1 /* Copyright (C) 2007-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #ifndef __DETECT_H__
25 #define __DETECT_H__
26 
27 #include "suricata-common.h"
28 
29 #include "flow.h"
30 
31 #include "detect-engine-proto.h"
32 #include "detect-reference.h"
33 #include "detect-metadata.h"
34 #include "detect-engine-register.h"
35 #include "packet-queue.h"
36 
37 #include "util-prefilter.h"
38 #include "util-mpm.h"
39 #include "util-spm.h"
40 #include "util-hash.h"
41 #include "util-hashlist.h"
42 #include "util-debug.h"
43 #include "util-error.h"
44 #include "util-radix-tree.h"
45 #include "util-file.h"
46 #include "reputation.h"
47 
48 #include "detect-mark.h"
49 
50 #include "stream.h"
51 
52 #include "util-var-name.h"
53 
54 #include "app-layer-events.h"
55 
56 #define DETECT_MAX_RULE_SIZE 8192 /**< upper bound, in bytes, on the text of a single rule. Presumably sizes the line buffer used while reading rule files; any such reader must bound its reads by this value -- TODO confirm against the rule loader */
57 
58 #define DETECT_TRANSFORMS_MAX 16 /**< max transforms per sticky buffer. Bounds the transforms[] arrays in DetectEngineTransforms and SignatureInitData, so their counters must never exceed it */
59 
60 /* forward declarations for the structures from detect-engine-sigorder.h */
61 struct SCSigOrderFunc_;
63 
64 /*
65  The detection engine groups similar signatures/rules together. Internally a
66  tree of different types of data is created on initialization. This is its
67  global layout:
68 
69  For TCP/UDP
70 
71  - Flow direction
72  -- Protocol
73  -=- Dst port
74 
75  For the other protocols
76 
77  - Flow direction
78  -- Protocol
79 */
80 
81 /* holds the values for different possible lists in struct Signature.
82  * These codes are access points to particular lists in the array
83  * Signature->sm_lists[DETECT_SM_LIST_MAX]. */
87 
88  /* base64_data keyword uses some hardcoded logic so consider
89  * built-in
90  * TODO convert to inspect engine */
92 
93  /* list for post match actions: flowbit set, flowint increment, etc */
95 
96  DETECT_SM_LIST_TMATCH, /**< post-detection tagging */
97 
98  /* lists for alert thresholding and suppression */
101 
103 
104  /* start of dynamically registered lists */
106 };
107 
108 /* used for Signature->list, which indicates which list
109  * we're adding keywords to in cases of sticky buffers like
110  * file_data */
111 #define DETECT_SM_LIST_NOTSET INT_MAX
112 
113 /*
114  * DETECT ADDRESS
115  */
116 
117 /* a is ... than b: result of comparing address range a against range b.
 * ADDRESS_ER is the only negative value; callers must test for it before
 * treating the result as an ordering. */
118 enum {
119  ADDRESS_ER = -1, /**< error e.g. compare ipv4 and ipv6 */
120  ADDRESS_LT, /**< smaller [aaa] [bbb] */
121  ADDRESS_LE, /**< smaller with overlap [aa[bab]bb] */
122  ADDRESS_EQ, /**< exactly equal [abababab] */
123  ADDRESS_ES, /**< within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]] */
124  ADDRESS_EB, /**< completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]] */
125  ADDRESS_GE, /**< bigger with overlap [bb[aba]aa] */
126  ADDRESS_GT, /**< bigger [bbb] [aaa] */
127 };
128 
129 #define ADDRESS_FLAG_NOT 0x01 /**< address is negated */
130 
131 /** \brief address structure for use in the detection engine.
132  *
133  * Contains the address information and matching information.
134  */
135 typedef struct DetectAddress_ {
136  /** address data for this group (field not visible in this rendering) */
139 
140  /** flags affecting this address. ADDRESS_FLAG_NOT (negated address) is
 * the only flag defined in this header for the field. */
141  uint8_t flags;
142 
143  /** ptr to the previous address in the list */
145  /** ptr to the next address in the list */
147 } DetectAddress;
148 
149 /** Address grouping head. IPv4 and IPv6 are split out */
150 typedef struct DetectAddressHead_ {
154 
155 
156 typedef struct DetectMatchAddressIPv4_ {
157  uint32_t ip; /**< address in host order, start of range */
158  uint32_t ip2; /**< address in host order, end of range */
160 
161 typedef struct DetectMatchAddressIPv6_ {
162  uint32_t ip[4];
163  uint32_t ip2[4];
165 
166 /*
167  * DETECT PORT
168  */
169 
170 /* a is ... than b: result of comparing port range a against range b.
 * Same scheme as the ADDRESS_* enum above; PORT_ER is the only negative
 * value and must be checked for before the result is used as an ordering. */
171 enum {
172  PORT_ER = -1, /* error. The "compare ipv4 and ipv6" example this comment used to carry was copied from the address enum; ports have no address family, so treat this as a generic invalid-input sentinel -- TODO confirm when the port compare actually returns it */
173  PORT_LT, /* smaller [aaa] [bbb] */
174  PORT_LE, /* smaller with overlap [aa[bab]bb] */
175  PORT_EQ, /* exactly equal [abababab] */
176  PORT_ES, /* within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]] */
177  PORT_EB, /* completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]] */
178  PORT_GE, /* bigger with overlap [bb[aba]aa] */
179  PORT_GT, /* bigger [bbb] [aaa] */
180 };
181 
182 #define PORT_FLAG_ANY 0x01 /**< 'any' special port */
183 #define PORT_FLAG_NOT 0x02 /**< negated port */
184 #define PORT_SIGGROUPHEAD_COPY 0x04 /**< sgh is a ptr copy */
185 
186 /** \brief Port structure for detection engine */
187 typedef struct DetectPort_ {
188  uint16_t port; /**< presumably start of the port range, mirroring DetectMatchAddressIPv4::ip -- TODO confirm */
189  uint16_t port2; /**< presumably end of the range (inclusive) -- TODO confirm */
190 
191  uint8_t flags; /**< PORT_FLAG_ANY, PORT_FLAG_NOT, PORT_SIGGROUPHEAD_COPY */
192 
193  /* signatures that belong in this group
194  *
195  * If the PORT_SIGGROUPHEAD_COPY flag is set, we don't own this pointer
196  * (memory is freed elsewhere). Code that tears a port list down must
 * therefore test the flag before freeing sh, or the shared group head
 * gets freed twice.
197  */
198  struct SigGroupHead_ *sh;
199 
200  struct DetectPort_ *prev; /**< doubly linked list of ports */
201  struct DetectPort_ *next;
202 } DetectPort;
203 
204 /* Signature flags */
205 /** \note: additions should be added to the rule analyzer as well */
/* These live in Signature::flags (uint32_t). Bits 8, 13-16 and 27-31 are
 * currently unused; SIG_FLAG_INIT_* below is a separate namespace stored in
 * SignatureInitData::init_flags and must not be mixed with these. */
206 
207 #define SIG_FLAG_SRC_ANY BIT_U32(0) /**< source is any */
208 #define SIG_FLAG_DST_ANY BIT_U32(1) /**< destination is any */
209 #define SIG_FLAG_SP_ANY BIT_U32(2) /**< source port is any */
210 #define SIG_FLAG_DP_ANY BIT_U32(3) /**< destination port is any */
211 
212 #define SIG_FLAG_NOALERT BIT_U32(4) /**< no alert flag is set */
213 #define SIG_FLAG_DSIZE BIT_U32(5) /**< signature has a dsize setting */
214 #define SIG_FLAG_APPLAYER BIT_U32(6) /**< signature applies to app layer instead of packets */
215 #define SIG_FLAG_IPONLY BIT_U32(7) /**< ip only signature */
216 
217 // vacancy
218 
219 #define SIG_FLAG_REQUIRE_PACKET BIT_U32(9) /**< signature is requiring packet match */
220 #define SIG_FLAG_REQUIRE_STREAM BIT_U32(10) /**< signature is requiring stream match */
221 
222 #define SIG_FLAG_MPM_NEG BIT_U32(11) /**< presumably: the sig's mpm/fast pattern is a negated content -- TODO confirm */
223 
224 #define SIG_FLAG_FLUSH BIT_U32(12) /**< detection logic needs stream flush notification */
225 
226 // vacancies
227 
228 #define SIG_FLAG_REQUIRE_FLOWVAR BIT_U32(17) /**< signature can only match if a flowbit, flowvar or flowint is available. */
229 
230 #define SIG_FLAG_FILESTORE BIT_U32(18) /**< signature has filestore keyword */
231 
232 #define SIG_FLAG_TOSERVER BIT_U32(19) /**< direction flags; DetectBufferMpmRegistery::direction and SigGroupHeadInitData::direction hold exactly these */
233 #define SIG_FLAG_TOCLIENT BIT_U32(20)
234 
235 #define SIG_FLAG_TLSSTORE BIT_U32(21) /**< presumably set by the tls_store keyword -- TODO confirm */
236 
237 #define SIG_FLAG_BYPASS BIT_U32(22) /**< presumably set by the bypass keyword -- TODO confirm */
238 
239 #define SIG_FLAG_PREFILTER BIT_U32(23) /**< sig is part of a prefilter engine */
240 
241 /** Proto detect only signature.
242  * Inspected once per direction when protocol detection is done. */
243 #define SIG_FLAG_PDONLY BIT_U32(24)
244 /** Info for Source and Target identification */
245 #define SIG_FLAG_SRC_IS_TARGET BIT_U32(25)
246 /** Info for Source and Target identification */
247 #define SIG_FLAG_DEST_IS_TARGET BIT_U32(26)
248 
249 #define SIG_FLAG_HAS_TARGET (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET) /**< either target bit set */
250 
251 /* signature init flags: stored in SignatureInitData::init_flags (uint32_t),
 * only meaningful while a rule is being parsed/set up. Not the same
 * namespace as SIG_FLAG_* in Signature::flags. */
252 #define SIG_FLAG_INIT_DEONLY (1<<0) /**< decode event only signature */
253 #define SIG_FLAG_INIT_PACKET (1<<1) /**< signature has matches against a packet (as opposed to app layer) */
254 #define SIG_FLAG_INIT_FLOW (1<<2) /**< signature has a flow setting */
255 #define SIG_FLAG_INIT_BIDIREC (1<<3) /**< signature has bidirectional operator */
256 #define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN (1<<4) /**< signature has seen the first ip_proto keyword */
257 #define SIG_FLAG_INIT_HAS_TRANSFORM (1<<5) /**< presumably: a transform was applied to one of the sig's buffers (see SignatureInitData::transforms) -- TODO confirm */
258 #define SIG_FLAG_INIT_STATE_MATCH (1<<6) /**< signature has matches that require stateful inspection */
259 #define SIG_FLAG_INIT_NEED_FLUSH (1<<7) /**< presumably the init-time counterpart of SIG_FLAG_FLUSH -- TODO confirm how it maps */
260 
261 /* signature mask flags */
262 /** \note: additions should be added to the rule analyzer as well */
/* Prerequisite bits a packet must satisfy for the sig to be worth
 * inspecting. They are sized for SignatureMask (uint8_t) below: bit 7 is
 * already the top bit, bit 6 is the only vacancy left. A ninth mask requires
 * widening SignatureMask and switching every BIT_U8 here to a wider macro. */
263 #define SIG_MASK_REQUIRE_PAYLOAD BIT_U8(0)
264 #define SIG_MASK_REQUIRE_FLOW BIT_U8(1)
265 #define SIG_MASK_REQUIRE_FLAGS_INITDEINIT BIT_U8(2) /* SYN, FIN, RST */
266 #define SIG_MASK_REQUIRE_FLAGS_UNUSUAL BIT_U8(3) /* URG, ECN, CWR */
267 #define SIG_MASK_REQUIRE_NO_PAYLOAD BIT_U8(4)
268 #define SIG_MASK_REQUIRE_DCERPC BIT_U8(5) /* require either SMB+DCE or raw DCE */
269 // vacancy
270 #define SIG_MASK_REQUIRE_ENGINE_EVENT BIT_U8(7)
271 
272 /* for now a uint8_t is enough: all eight bits are accounted for above */
273 #define SignatureMask uint8_t
274 
275 #define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH 0x0004
276 
/* What a file-matching signature needs from the file tracker. All eight bits
 * of a uint8_t are used; presumably stored in Signature::file_flags
 * (also uint8_t) -- TODO confirm. A ninth flag requires widening that field. */
277 #define FILE_SIG_NEED_FILE 0x01
278 #define FILE_SIG_NEED_FILENAME 0x02
279 #define FILE_SIG_NEED_MAGIC 0x04 /**< need the start of the file */
280 #define FILE_SIG_NEED_FILECONTENT 0x08
281 #define FILE_SIG_NEED_MD5 0x10
282 #define FILE_SIG_NEED_SHA1 0x20
283 #define FILE_SIG_NEED_SHA256 0x40
284 #define FILE_SIG_NEED_SIZE 0x80
285 
286 /* Detection Engine flags */
287 #define DE_QUIET 0x01 /**< DE is quiet (esp for unittests) */
288 
289 typedef struct IPOnlyCIDRItem_ {
290  /* address data for this item */
291  uint8_t family;
292  /* netmask in CIDR values (ex. /16 /18 /24..) */
293  uint8_t netmask;
294  /* If this host or net is negated for the signum */
295  uint8_t negated;
296 
297  uint32_t ip[4];
298  SigIntId signum; /**< our internal id */
299 
300  /* linked list, the header should be the biggest network */
302 
304 
305 /** \brief Used to start a pointer to SigMatch context
306  * Should never be dereferenced without casting to something else.
307  */
308 typedef struct SigMatchCtx_ {
309  int foo; /**< placeholder so the type is complete and non-empty in C; not meant to be accessed */
310 } SigMatchCtx;
311 
312 /** \brief a single match condition for a signature */
313 typedef struct SigMatch_ {
314  uint8_t type; /**< match type: index into the keyword table (SigTableElmt). The table has DETECT_TBLSIZE entries (see sm_types_prefilter[DETECT_TBLSIZE]); a uint8_t caps usable ids at 256, so if DETECT_TBLSIZE ever exceeds that, this field and SigMatchData::type must be widened -- TODO confirm the current DETECT_TBLSIZE */
315  uint16_t idx; /**< position in the signature, assigned from SignatureInitData::sm_cnt */
316  SigMatchCtx *ctx; /**< plugin specific data; presumably released through the keyword's SigTableElmt::Free -- TODO confirm */
317  struct SigMatch_ *next; /**< doubly linked list used at parse/init time */
318  struct SigMatch_ *prev;
319 } SigMatch;
320 
321 /** \brief Data needed for Match() */
322 typedef struct SigMatchData_ {
323  uint8_t type; /**< match type */
324  uint8_t is_last; /**< Last element of the list */
325  SigMatchCtx *ctx; /**< plugin specific data */
326 } SigMatchData;
327 
328 struct DetectEngineThreadCtx_;// DetectEngineThreadCtx;
329 
330 /* inspection buffer is a simple structure that is passed between prefilter,
331  * transformation functions and inspection functions.
332  * Initially set up with the 'orig' ptr and len; transformations can then take
333  * them and fill 'buf'. Multiple transformations can update the buffer,
334  * both growing and shrinking it.
335  * Prefilter and inspection will only deal with 'inspect'. */
336 
337 typedef struct InspectionBuffer {
338  const uint8_t *inspect; /**< active pointer, points either to ::buf or ::orig */
339  uint64_t inspect_offset;
340  uint32_t inspect_len; /**< size of active data. See to ::len or ::orig_len */
341  uint8_t flags; /**< DETECT_CI_FLAGS_* for use with DetectEngineContentInspection */
342 
343  uint32_t len; /**< how much is in use */
344  uint8_t *buf;
345  uint32_t size; /**< size of the memory allocation */
346 
347  uint32_t orig_len;
348  const uint8_t *orig;
350 
351 /* inspection buffers are kept per tx (in det_ctx), but some protocols
352  * need a bit more. A single TX might have multiple buffers, e.g. files in
353  * SMTP or DNS queries. Since all prefilters and transforms run before the
354  * individual rules, and the rules need the same buffers, we need a place to
355  * store the transformed data. This array of arrays is that place. */
356 
359  uint32_t size; /**< size in number of elements */
360  uint32_t max:31; /**< max id in use in this run */
361  uint32_t init:1; /**< first time used this run. Used for clean logic */
363 
364 typedef struct DetectEngineTransforms {
365  int transforms[DETECT_TRANSFORMS_MAX];
366  int cnt;
368 
369 /** callback for getting the buffer we need to prefilter/inspect.
 * Returns the InspectionBuffer for list_id of transaction txv with the
 * given transforms applied. Presumably returns NULL when the tx has no
 * such data (yet), so callers must check before dereferencing -- TODO
 * confirm. flow_flags presumably carries the inspection direction. */
370 typedef InspectionBuffer *(*InspectionBufferGetDataPtr)(
371  struct DetectEngineThreadCtx_ *det_ctx,
372  const DetectEngineTransforms *transforms,
373  Flow *f, const uint8_t flow_flags,
374  void *txv, const int list_id);
375 
377  struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx,
378  const struct Signature_ *sig, const SigMatchData *smd,
379  Flow *f, uint8_t flags, void *alstate,
380  void *tx, uint64_t tx_id);
381 
383 
/** v2 app-layer inspect engine callback. Unlike the v1 callback above it
 * receives the engine itself instead of a SigMatchData list. Return codes
 * are not stated here; presumably the 0/1/2/3 scheme documented on
 * DetectEngineAppInspectionEngine (0 no match yet, 1 match, 2 can't match,
 * 3 filestore special) -- TODO confirm against the callers. */
384 typedef int (*InspectEngineFuncPtr2)(
385  struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx,
386  const struct DetectEngineAppInspectionEngine_ *engine,
387  const struct Signature_ *s,
388  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
389 
392  uint8_t dir;
393  uint8_t id; /**< per sig id used in state keeping */
394  uint16_t mpm:1;
395  uint16_t stream:1;
396  uint16_t sm_list:14;
397  int16_t progress;
398 
399  /* \retval 0 No match. Don't discontinue matching yet. We need more data.
400  * 1 Match.
401  * 2 Sig can't match.
402  * 3 Special value used by filestore sigs to indicate disabling
403  * filestore for the tx.
404  */
406 
407  struct {
410  /** pointer to the transforms in the 'DetectBuffer entry for this list */
412  } v2;
413 
415 
418 
419 typedef struct DetectBufferType_ {
420  const char *string;
421  const char *description;
422  int id;
424  _Bool mpm;
425  _Bool packet; /**< compat to packet matches */
427  void (*SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *);
428  bool (*ValidateCallback)(const struct Signature_ *, const char **sigerror);
431 
433 
434 /**
435  * \param alert_flags[out] for setting PACKET_ALERT_FLAG_*
436  */
438  struct DetectEngineThreadCtx_ *,
439  const struct DetectEnginePktInspectionEngine *engine,
440  const struct Signature_ *s,
441  Packet *p, uint8_t *alert_flags);
442 
443 /** callback for getting the buffer we need to prefilter/inspect.
 * Packet-level counterpart of InspectionBufferGetDataPtr: returns the
 * buffer for list_id of packet p with transforms applied. Presumably NULL
 * when the packet has no such data, so callers must check -- TODO confirm. */
444 typedef InspectionBuffer *(*InspectionBufferGetPktDataPtr)(
445  struct DetectEngineThreadCtx_ *det_ctx,
446  const DetectEngineTransforms *transforms,
447  Packet *p, const int list_id);
448 
451  uint16_t mpm:1;
452  uint16_t sm_list:15;
453  struct {
456  /** pointer to the transforms in the 'DetectBuffer entry for this list */
458  } v1;
461 
462 #ifdef UNITTESTS
/* Compatibility shim for old unit tests: lets them write s->sm_lists[...]
 * against SignatureInitData::smlists / smlists_tail. These are bare
 * identifier macros, so in a UNITTESTS build every other token spelled
 * sm_lists or sm_lists_tail in the translation unit is rewritten as well --
 * do not reuse these names for anything else. */
463 #define sm_lists init_data->smlists
464 #define sm_lists_tail init_data->smlists_tail
465 #endif
466 
467 typedef struct SignatureInitData_ {
468  /** Number of sigmatches. Used for assigning SigMatch::idx */
469  uint16_t sm_cnt;
470 
471  /** option was prefixed with '!'. Only set for sigmatches that
472  * have the SIGMATCH_HANDLE_NEGATION flag set. */
473  bool negated;
474 
475  /* track if we saw any negation in the addresses. If so, we
476  * skip it for ip-only */
479 
480  /* used to hold flags that are used during init */
481  uint32_t init_flags;
482  /* coccinelle: SignatureInitData:init_flags:SIG_FLAG_INIT_ */
483 
484  /* used at init to determine max dsize */
486 
487  /* the fast pattern added from this signature */
489  /* used to speed up init of prefilter */
491 
492  /* SigMatch list used for adding content and friends. E.g. file_data; */
493  int list;
494  bool list_set;
495 
496  int transforms[DETECT_TRANSFORMS_MAX];
498 
499  /** score to influence rule grouping. A higher value leads to a higher
500  * likelihood of a rulegroup with this sig ending up as a contained
501  * group. */
503 
504  /** address settings for this signature */
506 
508 
510  /* holds all sm lists */
511  struct SigMatch_ **smlists;
512  /* holds all sm lists' tails */
515 
516 /** \brief Signature container.
 * One parsed rule. Filled in through SignatureInitData while parsing; the
 * match callbacks in SigTableElmt take it as const afterwards. Several
 * fields are not visible in this rendering of the header. */
517 typedef struct Signature_ {
518  uint32_t flags; /**< SIG_FLAG_* bits */
519  /* coccinelle: Signature:flags:SIG_FLAG_ */
520 
522 
523  uint16_t dsize_low; /**< dsize range; presumably only meaningful when SIG_FLAG_DSIZE is set -- TODO confirm */
524  uint16_t dsize_high;
525 
527  SigIntId num; /**< signature number, internal id */
528 
529  /** inline -- action */
530  uint8_t action;
531  uint8_t file_flags; /**< presumably FILE_SIG_NEED_* bits -- TODO confirm */
532 
533  /** addresses, ports and proto this sig matches on */
535 
536  /** classification id **/
537  uint8_t class; /* NOTE(review): 'class' is a C++ keyword; fine for C, but this header cannot be included from C++ as written */
538 
539  /** ipv4 match arrays */
546  /** ipv6 match arrays */
549 
550  uint32_t id; /**< sid, set by the 'sid' rule keyword */
551  uint32_t gid; /**< generator id */
552  uint32_t rev; /**< revision (presumably from the 'rev' keyword) */
553  int prio; /**< priority (presumably from the 'priority' keyword) */
554 
555  /** port settings for this signature */
556  DetectPort *sp, *dp; /**< source / destination port lists; SIG_FLAG_SP_ANY / SIG_FLAG_DP_ANY record the 'any' case */
557 
558 #ifdef PROFILING
559  uint16_t profiling_id;
560 #endif
561 
562  /** netblocks and hosts specified at the sid, in CIDR format */
564 
567 
568  /* Matching structures for the built-ins. The others are in
569  * their inspect engines. */
571 
572  /* memory is still owned by the sm_lists/sm_arrays entry */
574 
575  char *msg; /**< alert message. Ownership of msg, class_msg and sig_str is not visible here; presumably heap copies released with the signature -- TODO confirm */
576 
577  /** classification message */
578  char *class_msg;
579  /** Reference */
581  /** Metadata */
583 
584  char *sig_str; /**< the rule text as loaded */
585 
587 
588  /** ptr to the next sig in the list */
589  struct Signature_ *next;
590 } Signature;
591 
595  /* must be last */
597 };
598 
599 /** \brief one time registration of keywords at start up */
601  const char *name;
602  char pname[32]; /**< name used in profiling */
603  int direction; /**< SIG_FLAG_TOSERVER or SIG_FLAG_TOCLIENT */
604  int sm_list;
605  int priority;
606  int id; /**< index into this array and result arrays */
609 
610  int (*PrefilterRegisterWithListId)(struct DetectEngineCtx_ *de_ctx,
611  struct SigGroupHead_ *sgh, MpmCtx *mpm_ctx,
612  const struct DetectBufferMpmRegistery_ *mpm_reg, int list_id);
614 
615  union {
616  /* app-layer matching: use if type == DETECT_BUFFER_MPM_TYPE_APP */
617  struct {
621  } app_v2;
622 
623  /* pkt matching: use if type == DETECT_BUFFER_MPM_TYPE_PKT */
624  struct {
625  int (*PrefilterRegisterWithListId)(struct DetectEngineCtx_ *de_ctx,
626  struct SigGroupHead_ *sgh, MpmCtx *mpm_ctx,
627  const struct DetectBufferMpmRegistery_ *mpm_reg, int list_id);
629  } pkt_v1;
630  };
631 
634 
635 typedef struct DetectReplaceList_ {
637  uint8_t *found;
640 
641 /** only execute flowvar storage if rule matched.
 * Values for DetectVarList::type. That field's comment also mentions an
 * "ALWAYS" type, for which no constant is defined here -- presumably 0 /
 * the default, TODO confirm. */
642 #define DETECT_VAR_TYPE_FLOW_POSTMATCH 1
643 #define DETECT_VAR_TYPE_PKT_POSTMATCH 2
644 
645 /** list for flowvar store candidates, to be stored from
646  * post-match function */
647 typedef struct DetectVarList_ {
648  uint32_t idx; /**< flowvar name idx */
649  uint16_t len; /**< data len; a uint16_t, so captured data is limited to 65535 bytes and the writer must clamp before storing */
650  uint16_t key_len; /**< length of key, same bound */
651  int type; /**< type of store candidate POSTMATCH or ALWAYS; see DETECT_VAR_TYPE_* */
652  uint8_t *key;
653  uint8_t *buffer; /**< alloc'd buffer, may be freed by
654  post-match, post-non-match. Ownership passes to that handler; keep no aliases to it */
656 } DetectVarList;
657 
659  uint8_t *sig_match_array; /* bit array of sig nums */
660  uint32_t sig_match_size; /* size in bytes of the array */
662 
663 /** \brief IP only rules matching ctx. */
664 typedef struct DetectEngineIPOnlyCtx_ {
665  /* lookup hashes */
666  HashListTable *ht16_src, *ht16_dst;
667  HashListTable *ht24_src, *ht24_dst;
668 
669  /* Lookup trees */
670  SCRadixTree *tree_ipv4src, *tree_ipv4dst;
671  SCRadixTree *tree_ipv6src, *tree_ipv6dst;
672 
673  /* Used to build the radix trees */
675 
676  /* counters */
677  uint32_t a_src_uniq16, a_src_total16;
678  uint32_t a_dst_uniq16, a_dst_total16;
679  uint32_t a_src_uniq24, a_src_total24;
680  uint32_t a_dst_uniq24, a_dst_total24;
681 
682  uint32_t max_idx;
683 
684  uint8_t *sig_init_array; /* bit array of sig nums */
685  uint32_t sig_init_size; /* size in bytes of the array */
686 
687  /* number of sigs in this head */
688  uint32_t sig_cnt;
689  uint32_t *match_array;
691 
692 typedef struct DetectEngineLookupFlow_ {
695  struct SigGroupHead_ *sgh[256];
697 
698 #include "detect-threshold.h"
699 
700 /** \brief threshold ctx */
701 typedef struct ThresholdCtx_ {
702  SCMutex threshold_table_lock; /**< Mutex for hash table (the table itself is not visible in this rendering); hold it for every access from the detection threads */
703 
704  /** to support rate_filter "by_rule" option */
706  uint32_t th_size; /**< size of the by-rule array declared on the preceding (not visible) line -- TODO confirm */
707 } ThresholdCtx;
708 
/** A rule that failed to load, queued on SigFileLoaderStat::failed_sigs. */
709 typedef struct SigString_ {
710  char *filename; /**< rule file the signature came from */
711  char *sig_str; /**< the offending rule text */
712  char *sig_error; /**< parser error message */
713  int line; /**< line number within filename */
715 } SigString;
716 
717 /** \brief Signature loader statistics */
718 typedef struct SigFileLoaderStat_ {
719  TAILQ_HEAD(, SigString_) failed_sigs;
725 
727  void *(*InitFunc)(void *);
728  void (*FreeFunc)(void *);
729  void *data;
731  int id;
732  const char *name; /* keyword name, for error printing */
734 
736 {
737  DETECT_PREFILTER_MPM = 0, /**< use only mpm / fast_pattern */
738  DETECT_PREFILTER_AUTO = 1, /**< use mpm + keyword prefilters */
739 };
740 
742 {
744  DETECT_ENGINE_TYPE_DD_STUB = 1, /* delayed detect stub: can be reloaded */
745  DETECT_ENGINE_TYPE_MT_STUB = 2, /* multi-tenant stub: cannot be reloaded */
747 };
748 
749 /* Flow states:
750  * toserver
751  * toclient
752  */
753 #define FLOW_STATES 2
754 
755 /** \brief main detection engine ctx */
756 typedef struct DetectEngineCtx_ {
757  uint8_t flags;
759 
761 
763  uint32_t sig_cnt;
764 
765  /* version of the srep data */
766  uint32_t srep_version;
767 
768  /* reputation for netblocks */
770 
772  uint32_t sig_array_size; /* size in bytes */
773  uint32_t sig_array_len; /* size in array members */
774 
775  uint32_t signum;
776 
777  /** Maximum value of all our sgh's non_mpm_store_cnt setting,
778  * used to alloc det_ctx::non_mpm_id_array */
780 
781  /* used by the signature ordering module */
783 
784  /* hash table used for holding the classification config info */
786  /* hash table used for holding the reference config info */
788 
789  /* main sigs */
791 
792  uint32_t gh_unique, gh_reuse;
793 
794  /* init phase vars */
796 
798 
799  /* hash table used to cull out duplicate sigs */
801 
804 
805  uint16_t mpm_matcher; /**< mpm matcher this ctx uses */
806  uint16_t spm_matcher; /**< spm matcher this ctx uses */
807 
808  /* spm thread context prototype, built as spm matchers are constructed and
809  * later used to construct thread context for each thread. */
811 
812  /* Config options */
813 
816 
817  /* specify the configuration for mpm context factory */
819 
820  /* max flowbit id that is used */
821  uint32_t max_fb_id;
822 
823  uint32_t max_fp_id;
824 
826 
827  /* maximum recursion depth for content inspection */
829 
830  /* conf parameter that limits the length of the http request body inspected */
832  /* conf parameter that limits the length of the http response body inspected */
834 
835  /* array containing all sgh's in use so we can loop
836  * through it in Stage4. */
838  uint32_t sgh_array_cnt;
839  uint32_t sgh_array_size;
840 
845 
846  /* the max local id used amongst all sigs */
848 
849  /** version of the detect engine */
850  uint32_t version;
851 
852  /** sgh for signatures that match against invalid packets. In those cases
853  * we can't lookup by proto, address, port as we don't have these */
855 
856  /* Maximum size of the buffer for decoded base64 data. */
858 
859  /** Store rule file and line so that parsers can use them in errors. */
860  char *rule_file;
862  const char *sigerror;
863 
864  /** list of keywords that need thread local ctxs */
867 
868  struct {
869  uint32_t content_limit;
872  } filedata_config[ALPROTO_MAX];
874 
875 #ifdef PROFILING
882 #endif
883  uint32_t prefilter_maxid;
884 
885  char config_prefix[64];
886 
888 
889  /** how many de_ctx' are referencing this */
890  uint32_t ref_cnt;
891  /** list in master: either active or freelist */
893 
894  /** id of loader thread 'owning' this de_ctx */
896 
897  /** are we using just mpm or also other prefilters */
899 
901 
904 
905  /** table for storing the string representation with the parsers result */
907 
908  /** table to store metadata keys and values */
910 
913 
914  /* hash table with rule-time buffer registration. Start time registration
915  * is in detect-engine.c::g_buffer_type_hash */
918 
919  /* list with app inspect engines. Both the start-time registered ones and
920  * the rule-time registered ones. */
927 
928  uint32_t prefilter_id;
930 
931  /** time of last ruleset reload */
932  struct timeval last_reload;
933 
934  /** signatures stats */
936 
937  /** per keyword flag indicating if a prefilter has been
938  * set for it. If true, the setup function will have to
939  * run. */
940  bool sm_types_prefilter[DETECT_TBLSIZE];
941 
943 
944 /* Engine groups profiles (low, medium, high, custom) */
945 enum {
952 };
953 
954 /* Siggroup mpm context profile */
955 enum {
959 };
960 
961 typedef struct HttpReassembledBody_ {
962  const uint8_t *buffer;
964  uint32_t buffer_size; /**< size of the buffer itself */
965  uint32_t buffer_len; /**< data len in the buffer */
967  uint64_t offset; /**< data offset */
969 
970 #define DETECT_FILESTORE_MAX 15 /**< number of slots in DetectEngineThreadCtx::filestore[]; filestore_cnt must be checked against this before another entry is written */
971 
975  uint8_t alproto;
977 
978 /** array of TX inspect rule candidates */
979 typedef struct RuleMatchCandidateTx {
980  SigIntId id; /**< internal signature id */
981  uint32_t *flags; /**< inspect flags ptr */
982  union {
983  struct {
985  uint8_t stream_result;
986  };
987  uint32_t stream_reset;
988  };
989 
990  const Signature *s; /**< ptr to sig */
992 
993 /**
994  * Detection engine thread data.
995  */
996 typedef struct DetectEngineThreadCtx_ {
997  /** \note multi-tenant hash lookup code from Detect() *depends*
998  * on this being the first member */
999  uint32_t tenant_id;
1000 
1001  /** ticker that is incremented once per packet. */
1002  uint64_t ticker;
1003 
1004  /* the thread to which this detection engine thread belongs */
1006 
1008  uint32_t non_pf_id_cnt; // size is cnt * sizeof(uint32_t)
1009 
1013 
1016 
1017  uint32_t (*TenantGetId)(const void *, const Packet *p);
1018 
1019  /* detection engine variables */
1020 
1022 
1023  /** offset into the payload of the last match by:
1024  * content, pcre, etc */
1025  uint32_t buffer_offset;
1026  /* used by pcre match function alone */
1028 
1029  /* counter for the filestore array below -- up here for cache reasons. */
1030  uint16_t filestore_cnt;
1031 
1032  /** id for alert counter */
1033  uint16_t counter_alerts;
1034 #ifdef PROFILING
1039 #endif
1040 
1041  int inspect_list; /**< list we're currently inspecting, DETECT_SM_LIST_* */
1042 
1043  struct {
1045  uint32_t buffers_size; /**< in number of elements */
1046  uint32_t to_clear_idx;
1047  uint32_t *to_clear_queue;
1048  } inspect;
1049 
1050  struct {
1051  /** inspection buffers for more complex case. As we can inspect multiple
1052  * buffers in parallel, we need this extra wrapper struct */
1054  uint32_t buffers_size; /**< in number of elements */
1055  uint32_t to_clear_idx;
1056  uint32_t *to_clear_queue;
1057  } multi_inspect;
1058 
1059  /* used to discontinue any more matching */
1061  uint16_t flags;
1062 
1063  /* bool: if tx_id is set, this is 1, otherwise 0 */
1064  uint16_t tx_id_set;
1065  /** ID of the transaction currently being inspected. */
1066  uint64_t tx_id;
1068 
1069  SC_ATOMIC_DECLARE(int, so_far_used_by_detect);
1070 
1071  /* holds the current recursion depth on content inspection */
1073 
1074  /** array of signature pointers we're going to inspect in the detection
1075  * loop. */
1077  /** size of the array in items (mem size if * sizeof(Signature *)
1078  * Only used during initialization. */
1080  /** size in use */
1082 
1085 
1088 
1089  /** pointer to the current mpm ctx that is stored
1090  * in a rule group head -- can be either a content
1091  * or uricontent ctx. */
1092  MpmThreadCtx mtc; /**< thread ctx for the mpm */
1093  MpmThreadCtx mtcu; /**< thread ctx for uricontent mpm */
1094  MpmThreadCtx mtcs; /**< thread ctx for stream mpm */
1096 
1097  /** SPM thread context used for scanning. This has been cloned from the
1098  * prototype held by DetectEngineCtx. */
1100 
1101  /** ip only rules ctx */
1103 
1104  /* byte jump values */
1105  uint64_t *bj_values;
1106 
1107  /* string to replace */
1109  /* vars to store in post match function */
1111 
1112  /* Array in which the filestore keyword stores file id and tx id. If the
1113  * full signature matches, these are processed by a post-match filestore
1114  * function to finalize the store. */
1115  struct {
1116  uint32_t file_id;
1117  uint64_t tx_id;
1118  } filestore[DETECT_FILESTORE_MAX];
1119 
1121  /** store for keyword contexts that need a per thread storage. Per de_ctx. */
1124  /** store for keyword contexts that need a per thread storage. Global. */
1127 
1128  uint8_t *base64_decoded;
1131 
1133  uint16_t events;
1134 
1135 #ifdef DEBUG
1136  uint64_t pkt_stream_add_cnt;
1137  uint64_t payload_mpm_cnt;
1138  uint64_t payload_mpm_size;
1139  uint64_t stream_mpm_cnt;
1140  uint64_t stream_mpm_size;
1141  uint64_t payload_persig_cnt;
1142  uint64_t payload_persig_size;
1143  uint64_t stream_persig_cnt;
1144  uint64_t stream_persig_size;
1145 #endif
1146 #ifdef PROFILING
1151  int keyword_perf_list; /**< list we're currently inspecting, DETECT_SM_LIST_* */
1153 
1156 #endif
1158 
1159 /** \brief element in sigmatch type table.
1160  */
1161 typedef struct SigTableElmt_ {
1162  /** Packet match function pointer */
1163  int (*Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *);
1164 
1165  /** AppLayer TX match function pointer */
1166  int (*AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *,
1167  uint8_t flags, void *alstate, void *txv,
1168  const Signature *, const SigMatchCtx *);
1169 
1170  /** File match function pointer */
1171  int (*FileMatch)(DetectEngineThreadCtx *,
1172  Flow *, /**< *LOCKED* flow */
1173  uint8_t flags, File *, const Signature *, const SigMatchCtx *);
1174 
1175  /** InspectionBuffer transformation callback */
1176  void (*Transform)(InspectionBuffer *);
1177 
1178  /** keyword setup function pointer */
1179  int (*Setup)(DetectEngineCtx *, Signature *, const char *);
1180 
1181  _Bool (*SupportsPrefilter)(const Signature *s);
1182  int (*SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh);
1183 
1184  void (*Free)(void *);
1185  void (*RegisterTests)(void);
1186 
1187  uint16_t flags;
1188  /* coccinelle: SigTableElmt:flags:SIGMATCH_ */
1189 
1190  /** better keyword to replace the current one */
1191  uint16_t alternative;
1192 
1193  const char *name; /**< keyword name alias */
1194  const char *alias; /**< name alias */
1195  const char *desc;
1196  const char *url;
1197 
1198 } SigTableElmt;
1199 
1200 /* event code */
1201 enum {
1202 #ifdef UNITTESTS
1204 #endif
1219 };
1220 
/* Bits for SigGroupHead::flags (uint32_t). Bits 1-19 are unused.
 * SIG_GROUP_HEAD_HAVEFILEMAGIC only exists when built with libmagic
 * (HAVE_MAGIC), so any test of that bit must sit under the same #ifdef or
 * the non-magic build fails to compile. */
1221 #define SIG_GROUP_HEAD_HAVERAWSTREAM BIT_U32(0)
1222 #ifdef HAVE_MAGIC
1223 #define SIG_GROUP_HEAD_HAVEFILEMAGIC BIT_U32(20)
1224 #endif
1225 #define SIG_GROUP_HEAD_HAVEFILEMD5 BIT_U32(21)
1226 #define SIG_GROUP_HEAD_HAVEFILESIZE BIT_U32(22)
1227 #define SIG_GROUP_HEAD_HAVEFILESHA1 BIT_U32(23)
1228 #define SIG_GROUP_HEAD_HAVEFILESHA256 BIT_U32(24)
1229 
1239 };
1240 
/** Per-buffer mpm (multi pattern matcher) store; SigGroupHeadInitData keeps
 * one per built-in buffer (mpm_store[MPMB_MAX]). Some fields are not visible
 * in this rendering. */
1241 typedef struct MpmStore_ {
1242  uint8_t *sid_array; /**< presumably a bit array of internal sig ids, like SigGroupHeadInitData::sig_array -- TODO confirm */
1243  uint32_t sid_array_size; /**< size of sid_array in bytes */
1244 
1246  enum MpmBuiltinBuffers buffer; /**< which built-in buffer this store is for */
1247  int sm_list; /**< DETECT_SM_LIST_* the patterns come from */
1249 
1251 
1252 } MpmStore;
1253 
1254 typedef struct PrefilterEngineList_ {
1255  uint16_t id;
1256 
1257  /** App Proto this engine applies to: only used with Tx Engines */
1259  /** Minimal Tx progress we need before running the engine. Only used
1260  * with Tx Engine */
1262 
1263  /** Context for matching. Might be MpmCtx for MPM engines, other ctx'
1264  * for other engines. */
1265  void *pectx;
1266 
1267  void (*Prefilter)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx);
1268  void (*PrefilterTx)(DetectEngineThreadCtx *det_ctx, const void *pectx,
1269  Packet *p, Flow *f, void *tx,
1270  const uint64_t idx, const uint8_t flags);
1271 
1273 
1274  /** Free function for pectx data. If NULL the memory is not freed. */
1275  void (*Free)(void *pectx);
1276 
1277  const char *name;
1278  /* global id for this prefilter */
1279  uint32_t gid;
1281 
/**
 * \brief Prefilter engine entry as used at match time.
 *
 * Carries the same members as a PrefilterEngineList entry (pectx, the
 * Prefilter/PrefilterTx callbacks, gid) in a flat form. NOTE(review): the
 * members described by the two app-proto / tx-progress comments below are
 * not visible in this listing.
 */
typedef struct PrefilterEngine_ {
    uint16_t local_id; /**< id local to this engine array -- assumed from the name, confirm */

    /** App Proto this engine applies to: only used with Tx Engines */
    /** Minimal Tx progress we need before running the engine. Only used
     * with Tx Engine */

    /** Context for matching. Might be MpmCtx for MPM engines, other ctx'
     * for other engines. */
    void *pectx;

    /** Callback. Only one union member is meaningful for a given engine; the
     * union carries no tag of its own, so the caller has to decide from the
     * engine kind (packet vs. tx) which member it may call. */
    union {
        void (*Prefilter)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx);
        void (*PrefilterTx)(DetectEngineThreadCtx *det_ctx, const void *pectx,
                Packet *p, Flow *f, void *tx,
                const uint64_t idx, const uint8_t flags);
    } cb;

    /* global id for this prefilter */
    uint32_t gid;
    int is_last; /**< non-zero on the last entry of the array -- assumed from the name, confirm */
} PrefilterEngine;
1306 
1307 typedef struct SigGroupHeadInitData_ {
1308  MpmStore mpm_store[MPMB_MAX];
1309 
1310  uint8_t *sig_array; /**< bit array of sig nums (internal id's) */
1311  uint32_t sig_size; /**< size in bytes */
1312 
1313  uint8_t protos[256]; /**< proto(s) this sgh is for */
1314  uint32_t direction; /**< set to SIG_FLAG_TOSERVER, SIG_FLAG_TOCLIENT or both */
1315  int whitelist; /**< try to make this group a unique one */
1316 
1319 
1323 
1324  /* port ptr */
1327 
/** \brief Container for matching data for a signature group
 *
 * NOTE(review): the sig count, the engine arrays, the match array and the
 * init pointer described by the comments below are not visible in this
 * listing.
 */
typedef struct SigGroupHead_ {
    uint32_t flags; /**< SIG_GROUP_HEAD_* bits */
    /* coccinelle: SigGroupHead:flags:SIG_GROUP_HEAD_ */

    /* number of sigs in this head */

    /* non prefilter list excluding SYN rules */
    SignatureNonPrefilterStore *non_pf_other_store_array; // size is non_pf_other_store_cnt * sizeof(SignatureNonPrefilterStore); the count member is not visible here -- confirm
    /* non mpm list including SYN rules */
    SignatureNonPrefilterStore *non_pf_syn_store_array; // size is non_pf_syn_store_cnt * sizeof(SignatureNonPrefilterStore); the count member is not visible here -- confirm

    /** the number of signatures in this sgh that have the filestore keyword
     * set. */
    uint16_t filestore_cnt;

    uint32_t id; /**< unique id used to index sgh_array for stats */

    /** Array with sig ptrs... size is sig_cnt * sizeof(Signature *) */

    /* ptr to our init data we only use at... init :) */

} SigGroupHead;
1360 
/* Bits of SigTableElmt::flags (see the coccinelle annotation on SigTableElmt).
 * The parser-facing bits (NOOPT, OPTIONAL_OPT, QUOTES_*, HANDLE_NEGATION)
 * decide how much of the option string is pre-processed before the keyword
 * parser sees it. */
/** sigmatch has no options, so the parser shouldn't expect any */
#define SIGMATCH_NOOPT BIT_U16(0)
/** sigmatch is compatible with a ip only rule */
#define SIGMATCH_IPONLY_COMPAT BIT_U16(1)
/** sigmatch is compatible with a decode event only rule */
#define SIGMATCH_DEONLY_COMPAT BIT_U16(2)
/** Flag to indicate that the signature is not built-in */
#define SIGMATCH_NOT_BUILT BIT_U16(3)
/** sigmatch may have options, so the parser should be ready to
 * deal with both cases */
#define SIGMATCH_OPTIONAL_OPT BIT_U16(4)
/** input may be wrapped in double quotes. They will be stripped before
 * input data is passed to keyword parser */
#define SIGMATCH_QUOTES_OPTIONAL BIT_U16(5)
/** input MUST be wrapped in double quotes. They will be stripped before
 * input data is passed to keyword parser. Missing double quotes lead to
 * error and signature invalidation. */
#define SIGMATCH_QUOTES_MANDATORY BIT_U16(6)
/** negation parsing is handled by the rule parser. Signature::init_data::negated
 * will be set to true or false prior to calling the keyword parser. Exclamation
 * mark is stripped from the input to the keyword parser. */
#define SIGMATCH_HANDLE_NEGATION BIT_U16(7)
/** keyword is a content modifier */
#define SIGMATCH_INFO_CONTENT_MODIFIER BIT_U16(8)
/** keyword is a sticky buffer */
#define SIGMATCH_INFO_STICKY_BUFFER BIT_U16(9)
/** keyword is deprecated: used to suggest an alternative (see
 * SigTableElmt::alternative) */
#define SIGMATCH_INFO_DEPRECATED BIT_U16(10)
1389 
1391 {
1392  TENANT_SELECTOR_UNKNOWN = 0, /**< not set */
1393  TENANT_SELECTOR_DIRECT, /**< method provides direct tenant id */
1394  TENANT_SELECTOR_VLAN, /**< map vlan to tenant id */
1395  TENANT_SELECTOR_LIVEDEV, /**< map livedev to tenant id */
1396 };
1397 
1399  uint32_t tenant_id;
1400 
1401  /* traffic id that maps to the tenant id */
1402  uint32_t traffic_id;
1403 
1406 
1407 typedef struct DetectEngineMasterCtx_ {
1409 
1410  /** enable multi tenant mode */
1412 
1413  /** version, incremented after each 'apply to threads' */
1414  uint32_t version;
1415 
1416  /** list of active detection engines. This list is used to generate the
1417  * threads det_ctx's */
1419 
1420  /** free list, containing detection engines that will be removed but may
1421  * still be referenced by det_ctx's. Freed as soon as all references are
1422  * gone. */
1424 
1425  enum DetectEngineTenantSelectors tenant_selector;
1426 
1427  /** list of tenant mappings. Updated under lock. Used to generate lookup
1428  * structures. */
1430 
1431  /** list of keywords that need thread local ctxs,
1432  * only updated by keyword registration at start up. Not
1433  * covered by the lock. */
1437 
1438 /* Table with all SigMatch registrations */
1440 
1441 /** Remember to add the options in SignatureIsIPOnly() at detect.c, otherwise the signature won't be part of a signature group */
1442 
/* detection api */

/** \brief Detection engine thread wrapper. */
TmEcode Detect(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq);

/** \brief Allocate a SigMatch. Release it with SigMatchFree(). Presumably
 *  returns NULL on allocation failure -- confirm against the definition. */
SigMatch *SigMatchAlloc(void);
/** \brief Find a specific signature by sid and gid. */
Signature *SigFindSignatureBySidGid(DetectEngineCtx *, uint32_t, uint32_t);
/* NOTE(review): the first line of the SigMatchSignaturesBuildMatchArray
 * prototype is not visible in this listing; the two lines below are the
 * continuation of its parameter list. */
 Packet *, SignatureMask,
 uint16_t);
/** \brief Free a SigMatch obtained from SigMatchAlloc(). */
void SigMatchFree(SigMatch *sm);

void SigRegisterTests(void);
void TmModuleDetectRegister (void);


/** \brief Create the full path for sig_file if default-rule-path was
 *  specified. The returned string is presumably heap allocated and owned by
 *  the caller -- confirm against the definition. */
char *DetectLoadCompleteSigPath(const DetectEngineCtx *, const char *sig_file);
/** \brief Load signatures into the engine ctx. The trailing int is a mode
 *  flag whose meaning is not visible in this header -- confirm. */
int SigLoadSignatures (DetectEngineCtx *, char *, int);
/** \brief Wrapper for old tests. */
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx,
        DetectEngineThreadCtx *det_ctx, Packet *p);

/** \brief Test if an initialized signature is IP only. */
int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s);
/** \brief Get the SigGroupHead for a packet. */
const SigGroupHead *SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx, const Packet *p);



/** \brief Register thread keyword context funcs. InitFunc is called with
 *  `data` to build the per-thread ctx and FreeFunc releases it; ownership of
 *  `data` itself is not visible here -- confirm. */
int DetectRegisterThreadCtxFuncs(DetectEngineCtx *, const char *name, void *(*InitFunc)(void *), void *data, void (*FreeFunc)(void *), int);

/** \brief Apply action(s) and set 'drop' sig info, if applicable. */
void DetectSignatureApplyActions(Packet *p, const Signature *s, const uint8_t);

/** \brief Set up the tx candidate array of det_ctx for `size` entries --
 *  assumed from the name, confirm. */
void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size);




/* events */
/** \brief Record detection engine event `e` on the thread ctx. */
void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e);
/* NOTE(review): the last line of this prototype (the event_type out
 * parameter) is not visible in this listing. */
int DetectEngineGetEventInfo(const char *event_name, int *event_id,

1489 #include "detect-engine-build.h"
1490 #include "detect-engine-register.h"
1491 
1492 #endif /* __DETECT_H__ */
1493 