120 DetectRunInspectIPOnly(th_v,
de_ctx, det_ctx, pflow, p);
123 DetectRunGetRuleGroup(
de_ctx, p, pflow, &scratch);
126 if (scratch.
sgh == NULL) {
127 SCLogDebug(
"no sgh for this packet, nothing to match against");
132 DetectRunPrefilterPkt(th_v,
de_ctx, det_ctx, p, &scratch);
136 const uint8_t pkt_policy = DetectRulePacketRules(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
152 if (p->
proto == IPPROTO_TCP) {
155 DetectRunAppendDefaultAccept(det_ctx, p);
167 DetectRunFrames(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
175 DetectRunAppendDefaultAccept(det_ctx, p);
178 }
else if (p->
proto == IPPROTO_UDP) {
179 DetectRunFrames(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
183 DetectRunTx(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
192 DetectRunAppendDefaultAccept(det_ctx, p);
196 DetectRunPostRules(th_v,
de_ctx, det_ctx, p, pflow, &scratch);
198 DetectRunCleanup(det_ctx, p, pflow);
211 SCLogDebug(
"running match functions, sm %p", smd);
242 }
else if (p->
proto == 0) {
243 if (!(PacketIsIPv4(p) || PacketIsIPv6(p))) {
252 int proto = PacketGetIPProto(p);
253 if (
proto == IPPROTO_TCP) {
257 const uint16_t port = dir ? p->
dp : p->
sp;
262 SCLogDebug(
"TCP list %p, port %u, direction %s, sghport %p, sgh %p", list, port,
263 dir ?
"toserver" :
"toclient", sghport, sgh);
264 }
else if (
proto == IPPROTO_UDP) {
266 uint16_t port = dir ? p->
dp : p->
sp;
270 SCLogDebug(
"UDP list %p, port %u, direction %s, sghport %p, sgh %p", list, port,
271 dir ?
"toserver" :
"toclient", sghport, sgh);
286 while (final_cnt-- > 0) {
291 if (
likely(
id != previous_id)) {
308 DetectPostInspectFileFlagsUpdate(
Flow *f,
const SigGroupHead *sgh, uint8_t direction)
313 SCLogDebug(
"requesting disabling all file features for flow");
317 SCLogDebug(
"requesting disabling filestore for flow");
321 if (!(sgh->
flags & SIG_GROUP_HEAD_HAVEFILEMAGIC)) {
322 SCLogDebug(
"requesting disabling magic for flow");
327 SCLogDebug(
"requesting disabling md5 for flow");
331 SCLogDebug(
"requesting disabling sha1 for flow");
335 SCLogDebug(
"requesting disabling sha256 for flow");
339 SCLogDebug(
"requesting disabling filesize for flow");
343 if (flow_file_flags != 0) {
359 SCLogDebug(
"STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.client");
364 DetectPostInspectFileFlagsUpdate(pflow,
374 SCLogDebug(
"STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.server");
379 DetectPostInspectFileFlagsUpdate(pflow,
384 static inline void DetectRunGetRuleGroup(
392 bool use_flow_sgh =
false;
395 if (PacketGetIPProto(p) == pflow->
proto) {
399 SCLogDebug(
"sgh = pflow->sgh_toserver; => %p", sgh);
403 SCLogDebug(
"sgh = pflow->sgh_toclient; => %p", sgh);
409 if (!(use_flow_sgh)) {
422 DetectRunPostGetFirstRuleGroup(p, pflow, sgh);
442 SCLogDebug(
"testing against \"ip-only\" signatures");
461 static inline bool DetectRunInspectRuleHeader(
const Packet *p,
const Flow *f,
const Signature *s,
462 const uint32_t sflags,
const uint8_t s_proto_flags)
471 const bool fv = f->
flowvar != NULL;
473 SCLogDebug(
"skipping sig as the flow has no flowvars and sig "
474 "has SIG_FLAG_REQUIRE_FLOWVAR flag set.");
514 SCLogDebug(
"port-less protocol and sig needs ports");
520 if (PacketIsIPv4(p)) {
523 }
else if (PacketIsIPv6(p)) {
530 if (PacketIsIPv4(p)) {
533 }
else if (PacketIsIPv6(p)) {
545 static inline void DetectRunPrefilterPkt(
565 DetectPrefilterCopyDeDup(
de_ctx, det_ctx);
580 static bool IsOnlyTxInDirection(
Flow *f, uint64_t txid, uint8_t dir)
583 if (tx_cnt == txid + 1) {
587 if (tx_cnt == txid + 2) {
602 static int SortHelper(
const void *a,
const void *b)
608 return sa->
num > sb->
num ? 1 : -1;
616 bool fw_verdict =
false;
626 (uint64_t)match_cnt);
637 bool skip_fw =
false;
638 uint32_t sflags, next_sflags = 0;
640 next_s = *match_array++;
641 next_sflags = next_s->
flags;
643 while (match_cnt--) {
645 bool break_out_of_packet_filter =
false;
646 uint8_t alert_flags = 0;
651 sflags = next_sflags;
653 next_s = *match_array++;
654 next_sflags = next_s->
flags;
666 }
else if (have_fw_rules) {
673 break_out_of_packet_filter =
true;
696 if (SigDsizePrefilter(p, s, sflags))
707 if (!DetectRunInspectRuleHeader(p, pflow, s, sflags, s_proto_flags)) {
718 DetectRunPostMatch(
tv, det_ctx, p, s);
736 if (pflow->
proto != IPPROTO_UDP) {
739 txd->guessed_applayer_logged++;
756 SCLogDebug(
"sig_array_len %u det_ctx->pmq.rule_id_array_cnt %u",
759 for (uint32_t x = 0; x < match_cnt; x++) {
760 *r++ = match_array[x];
761 SCLogDebug(
"appended %u", match_array[x]->
id);
768 if (
ts->app_inspect == NULL) {
774 qsort(replace, match_cnt,
sizeof(
Signature *), SortHelper);
780 uint32_t skipped = 0;
781 for (uint32_t x = 0; x < match_cnt; x++) {
783 if (last_sig == *
m) {
790 match_cnt -= skipped;
792 next_s = *match_array++;
793 next_sflags = next_s->
flags;
824 break_out_of_packet_filter =
true;
829 break_out_of_packet_filter =
true;
840 break_out_of_packet_filter =
true;
844 DetectVarProcessList(det_ctx, pflow, p);
845 DetectReplaceFree(det_ctx);
849 if (break_out_of_packet_filter)
877 uint8_t flow_flags = 0;
878 bool app_decoder_events =
false;
897 det_ctx->pkt_stream_add_cnt++;
906 flow_flags = STREAM_TOSERVER;
909 flow_flags = STREAM_TOCLIENT;
915 flow_flags |= STREAM_EOF;
946 (p->
proto == IPPROTO_UDP) ||
951 alproto = FlowGetAppProtocol(pflow);
958 SCLogDebug(
"packet doesn't have established flag set (proto %d)", p->
proto);
969 static inline void DetectRunPostRules(
1011 if (pflow != NULL) {
1028 FatalError(
"failed to allocate %" PRIu64
" bytes",
1032 SCLogDebug(
"array initialized to %u elements (%"PRIu64
" bytes)",
1044 const uint32_t need)
1055 uint32_t new_size = needed;
1058 FatalError(
"failed to expand to %" PRIu64
" bytes",
1064 SCLogDebug(
"array expanded from %u to %u elements (%"PRIu64
" bytes -> %"PRIu64
" bytes)",
1077 DetectRunTxSortHelper(
const void *a,
const void *b)
1081 if (s1->
id == s0->
id) {
1088 return s0->
id > s1->
id ? 1 : -1;
1092 #define TRACE_SID_TXS(sid,txs,...) \
1094 char _trace_buf[2048]; \
1095 snprintf(_trace_buf, sizeof(_trace_buf), __VA_ARGS__); \
1096 SCLogNotice("%p/%"PRIu64"/%u: %s", txs->tx_ptr, txs->tx_id, sid, _trace_buf); \
1099 #define TRACE_SID_TXS(sid,txs,...)
1108 tx_ptr = SCDoH2GetDnsTx(tx_ptr, flow_flags);
1113 }
else if (engine_alproto != alproto && engine_alproto !=
ALPROTO_UNKNOWN) {
1137 const uint8_t in_flow_flags,
1141 uint32_t *stored_flags,
1145 const uint8_t flow_flags = in_flow_flags;
1146 const int direction = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
1147 uint32_t inspect_flags = stored_flags ? *stored_flags : 0;
1148 int total_matches = 0;
1149 uint16_t file_no_match = 0;
1150 bool retval =
false;
1151 bool mpm_before_progress =
false;
1152 bool mpm_in_progress =
false;
1154 TRACE_SID_TXS(s->
id, tx,
"starting %s", direction ?
"toclient" :
"toserver");
1157 if (
likely(stored_flags == NULL)) {
1176 TRACE_SID_TXS(s->
id, tx,
"engine %p inspect_flags %x", engine, inspect_flags);
1179 if (!(inspect_flags &
BIT_U32(engine->
id)) &&
1183 if (tx_ptr == NULL) {
1187 engine = engine->
next;
1197 SCLogDebug(
"tx progress %d < engine progress %d",
1204 "engine->mpm: t->tx_progress %u > engine->progress %u, so set "
1205 "mpm_before_progress",
1207 mpm_before_progress =
true;
1210 "engine->mpm: t->tx_progress %u == engine->progress %u, so set "
1213 mpm_in_progress =
true;
1217 uint8_t engine_flags = flow_flags;
1218 if (direction != engine->
dir) {
1219 engine_flags = flow_flags ^ (STREAM_TOCLIENT | STREAM_TOSERVER);
1225 TRACE_SID_TXS(s->
id, tx,
"stream skipped, stored result %d used instead", match);
1230 mpm_before_progress =
true;
1244 de_ctx, det_ctx, engine, s, f, engine_flags, alstate, tx_ptr, tx->
tx_id);
1249 TRACE_SID_TXS(s->
id, tx,
"stream ran, store result %d for next tx (if any)", match);
1254 engine = engine->
next;
1261 engine = engine->
next;
1273 if (engine->
mpm && mpm_before_progress) {
1279 direction != engine->
dir) {
1283 if (direction == 0 && engine->
next == NULL) {
1287 engine = engine->
next;
1291 engine = engine->
next;
1292 }
while (engine != NULL);
1293 TRACE_SID_TXS(s->
id, tx,
"inspect_flags %x, total_matches %u, engine %p",
1294 inspect_flags, total_matches, engine);
1296 if (engine == NULL && total_matches) {
1303 *stored_flags = inspect_flags;
1304 TRACE_SID_TXS(s->
id, tx,
"continue inspect flags %08x", inspect_flags);
1311 if (file_no_match) {
1322 inspect_flags, flow_flags, file_no_match);
1326 "mpm won't trigger for it anymore");
1330 "we may have to revisit anyway");
1332 inspect_flags, flow_flags, file_no_match);
1336 "mpm will revisit it");
1337 }
else if (inspect_flags != 0 || file_no_match != 0) {
1340 inspect_flags, flow_flags, file_no_match);
1349 NULL, 0, NULL, NULL, 0, 0, 0, 0, \
1357 const uint64_t tx_id,
void *tx_ptr,
const int tx_end_state,
const uint8_t flow_flags)
1361 bool updated = (flow_flags & STREAM_TOSERVER) ? txd->updated_ts : txd->updated_tc;
1362 if (!updated && tx_progress < tx_end_state && ((flow_flags & STREAM_EOF) == 0)) {
1366 const uint8_t inspected_flag =
1368 if (
unlikely(txd->flags & inspected_flag)) {
1369 SCLogDebug(
"%" PRIu64
" tx already fully inspected for %s. Flags %02x", tx_id,
1370 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient", txd->flags);
1376 if (
unlikely(txd->flags & skip_flag)) {
1377 SCLogDebug(
"%" PRIu64
" tx should not be inspected in direction %s. Flags %02x", tx_id,
1378 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient", txd->flags);
1383 const uint8_t detect_progress =
1384 (flow_flags & STREAM_TOSERVER) ? txd->detect_progress_ts : txd->detect_progress_tc;
1386 const int dir_int = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
1389 tx_de_state ? &tx_de_state->
dir_state[dir_int] : NULL;
1394 .de_state = tx_dir_state,
1395 .detect_progress = detect_progress,
1396 .detect_progress_orig = detect_progress,
1397 .tx_progress = tx_progress,
1398 .tx_end_state = tx_end_state,
1403 static inline void StoreDetectProgress(
1407 if (flow_flags & STREAM_TOSERVER) {
1408 txd->detect_progress_ts = progress;
1410 txd->detect_progress_tc = progress;
1416 static inline void RuleMatchCandidateMergeStateRules(
1434 uint32_t j = *array_idx;
1443 uint32_t k = *array_idx;
1465 if (s->
num <= s0->
id) {
1510 bool *skip_fw_hook,
const uint8_t skip_before_progress,
bool *last_for_progress,
1511 bool *fw_next_progress_missing)
1521 if (can_idx + 1 < can_size) {
1527 SCLogDebug(
"peek: next sid progress %u != current progress %u, so current "
1528 "is last for progress",
1530 *last_for_progress =
true;
1533 SCLogDebug(
"peek: missing progress, so we'll drop that unless we get a "
1534 "sweeping accept first");
1535 *fw_next_progress_missing =
true;
1539 SCLogDebug(
"peek: next sid not a fw rule, so current is last for progress");
1540 *last_for_progress =
true;
1543 SCLogDebug(
"peek: no peek beyond last rule");
1545 SCLogDebug(
"peek: there are no rules to allow the state after this rule");
1546 *fw_next_progress_missing =
true;
1550 if ((*skip_fw_hook) ==
true) {
1554 *skip_fw_hook =
false;
1586 static inline bool ApplyAcceptToPacket(
1600 if (total_txs == tx->
tx_id + 1) {
1608 if ((total_txs == tx->
tx_id + 1) &&
1618 static bool ApplyAccept(
Packet *p,
const uint8_t flow_flags,
const Signature *s,
1619 DetectTransaction *tx,
const int tx_end_state,
const bool fw_next_progress_missing,
1620 bool *tx_fw_verdict,
bool *skip_fw_hook, uint8_t *skip_before_progress)
1622 *tx_fw_verdict =
true;
1628 *skip_fw_hook =
true;
1633 if (fw_next_progress_missing) {
1635 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient");
1643 *skip_fw_hook =
true;
1644 *skip_before_progress = (uint8_t)tx_end_state + 1;
1646 "accept:tx applied, skip_fw_hook, skip_before_progress %u", *skip_before_progress);
1663 const uint8_t flow_flags = scratch->
flow_flags;
1665 void *
const alstate = f->
alstate;
1666 const uint8_t ipproto = f->
proto;
1676 uint32_t fw_verdicted = 0;
1677 uint32_t tx_inspected = 0;
1683 AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, tx_id_min, total_txs, &state);
1684 if (ires.tx_ptr == NULL)
1688 GetDetectTx(ipproto, alproto, ires.tx_id, ires.tx_ptr, tx_end_state, flow_flags);
1690 SCLogDebug(
"%p/%"PRIu64
" no transaction to inspect",
1696 tx_id_min = tx.
tx_id + 1;
1701 bool do_sort =
false;
1702 uint32_t array_idx = 0;
1712 SCLogDebug(
"%p/%"PRIu64
" rules added from prefilter: %u candidates",
1716 if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {
1717 RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1731 if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {
1732 RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1738 uint32_t x = array_idx;
1740 RuleMatchCandidateMergeStateRules(det_ctx, &array_idx);
1744 const uint32_t old = array_idx;
1749 if (have_new_file) {
1750 SCLogDebug(
"%p/%"PRIu64
" destate: need to consider new file",
1757 for (; tx_store != NULL; tx_store = tx_store->
next) {
1763 store_cnt++, state_cnt++)
1780 do_sort |= (old && old != array_idx);
1786 DetectRunTxSortHelper);
1798 for (uint32_t i = 0; i < array_idx; i++) {
1804 bool skip_fw_hook =
false;
1805 uint8_t skip_before_progress = 0;
1806 bool fw_next_progress_missing =
false;
1814 if (total_txs == tx.
tx_id + 1) {
1815 DetectRunAppendDefaultAccept(det_ctx, p);
1821 bool tx_fw_verdict =
false;
1823 for (uint32_t i = 0; i < array_idx; i++) {
1827 bool break_out_of_app_filter =
false;
1830 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient", tx.
tx_progress,
1838 while ((i + 1) < array_idx &&
1840 SCLogDebug(
"%p/%" PRIu64
" inspecting SKIP NEXT: sid %u (%u), flags %08x",
1849 if (!tx_fw_verdict) {
1850 const bool accept_tx_applies_to_packet = total_txs == tx.
tx_id + 1;
1851 if (accept_tx_applies_to_packet) {
1852 SCLogDebug(
"accept:(tx|hook): should be applied to the packet");
1853 DetectRunAppendDefaultAccept(det_ctx, p);
1856 tx_fw_verdict =
true;
1859 SCLogDebug(
"APP_LAYER_TX_ACCEPT, so skip rule");
1866 SCLogDebug(
"%p/%"PRIu64
" inspecting: sid %u (%u), flags %08x",
1869 if (inspect_flags) {
1872 " inspecting: sid %u (%u), flags %08x DE_STATE_FLAG_FULL_INSPECT",
1879 const bool fw_accept_to_packet = ApplyAcceptToPacket(total_txs, &tx, s);
1880 break_out_of_app_filter = ApplyAccept(p, flow_flags, s, &tx, tx_end_state,
1881 fw_next_progress_missing, &tx_fw_verdict, &skip_fw_hook,
1882 &skip_before_progress);
1883 if (fw_accept_to_packet)
1884 DetectRunAppendDefaultAccept(det_ctx, p);
1885 if (break_out_of_app_filter)
1892 " inspecting: sid %u (%u), flags %08x DE_STATE_FLAG_SIG_CANT_MATCH",
1898 if (inspect_flags) {
1906 bool last_for_progress =
false;
1907 if (have_fw_rules) {
1908 int fw_r = DetectRunTxCheckFirewallPolicy(det_ctx, p, f, &tx, s, i, array_idx,
1909 &skip_fw_hook, skip_before_progress, &last_for_progress,
1910 &fw_next_progress_missing);
1919 const int r = DetectRunTxInspectRule(
tv,
de_ctx, det_ctx, p, f, flow_flags,
1920 alstate, &tx, s, inspect_flags, can, scratch);
1923 DetectRunPostMatch(
tv, det_ctx, p, s);
1928 const bool fw_accept_to_packet = ApplyAcceptToPacket(total_txs, &tx, s);
1931 if (fw_accept_to_packet) {
1932 SCLogDebug(
"accept:(tx|hook): should be applied to the packet");
1940 break_out_of_app_filter = ApplyAccept(p, flow_flags, s, &tx, tx_end_state,
1941 fw_next_progress_missing, &tx_fw_verdict, &skip_fw_hook,
1942 &skip_before_progress);
1944 }
else if (last_for_progress) {
1945 SCLogDebug(
"sid %u: not a match: %s rule, last_for_progress %s", s->
id,
1950 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient");
1955 break_out_of_app_filter =
true;
1956 tx_fw_verdict =
true;
1959 DetectVarProcessList(det_ctx, p->
flow, p);
1968 uint32_t prev_array_idx = array_idx;
1971 if (
ts->app_inspect != NULL) {
1979 SCLogDebug(
"%p/%" PRIu64
" rule %u (%u) added from 'post match' prefilter",
1983 SCLogDebug(
"%p/%" PRIu64
" rules added from 'post match' prefilter: %u", tx.
tx_ptr,
1984 tx.
tx_id, array_idx - prev_array_idx);
1985 if (prev_array_idx != array_idx) {
1988 DetectRunTxSortHelper);
1994 if (break_out_of_app_filter)
2009 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient");
2010 const uint8_t inspected_flag = (flow_flags & STREAM_TOSERVER)
2014 SCLogDebug(
"%p/%" PRIu64
" tx is done for direction %s. Progress %02x", tx.
tx_ptr,
2015 tx.
tx_id, flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient",
2038 SCLogDebug(
"packet %" PRIu64
": tx_inspected %u fw_verdicted %u", p->
pcap_cnt, tx_inspected,
2040 if (tx_inspected && have_fw_rules && tx_inspected != fw_verdicted) {
2042 flow_flags & STREAM_TOSERVER ?
"toserver" :
"toclient");
2048 if (tx_inspected == 0 && fw_verdicted == 0 && have_fw_rules) {
2049 DetectRunAppendDefaultAccept(det_ctx, p);
2064 SCLogDebug(
"pcap_cnt %" PRIu64
": %s: skip frame inspection for TCP w/o APP UPDATE",
2069 if (frames_container == NULL) {
2074 frames = &frames_container->
toserver;
2076 frames = &frames_container->
toclient;
2079 for (uint32_t idx = 0; idx < frames->
cnt; idx++) {
2082 if (frame == NULL) {
2087 uint32_t array_idx = 0;
2095 SCLogDebug(
"%p/%" PRIi64
" rules added from prefilter: %u candidates", frame, frame->
id,
2100 if (!(RuleMatchCandidateTxArrayHasSpace(
2101 det_ctx, total_rules))) {
2102 RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
2117 uint32_t x = array_idx;
2128 SCLogDebug(
"%p/%" PRIi64
" rule %u (%u) added from 'match' list", frame, frame->
id,
2132 SCLogDebug(
"%p/%" PRIi64
" rules added from 'match' list: %u", frame, frame->
id,
2137 for (uint32_t i = 0; i < array_idx; i++) {
2144 while ((i + 1) < array_idx &&
2148 SCLogDebug(
"%p/%" PRIi64
" inspecting: sid %u (%u)", frame, frame->
id, s->
id, s->
num);
2151 SCLogDebug(
"%p/%" PRIi64
" Start sid %u", frame, frame->
id, s->
id);
2155 bool r = DetectRunInspectRuleHeader(p, f, s, s->
flags, s->
proto.
flags);
2160 DetectRunPostMatch(
tv, det_ctx, p, s);
2165 "%p/%" PRIi64
" sig %u (%u) matched", frame, frame->
id, s->
id, s->
num);
2172 DetectVarProcessList(det_ctx, p->
flow, p);
2183 "frame->inspect_progress: %" PRIu64
" -> not updated", frame->
inspect_progress);
2186 SCLogDebug(
"%p/%" PRIi64
" rules inspected, running cleanup", frame, frame->
id);
2237 SCLogDebug(
"p->pcap %"PRIu64
": no detection on packet, "
2238 "PKT_NOPACKET_INSPECTION is set", p->
pcap_cnt);
2274 if (det_ctx == NULL) {
2275 printf(
"ERROR: Detect has no thread ctx\n");
2281 SCLogDebug(
"Detect Engine using new det_ctx - %p",
2292 if (tenant_id > 0 && tenant_id < det_ctx->mt_det_ctxs_cnt) {
2295 if (det_ctx == NULL)
2303 SCLogDebug(
"MT de_ctx %p det_ctx %p (tenant %u)",
de_ctx, det_ctx, tenant_id);
2314 DetectFlow(
tv,
de_ctx, det_ctx, p);
2316 DetectNoFlow(
tv,
de_ctx, det_ctx, p);
2319 #ifdef PROFILE_RULES
2322 gettimeofday(&
ts, NULL);
2323 if (
ts.tv_sec != det_ctx->rule_perf_last_sync) {
2324 SCProfilingRuleThreatAggregate(det_ctx);
2325 det_ctx->rule_perf_last_sync =
ts.tv_sec;
2339 DetectPostInspectFileFlagsUpdate(f, NULL , STREAM_TOSERVER);
2340 DetectPostInspectFileFlagsUpdate(f, NULL , STREAM_TOCLIENT);
2351 DetectFlow(
tv,
de_ctx, det_ctx, p);
2353 DetectNoFlow(
tv,
de_ctx, det_ctx, p);