suricata
detect.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Basic detection engine
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 #include "conf.h"
29 
30 #include "decode.h"
31 #include "packet.h"
32 #include "flow.h"
33 #include "stream-tcp.h"
34 #include "app-layer.h"
35 #include "app-layer-parser.h"
36 #include "app-layer-frames.h"
37 
38 #include "detect.h"
39 #include "detect-dsize.h"
40 #include "detect-engine.h"
41 #include "detect-engine-build.h"
42 #include "detect-engine-frame.h"
43 #include "detect-engine-profile.h"
44 
45 #include "detect-engine-alert.h"
46 #include "detect-engine-siggroup.h"
47 #include "detect-engine-address.h"
48 #include "detect-engine-proto.h"
49 #include "detect-engine-port.h"
50 #include "detect-engine-mpm.h"
51 #include "detect-engine-iponly.h"
52 #include "detect-engine-threshold.h"
53 #include "detect-engine-prefilter.h"
54 #include "detect-engine-state.h"
55 #include "detect-engine-analyzer.h"
56 
57 #include "detect-engine-payload.h"
58 #include "detect-engine-event.h"
59 
60 #include "detect-filestore.h"
61 #include "detect-flowvar.h"
62 #include "detect-replace.h"
63 
64 #include "util-validate.h"
65 #include "util-detect.h"
66 #include "util-profiling.h"
67 
68 #include "action-globals.h"
69 
70 typedef struct DetectRunScratchpad {
71  const AppProto alproto;
72  const uint8_t flow_flags; /* flow/state flags: STREAM_* */
73  const bool app_decoder_events;
74  const SigGroupHead *sgh;
75  SignatureMask pkt_mask;
76 } DetectRunScratchpad;
77 
78 /* prototypes */
79 static DetectRunScratchpad DetectRunSetup(const DetectEngineCtx *de_ctx,
80  DetectEngineThreadCtx *det_ctx, Packet * const p, Flow * const pflow);
81 static void DetectRunInspectIPOnly(ThreadVars *tv, const DetectEngineCtx *de_ctx,
82  DetectEngineThreadCtx *det_ctx, Flow * const pflow, Packet * const p);
83 static inline void DetectRunGetRuleGroup(const DetectEngineCtx *de_ctx,
84  Packet * const p, Flow * const pflow, DetectRunScratchpad *scratch);
85 static inline void DetectRunPrefilterPkt(ThreadVars *tv,
86  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p,
87  DetectRunScratchpad *scratch);
88 static inline void DetectRulePacketRules(ThreadVars * const tv,
89  DetectEngineCtx * const de_ctx, DetectEngineThreadCtx * const det_ctx,
90  Packet * const p, Flow * const pflow, const DetectRunScratchpad *scratch);
91 static void DetectRunTx(ThreadVars *tv, DetectEngineCtx *de_ctx,
92  DetectEngineThreadCtx *det_ctx, Packet *p,
93  Flow *f, DetectRunScratchpad *scratch);
94 static void DetectRunFrames(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
95  Packet *p, Flow *f, DetectRunScratchpad *scratch);
96 static inline void DetectRunPostRules(ThreadVars *tv, DetectEngineCtx *de_ctx,
97  DetectEngineThreadCtx *det_ctx, Packet * const p, Flow * const pflow,
98  DetectRunScratchpad *scratch);
99 static void DetectRunCleanup(DetectEngineThreadCtx *det_ctx,
100  Packet *p, Flow * const pflow);
101 
102 /** \internal
103  */
104 static void DetectRun(ThreadVars *th_v,
105  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
106  Packet *p)
107 {
108  SCEnter();
109  SCLogDebug("p->pcap_cnt %" PRIu64 " direction %s pkt_src %s", p->pcap_cnt,
110  p->flow ? (FlowGetPacketDirection(p->flow, p) == TOSERVER ? "toserver" : "toclient")
111  : "noflow",
112  PktSrcToString(p->pkt_src));
113 
114  /* bail early if packet should not be inspected */
115  if (p->flags & PKT_NOPACKET_INSPECTION) {
116  /* nothing to do */
117  SCReturn;
118  }
119 
120  /* Load the Packet's flow early, even though it might not be needed.
121  * Mark as a constant pointer, although the flow itself can change. */
122  Flow * const pflow = p->flow;
123 
124  DetectRunScratchpad scratch = DetectRunSetup(de_ctx, det_ctx, p, pflow);
125 
126  /* run the IPonly engine */
127  DetectRunInspectIPOnly(th_v, de_ctx, det_ctx, pflow, p);
128 
129  /* get our rule group */
130  DetectRunGetRuleGroup(de_ctx, p, pflow, &scratch);
131  /* if we didn't get a sig group head, we
132  * have nothing to do.... */
133  if (scratch.sgh == NULL) {
134  SCLogDebug("no sgh for this packet, nothing to match against");
135  goto end;
136  }
137 
138  /* run the prefilters for packets */
139  DetectRunPrefilterPkt(th_v, de_ctx, det_ctx, p, &scratch);
140 
141  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_RULES);
142  /* inspect the rules against the packet */
143  DetectRulePacketRules(th_v, de_ctx, det_ctx, p, pflow, &scratch);
144  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_RULES);
145 
146  /* run tx/state inspection. Don't call for ICMP error msgs. */
147  if (pflow && pflow->alstate && likely(pflow->proto == p->proto)) {
148  if (p->proto == IPPROTO_TCP) {
149  const TcpSession *ssn = p->flow->protoctx;
150  if (ssn && (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) == 0) {
151  // PACKET_PROFILING_DETECT_START(p, PROF_DETECT_TX);
152  DetectRunFrames(th_v, de_ctx, det_ctx, p, pflow, &scratch);
153  // PACKET_PROFILING_DETECT_END(p, PROF_DETECT_TX);
154  }
155  } else if (p->proto == IPPROTO_UDP) {
156  DetectRunFrames(th_v, de_ctx, det_ctx, p, pflow, &scratch);
157  }
158 
159  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_TX);
160  DetectRunTx(th_v, de_ctx, det_ctx, p, pflow, &scratch);
161  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_TX);
162  }
163 
164 end:
165  DetectRunPostRules(th_v, de_ctx, det_ctx, p, pflow, &scratch);
166 
167  DetectRunCleanup(det_ctx, p, pflow);
168  SCReturn;
169 }
170 
171 static void DetectRunPostMatch(ThreadVars *tv,
172  DetectEngineThreadCtx *det_ctx, Packet *p,
173  const Signature *s)
174 {
175  /* run the packet match functions */
176  const SigMatchData *smd = s->sm_arrays[DETECT_SM_LIST_POSTMATCH];
177  if (smd != NULL) {
178  KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_POSTMATCH);
179 
180  SCLogDebug("running match functions, sm %p", smd);
181 
182  while (1) {
183  KEYWORD_PROFILING_START;
184  (void)sigmatch_table[smd->type].Match(det_ctx, p, s, smd->ctx);
185  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
186  if (smd->is_last)
187  break;
188  smd++;
189  }
190  }
191 }
192 
193 /**
194  * \brief Get the SigGroupHead for a packet.
195  *
196  * \param de_ctx detection engine context
197  * \param p packet
198  *
199  * \retval sgh the SigGroupHead or NULL if non applies to the packet
200  */
201 const SigGroupHead *SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx,
202  const Packet *p)
203 {
204  SCEnter();
205 
206  int f;
207  SigGroupHead *sgh = NULL;
208 
209  /* if the packet proto is 0 (not set), we're inspecting it against
210  * the decoder events sgh we have. */
211  if (p->proto == 0 && p->events.cnt > 0) {
212  SCReturnPtr(de_ctx->decoder_event_sgh, "SigGroupHead");
213  } else if (p->proto == 0) {
214  if (!(PKT_IS_IPV4(p) || PKT_IS_IPV6(p))) {
215  /* not IP, so nothing to do */
216  SCReturnPtr(NULL, "SigGroupHead");
217  }
218  }
219 
220  /* select the flow_gh */
221  if (p->flowflags & FLOW_PKT_TOCLIENT)
222  f = 0;
223  else
224  f = 1;
225 
226  int proto = IP_GET_IPPROTO(p);
227  if (proto == IPPROTO_TCP) {
228  DetectPort *list = de_ctx->flow_gh[f].tcp;
229  SCLogDebug("tcp toserver %p, tcp toclient %p: going to use %p",
230  de_ctx->flow_gh[1].tcp, de_ctx->flow_gh[0].tcp, de_ctx->flow_gh[f].tcp);
231  uint16_t port = f ? p->dp : p->sp;
232  SCLogDebug("tcp port %u -> %u:%u", port, p->sp, p->dp);
233  DetectPort *sghport = DetectPortLookupGroup(list, port);
234  if (sghport != NULL)
235  sgh = sghport->sh;
236  SCLogDebug("TCP list %p, port %u, direction %s, sghport %p, sgh %p",
237  list, port, f ? "toserver" : "toclient", sghport, sgh);
238  } else if (proto == IPPROTO_UDP) {
239  DetectPort *list = de_ctx->flow_gh[f].udp;
240  uint16_t port = f ? p->dp : p->sp;
241  DetectPort *sghport = DetectPortLookupGroup(list, port);
242  if (sghport != NULL)
243  sgh = sghport->sh;
244  SCLogDebug("UDP list %p, port %u, direction %s, sghport %p, sgh %p",
245  list, port, f ? "toserver" : "toclient", sghport, sgh);
246  } else {
247  sgh = de_ctx->flow_gh[f].sgh[proto];
248  }
249 
250  SCReturnPtr(sgh, "SigGroupHead");
251 }
252 
253 static inline void DetectPrefilterMergeSort(DetectEngineCtx *de_ctx,
254  DetectEngineThreadCtx *det_ctx)
255 {
256  SigIntId mpm, nonmpm;
257  SigIntId *mpm_ptr = det_ctx->pmq.rule_id_array;
258  SigIntId *nonmpm_ptr = det_ctx->non_pf_id_array;
259  uint32_t m_cnt = det_ctx->pmq.rule_id_array_cnt;
260  uint32_t n_cnt = det_ctx->non_pf_id_cnt;
261  SigIntId *final_ptr;
262  uint32_t final_cnt;
263  SigIntId id;
264  SigIntId previous_id = (SigIntId)-1;
265  Signature **sig_array = de_ctx->sig_array;
266  Signature **match_array = det_ctx->match_array;
267  Signature *s;
268 
269  SCLogDebug("PMQ rule id array count %d", det_ctx->pmq.rule_id_array_cnt);
270 
271  /* Load first values. */
272  if (likely(m_cnt)) {
273  mpm = *mpm_ptr;
274  } else {
275  /* mpm list is empty */
276  final_ptr = nonmpm_ptr;
277  final_cnt = n_cnt;
278  goto final;
279  }
280  if (likely(n_cnt)) {
281  nonmpm = *nonmpm_ptr;
282  } else {
283  /* non-mpm list is empty. */
284  final_ptr = mpm_ptr;
285  final_cnt = m_cnt;
286  goto final;
287  }
288  while (1) {
289  if (mpm < nonmpm) {
290  /* Take from mpm list */
291  id = mpm;
292 
293  s = sig_array[id];
294  /* As the mpm list can contain duplicates, check for that here. */
295  if (likely(id != previous_id)) {
296  *match_array++ = s;
297  previous_id = id;
298  }
299  if (unlikely(--m_cnt == 0)) {
300  /* mpm list is now empty */
301  final_ptr = nonmpm_ptr;
302  final_cnt = n_cnt;
303  goto final;
304  }
305  mpm_ptr++;
306  mpm = *mpm_ptr;
307  } else if (mpm > nonmpm) {
308  id = nonmpm;
309 
310  s = sig_array[id];
311  /* As the mpm list can contain duplicates, check for that here. */
312  if (likely(id != previous_id)) {
313  *match_array++ = s;
314  previous_id = id;
315  }
316  if (unlikely(--n_cnt == 0)) {
317  final_ptr = mpm_ptr;
318  final_cnt = m_cnt;
319  goto final;
320  }
321  nonmpm_ptr++;
322  nonmpm = *nonmpm_ptr;
323 
324  } else { /* implied mpm == nonmpm */
325  /* special case: if on both lists, it's a negated mpm pattern */
326 
327  /* mpm list may have dups, so skip past them here */
328  while (--m_cnt != 0) {
329  mpm_ptr++;
330  mpm = *mpm_ptr;
331  if (mpm != nonmpm)
332  break;
333  }
334  /* if mpm is done, update nonmpm_ptrs and jump to final */
335  if (unlikely(m_cnt == 0)) {
336  n_cnt--;
337 
338  /* mpm list is now empty */
339  final_ptr = ++nonmpm_ptr;
340  final_cnt = n_cnt;
341  goto final;
342  }
343  /* otherwise, if nonmpm is done jump to final for mpm
344  * mpm ptrs already updated */
345  if (unlikely(--n_cnt == 0)) {
346  final_ptr = mpm_ptr;
347  final_cnt = m_cnt;
348  goto final;
349  }
350 
351  /* not at end of the lists, update nonmpm. Mpm already
352  * updated in while loop above. */
353  nonmpm_ptr++;
354  nonmpm = *nonmpm_ptr;
355  }
356  }
357 
358  final: /* Only one list remaining. Just walk that list. */
359 
360  while (final_cnt-- > 0) {
361  id = *final_ptr++;
362  s = sig_array[id];
363 
364  /* As the mpm list can contain duplicates, check for that here. */
365  if (likely(id != previous_id)) {
366  *match_array++ = s;
367  previous_id = id;
368  }
369  }
370 
371  det_ctx->match_array_cnt = match_array - det_ctx->match_array;
372  DEBUG_VALIDATE_BUG_ON((det_ctx->pmq.rule_id_array_cnt + det_ctx->non_pf_id_cnt) < det_ctx->match_array_cnt);
373  PMQ_RESET(&det_ctx->pmq);
374 }
375 
376 /** \internal
377  * \brief build non-prefilter list based on the rule group list we've set.
378  */
379 static inline void DetectPrefilterBuildNonPrefilterList(
380  DetectEngineThreadCtx *det_ctx, const SignatureMask mask, const AppProto alproto)
381 {
382  for (uint32_t x = 0; x < det_ctx->non_pf_store_cnt; x++) {
383  /* only if the mask matches this rule can possibly match,
384  * so build the non_mpm array only for match candidates */
385  const SignatureMask rule_mask = det_ctx->non_pf_store_ptr[x].mask;
386  const AppProto rule_alproto = det_ctx->non_pf_store_ptr[x].alproto;
387  if ((rule_mask & mask) == rule_mask &&
388  (rule_alproto == 0 || AppProtoEquals(rule_alproto, alproto))) {
389  det_ctx->non_pf_id_array[det_ctx->non_pf_id_cnt++] = det_ctx->non_pf_store_ptr[x].id;
390  }
391  }
392 }
393 
394 /** \internal
395  * \brief select non-mpm list
396  * Based on the packet properties, select the non-mpm list to use
397  * \todo move non_pf_store* into scratchpad */
398 static inline void
399 DetectPrefilterSetNonPrefilterList(const Packet *p, DetectEngineThreadCtx *det_ctx, DetectRunScratchpad *scratch)
400 {
401  if ((p->proto == IPPROTO_TCP) && (p->tcph != NULL) && (p->tcph->th_flags & TH_SYN)) {
402  det_ctx->non_pf_store_ptr = scratch->sgh->non_pf_syn_store_array;
403  det_ctx->non_pf_store_cnt = scratch->sgh->non_pf_syn_store_cnt;
404  } else {
405  det_ctx->non_pf_store_ptr = scratch->sgh->non_pf_other_store_array;
406  det_ctx->non_pf_store_cnt = scratch->sgh->non_pf_other_store_cnt;
407  }
408  SCLogDebug("sgh non_pf ptr %p cnt %u (syn %p/%u, other %p/%u)",
409  det_ctx->non_pf_store_ptr, det_ctx->non_pf_store_cnt,
410  scratch->sgh->non_pf_syn_store_array, scratch->sgh->non_pf_syn_store_cnt,
411  scratch->sgh->non_pf_other_store_array, scratch->sgh->non_pf_other_store_cnt);
412 }
413 
414 /** \internal
415  * \brief update flow's file tracking flags based on the detection engine
416  * A set of flags is prepared that is sent to the File API. The
417  File API may reject one or more based on the global force settings.
418  */
419 static inline void
420 DetectPostInspectFileFlagsUpdate(Flow *f, const SigGroupHead *sgh, uint8_t direction)
421 {
422  uint16_t flow_file_flags = FLOWFILE_INIT;
423 
424  if (sgh == NULL) {
425  SCLogDebug("requesting disabling all file features for flow");
426  flow_file_flags = FLOWFILE_NONE;
427  } else {
428  if (sgh->filestore_cnt == 0) {
429  SCLogDebug("requesting disabling filestore for flow");
430  flow_file_flags |= (FLOWFILE_NO_STORE_TS|FLOWFILE_NO_STORE_TC);
431  }
432 #ifdef HAVE_MAGIC
433  if (!(sgh->flags & SIG_GROUP_HEAD_HAVEFILEMAGIC)) {
434  SCLogDebug("requesting disabling magic for flow");
435  flow_file_flags |= (FLOWFILE_NO_MAGIC_TS|FLOWFILE_NO_MAGIC_TC);
436  }
437 #endif
438  if (!(sgh->flags & SIG_GROUP_HEAD_HAVEFILEMD5)) {
439  SCLogDebug("requesting disabling md5 for flow");
440  flow_file_flags |= (FLOWFILE_NO_MD5_TS|FLOWFILE_NO_MD5_TC);
441  }
442  if (!(sgh->flags & SIG_GROUP_HEAD_HAVEFILESHA1)) {
443  SCLogDebug("requesting disabling sha1 for flow");
444  flow_file_flags |= (FLOWFILE_NO_SHA1_TS|FLOWFILE_NO_SHA1_TC);
445  }
446  if (!(sgh->flags & SIG_GROUP_HEAD_HAVEFILESHA256)) {
447  SCLogDebug("requesting disabling sha256 for flow");
448  flow_file_flags |= (FLOWFILE_NO_SHA256_TS|FLOWFILE_NO_SHA256_TC);
449  }
450  if (!(sgh->flags & SIG_GROUP_HEAD_HAVEFILESIZE)) {
451  SCLogDebug("requesting disabling filesize for flow");
452  flow_file_flags |= (FLOWFILE_NO_SIZE_TS|FLOWFILE_NO_SIZE_TC);
453  }
454  }
455  if (flow_file_flags != 0) {
456  FileUpdateFlowFileFlags(f, flow_file_flags, direction);
457  }
458 }
459 
460 static inline void
461 DetectRunPostGetFirstRuleGroup(const Packet *p, Flow *pflow, const SigGroupHead *sgh)
462 {
463  if ((p->flowflags & FLOW_PKT_TOSERVER) && !(pflow->flags & FLOW_SGH_TOSERVER)) {
464  /* first time we see this toserver sgh, store it */
465  pflow->sgh_toserver = sgh;
466  pflow->flags |= FLOW_SGH_TOSERVER;
467 
468  if (p->proto == IPPROTO_TCP && (sgh == NULL || !(sgh->flags & SIG_GROUP_HEAD_HAVERAWSTREAM))) {
469  if (pflow->protoctx != NULL) {
470  TcpSession *ssn = pflow->protoctx;
471  SCLogDebug("STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.client");
472  ssn->client.flags |= STREAMTCP_STREAM_FLAG_DISABLE_RAW;
473  }
474  }
475 
476  DetectPostInspectFileFlagsUpdate(pflow,
477  pflow->sgh_toserver, STREAM_TOSERVER);
478 
479  } else if ((p->flowflags & FLOW_PKT_TOCLIENT) && !(pflow->flags & FLOW_SGH_TOCLIENT)) {
480  pflow->sgh_toclient = sgh;
481  pflow->flags |= FLOW_SGH_TOCLIENT;
482 
483  if (p->proto == IPPROTO_TCP && (sgh == NULL || !(sgh->flags & SIG_GROUP_HEAD_HAVERAWSTREAM))) {
484  if (pflow->protoctx != NULL) {
485  TcpSession *ssn = pflow->protoctx;
486  SCLogDebug("STREAMTCP_STREAM_FLAG_DISABLE_RAW ssn.server");
487  ssn->server.flags |= STREAMTCP_STREAM_FLAG_DISABLE_RAW;
488  }
489  }
490 
491  DetectPostInspectFileFlagsUpdate(pflow,
492  pflow->sgh_toclient, STREAM_TOCLIENT);
493  }
494 }
495 
496 static inline void DetectRunGetRuleGroup(
497  const DetectEngineCtx *de_ctx,
498  Packet * const p, Flow * const pflow,
499  DetectRunScratchpad *scratch)
500 {
501  const SigGroupHead *sgh = NULL;
502 
503  if (pflow) {
504  bool use_flow_sgh = false;
505  /* Get the stored sgh from the flow (if any). Make sure we're not using
506  * the sgh for icmp error packets part of the same stream. */
507  if (IP_GET_IPPROTO(p) == pflow->proto) { /* filter out icmp */
508  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);
509  if ((p->flowflags & FLOW_PKT_TOSERVER) && (pflow->flags & FLOW_SGH_TOSERVER)) {
510  sgh = pflow->sgh_toserver;
511  SCLogDebug("sgh = pflow->sgh_toserver; => %p", sgh);
512  use_flow_sgh = true;
513  } else if ((p->flowflags & FLOW_PKT_TOCLIENT) && (pflow->flags & FLOW_SGH_TOCLIENT)) {
514  sgh = pflow->sgh_toclient;
515  SCLogDebug("sgh = pflow->sgh_toclient; => %p", sgh);
516  use_flow_sgh = true;
517  }
518  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);
519  }
520 
521  if (!(use_flow_sgh)) {
522  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);
523  sgh = SigMatchSignaturesGetSgh(de_ctx, p);
524  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);
525 
526  /* HACK: prevent the wrong sgh (or NULL) from being stored in the
527  * flow's sgh pointers */
528  if (PKT_IS_ICMPV4(p) && ICMPV4_DEST_UNREACH_IS_VALID(p)) {
529  ; /* no-op */
530  } else {
531  /* store the found sgh (or NULL) in the flow to save us
532  * from looking it up again for the next packet.
533  * Also run other tasks */
534  DetectRunPostGetFirstRuleGroup(p, pflow, sgh);
535  }
536  }
537  } else { /* p->flags & PKT_HAS_FLOW */
538  /* no flow */
539 
540  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);
541  sgh = SigMatchSignaturesGetSgh(de_ctx, p);
542  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);
543  }
544 
545  scratch->sgh = sgh;
546 }
547 
548 static void DetectRunInspectIPOnly(ThreadVars *tv, const DetectEngineCtx *de_ctx,
549  DetectEngineThreadCtx *det_ctx,
550  Flow * const pflow, Packet * const p)
551 {
552  if (pflow) {
553  /* set the iponly stuff */
554  if (pflow->flags & FLOW_TOCLIENT_IPONLY_SET)
555  p->flowflags |= FLOW_PKT_TOCLIENT_IPONLY_SET;
556  if (pflow->flags & FLOW_TOSERVER_IPONLY_SET)
557  p->flowflags |= FLOW_PKT_TOSERVER_IPONLY_SET;
558 
559  if (((p->flowflags & FLOW_PKT_TOSERVER) && !(p->flowflags & FLOW_PKT_TOSERVER_IPONLY_SET)) ||
560  ((p->flowflags & FLOW_PKT_TOCLIENT) && !(p->flowflags & FLOW_PKT_TOCLIENT_IPONLY_SET)))
561  {
562  SCLogDebug("testing against \"ip-only\" signatures");
563 
564  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_IPONLY);
565  IPOnlyMatchPacket(tv, de_ctx, det_ctx, &de_ctx->io_ctx, p);
566  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_IPONLY);
567 
568  /* save in the flow that we scanned this direction... */
569  FlowSetIPOnlyFlag(pflow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
570  }
571  } else { /* p->flags & PKT_HAS_FLOW */
572  /* no flow */
573 
574  /* Even without flow we should match the packet src/dst */
575  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_IPONLY);
576  IPOnlyMatchPacket(tv, de_ctx, det_ctx, &de_ctx->io_ctx, p);
577  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_IPONLY);
578  }
579 }
580 
581 /* returns 0 if no match, 1 if match */
582 static inline int DetectRunInspectRuleHeader(
583  const Packet *p,
584  const Flow *f,
585  const Signature *s,
586  const uint32_t sflags,
587  const uint8_t s_proto_flags)
588 {
589  /* check if this signature has a requirement for flowvars of some type
590  * and if so, if we actually have any in the flow. If not, the sig
591  * can't match and we skip it. */
592  if ((p->flags & PKT_HAS_FLOW) && (sflags & SIG_FLAG_REQUIRE_FLOWVAR)) {
593  DEBUG_VALIDATE_BUG_ON(f == NULL);
594 
595  int m = f->flowvar ? 1 : 0;
596 
597  /* no flowvars? skip this sig */
598  if (m == 0) {
599  SCLogDebug("skipping sig as the flow has no flowvars and sig "
600  "has SIG_FLAG_REQUIRE_FLOWVAR flag set.");
601  return 0;
602  }
603  }
604 
605  if ((s_proto_flags & DETECT_PROTO_IPV4) && !PKT_IS_IPV4(p)) {
606  SCLogDebug("ip version didn't match");
607  return 0;
608  }
609  if ((s_proto_flags & DETECT_PROTO_IPV6) && !PKT_IS_IPV6(p)) {
610  SCLogDebug("ip version didn't match");
611  return 0;
612  }
613 
614  if (DetectProtoContainsProto(&s->proto, IP_GET_IPPROTO(p)) == 0) {
615  SCLogDebug("proto didn't match");
616  return 0;
617  }
618 
619  /* check the source & dst port in the sig */
620  if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP || p->proto == IPPROTO_SCTP) {
621  if (!(sflags & SIG_FLAG_DP_ANY)) {
622  if (p->flags & PKT_IS_FRAGMENT)
623  return 0;
624  DetectPort *dport = DetectPortLookupGroup(s->dp,p->dp);
625  if (dport == NULL) {
626  SCLogDebug("dport didn't match.");
627  return 0;
628  }
629  }
630  if (!(sflags & SIG_FLAG_SP_ANY)) {
631  if (p->flags & PKT_IS_FRAGMENT)
632  return 0;
633  DetectPort *sport = DetectPortLookupGroup(s->sp,p->sp);
634  if (sport == NULL) {
635  SCLogDebug("sport didn't match.");
636  return 0;
637  }
638  }
639  } else if ((sflags & (SIG_FLAG_DP_ANY|SIG_FLAG_SP_ANY)) != (SIG_FLAG_DP_ANY|SIG_FLAG_SP_ANY)) {
640  SCLogDebug("port-less protocol and sig needs ports");
641  return 0;
642  }
643 
644  /* check the destination address */
645  if (!(sflags & SIG_FLAG_DST_ANY)) {
646  if (PKT_IS_IPV4(p)) {
647  if (DetectAddressMatchIPv4(s->addr_dst_match4, s->addr_dst_match4_cnt, &p->dst) == 0)
648  return 0;
649  } else if (PKT_IS_IPV6(p)) {
650  if (DetectAddressMatchIPv6(s->addr_dst_match6, s->addr_dst_match6_cnt, &p->dst) == 0)
651  return 0;
652  }
653  }
654  /* check the source address */
655  if (!(sflags & SIG_FLAG_SRC_ANY)) {
656  if (PKT_IS_IPV4(p)) {
657  if (DetectAddressMatchIPv4(s->addr_src_match4, s->addr_src_match4_cnt, &p->src) == 0)
658  return 0;
659  } else if (PKT_IS_IPV6(p)) {
660  if (DetectAddressMatchIPv6(s->addr_src_match6, s->addr_src_match6_cnt, &p->src) == 0)
661  return 0;
662  }
663  }
664 
665  return 1;
666 }
667 
668 /** \internal
669  * \brief run packet/stream prefilter engines
670  */
671 static inline void DetectRunPrefilterPkt(
672  ThreadVars *tv,
673  DetectEngineCtx *de_ctx,
674  DetectEngineThreadCtx *det_ctx,
675  Packet *p,
676  DetectRunScratchpad *scratch
677 )
678 {
679  DetectPrefilterSetNonPrefilterList(p, det_ctx, scratch);
680 
681  /* create our prefilter mask */
682  PacketCreateMask(p, &scratch->pkt_mask, scratch->alproto, scratch->app_decoder_events);
683 
684  /* build and prefilter non_pf list against the mask of the packet */
685  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_NONMPMLIST);
686  det_ctx->non_pf_id_cnt = 0;
687  if (likely(det_ctx->non_pf_store_cnt > 0)) {
688  DetectPrefilterBuildNonPrefilterList(det_ctx, scratch->pkt_mask, scratch->alproto);
689  }
690  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_NONMPMLIST);
691 
692  /* run the prefilter engines */
693  Prefilter(det_ctx, scratch->sgh, p, scratch->flow_flags);
694  /* create match list if we have non-pf and/or pf */
695  if (det_ctx->non_pf_store_cnt || det_ctx->pmq.rule_id_array_cnt) {
696 #ifdef PROFILING
697  if (tv) {
698  StatsAddUI64(tv, det_ctx->counter_mpm_list, (uint64_t)det_ctx->pmq.rule_id_array_cnt);
699  }
700 #endif
701  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PF_SORT2);
702  DetectPrefilterMergeSort(de_ctx, det_ctx);
703  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PF_SORT2);
704  }
705 
706 #ifdef PROFILING
707  if (tv) {
708  StatsAddUI64(tv, det_ctx->counter_nonmpm_list,
709  (uint64_t)det_ctx->non_pf_store_cnt);
710  /* non mpm sigs after mask prefilter */
711  StatsAddUI64(tv, det_ctx->counter_fnonmpm_list,
712  (uint64_t)det_ctx->non_pf_id_cnt);
713  }
714 #endif
715 }
716 
717 static inline void DetectRulePacketRules(
718  ThreadVars * const tv,
719  DetectEngineCtx * const de_ctx,
720  DetectEngineThreadCtx * const det_ctx,
721  Packet * const p,
722  Flow * const pflow,
723  const DetectRunScratchpad *scratch
724 )
725 {
726  const Signature *s = NULL;
727  const Signature *next_s = NULL;
728 
729  /* inspect the sigs against the packet */
730  /* Prefetch the next signature. */
731  SigIntId match_cnt = det_ctx->match_array_cnt;
732 #ifdef PROFILING
733  if (tv) {
734  StatsAddUI64(tv, det_ctx->counter_match_list,
735  (uint64_t)match_cnt);
736  }
737 #endif
738  Signature **match_array = det_ctx->match_array;
739 
740  SGH_PROFILING_RECORD(det_ctx, scratch->sgh);
741 #ifdef PROFILING
742  if (match_cnt >= de_ctx->profile_match_logging_threshold)
743  RulesDumpMatchArray(det_ctx, scratch->sgh, p);
744 #endif
745 
746  uint32_t sflags, next_sflags = 0;
747  if (match_cnt) {
748  next_s = *match_array++;
749  next_sflags = next_s->flags;
750  }
751  while (match_cnt--) {
752  RULE_PROFILING_START(p);
753  uint8_t alert_flags = 0;
754 #ifdef PROFILE_RULES
755  bool smatch = false; /* signature match */
756 #endif
757  s = next_s;
758  sflags = next_sflags;
759  if (match_cnt) {
760  next_s = *match_array++;
761  next_sflags = next_s->flags;
762  }
763  const uint8_t s_proto_flags = s->proto.flags;
764 
765  SCLogDebug("inspecting signature id %"PRIu32"", s->id);
766 
767  if (s->app_inspect != NULL) {
768  goto next; // handle sig in DetectRunTx
769  }
770  if (s->frame_inspect != NULL) {
771  goto next; // handle sig in DetectRunFrame
772  }
773 
774  /* don't run mask check for stateful rules.
775  * There we depend on prefilter */
776  if ((s->mask & scratch->pkt_mask) != s->mask) {
777  SCLogDebug("mask mismatch %x & %x != %x", s->mask, scratch->pkt_mask, s->mask);
778  goto next;
779  }
780 
781  if (SigDsizePrefilter(p, s, sflags))
782  goto next;
783 
784  /* if the sig has alproto and the session as well they should match */
785  if (likely(sflags & SIG_FLAG_APPLAYER)) {
786  if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, scratch->alproto)) {
787  SCLogDebug("alproto mismatch");
788  goto next;
789  }
790  }
791 
792  if (DetectRunInspectRuleHeader(p, pflow, s, sflags, s_proto_flags) == 0) {
793  goto next;
794  }
795 
796  if (DetectEnginePktInspectionRun(tv, det_ctx, s, pflow, p, &alert_flags) == false) {
797  goto next;
798  }
799 
800 #ifdef PROFILE_RULES
801  smatch = true;
802 #endif
803  DetectRunPostMatch(tv, det_ctx, p, s);
804 
805  AlertQueueAppend(det_ctx, s, p, 0, alert_flags);
806 next:
807  DetectVarProcessList(det_ctx, pflow, p);
808  DetectReplaceFree(det_ctx);
809  RULE_PROFILING_END(det_ctx, s, smatch, p);
810 
811  det_ctx->flags = 0;
812  continue;
813  }
814 }
815 
816 static DetectRunScratchpad DetectRunSetup(
817  const DetectEngineCtx *de_ctx,
818  DetectEngineThreadCtx *det_ctx,
819  Packet * const p, Flow * const pflow)
820 {
821  AppProto alproto = ALPROTO_UNKNOWN;
822  uint8_t flow_flags = 0; /* flow/state flags */
823  bool app_decoder_events = false;
824 
825  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_SETUP);
826 
827 #ifdef UNITTESTS
828  p->alerts.cnt = 0;
829  p->alerts.discarded = 0;
830  p->alerts.suppressed = 0;
831 #endif
832  det_ctx->filestore_cnt = 0;
833  det_ctx->base64_decoded_len = 0;
834  det_ctx->raw_stream_progress = 0;
835  det_ctx->match_array_cnt = 0;
836 
837  det_ctx->alert_queue_size = 0;
838  p->alerts.drop.action = 0;
839 
840 #ifdef DEBUG
841  if (p->flags & PKT_STREAM_ADD) {
842  det_ctx->pkt_stream_add_cnt++;
843  }
844 #endif
845 
846  /* grab the protocol state we will detect on */
847  if (p->flags & PKT_HAS_FLOW) {
848  DEBUG_VALIDATE_BUG_ON(pflow == NULL);
849 
850  if (p->flowflags & FLOW_PKT_TOSERVER) {
851  flow_flags = STREAM_TOSERVER;
852  SCLogDebug("flag STREAM_TOSERVER set");
853  } else if (p->flowflags & FLOW_PKT_TOCLIENT) {
854  flow_flags = STREAM_TOCLIENT;
855  SCLogDebug("flag STREAM_TOCLIENT set");
856  }
857  SCLogDebug("p->flowflags 0x%02x", p->flowflags);
858 
859  if (p->flags & PKT_STREAM_EOF) {
860  flow_flags |= STREAM_EOF;
861  SCLogDebug("STREAM_EOF set");
862  }
863 
864  /* store tenant_id in the flow so that we can use it
865  * for creating pseudo packets */
866  if (p->tenant_id > 0 && pflow->tenant_id == 0) {
867  pflow->tenant_id = p->tenant_id;
868  }
869 
870  /* live ruleswap check for flow updates */
871  if (pflow->de_ctx_version == 0) {
872  /* first time this flow is inspected, set id */
873  pflow->de_ctx_version = de_ctx->version;
874  } else if (pflow->de_ctx_version != de_ctx->version) {
875  /* first time we inspect flow with this de_ctx, reset */
876  pflow->flags &= ~FLOW_SGH_TOSERVER;
877  pflow->flags &= ~FLOW_SGH_TOCLIENT;
878  pflow->sgh_toserver = NULL;
879  pflow->sgh_toclient = NULL;
880 
881  pflow->de_ctx_version = de_ctx->version;
882  GenericVarFree(pflow->flowvar);
883  pflow->flowvar = NULL;
884 
885  DetectEngineStateResetTxs(pflow);
886  }
887 
888  /* Retrieve the app layer state and protocol and the tcp reassembled
889  * stream chunks. */
890  if ((p->proto == IPPROTO_TCP && (p->flags & PKT_STREAM_EST)) ||
891  (p->proto == IPPROTO_UDP) ||
892  (p->proto == IPPROTO_SCTP && (p->flowflags & FLOW_PKT_ESTABLISHED)))
893  {
894  /* update flow flags with knowledge on disruptions */
895  flow_flags = FlowGetDisruptionFlags(pflow, flow_flags);
896  alproto = FlowGetAppProtocol(pflow);
897  if (p->proto == IPPROTO_TCP && pflow->protoctx &&
898  StreamReassembleRawHasDataReady(pflow->protoctx, p)) {
899  p->flags |= PKT_DETECT_HAS_STREAMDATA;
900  }
901  SCLogDebug("alproto %u", alproto);
902  } else {
903  SCLogDebug("packet doesn't have established flag set (proto %d)", p->proto);
904  }
905 
906  app_decoder_events = AppLayerParserHasDecoderEvents(pflow->alparser);
907  }
908 
909  DetectRunScratchpad pad = { alproto, flow_flags, app_decoder_events, NULL, 0 };
910  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_SETUP);
911  return pad;
912 }
913 
914 static inline void DetectRunPostRules(
915  ThreadVars *tv,
916  DetectEngineCtx *de_ctx,
917  DetectEngineThreadCtx *det_ctx,
918  Packet * const p,
919  Flow * const pflow,
920  DetectRunScratchpad *scratch)
921 {
922  /* see if we need to increment the inspect_id and reset the de_state */
923  if (pflow && pflow->alstate) {
924  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_TX_UPDATE);
925  AppLayerParserSetTransactionInspectId(pflow, pflow->alparser, pflow->alstate,
926  scratch->flow_flags, (scratch->sgh == NULL));
927  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_TX_UPDATE);
928  }
929 
930  /* so now let's iterate the alerts and remove the ones after a pass rule
931  * matched (if any). This is done inside PacketAlertFinalize() */
932  /* PR: installed "tag" keywords are handled after the threshold inspection */
933 
934  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_ALERT);
935  PacketAlertFinalize(de_ctx, det_ctx, p);
936  if (p->alerts.cnt > 0) {
937  StatsAddUI64(tv, det_ctx->counter_alerts, (uint64_t)p->alerts.cnt);
938  }
939  if (p->alerts.discarded > 0) {
940  StatsAddUI64(tv, det_ctx->counter_alerts_overflow, (uint64_t)p->alerts.discarded);
941  }
942  if (p->alerts.suppressed > 0) {
943  StatsAddUI64(tv, det_ctx->counter_alerts_suppressed, (uint64_t)p->alerts.suppressed);
944  }
945  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_ALERT);
946 }
947 
948 static void DetectRunCleanup(DetectEngineThreadCtx *det_ctx,
949  Packet *p, Flow * const pflow)
950 {
951  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_CLEANUP);
952  InspectionBufferClean(det_ctx);
953 
954  if (pflow != NULL) {
955  /* update inspected tracker for raw reassembly */
956  if (p->proto == IPPROTO_TCP && pflow->protoctx != NULL &&
957  (p->flags & PKT_DETECT_HAS_STREAMDATA)) {
958  StreamReassembleRawUpdateProgress(pflow->protoctx, p,
959  det_ctx->raw_stream_progress);
960  }
961  }
962  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_CLEANUP);
963  SCReturn;
964 }
965 
966 void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size)
967 {
968  DEBUG_VALIDATE_BUG_ON(det_ctx->tx_candidates);
969  det_ctx->tx_candidates = SCCalloc(size, sizeof(RuleMatchCandidateTx));
970  if (det_ctx->tx_candidates == NULL) {
971  FatalError("failed to allocate %" PRIu64 " bytes",
972  (uint64_t)(size * sizeof(RuleMatchCandidateTx)));
973  }
974  det_ctx->tx_candidates_size = size;
975  SCLogDebug("array initialized to %u elements (%"PRIu64" bytes)",
976  size, (uint64_t)(size * sizeof(RuleMatchCandidateTx)));
977 }
978 
979 void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx)
980 {
981  SCFree(det_ctx->tx_candidates);
982  det_ctx->tx_candidates_size = 0;
983 }
984 
985 /* if size >= cur_space */
986 static inline bool RuleMatchCandidateTxArrayHasSpace(const DetectEngineThreadCtx *det_ctx,
987  const uint32_t need)
988 {
989  if (det_ctx->tx_candidates_size >= need)
990  return 1;
991  return 0;
992 }
993 
994 /* realloc */
995 static int RuleMatchCandidateTxArrayExpand(DetectEngineThreadCtx *det_ctx, const uint32_t needed)
996 {
997  const uint32_t old_size = det_ctx->tx_candidates_size;
998  uint32_t new_size = needed;
999  void *ptmp = SCRealloc(det_ctx->tx_candidates, (new_size * sizeof(RuleMatchCandidateTx)));
1000  if (ptmp == NULL) {
1001  FatalError("failed to expand to %" PRIu64 " bytes",
1002  (uint64_t)(new_size * sizeof(RuleMatchCandidateTx)));
1003  // TODO can this be handled more gracefully?
1004  }
1005  det_ctx->tx_candidates = ptmp;
1006  det_ctx->tx_candidates_size = new_size;
1007  SCLogDebug("array expanded from %u to %u elements (%"PRIu64" bytes -> %"PRIu64" bytes)",
1008  old_size, new_size, (uint64_t)(old_size * sizeof(RuleMatchCandidateTx)),
1009  (uint64_t)(new_size * sizeof(RuleMatchCandidateTx))); (void)old_size;
1010  return 1;
1011 }
1012 
1013 /** \internal
1014  * \brief sort helper for sorting match candidates by id: ascending
1015  *
1016  * The id field is set from Signature::num, so we sort the candidates to match the signature
1017  * sort order (ascending), where candidates that have flags go first.
1018  */
1019 static int
1020 DetectRunTxSortHelper(const void *a, const void *b)
1021 {
1022  const RuleMatchCandidateTx *s0 = a;
1023  const RuleMatchCandidateTx *s1 = b;
1024  if (s1->id == s0->id) {
1025  if (s1->flags && !s0->flags)
1026  return 1;
1027  else if (!s1->flags && s0->flags)
1028  return -1;
1029  return 0;
1030  } else
1031  return s0->id > s1->id ? 1 : -1;
1032 }
1033 
1034 #if 0
1035 #define TRACE_SID_TXS(sid,txs,...) \
1036  do { \
1037  char _trace_buf[2048]; \
1038  snprintf(_trace_buf, sizeof(_trace_buf), __VA_ARGS__); \
1039  SCLogNotice("%p/%"PRIu64"/%u: %s", txs->tx_ptr, txs->tx_id, sid, _trace_buf); \
1040  } while(0)
1041 #else
1042 #define TRACE_SID_TXS(sid,txs,...)
1043 #endif
1044 
1045 /** \internal
1046  * \brief inspect a rule against a transaction
1047  *
1048  * Inspect a rule. New detection or continued stateful
1049  * detection.
1050  *
1051  * \param stored_flags pointer to stored flags or NULL.
1052  * If stored_flags is set it means we're continuing
1053  * inspection from an earlier run.
1054  *
1055  * \retval bool true sig matched, false didn't match
1056  */
1057 static bool DetectRunTxInspectRule(ThreadVars *tv,
1058  DetectEngineCtx *de_ctx,
1059  DetectEngineThreadCtx *det_ctx,
1060  Packet *p,
1061  Flow *f,
1062  const uint8_t in_flow_flags, // direction, EOF, etc
1063  void *alstate,
1064  DetectTransaction *tx,
1065  const Signature *s,
1066  uint32_t *stored_flags,
1067  RuleMatchCandidateTx *can,
1068  DetectRunScratchpad *scratch)
1069 {
1070  uint8_t flow_flags = in_flow_flags;
1071  const int direction = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
1072  uint32_t inspect_flags = stored_flags ? *stored_flags : 0;
1073  int total_matches = 0;
1074  uint16_t file_no_match = 0;
1075  bool retval = false;
1076  bool mpm_before_progress = false; // is mpm engine before progress?
1077  bool mpm_in_progress = false; // is mpm engine in a buffer we will revisit?
1078 
1079  TRACE_SID_TXS(s->id, tx, "starting %s", direction ? "toclient" : "toserver");
1080 
1081  /* for a new inspection we inspect pkt header and packet matches */
1082  if (likely(stored_flags == NULL)) {
1083  TRACE_SID_TXS(s->id, tx, "first inspect, run packet matches");
1084  if (DetectRunInspectRuleHeader(p, f, s, s->flags, s->proto.flags) == 0) {
1085  TRACE_SID_TXS(s->id, tx, "DetectRunInspectRuleHeader() no match");
1086  return false;
1087  }
1088  if (DetectEnginePktInspectionRun(tv, det_ctx, s, f, p, NULL) == false) {
1089  TRACE_SID_TXS(s->id, tx, "DetectEnginePktInspectionRun no match");
1090  return false;
1091  }
1092  /* stream mpm and negated mpm sigs can end up here with wrong proto */
1093  if (!(AppProtoEquals(s->alproto, f->alproto) || s->alproto == ALPROTO_UNKNOWN)) {
1094  TRACE_SID_TXS(s->id, tx, "alproto mismatch");
1095  return false;
1096  }
1097  }
1098 
1099  const DetectEngineAppInspectionEngine *engine = s->app_inspect;
1100  while (engine != NULL) { // TODO could be do {} while as s->app_inspect cannot be null
1101  TRACE_SID_TXS(s->id, tx, "engine %p inspect_flags %x", engine, inspect_flags);
1102  if (!(inspect_flags & BIT_U32(engine->id)) &&
1103  direction == engine->dir)
1104  {
1105  const bool skip_engine = (engine->alproto != 0 && engine->alproto != f->alproto);
1106  /* special case: file_data on 'alert tcp' will have engines
1107  * in the list that are not for us. */
1108  if (unlikely(skip_engine)) {
1109  engine = engine->next;
1110  continue;
1111  }
1112 
1113  /* engines are sorted per progress, except that the one with
1114  * mpm/prefilter enabled is first */
1115  if (tx->tx_progress < engine->progress) {
1116  SCLogDebug("tx progress %d < engine progress %d",
1117  tx->tx_progress, engine->progress);
1118  break;
1119  }
1120  if (engine->mpm) {
1121  if (tx->tx_progress > engine->progress) {
1122  TRACE_SID_TXS(s->id, tx,
1123  "engine->mpm: t->tx_progress %u > engine->progress %u, so set "
1124  "mpm_before_progress",
1125  tx->tx_progress, engine->progress);
1126  mpm_before_progress = true;
1127  } else if (tx->tx_progress == engine->progress) {
1128  TRACE_SID_TXS(s->id, tx,
1129  "engine->mpm: t->tx_progress %u == engine->progress %u, so set "
1130  "mpm_in_progress",
1131  tx->tx_progress, engine->progress);
1132  mpm_in_progress = true;
1133  }
1134  }
1135 
1136  /* run callback: but bypass stream callback if we can */
1137  uint8_t match;
1138  if (unlikely(engine->stream && can->stream_stored)) {
1139  match = can->stream_result;
1140  TRACE_SID_TXS(s->id, tx, "stream skipped, stored result %d used instead", match);
1141  } else {
1142  KEYWORD_PROFILING_SET_LIST(det_ctx, engine->sm_list);
1143  DEBUG_VALIDATE_BUG_ON(engine->v2.Callback == NULL);
1144  match = engine->v2.Callback(
1145  de_ctx, det_ctx, engine, s, f, flow_flags, alstate, tx->tx_ptr, tx->tx_id);
1146  TRACE_SID_TXS(s->id, tx, "engine %p match %d", engine, match);
1147  if (engine->stream) {
1148  can->stream_stored = true;
1149  can->stream_result = match;
1150  TRACE_SID_TXS(s->id, tx, "stream ran, store result %d for next tx (if any)", match);
1151  }
1152  }
1153  if (match == DETECT_ENGINE_INSPECT_SIG_MATCH) {
1154  inspect_flags |= BIT_U32(engine->id);
1155  engine = engine->next;
1156  total_matches++;
1157  continue;
1158  } else if (match == DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES) {
1159  /* if the file engine matched, but indicated more
1160  * files are still in progress, we don't set inspect
1161  * flags as these would end inspection for this tx */
1162  engine = engine->next;
1163  total_matches++;
1164  continue;
1165  } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH) {
1166  inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
1167  inspect_flags |= BIT_U32(engine->id);
1168  } else if (match == DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES) {
1169  inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
1170  inspect_flags |= BIT_U32(engine->id);
1171  file_no_match = 1;
1172  }
1173  /* implied DETECT_ENGINE_INSPECT_SIG_NO_MATCH */
1174  if (engine->mpm && mpm_before_progress) {
1175  inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
1176  inspect_flags |= BIT_U32(engine->id);
1177  }
1178  break;
1179  }
1180  engine = engine->next;
1181  }
1182  TRACE_SID_TXS(s->id, tx, "inspect_flags %x, total_matches %u, engine %p",
1183  inspect_flags, total_matches, engine);
1184 
1185  if (engine == NULL && total_matches) {
1186  inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;
1187  TRACE_SID_TXS(s->id, tx, "MATCH");
1188  retval = true;
1189  }
1190 
1191  if (stored_flags) {
1192  *stored_flags = inspect_flags;
1193  TRACE_SID_TXS(s->id, tx, "continue inspect flags %08x", inspect_flags);
1194  } else {
1195  // store... or? If tx is done we might not want to come back to this tx
1196 
1197  // also... if mpmid tracking is enabled, we won't do a sig again for this tx...
1198  TRACE_SID_TXS(s->id, tx, "start inspect flags %08x", inspect_flags);
1199  if (inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH) {
1200  if (file_no_match) {
1201  /* if we have a mismatch on a file sig, we need to keep state.
1202  * We may get another file on the same tx (for http and smtp
1203  * at least), so for a new file we need to re-eval the sig.
1204  * Thoughts / TODO:
1205  * - not for some protos that have 1 file per tx (e.g. nfs)
1206  * - maybe we only need this for file sigs that mix with
1207  * other matches? E.g. 'POST + filename', is different than
1208  * just 'filename'.
1209  */
1210  DetectRunStoreStateTx(scratch->sgh, f, tx->tx_ptr, tx->tx_id, s,
1211  inspect_flags, flow_flags, file_no_match);
1212  }
1213  } else if ((inspect_flags & DE_STATE_FLAG_FULL_INSPECT) && mpm_before_progress) {
1214  TRACE_SID_TXS(s->id, tx, "no need to store match sig, "
1215  "mpm won't trigger for it anymore");
1216 
1217  if (inspect_flags & DE_STATE_FLAG_FILE_INSPECT) {
1218  TRACE_SID_TXS(s->id, tx, "except that for new files, "
1219  "we may have to revisit anyway");
1220  DetectRunStoreStateTx(scratch->sgh, f, tx->tx_ptr, tx->tx_id, s,
1221  inspect_flags, flow_flags, file_no_match);
1222  }
1223  } else if ((inspect_flags & DE_STATE_FLAG_FULL_INSPECT) == 0 && mpm_in_progress) {
1224  TRACE_SID_TXS(s->id, tx, "no need to store no-match sig, "
1225  "mpm will revisit it");
1226  } else {
1227  TRACE_SID_TXS(s->id, tx, "storing state: flags %08x", inspect_flags);
1228  DetectRunStoreStateTx(scratch->sgh, f, tx->tx_ptr, tx->tx_id, s,
1229  inspect_flags, flow_flags, file_no_match);
1230  }
1231  }
1232 
1233  return retval;
1234 }
1235 
1236 #define NO_TX \
1237  { \
1238  NULL, 0, NULL, NULL, 0, 0, 0, 0, 0, \
1239  }
1240 
1241 /** \internal
1242  * \brief get a DetectTransaction object
1243  * \retval struct filled with relevant info or all nulls/0s
1244  */
1245 static DetectTransaction GetDetectTx(const uint8_t ipproto, const AppProto alproto,
1246  void *alstate, const uint64_t tx_id, void *tx_ptr, const int tx_end_state,
1247  const uint8_t flow_flags)
1248 {
1249  AppLayerTxData *txd = AppLayerParserGetTxData(ipproto, alproto, tx_ptr);
1250  if (unlikely(txd == NULL)) {
1251  DetectTransaction no_tx = NO_TX;
1252  return no_tx;
1253  }
1254  uint64_t detect_flags =
1255  (flow_flags & STREAM_TOSERVER) ? txd->detect_flags_ts : txd->detect_flags_tc;
1256  if (detect_flags & APP_LAYER_TX_INSPECTED_FLAG) {
1257  SCLogDebug("%"PRIu64" tx already fully inspected for %s. Flags %016"PRIx64,
1258  tx_id, flow_flags & STREAM_TOSERVER ? "toserver" : "toclient",
1259  detect_flags);
1260  DetectTransaction no_tx = NO_TX;
1261  return no_tx;
1262  }
1263  if (detect_flags & APP_LAYER_TX_SKIP_INSPECT_FLAG) {
1264  SCLogDebug("%" PRIu64 " tx should not be inspected in direction %s. Flags %016" PRIx64,
1265  tx_id, flow_flags & STREAM_TOSERVER ? "toserver" : "toclient", detect_flags);
1266  DetectTransaction no_tx = NO_TX;
1267  return no_tx;
1268  }
1269 
1270  const int tx_progress = AppLayerParserGetStateProgress(ipproto, alproto, tx_ptr, flow_flags);
1271  const int dir_int = (flow_flags & STREAM_TOSERVER) ? 0 : 1;
1272  DetectEngineState *tx_de_state = txd->de_state;
1273  DetectEngineStateDirection *tx_dir_state = tx_de_state ? &tx_de_state->dir_state[dir_int] : NULL;
1274  uint64_t prefilter_flags = detect_flags & APP_LAYER_TX_PREFILTER_MASK;
1275  DEBUG_VALIDATE_BUG_ON(prefilter_flags & APP_LAYER_TX_RESERVED_FLAGS);
1276 
1277  DetectTransaction tx = {
1278  .tx_ptr = tx_ptr,
1279  .tx_id = tx_id,
1280  .tx_data_ptr = (struct AppLayerTxData *)txd,
1281  .de_state = tx_dir_state,
1282  .detect_flags = detect_flags,
1283  .prefilter_flags = prefilter_flags,
1284  .prefilter_flags_orig = prefilter_flags,
1285  .tx_progress = tx_progress,
1286  .tx_end_state = tx_end_state,
1287  };
1288  return tx;
1289 }
1290 
1291 static inline void StoreDetectFlags(DetectTransaction *tx, const uint8_t flow_flags,
1292  const uint8_t ipproto, const AppProto alproto, const uint64_t detect_flags)
1293 {
1294  AppLayerTxData *txd = (AppLayerTxData *)tx->tx_data_ptr;
1295  if (likely(txd != NULL)) {
1296  if (flow_flags & STREAM_TOSERVER) {
1297  txd->detect_flags_ts = detect_flags;
1298  } else {
1299  txd->detect_flags_tc = detect_flags;
1300  }
1301  }
1302 }
1303 
1304 static void DetectRunTx(ThreadVars *tv,
1305  DetectEngineCtx *de_ctx,
1306  DetectEngineThreadCtx *det_ctx,
1307  Packet *p,
1308  Flow *f,
1309  DetectRunScratchpad *scratch)
1310 {
1311  const uint8_t flow_flags = scratch->flow_flags;
1312  const SigGroupHead * const sgh = scratch->sgh;
1313  void * const alstate = f->alstate;
1314  const uint8_t ipproto = f->proto;
1315  const AppProto alproto = f->alproto;
1316 
1317  const uint64_t total_txs = AppLayerParserGetTxCnt(f, alstate);
1318  uint64_t tx_id_min = AppLayerParserGetTransactionInspectId(f->alparser, flow_flags);
1319  const int tx_end_state = AppLayerParserGetStateProgressCompletionStatus(alproto, flow_flags);
1320 
1321  AppLayerGetTxIteratorFunc IterFunc = AppLayerGetTxIterator(ipproto, alproto);
1322  AppLayerGetTxIterState state;
1323  memset(&state, 0, sizeof(state));
1324 
1325  while (1) {
1326  AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, tx_id_min, total_txs, &state);
1327  if (ires.tx_ptr == NULL)
1328  break;
1329 
1330  DetectTransaction tx = GetDetectTx(ipproto, alproto,
1331  alstate, ires.tx_id, ires.tx_ptr, tx_end_state, flow_flags);
1332  if (tx.tx_ptr == NULL) {
1333  SCLogDebug("%p/%"PRIu64" no transaction to inspect",
1334  tx.tx_ptr, tx_id_min);
1335 
1336  tx_id_min++; // next (if any) run look for +1
1337  goto next;
1338  }
1339  tx_id_min = tx.tx_id + 1; // next look for cur + 1
1340 
1341  bool do_sort = false; // do we need to sort the tx candidate list?
1342  uint32_t array_idx = 0;
1343  uint32_t total_rules = det_ctx->match_array_cnt;
1344  total_rules += (tx.de_state ? tx.de_state->cnt : 0);
1345 
1346  /* run prefilter engines and merge results into a candidates array */
1347  if (sgh->tx_engines) {
1348  PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PF_TX);
1349  DetectRunPrefilterTx(det_ctx, sgh, p, ipproto, flow_flags, alproto,
1350  alstate, &tx);
1351  PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PF_TX);
1352  SCLogDebug("%p/%"PRIu64" rules added from prefilter: %u candidates",
1353  tx.tx_ptr, tx.tx_id, det_ctx->pmq.rule_id_array_cnt);
1354 
1355  total_rules += det_ctx->pmq.rule_id_array_cnt;
1356  if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {
1357  RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1358  }
1359 
1360  for (uint32_t i = 0; i < det_ctx->pmq.rule_id_array_cnt; i++) {
1361  const Signature *s = de_ctx->sig_array[det_ctx->pmq.rule_id_array[i]];
1362  const SigIntId id = s->num;
1363  det_ctx->tx_candidates[array_idx].s = s;
1364  det_ctx->tx_candidates[array_idx].id = id;
1365  det_ctx->tx_candidates[array_idx].flags = NULL;
1366  det_ctx->tx_candidates[array_idx].stream_reset = 0;
1367  array_idx++;
1368  }
1369  PMQ_RESET(&det_ctx->pmq);
1370  } else {
1371  if (!(RuleMatchCandidateTxArrayHasSpace(det_ctx, total_rules))) {
1372  RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1373  }
1374  }
1375 
1376  /* merge 'state' rules from the regular prefilter */
1377  uint32_t x = array_idx;
1378  for (uint32_t i = 0; i < det_ctx->match_array_cnt; i++) {
1379  const Signature *s = det_ctx->match_array[i];
1380  if (s->app_inspect != NULL) {
1381  const SigIntId id = s->num;
1382  det_ctx->tx_candidates[array_idx].s = s;
1383  det_ctx->tx_candidates[array_idx].id = id;
1384  det_ctx->tx_candidates[array_idx].flags = NULL;
1385  det_ctx->tx_candidates[array_idx].stream_reset = 0;
1386  array_idx++;
1387 
1388  SCLogDebug("%p/%"PRIu64" rule %u (%u) added from 'match' list",
1389  tx.tx_ptr, tx.tx_id, s->id, id);
1390  }
1391  }
1392  do_sort = (array_idx > x); // sort if match added anything
1393  SCLogDebug("%p/%" PRIu64 " rules added from 'match' list: %u", tx.tx_ptr, tx.tx_id,
1394  array_idx - x);
1395 
1396  /* merge stored state into results */
1397  if (tx.de_state != NULL) {
1398  const uint32_t old = array_idx;
1399 
1400  /* if tx.de_state->flags has 'new file' set and sig below has
1401  * 'file inspected' flag, reset the file part of the state */
1402  const bool have_new_file = (tx.de_state->flags & DETECT_ENGINE_STATE_FLAG_FILE_NEW);
1403  if (have_new_file) {
1404  SCLogDebug("%p/%"PRIu64" destate: need to consider new file",
1405  tx.tx_ptr, tx.tx_id);
1406  tx.de_state->flags &= ~DETECT_ENGINE_STATE_FLAG_FILE_NEW;
1407  }
1408 
1409  SigIntId state_cnt = 0;
1410  DeStateStore *tx_store = tx.de_state->head;
1411  for (; tx_store != NULL; tx_store = tx_store->next) {
1412  SCLogDebug("tx_store %p", tx_store);
1413 
1414  SigIntId store_cnt = 0;
1415  for (store_cnt = 0;
1416  store_cnt < DE_STATE_CHUNK_SIZE && state_cnt < tx.de_state->cnt;
1417  store_cnt++, state_cnt++)
1418  {
1419  DeStateStoreItem *item = &tx_store->store[store_cnt];
1420  SCLogDebug("rule id %u, inspect_flags %u", item->sid, item->flags);
1421  if (have_new_file && (item->flags & DE_STATE_FLAG_FILE_INSPECT)) {
1422  /* remove part of the state. File inspect engine will now
1423  * be able to run again */
1424  item->flags &= ~(DE_STATE_FLAG_SIG_CANT_MATCH|DE_STATE_FLAG_FULL_INSPECT|DE_STATE_FLAG_FILE_INSPECT);
1425  SCLogDebug("rule id %u, post file reset inspect_flags %u", item->sid, item->flags);
1426  }
1427  det_ctx->tx_candidates[array_idx].s = de_ctx->sig_array[item->sid];
1428  det_ctx->tx_candidates[array_idx].id = item->sid;
1429  det_ctx->tx_candidates[array_idx].flags = &item->flags;
1430  det_ctx->tx_candidates[array_idx].stream_reset = 0;
1431  array_idx++;
1432  }
1433  }
1434  do_sort |= (old && old != array_idx); // sort if continue list adds sids
1435  SCLogDebug("%p/%" PRIu64 " rules added from 'continue' list: %u", tx.tx_ptr, tx.tx_id,
1436  array_idx - old);
1437  }
1438  if (do_sort) {
1439  qsort(det_ctx->tx_candidates, array_idx, sizeof(RuleMatchCandidateTx),
1440  DetectRunTxSortHelper);
1441  }
1442 
1443 #ifdef PROFILING
1444  if (array_idx >= de_ctx->profile_match_logging_threshold)
1445  RulesDumpTxMatchArray(det_ctx, scratch->sgh, p, tx.tx_id, array_idx, x);
1446 #endif
1447  det_ctx->tx_id = tx.tx_id;
1448  det_ctx->tx_id_set = true;
1449  det_ctx->p = p;
1450 
1451 #ifdef DEBUG
1452  for (uint32_t i = 0; i < array_idx; i++) {
1453  RuleMatchCandidateTx *can = &det_ctx->tx_candidates[i];
1454  const Signature *s = det_ctx->tx_candidates[i].s;
1455  SCLogDebug("%u: sid %u flags %p", i, s->id, can->flags);
1456  }
1457 #endif
1458  /* run rules: inspect the match candidates */
1459  for (uint32_t i = 0; i < array_idx; i++) {
1460  RuleMatchCandidateTx *can = &det_ctx->tx_candidates[i];
1461  const Signature *s = det_ctx->tx_candidates[i].s;
1462  uint32_t *inspect_flags = det_ctx->tx_candidates[i].flags;
1463 
1464  /* deduplicate: rules_array is sorted, but not deduplicated:
1465  * both mpm and stored state could give us the same sid.
1466  * As they are back to back in that case we can check for it
1467  * here. We select the stored state one as that comes first
1468  * in the array. */
1469  while ((i + 1) < array_idx &&
1470  det_ctx->tx_candidates[i].s == det_ctx->tx_candidates[i + 1].s) {
1471  SCLogDebug("%p/%" PRIu64 " inspecting SKIP NEXT: sid %u (%u), flags %08x",
1472  tx.tx_ptr, tx.tx_id, s->id, s->num, inspect_flags ? *inspect_flags : 0);
1473  i++;
1474  }
1475 
1476  SCLogDebug("%p/%"PRIu64" inspecting: sid %u (%u), flags %08x",
1477  tx.tx_ptr, tx.tx_id, s->id, s->num, inspect_flags ? *inspect_flags : 0);
1478 
1479  if (inspect_flags) {
1480  if (*inspect_flags & (DE_STATE_FLAG_FULL_INSPECT|DE_STATE_FLAG_SIG_CANT_MATCH)) {
1481  SCLogDebug("%p/%"PRIu64" inspecting: sid %u (%u), flags %08x ALREADY COMPLETE",
1482  tx.tx_ptr, tx.tx_id, s->id, s->num, *inspect_flags);
1483  continue;
1484  }
1485  }
1486 
1487  if (inspect_flags) {
1488  /* continue previous inspection */
1489  SCLogDebug("%p/%" PRIu64 " Continuing sid %u", tx.tx_ptr, tx.tx_id, s->id);
1490  } else {
1491  /* start new inspection */
1492  SCLogDebug("%p/%"PRIu64" Start sid %u", tx.tx_ptr, tx.tx_id, s->id);
1493  }
1494 
1495  /* call individual rule inspection */
1496  RULE_PROFILING_START(p);
1497  const int r = DetectRunTxInspectRule(tv, de_ctx, det_ctx, p, f, flow_flags,
1498  alstate, &tx, s, inspect_flags, can, scratch);
1499  if (r == 1) {
1500  /* match */
1501  DetectRunPostMatch(tv, det_ctx, p, s);
1502 
1503  const uint8_t alert_flags = (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_TX);
1504  SCLogDebug("%p/%"PRIu64" sig %u (%u) matched", tx.tx_ptr, tx.tx_id, s->id, s->num);
1505  AlertQueueAppend(det_ctx, s, p, tx.tx_id, alert_flags);
1506  }
1507  DetectVarProcessList(det_ctx, p->flow, p);
1508  RULE_PROFILING_END(det_ctx, s, r, p);
1509  }
1510 
1511  det_ctx->tx_id = 0;
1512  det_ctx->tx_id_set = false;
1513  det_ctx->p = NULL;
1514 
1515  /* see if we have any updated state to store in the tx */
1516 
1517  uint64_t new_detect_flags = 0;
1518  /* this side of the tx is done */
1519  if (tx.tx_progress >= tx.tx_end_state) {
1520  new_detect_flags |= APP_LAYER_TX_INSPECTED_FLAG;
1521  SCLogDebug("%p/%"PRIu64" tx is done for direction %s. Flag %016"PRIx64,
1522  tx.tx_ptr, tx.tx_id,
1523  flow_flags & STREAM_TOSERVER ? "toserver" : "toclient",
1524  new_detect_flags);
1525  }
1526  if (tx.prefilter_flags != tx.prefilter_flags_orig) {
1527  new_detect_flags |= tx.prefilter_flags;
1528  DEBUG_VALIDATE_BUG_ON(new_detect_flags & APP_LAYER_TX_RESERVED_FLAGS);
1529  SCLogDebug("%p/%"PRIu64" updated prefilter flags %016"PRIx64" "
1530  "(was: %016"PRIx64") for direction %s. Flag %016"PRIx64,
1531  tx.tx_ptr, tx.tx_id, tx.prefilter_flags, tx.prefilter_flags_orig,
1532  flow_flags & STREAM_TOSERVER ? "toserver" : "toclient",
1533  new_detect_flags);
1534  }
1535  if (new_detect_flags != 0 &&
1536  (new_detect_flags | tx.detect_flags) != tx.detect_flags)
1537  {
1538  new_detect_flags |= tx.detect_flags;
1539  DEBUG_VALIDATE_BUG_ON(new_detect_flags & APP_LAYER_TX_RESERVED_FLAGS);
1540  SCLogDebug("%p/%"PRIu64" Storing new flags %016"PRIx64" (was %016"PRIx64")",
1541  tx.tx_ptr, tx.tx_id, new_detect_flags, tx.detect_flags);
1542 
1543  StoreDetectFlags(&tx, flow_flags, ipproto, alproto, new_detect_flags);
1544  }
1545 next:
1546  InspectionBufferClean(det_ctx);
1547 
1548  if (!ires.has_next)
1549  break;
1550  }
1551 }
1552 
1553 static void DetectRunFrames(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
1554  Packet *p, Flow *f, DetectRunScratchpad *scratch)
1555 {
1556  const SigGroupHead *const sgh = scratch->sgh;
1557  const AppProto alproto = f->alproto;
1558 
1559  FramesContainer *frames_container = AppLayerFramesGetContainer(f);
1560  if (frames_container == NULL) {
1561  return;
1562  }
1563  Frames *frames;
1564  if (PKT_IS_TOSERVER(p)) {
1565  frames = &frames_container->toserver;
1566  } else {
1567  frames = &frames_container->toclient;
1568  }
1569 
1570  for (uint32_t idx = 0; idx < frames->cnt; idx++) {
1571  SCLogDebug("frame %u", idx);
1572  Frame *frame = FrameGetByIndex(frames, idx);
1573  if (frame == NULL) {
1574  continue;
1575  }
1576 
1577  det_ctx->frame_inspect_progress = 0;
1578  uint32_t array_idx = 0;
1579  uint32_t total_rules = det_ctx->match_array_cnt;
1580 
1581  /* run prefilter engines and merge results into a candidates array */
1582  if (sgh->frame_engines) {
1583  // PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PF_TX);
1584  DetectRunPrefilterFrame(det_ctx, sgh, p, frames, frame, alproto);
1585  // PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PF_TX);
1586  SCLogDebug("%p/%" PRIi64 " rules added from prefilter: %u candidates", frame, frame->id,
1587  det_ctx->pmq.rule_id_array_cnt);
1588 
1589  total_rules += det_ctx->pmq.rule_id_array_cnt;
1590 
1591  if (!(RuleMatchCandidateTxArrayHasSpace(
1592  det_ctx, total_rules))) { // TODO is it safe to overload?
1593  RuleMatchCandidateTxArrayExpand(det_ctx, total_rules);
1594  }
1595 
1596  for (uint32_t i = 0; i < det_ctx->pmq.rule_id_array_cnt; i++) {
1597  const Signature *s = de_ctx->sig_array[det_ctx->pmq.rule_id_array[i]];
1598  const SigIntId id = s->num;
1599  det_ctx->tx_candidates[array_idx].s = s;
1600  det_ctx->tx_candidates[array_idx].id = id;
1601  det_ctx->tx_candidates[array_idx].flags = NULL;
1602  det_ctx->tx_candidates[array_idx].stream_reset = 0;
1603  array_idx++;
1604  }
1605  PMQ_RESET(&det_ctx->pmq);
1606  }
1607  /* merge 'state' rules from the regular prefilter */
1608  uint32_t x = array_idx;
1609  for (uint32_t i = 0; i < det_ctx->match_array_cnt; i++) {
1610  const Signature *s = det_ctx->match_array[i];
1611  if (s->frame_inspect != NULL) {
1612  const SigIntId id = s->num;
1613  det_ctx->tx_candidates[array_idx].s = s;
1614  det_ctx->tx_candidates[array_idx].id = id;
1615  det_ctx->tx_candidates[array_idx].flags = NULL;
1616  det_ctx->tx_candidates[array_idx].stream_reset = 0;
1617  array_idx++;
1618 
1619  SCLogDebug("%p/%" PRIi64 " rule %u (%u) added from 'match' list", frame, frame->id,
1620  s->id, id);
1621  }
1622  }
1623  SCLogDebug("%p/%" PRIi64 " rules added from 'match' list: %u", frame, frame->id,
1624  array_idx - x);
1625  (void)x;
1626 
1627  /* run rules: inspect the match candidates */
1628  for (uint32_t i = 0; i < array_idx; i++) {
1629  const Signature *s = det_ctx->tx_candidates[i].s;
1630 
1631  /* deduplicate: rules_array is sorted, but not deduplicated.
1632  * As they are back to back in that case we can check for it
1633  * here. We select the stored state one as that comes first
1634  * in the array. */
1635  while ((i + 1) < array_idx &&
1636  det_ctx->tx_candidates[i].s == det_ctx->tx_candidates[i + 1].s) {
1637  i++;
1638  }
1639  SCLogDebug("%p/%" PRIi64 " inspecting: sid %u (%u)", frame, frame->id, s->id, s->num);
1640 
1641  /* start new inspection */
1642  SCLogDebug("%p/%" PRIi64 " Start sid %u", frame, frame->id, s->id);
1643 
1644  /* call individual rule inspection */
1645  RULE_PROFILING_START(p);
1646  int r = DetectRunInspectRuleHeader(p, f, s, s->flags, s->proto.flags);
1647  if (r == 1) {
1648  r = DetectRunFrameInspectRule(tv, det_ctx, s, f, p, frames, frame);
1649  if (r == 1) {
1650  /* match */
1651  DetectRunPostMatch(tv, det_ctx, p, s);
1652 
1653  const uint8_t alert_flags =
1654  (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_FRAME);
1655  det_ctx->flags |= DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET;
1656  det_ctx->frame_id = frame->id;
1657  SCLogDebug(
1658  "%p/%" PRIi64 " sig %u (%u) matched", frame, frame->id, s->id, s->num);
1659  AlertQueueAppend(det_ctx, s, p, frame->tx_id, alert_flags);
1660  }
1661  }
1662  DetectVarProcessList(det_ctx, p->flow, p);
1663  RULE_PROFILING_END(det_ctx, s, r, p);
1664  }
1665 
1666  /* update Frame::inspect_progress here instead of in the code above. The reason is that a
1667  * frame might be used more than once in buffers with transforms. */
1668  if (frame->inspect_progress < det_ctx->frame_inspect_progress) {
1669  frame->inspect_progress = det_ctx->frame_inspect_progress;
1670  SCLogDebug("frame->inspect_progress: %" PRIu64 " -> updated", frame->inspect_progress);
1671  } else {
1672  SCLogDebug(
1673  "frame->inspect_progress: %" PRIu64 " -> not updated", frame->inspect_progress);
1674  }
1675 
1676  SCLogDebug("%p/%" PRIi64 " rules inspected, running cleanup", frame, frame->id);
1677  InspectionBufferClean(det_ctx);
1678  }
1679 }
1680 
1681 static DetectEngineThreadCtx *GetTenantById(HashTable *h, uint32_t id)
1682 {
1683  /* technically we need to pass a DetectEngineThreadCtx struct with the
1684  * tenant_id member. But as that member is the first in the struct, we
1685  * can use the id directly. */
1686  return HashTableLookup(h, &id, 0);
1687 }
1688 
1689 static void DetectFlow(ThreadVars *tv,
1690  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
1691  Packet *p)
1692 {
1693  Flow *const f = p->flow;
1694 
1695  if (p->flags & PKT_NOPACKET_INSPECTION) {
1696  /* hack: if we are in pass the entire flow mode, we need to still
1697  * update the inspect_id forward. So test for the condition here,
1698  * and call the update code if necessary. */
1699  const int pass = ((f->flags & FLOW_NOPACKET_INSPECTION));
1700  if (pass) {
1701  uint8_t flags = STREAM_FLAGS_FOR_PACKET(p);
1702  flags = FlowGetDisruptionFlags(f, flags);
1703  if (f->alstate) {
1704  AppLayerParserSetTransactionInspectId(f, f->alparser, f->alstate, flags, true);
1705  }
1706  }
1707  SCLogDebug("p->pcap %"PRIu64": no detection on packet, "
1708  "PKT_NOPACKET_INSPECTION is set", p->pcap_cnt);
1709  return;
1710  }
1711 
1712  /* if flow is set to drop, we enforce that here */
1713  if (f->flags & FLOW_ACTION_DROP) {
1714  PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_FLOW_DROP);
1715  SCReturn;
1716  }
1717 
1718  /* see if the packet matches one or more of the sigs */
1719  (void)DetectRun(tv, de_ctx, det_ctx, p);
1720 }
1721 
1722 
1723 static void DetectNoFlow(ThreadVars *tv,
1724  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
1725  Packet *p)
1726 {
1727  /* No need to perform any detection on this packet, if the given flag is set.*/
1728  if ((p->flags & PKT_NOPACKET_INSPECTION) || (PacketCheckAction(p, ACTION_DROP))) {
1729  return;
1730  }
1731 
1732  /* see if the packet matches one or more of the sigs */
1733  DetectRun(tv, de_ctx, det_ctx, p);
1734  return;
1735 }
1736 
1737 /** \brief Detection engine thread wrapper.
1738  * \param tv thread vars
1739  * \param p packet to inspect
1740  * \param data thread specific data
1741  * \param pq packet queue
1742  * \retval TM_ECODE_FAILED error
1743  * \retval TM_ECODE_OK ok
1744  */
1745 TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
1746 {
1747  DEBUG_VALIDATE_PACKET(p);
1748 
1749  DetectEngineCtx *de_ctx = NULL;
1750  DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;
1751  if (det_ctx == NULL) {
1752  printf("ERROR: Detect has no thread ctx\n");
1753  goto error;
1754  }
1755 
1756  if (unlikely(SC_ATOMIC_GET(det_ctx->so_far_used_by_detect) == 0)) {
1757  (void)SC_ATOMIC_SET(det_ctx->so_far_used_by_detect, 1);
1758  SCLogDebug("Detect Engine using new det_ctx - %p",
1759  det_ctx);
1760  }
1761 
1762  /* if in MT mode _and_ we have tenants registered, use
1763  * MT logic. */
1764  if (det_ctx->mt_det_ctxs_cnt > 0 && det_ctx->TenantGetId != NULL)
1765  {
1766  uint32_t tenant_id = p->tenant_id;
1767  if (tenant_id == 0)
1768  tenant_id = det_ctx->TenantGetId(det_ctx, p);
1769  if (tenant_id > 0 && tenant_id < det_ctx->mt_det_ctxs_cnt) {
1770  p->tenant_id = tenant_id;
1771  det_ctx = GetTenantById(det_ctx->mt_det_ctxs_hash, tenant_id);
1772  if (det_ctx == NULL)
1773  return TM_ECODE_OK;
1774  de_ctx = det_ctx->de_ctx;
1775  if (de_ctx == NULL)
1776  return TM_ECODE_OK;
1777 
1778  if (unlikely(SC_ATOMIC_GET(det_ctx->so_far_used_by_detect) == 0)) {
1779  (void)SC_ATOMIC_SET(det_ctx->so_far_used_by_detect, 1);
1780  SCLogDebug("MT de_ctx %p det_ctx %p (tenant %u)", de_ctx, det_ctx, tenant_id);
1781  }
1782  } else {
1783  /* use default if no tenants are registered for this packet */
1784  de_ctx = det_ctx->de_ctx;
1785  }
1786  } else {
1787  de_ctx = det_ctx->de_ctx;
1788  }
1789 
1790  if (p->flow) {
1791  DetectFlow(tv, de_ctx, det_ctx, p);
1792  } else {
1793  DetectNoFlow(tv, de_ctx, det_ctx, p);
1794  }
1795 
1796 #ifdef PROFILE_RULES
1797  /* aggregate statistics */
1798  if (SCTIME_SECS(p->ts) != det_ctx->rule_perf_last_sync) {
1799  SCProfilingRuleThreatAggregate(det_ctx);
1800  det_ctx->rule_perf_last_sync = SCTIME_SECS(p->ts);
1801  }
1802 #endif
1803 
1804  return TM_ECODE_OK;
1805 error:
1806  return TM_ECODE_FAILED;
1807 }
1808 
1809 /** \brief disable file features we don't need
1810  * Called if we have no detection engine.
1811  */
1812 void DisableDetectFlowFileFlags(Flow *f)
1813 {
1814  DetectPostInspectFileFlagsUpdate(f, NULL /* no sgh */, STREAM_TOSERVER);
1815  DetectPostInspectFileFlagsUpdate(f, NULL /* no sgh */, STREAM_TOCLIENT);
1816 }
1817 
1818 #ifdef UNITTESTS
1819 /**
1820  * \brief wrapper for old tests
1821  */
1822 void SigMatchSignatures(
1823  ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
1824 {
1825  if (p->flow) {
1826  DetectFlow(tv, de_ctx, det_ctx, p);
1827  } else {
1828  DetectNoFlow(tv, de_ctx, det_ctx, p);
1829  }
1830 }
1831 #endif
1832 
1833 /*
1834  * TESTS
1835  */
1836 
1837 #ifdef UNITTESTS
1838 #include "tests/detect.c"
1839 #endif
1840 
DetectEngineAppInspectionEngine_::stream
bool stream
Definition: detect.h:423
SigGroupHead_::non_pf_syn_store_cnt
uint32_t non_pf_syn_store_cnt
Definition: detect.h:1431
PacketCheckAction
bool PacketCheckAction(const Packet *p, const uint8_t a)
Definition: packet.c:48
FLOWFILE_NO_MD5_TS
#define FLOWFILE_NO_MD5_TS
Definition: flow.h:127
DetectEngineThreadCtx_::non_pf_store_ptr
SignatureNonPrefilterStore * non_pf_store_ptr
Definition: detect.h:1156
RulesDumpTxMatchArray
void RulesDumpTxMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, const Packet *p, const uint64_t tx_id, const uint32_t rule_cnt, const uint32_t pkt_prefilter_cnt)
Definition: detect-engine-profile.c:34
SIG_GROUP_HEAD_HAVEFILEMD5
#define SIG_GROUP_HEAD_HAVEFILEMD5
Definition: detect.h:1301
FLOWFILE_NO_MD5_TC
#define FLOWFILE_NO_MD5_TC
Definition: flow.h:128
SigGroupHead_::tx_engines
PrefilterEngine * tx_engines
Definition: detect.h:1444
DetectEngineAppInspectionEngine_
Definition: detect.h:418
Packet_::proto
uint8_t proto
Definition: decode.h:451
DetectTransaction_::tx_data_ptr
struct AppLayerTxData * tx_data_ptr
Definition: detect-engine-prefilter.h:34
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:422
DE_STATE_CHUNK_SIZE
#define DE_STATE_CHUNK_SIZE
Definition: detect-engine-state.h:53
RuleMatchCandidateTx::stream_stored
bool stream_stored
Definition: detect.h:1046
FLOWFILE_NO_SIZE_TS
#define FLOWFILE_NO_SIZE_TS
Definition: flow.h:139
Frame::inspect_progress
uint64_t inspect_progress
Definition: app-layer-frames.h:55
DetectEngineThreadCtx_::alert_queue_size
uint16_t alert_queue_size
Definition: detect.h:1135
PROF_DETECT_GETSGH
@ PROF_DETECT_GETSGH
Definition: suricata-common.h:436
FLOWFILE_NO_SIZE_TC
#define FLOWFILE_NO_SIZE_TC
Definition: flow.h:140
detect-engine.h
detect-engine-proto.h
DetectEngineThreadCtx_::match_array_cnt
SigIntId match_array_cnt
Definition: detect.h:1151
Frame::tx_id
uint64_t tx_id
Definition: app-layer-frames.h:54
DetectEngineStateDirection_::flags
uint8_t flags
Definition: detect-engine-state.h:89
detect-dsize.h
Signature_::addr_src_match6
DetectMatchAddressIPv6 * addr_src_match6
Definition: detect.h:615
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1007
PACKET_ALERT_FLAG_TX
#define PACKET_ALERT_FLAG_TX
Definition: decode.h:280
DetectEngineCtx_::decoder_event_sgh
struct SigGroupHead_ * decoder_event_sgh
Definition: detect.h:914
FlowGetPacketDirection
int FlowGetPacketDirection(const Flow *f, const Packet *p)
determine the direction of the packet compared to the flow
Definition: flow.c:312
DetectEngineCtx_::flow_gh
DetectEngineLookupFlow flow_gh[FLOW_STATES]
Definition: detect.h:860
DE_STATE_FLAG_SIG_CANT_MATCH
#define DE_STATE_FLAG_SIG_CANT_MATCH
Definition: detect-engine-state.h:57
DetectEngineThreadCtx_::counter_match_list
uint16_t counter_match_list
Definition: detect.h:1103
DetectEngineAppInspectionEngine_::next
struct DetectEngineAppInspectionEngine_ * next
Definition: detect.h:437
DETECT_PROTO_IPV6
#define DETECT_PROTO_IPV6
Definition: detect-engine-proto.h:34
detect-engine-siggroup.h
PKT_IS_IPV6
#define PKT_IS_IPV6(p)
Definition: decode.h:247
DetectEngineState_
Definition: detect-engine-state.h:93
Signature_::num
SigIntId num
Definition: detect.h:594
stream-tcp.h
Prefilter
void Prefilter(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const uint8_t flags)
Definition: detect-engine-prefilter.c:143
PrefilterRuleStore_::rule_id_array_cnt
uint32_t rule_id_array_cnt
Definition: util-prefilter.h:40
detect-engine-event.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1425
SIG_GROUP_HEAD_HAVEFILESIZE
#define SIG_GROUP_HEAD_HAVEFILESIZE
Definition: detect.h:1302
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
detect.c
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:387
KEYWORD_PROFILING_SET_LIST
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
Definition: util-profiling.h:46
DetectAddressMatchIPv4
int DetectAddressMatchIPv4(const DetectMatchAddressIPv4 *addrs, uint16_t addrs_cnt, const Address *a)
Match a packets address against a signatures addrs array.
Definition: detect-engine-address.c:1603
Signature_::alproto
AppProto alproto
Definition: detect.h:587
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
SignatureNonPrefilterStore_::id
SigIntId id
Definition: detect.h:1035
FLOW_SGH_TOCLIENT
#define FLOW_SGH_TOCLIENT
Definition: flow.h:71
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:595
AppLayerParserSetTransactionInspectId
void AppLayerParserSetTransactionInspectId(const Flow *f, AppLayerParserState *pstate, void *alstate, const uint8_t flags, bool tag_txs_as_inspected)
Definition: app-layer-parser.c:760
DetectEngineStateDirection_::cnt
SigIntId cnt
Definition: detect-engine-state.h:87
AppLayerGetTxIterator
AppLayerGetTxIteratorFunc AppLayerGetTxIterator(const uint8_t ipproto, const AppProto alproto)
Definition: app-layer-parser.c:704
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
Flow_::proto
uint8_t proto
Definition: flow.h:365
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:80
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:290
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1105
DetectEngineThreadCtx_::tx_id
uint64_t tx_id
Definition: detect.h:1129
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:353
action-globals.h
FLOWFILE_NO_MAGIC_TS
#define FLOWFILE_NO_MAGIC_TS
Definition: flow.h:120
FramesContainer::toserver
Frames toserver
Definition: app-layer-frames.h:74
Packet_::flags
uint32_t flags
Definition: decode.h:464
ICMPV4_DEST_UNREACH_IS_VALID
#define ICMPV4_DEST_UNREACH_IS_VALID(p)
Definition: decode-icmpv4.h:267
Frame
Definition: app-layer-frames.h:45
Flow_
Flow data structure.
Definition: flow.h:343
DetectTransaction_::tx_end_state
const int tx_end_state
Definition: detect-engine-prefilter.h:41
PROF_DETECT_ALERT
@ PROF_DETECT_ALERT
Definition: suricata-common.h:447
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1165
SIG_GROUP_HEAD_HAVEFILESHA1
#define SIG_GROUP_HEAD_HAVEFILESHA1
Definition: detect.h:1303
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:827
AppLayerParserGetStateProgressCompletionStatus
int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:1134
DetectRunScratchpad
struct DetectRunScratchpad DetectRunScratchpad
PROF_DETECT_PF_TX
@ PROF_DETECT_PF_TX
Definition: suricata-common.h:442
Frames::cnt
uint16_t cnt
Definition: app-layer-frames.h:61
Frame::id
int64_t id
Definition: app-layer-frames.h:53
APP_LAYER_TX_SKIP_INSPECT_FLAG
#define APP_LAYER_TX_SKIP_INSPECT_FLAG
Definition: app-layer-parser.h:79
DetectEngineThreadCtx_::p
Packet * p
Definition: detect.h:1133
DetectEngineState_::dir_state
DetectEngineStateDirection dir_state[2]
Definition: detect-engine-state.h:94
FrameGetByIndex
Frame * FrameGetByIndex(Frames *frames, const uint32_t idx)
Definition: app-layer-frames.c:106
RuleMatchCandidateTx::id
SigIntId id
Definition: detect.h:1042
PROF_DETECT_CLEANUP
@ PROF_DETECT_CLEANUP
Definition: suricata-common.h:449
SIG_FLAG_DST_ANY
#define SIG_FLAG_DST_ANY
Definition: detect.h:233
NO_TX
#define NO_TX
Definition: detect.c:1236
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:218
HashTable_
Definition: util-hash.h:35
DetectEngineThreadCtx_::flags
uint16_t flags
Definition: detect.h:1124
Frames
Definition: app-layer-frames.h:60
FramesContainer
Definition: app-layer-frames.h:73
PacketAlerts_::drop
PacketAlert drop
Definition: decode.h:296
APP_LAYER_TX_INSPECTED_FLAG
#define APP_LAYER_TX_INSPECTED_FLAG
Definition: app-layer-parser.h:81
DetectRunScratchpad
Definition: detect.c:70
SIG_GROUP_HEAD_HAVERAWSTREAM
#define SIG_GROUP_HEAD_HAVERAWSTREAM
Definition: detect.h:1297
FLOW_ACTION_DROP
#define FLOW_ACTION_DROP
Definition: flow.h:66
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:107
FLOWFILE_NONE
#define FLOWFILE_NONE
Definition: flow.h:157
detect-engine-frame.h
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1822
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:638
proto
uint8_t proto
Definition: decode-template.h:0
m
SCMutex m
Definition: flow-hash.h:6
DetectPort_::sh
struct SigGroupHead_ * sh
Definition: detect.h:223
PACKET_PROFILING_DETECT_END
#define PACKET_PROFILING_DETECT_END(p, id)
Definition: util-profiling.h:222
Detect
TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
Detection engine thread wrapper.
Definition: detect.c:1745
FLOW_PKT_TOCLIENT_IPONLY_SET
#define FLOW_PKT_TOCLIENT_IPONLY_SET
Definition: flow.h:222
detect-engine-payload.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:460
SIG_FLAG_SRC_ANY
#define SIG_FLAG_SRC_ANY
Definition: detect.h:232
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:85
Flow_::protoctx
void * protoctx
Definition: flow.h:433
SigMatchData_
Data needed for Match()
Definition: detect.h:350
DeStateStoreItem_::sid
SigIntId sid
Definition: detect-engine-state.h:75
RuleMatchCandidateTx::s
const Signature * s
Definition: detect.h:1052
KEYWORD_PROFILING_START
#define KEYWORD_PROFILING_START
Definition: util-profiling.h:50
DetectEngineThreadCtx_::counter_fnonmpm_list
uint16_t counter_fnonmpm_list
Definition: detect.h:1102
SigMatchData_::type
uint16_t type
Definition: detect.h:351
DetectEngineCtx_::version
uint32_t version
Definition: detect.h:910
DisableDetectFlowFileFlags
void DisableDetectFlowFileFlags(Flow *f)
disable file features we don't need Called if we have no detection engine.
Definition: detect.c:1812
AppLayerParserGetTransactionInspectId
uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction)
Definition: app-layer-parser.c:729
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:589
DetectTransaction_::tx_progress
const int tx_progress
Definition: detect-engine-prefilter.h:40
DetectEngineThreadCtx_::counter_nonmpm_list
uint16_t counter_nonmpm_list
Definition: detect.h:1101
detect-engine-prefilter.h
DetectRunPrefilterFrame
void DetectRunPrefilterFrame(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const Frames *frames, const Frame *frame, const AppProto alproto)
Definition: detect-engine-frame.c:73
Packet_::events
PacketEngineEvents events
Definition: decode.h:599
Signature_::frame_inspect
DetectEngineFrameInspectionEngine * frame_inspect
Definition: detect.h:634
DetectTransaction_::prefilter_flags_orig
const uint64_t prefilter_flags_orig
Definition: detect-engine-prefilter.h:39
PROF_DETECT_PF_SORT2
@ PROF_DETECT_PF_SORT2
Definition: suricata-common.h:445
pad
uint16_t pad
Definition: source-erf-file.c:61
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:84
PacketCreateMask
void PacketCreateMask(Packet *p, SignatureMask *mask, AppProto alproto, bool app_decoder_events)
Definition: detect-engine-build.c:398
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:239
KEYWORD_PROFILING_END
#define KEYWORD_PROFILING_END(ctx, type, m)
Definition: util-profiling.h:64
detect-flowvar.h
DetectEngineThreadCtx_::mt_det_ctxs_hash
HashTable * mt_det_ctxs_hash
Definition: detect.h:1073
PacketAlert_::action
uint8_t action
Definition: decode.h:266
TcpSession_::flags
uint32_t flags
Definition: stream-tcp-private.h:292
DetectEnginePktInspectionRun
bool DetectEnginePktInspectionRun(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, uint8_t *alert_flags)
Definition: detect-engine.c:2004
Flow_::sgh_toserver
const struct SigGroupHead_ * sgh_toserver
Definition: flow.h:475
PROF_DETECT_TX_UPDATE
@ PROF_DETECT_TX_UPDATE
Definition: suricata-common.h:448
DetectEngineAppInspectionEngine_::id
uint8_t id
Definition: detect.h:421
DetectEngineThreadCtx_::counter_alerts_suppressed
uint16_t counter_alerts_suppressed
Definition: detect.h:1098
DetectRunStoreStateTx
void DetectRunStoreStateTx(const SigGroupHead *sgh, Flow *f, void *tx, uint64_t tx_id, const Signature *s, uint32_t inspect_flags, uint8_t flow_flags, const uint16_t file_no_match)
Definition: detect-engine-state.c:223
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:424
FLOWFILE_INIT
#define FLOWFILE_INIT
Definition: flow.h:117
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:467
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
Definition: detect-engine-state.h:44
FLOWFILE_NO_SHA1_TC
#define FLOWFILE_NO_SHA1_TC
Definition: flow.h:132
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:119
FramesContainer::toclient
Frames toclient
Definition: app-layer-frames.h:75
DetectEngineThreadCtx_::tx_candidates
RuleMatchCandidateTx * tx_candidates
Definition: detect.h:1153
Signature_::addr_src_match4
DetectMatchAddressIPv4 * addr_src_match4
Definition: detect.h:612
decode.h
DetectEngineThreadCtx_::counter_alerts_overflow
uint16_t counter_alerts_overflow
Definition: detect.h:1096
TOSERVER
#define TOSERVER
Definition: flow.h:43
DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET
#define DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET
Definition: detect.h:302
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:252
DetectEngineThreadCtx_
Definition: detect.h:1058
DEBUG_VALIDATE_PACKET
#define DEBUG_VALIDATE_PACKET(p)
Definition: util-validate.h:103
DeStateStoreItem_::flags
uint32_t flags
Definition: detect-engine-state.h:74
PKT_STREAM_ADD
#define PKT_STREAM_ADD
Definition: decode.h:1002
Packet_::ts
SCTime_t ts
Definition: decode.h:472
FLOWFILE_NO_STORE_TS
#define FLOWFILE_NO_STORE_TS
Definition: flow.h:124
BIT_U32
#define BIT_U32(n)
Definition: suricata-common.h:395
DetectEngineThreadCtx_::tx_candidates_size
uint32_t tx_candidates_size
Definition: detect.h:1154
FLOW_PKT_TOSERVER_IPONLY_SET
#define FLOW_PKT_TOSERVER_IPONLY_SET
Definition: flow.h:221
PKT_IS_FRAGMENT
#define PKT_IS_FRAGMENT
Definition: decode.h:1031
STREAM_FLAGS_FOR_PACKET
#define STREAM_FLAGS_FOR_PACKET(p)
Definition: stream.h:30
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
PMQ_RESET
#define PMQ_RESET(pmq)
Definition: util-prefilter.h:46
detect-engine-mpm.h
DetectEngineLookupFlow_::sgh
struct SigGroupHead_ * sgh[256]
Definition: detect.h:766
HashTableLookup
void * HashTableLookup(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash.c:194
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DeStateStore_::next
struct DeStateStore_ * next
Definition: detect-engine-state.h:80
SignatureNonPrefilterStore_::alproto
AppProto alproto
Definition: detect.h:1037
Packet_::sp
Port sp
Definition: decode.h:436
FLOWFILE_NO_SHA256_TS
#define FLOWFILE_NO_SHA256_TS
Definition: flow.h:135
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
PKT_DETECT_HAS_STREAMDATA
#define PKT_DETECT_HAS_STREAMDATA
Definition: decode.h:1046
StreamReassembleRawHasDataReady
bool StreamReassembleRawHasDataReady(TcpSession *ssn, Packet *p)
does the stream engine have data to inspect?
Definition: stream-tcp-reassemble.c:1462
detect-engine-port.h
PktSrcToString
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:746
DetectEngineThreadCtx_::non_pf_id_cnt
uint32_t non_pf_id_cnt
Definition: detect.h:1069
DetectPort_
Port structure for detection engine.
Definition: detect.h:212
PacketAlerts_::discarded
uint16_t discarded
Definition: decode.h:291
app-layer-parser.h
Signature_::app_inspect
DetectEngineAppInspectionEngine * app_inspect
Definition: detect.h:632
util-detect.h
detect-engine-profile.h
Flow_::sgh_toclient
const struct SigGroupHead_ * sgh_toclient
Definition: flow.h:472
DetectEngineThreadCtx_::base64_decoded_len
int base64_decoded_len
Definition: detect.h:1196
SIG_FLAG_REQUIRE_FLOWVAR
#define SIG_FLAG_REQUIRE_FLOWVAR
Definition: detect.h:252
RuleMatchCandidateTx::stream_result
uint8_t stream_result
Definition: detect.h:1047
util-profiling.h
DetectTransaction_::tx_id
const uint64_t tx_id
Definition: detect-engine-prefilter.h:33
DetectEngineLookupFlow_::udp
DetectPort * udp
Definition: detect.h:765
DetectEngineThreadCtx_::raw_stream_progress
uint64_t raw_stream_progress
Definition: detect.h:1082
FileUpdateFlowFileFlags
void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction)
set a flow's file flags
Definition: util-file.c:1119
SCReturn
#define SCReturn
Definition: util-debug.h:273
Signature_::flags
uint32_t flags
Definition: detect.h:583
AlertQueueAppend
void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t alert_flags)
Append signature to local packet alert queue for later preprocessing.
Definition: detect-engine-alert.c:283
RuleMatchCandidateTxArrayFree
void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx)
Definition: detect.c:979
AppLayerGetTxIterState
Definition: app-layer-parser.h:144
DetectTransaction_::prefilter_flags
uint64_t prefilter_flags
Definition: detect-engine-prefilter.h:37
Packet_
Definition: decode.h:429
detect-engine-build.h
AppLayerFramesGetContainer
FramesContainer * AppLayerFramesGetContainer(Flow *f)
Definition: app-layer-parser.c:183
DetectEngineThreadCtx_::frame_id
int64_t frame_id
Definition: detect.h:1130
DetectEngineAppInspectionEngine_::Callback
InspectEngineFuncPtr2 Callback
Definition: detect.h:430
APP_LAYER_TX_PREFILTER_MASK
#define APP_LAYER_TX_PREFILTER_MASK
Definition: app-layer-parser.h:84
detect-engine-alert.h
conf.h
DetectRunScratchpad::pkt_mask
SignatureMask pkt_mask
Definition: detect.c:75
FlowSetIPOnlyFlag
void FlowSetIPOnlyFlag(Flow *f, int direction)
Set the IPOnly scanned flag for 'direction'.
Definition: flow.c:159
FLOW_TOSERVER_IPONLY_SET
#define FLOW_TOSERVER_IPONLY_SET
Definition: flow.h:56
DetectEngineThreadCtx_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1091
PROF_DETECT_IPONLY
@ PROF_DETECT_IPONLY
Definition: suricata-common.h:437
RULE_PROFILING_END
#define RULE_PROFILING_END(a, b, c, p)
Definition: util-profiling.h:431
TmEcode
TmEcode
Definition: tm-threads-common.h:83
RULE_PROFILING_START
#define RULE_PROFILING_START(p)
Definition: util-profiling.h:430
PKT_STREAM_EOF
#define PKT_STREAM_EOF
Definition: decode.h:1006
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
DetectTransaction_::de_state
DetectEngineStateDirection * de_state
Definition: detect-engine-prefilter.h:35
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
detect-filestore.h
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1236
detect-replace.h
RulesDumpMatchArray
void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, const Packet *p)
Definition: detect-engine-profile.c:79
Signature_::addr_dst_match6_cnt
uint16_t addr_dst_match6_cnt
Definition: detect.h:609
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:219
SigGroupHead_::frame_engines
PrefilterEngine * frame_engines
Definition: detect.h:1445
Signature_::sp
DetectPort * sp
Definition: detect.h:623
DetectRunScratchpad::sgh
const SigGroupHead * sgh
Definition: detect.c:74
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:40
DETECT_ENGINE_STATE_FLAG_FILE_NEW
#define DETECT_ENGINE_STATE_FLAG_FILE_NEW
Definition: detect-engine-state.h:71
Flow_::flowvar
GenericVar * flowvar
Definition: flow.h:478
RuleMatchCandidateTx::flags
uint32_t * flags
Definition: detect.h:1043
DetectEngineAppInspectionEngine_::alproto
AppProto alproto
Definition: detect.h:419
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
detect-engine-analyzer.h
FLOWFILE_NO_SHA256_TC
#define FLOWFILE_NO_SHA256_TC
Definition: flow.h:136
DetectEngineStateDirection_::head
DeStateStore * head
Definition: detect-engine-state.h:84
DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES
#define DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES
Definition: detect-engine-state.h:50
DetectProto_::flags
uint8_t flags
Definition: detect-engine-proto.h:38
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1333
DETECT_PROTO_IPV4
#define DETECT_PROTO_IPV4
Definition: detect-engine-proto.h:33
app-layer-frames.h
DetectAddressMatchIPv6
int DetectAddressMatchIPv6(const DetectMatchAddressIPv6 *addrs, uint16_t addrs_cnt, const Address *a)
Match a packets address against a signatures addrs array.
Definition: detect-engine-address.c:1636
Packet_::tenant_id
uint32_t tenant_id
Definition: decode.h:631
Packet_::flow
struct Flow_ * flow
Definition: decode.h:466
DetectEngineStateResetTxs
void DetectEngineStateResetTxs(Flow *f)
Reset de state for active tx' To be used on detect engine reload.
Definition: detect-engine-state.c:269
FLOWFILE_NO_MAGIC_TC
#define FLOWFILE_NO_MAGIC_TC
Definition: flow.h:121
TH_SYN
#define TH_SYN
Definition: decode-tcp.h:35
flags
uint8_t flags
Definition: decode-gre.h:0
Signature_::proto
DetectProto proto
Definition: detect.h:601
SigGroupHead_::non_pf_other_store_array
SignatureNonPrefilterStore * non_pf_other_store_array
Definition: detect.h:1432
FLOW_TOCLIENT_IPONLY_SET
#define FLOW_TOCLIENT_IPONLY_SET
Definition: flow.h:58
SigMatchData_::is_last
uint8_t is_last
Definition: detect.h:352
suricata-common.h
SIG_FLAG_SP_ANY
#define SIG_FLAG_SP_ANY
Definition: detect.h:234
APP_LAYER_TX_RESERVED_FLAGS
#define APP_LAYER_TX_RESERVED_FLAGS
Definition: app-layer-parser.h:69
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:554
SigGroupHead_::non_pf_other_store_cnt
uint32_t non_pf_other_store_cnt
Definition: detect.h:1430
packet.h
DeStateStore_
Definition: detect-engine-state.h:78
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:77
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
DetectTransaction_
Definition: detect-engine-prefilter.h:31
SCTIME_SECS
#define SCTIME_SECS(t)
Definition: util-time.h:57
PROF_DETECT_SETUP
@ PROF_DETECT_SETUP
Definition: suricata-common.h:435
DetectEngineStateDirection_
Definition: detect-engine-state.h:83
DetectEngineThreadCtx_::frame_inspect_progress
uint64_t frame_inspect_progress
Definition: detect.h:1131
DetectEngineCtx_::profile_match_logging_threshold
uint32_t profile_match_logging_threshold
Definition: detect.h:949
AppLayerParserGetTxData
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:1199
FatalError
#define FatalError(...)
Definition: util-debug.h:502
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:295
FLOWFILE_NO_STORE_TC
#define FLOWFILE_NO_STORE_TC
Definition: flow.h:125
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
DetectEngineThreadCtx_::non_pf_id_array
SigIntId * non_pf_id_array
Definition: detect.h:1068
DetectEngineAppInspectionEngine_::progress
int16_t progress
Definition: detect.h:426
PKT_IS_ICMPV4
#define PKT_IS_ICMPV4(p)
Definition: decode.h:250
util-validate.h
DetectTransaction_::tx_ptr
void * tx_ptr
Definition: detect-engine-prefilter.h:32
Signature_::addr_src_match6_cnt
uint16_t addr_src_match6_cnt
Definition: detect.h:610
StreamReassembleRawUpdateProgress
void StreamReassembleRawUpdateProgress(TcpSession *ssn, Packet *p, const uint64_t progress)
update stream engine after detection
Definition: stream-tcp-reassemble.c:1508
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:146
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@83 v2
FLOWFILE_NO_SHA1_TS
#define FLOWFILE_NO_SHA1_TS
Definition: flow.h:131
PROF_DETECT_RULES
@ PROF_DETECT_RULES
Definition: suricata-common.h:438
DetectRunScratchpad::app_decoder_events
const bool app_decoder_events
Definition: detect.c:73
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:294
PROF_DETECT_NONMPMLIST
@ PROF_DETECT_NONMPMLIST
Definition: suricata-common.h:446
Signature_::dp
DetectPort * dp
Definition: detect.h:623
PacketAlerts_::suppressed
uint16_t suppressed
Definition: decode.h:292
PACKET_PROFILING_DETECT_START
#define PACKET_PROFILING_DETECT_START(p, id)
Definition: util-profiling.h:215
PACKET_ALERT_FLAG_FRAME
#define PACKET_ALERT_FLAG_FRAME
Definition: decode.h:284
DetectEngineThreadCtx_::non_pf_store_cnt
uint32_t non_pf_store_cnt
Definition: detect.h:1157
FLOW_SGH_TOSERVER
#define FLOW_SGH_TOSERVER
Definition: flow.h:69
DetectEngineThreadCtx_::counter_alerts
uint16_t counter_alerts
Definition: detect.h:1094
SigGroupHead_::flags
uint32_t flags
Definition: detect.h:1426
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Packet_::pkt_src
uint8_t pkt_src
Definition: decode.h:580
SGH_PROFILING_RECORD
#define SGH_PROFILING_RECORD(det_ctx, sgh)
Definition: util-profiling.h:253
PacketAlertFinalize
void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Check the threshold of the sigs that match, set actions, break on pass action This function iterate t...
Definition: detect-engine-alert.c:367
Signature_::addr_dst_match6
DetectMatchAddressIPv6 * addr_dst_match6
Definition: detect.h:614
Flow_::alstate
void * alstate
Definition: flow.h:468
Signature_::id
uint32_t id
Definition: detect.h:617
DeStateStore_::store
DeStateStoreItem store[DE_STATE_CHUNK_SIZE]
Definition: detect-engine-state.h:79
Flow_::flags
uint32_t flags
Definition: flow.h:413
RuleMatchCandidateTx::stream_reset
uint32_t stream_reset
Definition: detect.h:1049
detect-engine-iponly.h
Signature_
Signature container.
Definition: detect.h:582
IP_GET_IPPROTO
#define IP_GET_IPPROTO(p)
Definition: decode.h:258
InspectionBufferClean
void InspectionBufferClean(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine.c:1521
SignatureMask
#define SignatureMask
Definition: detect.h:300
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
TRACE_SID_TXS
#define TRACE_SID_TXS(sid, txs,...)
Definition: detect.c:1042
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:220
DetectEngineThreadCtx_::tx_id_set
bool tx_id_set
Definition: detect.h:1127
PacketDrop
void PacketDrop(Packet *p, const uint8_t action, enum PacketDropReason r)
issue drop action
Definition: packet.c:32
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:201
DetectRunScratchpad::flow_flags
const uint8_t flow_flags
Definition: detect.c:72
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1187
suricata.h
IPOnlyMatchPacket
void IPOnlyMatchPacket(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineIPOnlyCtx *io_ctx, Packet *p)
Match a packet against the IP Only detection engine contexts.
Definition: detect-engine-iponly.c:975
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:841
Packet_::dst
Address dst
Definition: decode.h:434
SigGroupHead_::non_pf_syn_store_array
SignatureNonPrefilterStore * non_pf_syn_store_array
Definition: detect.h:1434
PROF_DETECT_TX
@ PROF_DETECT_TX
Definition: suricata-common.h:439
DetectEngineAppInspectionEngine_::dir
uint8_t dir
Definition: detect.h:420
PKT_NOPACKET_INSPECTION
#define PKT_NOPACKET_INSPECTION
Definition: decode.h:992
SignatureNonPrefilterStore_::mask
SignatureMask mask
Definition: detect.h:1036
DetectRunScratchpad::alproto
const AppProto alproto
Definition: detect.c:71
DE_STATE_FLAG_FULL_INSPECT
#define DE_STATE_FLAG_FULL_INSPECT
Definition: detect-engine-state.h:56
STREAMTCP_STREAM_FLAG_DISABLE_RAW
#define STREAMTCP_STREAM_FLAG_DISABLE_RAW
Definition: stream-tcp-private.h:238
DetectEngineThreadCtx_::mt_det_ctxs_cnt
uint32_t mt_det_ctxs_cnt
Definition: detect.h:1071
AppLayerGetTxIteratorFunc
AppLayerGetTxIterTuple(* AppLayerGetTxIteratorFunc)(const uint8_t ipproto, const AppProto alproto, void *alstate, uint64_t min_tx_id, uint64_t max_tx_id, AppLayerGetTxIterState *state)
tx iterator prototype
Definition: app-layer-parser.h:153
likely
#define likely(expr)
Definition: util-optimize.h:32
IPPROTO_SCTP
#define IPPROTO_SCTP
Definition: decode.h:935
DE_STATE_FLAG_FILE_INSPECT
#define DE_STATE_FLAG_FILE_INSPECT
Definition: detect-engine-state.h:61
FLOW_NOPACKET_INSPECTION
#define FLOW_NOPACKET_INSPECTION
Definition: flow.h:61
DetectEngineCtx_::io_ctx
DetectEngineIPOnlyCtx io_ctx
Definition: detect.h:871
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:376
Signature_::addr_dst_match4
DetectMatchAddressIPv4 * addr_dst_match4
Definition: detect.h:611
FlowGetDisruptionFlags
uint8_t FlowGetDisruptionFlags(const Flow *f, uint8_t flags)
get 'disruption' flags: GAP/DEPTH/PASS
Definition: flow.c:1151
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Signature_::addr_src_match4_cnt
uint16_t addr_src_match4_cnt
Definition: detect.h:608
SigIntId
#define SigIntId
Definition: suricata-common.h:310
DeStateStoreItem_
Definition: detect-engine-state.h:73
GenericVarFree
void GenericVarFree(GenericVar *gv)
Definition: util-var.c:47
Signature_::addr_dst_match4_cnt
uint16_t addr_dst_match4_cnt
Definition: detect.h:607
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
Packet_::dp
Port dp
Definition: decode.h:444
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SIG_GROUP_HEAD_HAVEFILESHA256
#define SIG_GROUP_HEAD_HAVEFILESHA256
Definition: detect.h:1304
SigGroupHead_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1438
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1120
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:246
PACKET_ALERT_FLAG_STATE_MATCH
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:276
AppLayerParserHasDecoderEvents
bool AppLayerParserHasDecoderEvents(AppLayerParserState *pstate)
Definition: app-layer-parser.c:1531
DetectEngineLookupFlow_::tcp
DetectPort * tcp
Definition: detect.h:764
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:104
DetectTransaction_::detect_flags
const uint64_t detect_flags
Definition: detect-engine-prefilter.h:36
PKT_DROP_REASON_FLOW_DROP
@ PKT_DROP_REASON_FLOW_DROP
Definition: decode.h:397
detect-engine-address.h
Flow_::tenant_id
uint32_t tenant_id
Definition: flow.h:408
Packet_::src
Address src
Definition: decode.h:433
DetectEngineThreadCtx_::counter_mpm_list
uint16_t counter_mpm_list
Definition: detect.h:1100
SigMatchSignaturesGetSgh
const SigGroupHead * SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx, const Packet *p)
Get the SigGroupHead for a packet.
Definition: detect.c:201
DetectRunPrefilterTx
void DetectRunPrefilterTx(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const uint8_t ipproto, const uint8_t flow_flags, const AppProto alproto, void *alstate, DetectTransaction *tx)
run prefilter engines on a transaction
Definition: detect-engine-prefilter.c:93
RuleMatchCandidateTxArrayInit
void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size)
Definition: detect.c:966
SIG_FLAG_DP_ANY
#define SIG_FLAG_DP_ANY
Definition: detect.h:235
DetectPortLookupGroup
DetectPort * DetectPortLookupGroup(DetectPort *dp, uint16_t port)
Function that find the group matching address in a group head.
Definition: detect-engine-port.c:677
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1004
detect-engine-threshold.h
Signature_::mask
SignatureMask mask
Definition: detect.h:593
app-layer.h
RuleMatchCandidateTx
Definition: detect.h:1041
DetectEngineThreadCtx_::TenantGetId
uint32_t(* TenantGetId)(const void *, const Packet *p)
Definition: detect.h:1078
PrefilterRuleStore_::rule_id_array
SigIntId * rule_id_array
Definition: util-prefilter.h:38
PacketEngineEvents_::cnt
uint8_t cnt
Definition: decode.h:309
Flow_::de_ctx_version
uint32_t de_ctx_version
Definition: flow.h:456
DetectRunFrameInspectRule
int DetectRunFrameInspectRule(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, const Frames *frames, const Frame *frame)
Definition: detect-engine-frame.c:227
DetectProtoContainsProto
int DetectProtoContainsProto(const DetectProto *dp, int proto)
see if a DetectProto contains a certain proto
Definition: detect-engine-proto.c:135
DetectEngineThreadCtx_::match_array
Signature ** match_array
Definition: detect.h:1146