame_engines
PrefilterEngine * frame_engines
Definition: detect.h:1641
PACKET_ALERT_NOTX
#define PACKET_ALERT_NOTX
Definition: detect.h:55
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:273
Signature_::sp
DetectPort * sp
Definition: detect.h:719
APP_LAYER_PARSER_NO_INSPECTION
#define APP_LAYER_PARSER_NO_INSPECTION
Definition: app-layer-parser.h:49
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1095
DetectRunScratchpad::sgh
const SigGroupHead * sgh
Definition: detect.c:80
PACKET_ALERT_FLAG_APPLY_ACTION_TO_PACKET
#define PACKET_ALERT_FLAG_APPLY_ACTION_TO_PACKET
Definition: decode.h:280
PacketAlertFinalize
void PacketAlertFinalize(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Check the threshold of the sigs that match, set actions, break on pass action This function iterate t...
Definition: detect-engine-alert.c:581
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:42
DETECT_ENGINE_STATE_FLAG_FILE_NEW
#define DETECT_ENGINE_STATE_FLAG_FILE_NEW
Definition: detect-engine-state.h:73
Flow_::flowvar
GenericVar * flowvar
Definition: flow.h:481
PKT_DROP_REASON_DEFAULT_PACKET_POLICY
@ PKT_DROP_REASON_DEFAULT_PACKET_POLICY
Definition: decode.h:398
RuleMatchCandidateTx::flags
uint32_t * flags
Definition: detect.h:1201
PACKET_ALERT_FLAG_FRAME
#define PACKET_ALERT_FLAG_FRAME
Definition: decode.h:276
Frame::flags
uint8_t flags
Definition: app-layer-frames.h:45
DetectEngineAppInspectionEngine_::alproto
AppProto alproto
Definition: detect.h:417
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
detect-engine-analyzer.h
FLOWFILE_NO_SHA256_TC
#define FLOWFILE_NO_SHA256_TC
Definition: flow.h:146
DetectEngineStateDirection_::head
DeStateStore * head
Definition: detect-engine-state.h:86
DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES
#define DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES
Definition: detect-engine-state.h:52
DetectProto_::flags
uint8_t flags
Definition: detect-engine-proto.h:37
DETECT_PROTO_IPV4
#define DETECT_PROTO_IPV4
Definition: detect-engine-proto.h:31
app-layer-frames.h
DetectAddressMatchIPv6
int DetectAddressMatchIPv6(const DetectMatchAddressIPv6 *addrs, uint16_t addrs_cnt, const Address *a)
Match a packets address against a signatures addrs array.
Definition: detect-engine-address.c:1623
Packet_::tenant_id
uint32_t tenant_id
Definition: decode.h:665
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
DetectEngineStateResetTxs
void DetectEngineStateResetTxs(Flow *f)
Reset de state for active tx' To be used on detect engine reload.
Definition: detect-engine-state.c:260
FLOWFILE_NO_MAGIC_TC
#define FLOWFILE_NO_MAGIC_TC
Definition: flow.h:131
flags
uint8_t flags
Definition: decode-gre.h:0
Signature_::proto
DetectProto proto
Definition: detect.h:687
SCGenericVarFree
void SCGenericVarFree(GenericVar *gv)
Definition: util-var.c:48
suricata-common.h
SIG_FLAG_SP_ANY
#define SIG_FLAG_SP_ANY
Definition: detect.h:243
ActionScope
ActionScope
Definition: action-globals.h:42
ACTION_SCOPE_HOOK
@ ACTION_SCOPE_HOOK
Definition: action-globals.h:46
Signature_::action_scope
uint8_t action_scope
Definition: detect.h:690
packet.h
DeStateStore_
Definition: detect-engine-state.h:80
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
DetectTransaction_
Definition: detect-engine-prefilter.h:31
Packet_::app_update_direction
uint8_t app_update_direction
Definition: decode.h:535
PROF_DETECT_SETUP
@ PROF_DETECT_SETUP
Definition: suricata-common.h:457
DetectEngineStateDirection_
Definition: detect-engine-state.h:85
DetectEngineThreadCtx_::frame_inspect_progress
uint64_t frame_inspect_progress
Definition: detect.h:1321
DetectEngineCtx_::profile_match_logging_threshold
uint32_t profile_match_logging_threshold
Definition: detect.h:1050
FLOW_TS_APP_UPDATED
#define FLOW_TS_APP_UPDATED
Definition: flow.h:119
AppLayerParserGetTxData
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:1169
FatalError
#define FatalError(...)
Definition: util-debug.h:514
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:297
FLOWFILE_NO_STORE_TC
#define FLOWFILE_NO_STORE_TC
Definition: flow.h:135
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
DetectEngineAppInspectionEngine_::progress
int16_t progress
Definition: detect.h:426
FLOW_ACTION_ACCEPT
#define FLOW_ACTION_ACCEPT
Definition: flow.h:62
util-validate.h
DetectTransaction_::tx_ptr
void * tx_ptr
Definition: detect-engine-prefilter.h:32
Signature_::addr_src_match6_cnt
uint16_t addr_src_match6_cnt
Definition: detect.h:696
StreamReassembleRawUpdateProgress
void StreamReassembleRawUpdateProgress(TcpSession *ssn, Packet *p, const uint64_t progress)
update stream engine after detection
Definition: stream-tcp-reassemble.c:1555
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@83 v2
FLOWFILE_NO_SHA1_TS
#define FLOWFILE_NO_SHA1_TS
Definition: flow.h:141
PROF_DETECT_RULES
@ PROF_DETECT_RULES
Definition: suricata-common.h:460
APP_LAYER_TX_INSPECTED_TS
#define APP_LAYER_TX_INSPECTED_TS
Definition: app-layer-parser.h:70
DetectRunScratchpad::app_decoder_events
const bool app_decoder_events
Definition: detect.c:72
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:296
Signature_::dp
DetectPort * dp
Definition: detect.h:719
PacketAlerts_::suppressed
uint16_t suppressed
Definition: decode.h:289
PACKET_PROFILING_DETECT_START
#define PACKET_PROFILING_DETECT_START(p, id)
Definition: util-profiling.h:214
Signature_::iid
SigIntId iid
Definition: detect.h:680
FLOW_SGH_TOSERVER
#define FLOW_SGH_TOSERVER
Definition: flow.h:73
APP_LAYER_TX_ACCEPT
#define APP_LAYER_TX_ACCEPT
Definition: app-layer-parser.h:73
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Packet_::pkt_src
uint8_t pkt_src
Definition: decode.h:611
SGH_PROFILING_RECORD
#define SGH_PROFILING_RECORD(det_ctx, sgh)
Definition: util-profiling.h:252
Signature_::addr_dst_match6
DetectMatchAddressIPv6 * addr_dst_match6
Definition: detect.h:710
Flow_::alstate
void * alstate
Definition: flow.h:471
Signature_::id
uint32_t id
Definition: detect.h:713
DeStateStore_::store
DeStateStoreItem store[DE_STATE_CHUNK_SIZE]
Definition: detect-engine-state.h:81
DetectEngineCtx_::guess_applayer_log_limit
uint8_t guess_applayer_log_limit
Definition: detect.h:977
Flow_::flags
uint32_t flags
Definition: flow.h:413
RuleMatchCandidateTx::stream_reset
uint32_t stream_reset
Definition: detect.h:1207
ACTION_SCOPE_PACKET
@ ACTION_SCOPE_PACKET
Definition: action-globals.h:44
detect-engine-iponly.h
Signature_
Signature container.
Definition: detect.h:668
PACKET_ALERT_FLAG_TX
#define PACKET_ALERT_FLAG_TX
Definition: decode.h:272
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
TRACE_SID_TXS
#define TRACE_SID_TXS(sid, txs,...)
Definition: detect.c:1147
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineThreadCtx_::tx_id_set
bool tx_id_set
Definition: detect.h:1317
PacketDrop
void PacketDrop(Packet *p, const uint8_t action, enum PacketDropReason r)
issue drop action
Definition: packet.c:34
ACTION_ACCEPT
#define ACTION_ACCEPT
Definition: action-globals.h:36
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:201
DetectRunScratchpad::flow_flags
const uint8_t flow_flags
Definition: detect.c:71
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1363
suricata.h
IPOnlyMatchPacket
void IPOnlyMatchPacket(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineIPOnlyCtx *io_ctx, Packet *p)
Match a packet against the IP Only detection engine contexts.
Definition: detect-engine-iponly.c:1000
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:951
Packet_::dst
Address dst
Definition: decode.h:506
PROF_DETECT_TX
@ PROF_DETECT_TX
Definition: suricata-common.h:461
DetectEngineAppInspectionEngine_::dir
uint8_t dir
Definition: detect.h:418
PKT_NOPACKET_INSPECTION
#define PKT_NOPACKET_INSPECTION
Definition: decode.h:1249
PrefilterPostRuleMatch
void PrefilterPostRuleMatch(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, Flow *f)
invoke post-rule match "prefilter" engines
Definition: detect-engine-prefilter.c:193
DetectGetInnerTx
void * DetectGetInnerTx(void *tx_ptr, AppProto alproto, AppProto engine_alproto, uint8_t flow_flags)
Definition: detect.c:1151
DetectPreStream
uint8_t DetectPreStream(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p)
Definition: detect.c:2320
DetectRunScratchpad::alproto
const AppProto alproto
Definition: detect.c:70
DE_STATE_FLAG_FULL_INSPECT
#define DE_STATE_FLAG_FULL_INSPECT
Definition: detect-engine-state.h:58
STREAMTCP_STREAM_FLAG_DISABLE_RAW
#define STREAMTCP_STREAM_FLAG_DISABLE_RAW
Definition: stream-tcp-private.h:238
DetectEngineThreadCtx_::json_content_len
uint8_t json_content_len
Definition: detect.h:1284
DetectEngineThreadCtx_::mt_det_ctxs_cnt
uint32_t mt_det_ctxs_cnt
Definition: detect.h:1255
AppLayerGetTxIteratorFunc
AppLayerGetTxIterTuple(* AppLayerGetTxIteratorFunc)(const uint8_t ipproto, const AppProto alproto, void *alstate, uint64_t min_tx_id, uint64_t max_tx_id, AppLayerGetTxIterState *state)
tx iterator prototype
Definition: app-layer-parser.h:143
likely
#define likely(expr)
Definition: util-optimize.h:32
IPPROTO_SCTP
#define IPPROTO_SCTP
Definition: decode.h:1230
DE_STATE_FLAG_FILE_INSPECT
#define DE_STATE_FLAG_FILE_INSPECT
Definition: detect-engine-state.h:63
id
uint32_t id
Definition: detect-flowbits.c:944
DetectEngineThreadCtx_::counter_match_list
StatsCounterAvgId counter_match_list
Definition: detect.h:1297
DetectEngineCtx_::io_ctx
DetectEngineIPOnlyCtx io_ctx
Definition: detect.h:971
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:375
Signature_::addr_dst_match4
DetectMatchAddressIPv4 * addr_dst_match4
Definition: detect.h:707
FlowGetDisruptionFlags
uint8_t FlowGetDisruptionFlags(const Flow *f, uint8_t flags)
get 'disruption' flags: GAP/DEPTH/PASS
Definition: flow.c:1143
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Signature_::addr_src_match4_cnt
uint16_t addr_src_match4_cnt
Definition: detect.h:694
DeStateStoreItem_
Definition: detect-engine-state.h:75
Signature_::addr_dst_match4_cnt
uint16_t addr_dst_match4_cnt
Definition: detect.h:693
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
Packet_::dp
Port dp
Definition: decode.h:516
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DetectEngineCtx_::sig_array_len
uint32_t sig_array_len
Definition: detect.h:952
SIG_GROUP_HEAD_HAVEFILESHA256
#define SIG_GROUP_HEAD_HAVEFILESHA256
Definition: detect.h:1494
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
Signature_::type
enum SignatureType type
Definition: detect.h:671
StatsCounterAddI64
void StatsCounterAddI64(StatsThreadContext *stats, StatsCounterId id, int64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:146
SigGroupHead_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1634
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1088
AppLayerParserHasDecoderEvents
bool AppLayerParserHasDecoderEvents(AppLayerParserState *pstate)
Definition: app-layer-parser.c:1499
FLOW_PKT_TOSERVER_FIRST
#define FLOW_PKT_TOSERVER_FIRST
Definition: flow.h:228
DetectEngineLookupFlow_::tcp
DetectPort * tcp
Definition: detect.h:863
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
detect-engine-address.h
Flow_::tenant_id
uint32_t tenant_id
Definition: flow.h:408
Packet_::src
Address src
Definition: decode.h:505
SigMatchSignaturesGetSgh
const SigGroupHead * SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx, const Packet *p)
Get the SigGroupHead for a packet.
Definition: detect.c:282
DetectRunPrefilterTx
void DetectRunPrefilterTx(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const uint8_t ipproto, const uint8_t flow_flags, const AppProto alproto, void *alstate, DetectTransaction *tx)
run prefilter engines on a transaction
Definition: detect-engine-prefilter.c:95
RuleMatchCandidateTxArrayInit
void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size)
Definition: detect.c:1071
APP_LAYER_TX_INSPECTED_TC
#define APP_LAYER_TX_INSPECTED_TC
Definition: app-layer-parser.h:71
SIG_FLAG_DP_ANY
#define SIG_FLAG_DP_ANY
Definition: detect.h:244
DetectPortLookupGroup
DetectPort * DetectPortLookupGroup(DetectPort *dp, uint16_t port)
Function that find the group matching port in a group head.
Definition: detect-engine-port.c:613
DetectEngineThreadCtx_::post_rule_work_queue
PostRuleMatchWorkQueue post_rule_work_queue
Definition: detect.h:1346
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1264
detect-engine-threshold.h
APP_LAYER_TX_SKIP_INSPECT_TS
#define APP_LAYER_TX_SKIP_INSPECT_TS
Definition: app-layer-parser.h:67
Signature_::mask
SignatureMask mask
Definition: detect.h:679
app-layer.h
RuleMatchCandidateTx
Definition: detect.h:1199
DetectEngineThreadCtx_::TenantGetId
uint32_t(* TenantGetId)(const void *, const Packet *p)
Definition: detect.h:1262
PrefilterRuleStore_::rule_id_array
SigIntId * rule_id_array
Definition: util-prefilter.h:38
PacketEngineEvents_::cnt
uint8_t cnt
Definition: decode.h:307
Flow_::de_ctx_version
uint32_t de_ctx_version
Definition: flow.h:456
DetectProtoContainsProto
int DetectProtoContainsProto(const DetectProto *dp, int proto)
see if a DetectProto contains a certain proto
Definition: detect-engine-proto.c:109
DetectEngineThreadCtx_::match_array
Signature ** match_array
Definition: detect.h:1334