suricata
detect.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #ifndef SURICATA_DETECT_H
25 #define SURICATA_DETECT_H
26 
27 #include "suricata-common.h"
28 #include "flow.h"
29 
30 #include "detect-engine-proto.h"
31 #include "detect-reference.h"
32 #include "detect-metadata.h"
33 #include "detect-engine-register.h"
35 
36 #include "util-prefilter.h"
37 #include "util-mpm.h"
38 #include "util-spm.h"
39 #include "util-hash.h"
40 #include "util-hashlist.h"
41 #include "util-radix4-tree.h"
42 #include "util-radix6-tree.h"
43 #include "util-file.h"
44 #include "reputation.h"
45 
46 #define DETECT_MAX_RULE_SIZE 8192
47 
48 #define DETECT_TRANSFORMS_MAX 16
49 
50 /** default rule priority if not set through priority keyword or via
51  * classtype. */
52 #define DETECT_DEFAULT_PRIO 3
53 
54 // tx_id value to use when there is no transaction
55 #define PACKET_ALERT_NOTX UINT64_MAX
56 
57 /* forward declaration for sigorder logic in detect-engine-sigorder.[ch] */
58 struct SCSigOrderFunc_;
59 
60 /* Forward declarations for structures from Rust. */
62 
63 // rule types documentation tag start: SignatureType
66  SIG_TYPE_IPONLY, // rule is handled by IPONLY engine
67  SIG_TYPE_LIKE_IPONLY, // rule is handled by pkt engine, has action effect like ip-only
68  /** Proto detect only signature.
69  * Inspected once per direction when protocol detection is done. */
70  SIG_TYPE_PDONLY, // rule is handled by PDONLY engine
75 
76  SIG_TYPE_APPLAYER, // app-layer but not tx, e.g. appproto
77  SIG_TYPE_APP_TX, // rule is handled by TX engine
78 
80 };
81 // rule types documentation tag end: SignatureType
82 
87 };
88 
91 };
92 
94 
95 /*
96  The detection engine groups similar signatures/rules together. Internally a
97  tree of different types of data is created on initialization. This is it's
98  global layout:
99 
100  For TCP/UDP
101 
102  - Flow direction
103  -- Protocol
104  -=- Dst port
105 
106  For the other protocols
107 
108  - Flow direction
109  -- Protocol
110 */
111 
112 /* holds the values for different possible lists in struct Signature.
113  * These codes are access points to particular lists in the array
114  * Signature->init_data->smlists[DETECT_SM_LIST_MAX]. */
116  /* list for non-payload per packet matches, e.g. ttl, flow keyword */
118  /* list for payload and stream match */
120 
121  /* base64_data keyword uses some hardcoded logic so consider
122  * built-in
123  * TODO convert to inspect engine */
125 
126  /* list for post match actions: flowbit set, flowint increment, etc */
128 
129  DETECT_SM_LIST_TMATCH, /**< post-detection tagging */
130 
131  /* lists for alert thresholding and suppression */
134 
136 
137  /* start of dynamically registered lists */
139 };
140 
141 /* used for Signature->list, which indicates which list
142  * we're adding keywords to in cases of sticky buffers like
143  * file_data */
144 #define DETECT_SM_LIST_NOTSET INT_MAX
145 
146 /*
147  * DETECT ADDRESS
148  */
149 
150 /* a is ... than b */
151 enum {
152  ADDRESS_ER = -1, /**< error e.g. compare ipv4 and ipv6 */
153  ADDRESS_LT, /**< smaller [aaa] [bbb] */
154  ADDRESS_LE, /**< smaller with overlap [aa[bab]bb] */
155  ADDRESS_EQ, /**< exactly equal [abababab] */
156  ADDRESS_ES, /**< within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]] */
157  ADDRESS_EB, /**< completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]] */
158  ADDRESS_GE, /**< bigger with overlap [bb[aba]aa] */
159  ADDRESS_GT, /**< bigger [bbb] [aaa] */
160 };
161 
162 #define ADDRESS_FLAG_NOT 0x01 /**< address is negated */
163 
164 /** \brief address structure for use in the detection engine.
165  *
166  * Contains the address information and matching information.
167  */
168 typedef struct DetectAddress_ {
169  /** address data for this group */
172 
173  /** flags affecting this address */
174  uint8_t flags;
175 
176  /** ptr to the previous address in the list */
178  /** ptr to the next address in the list */
181 
182 /** Address grouping head. IPv4 and IPv6 are split out */
183 typedef struct DetectAddressHead_ {
187 
188 
189 typedef struct DetectMatchAddressIPv4_ {
190  uint32_t ip; /**< address in host order, start of range */
191  uint32_t ip2; /**< address in host order, end of range */
193 
194 typedef struct DetectMatchAddressIPv6_ {
195  uint32_t ip[4];
196  uint32_t ip2[4];
198 
199 /*
200  * DETECT PORT
201  */
202 
203 /* a is ... than b */
204 enum {
205  PORT_ER = -1, /* error */
206  PORT_LT, /* smaller [aaa] [bbb] */
207  PORT_LE, /* smaller with overlap [aa[bab]bb] */
208  PORT_EQ, /* exactly equal [abababab] */
209  PORT_ES, /* within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]] */
210  PORT_EB, /* completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]] */
211  PORT_GE, /* bigger with overlap [bb[aba]aa] */
212  PORT_GT, /* bigger [bbb] [aaa] */
213 };
214 
215 #define PORT_FLAG_ANY 0x01 /**< 'any' special port */
216 #define PORT_FLAG_NOT 0x02 /**< negated port */
217 #define PORT_SIGGROUPHEAD_COPY 0x04 /**< sgh is a ptr copy */
218 
219 /** \brief Port structure for detection engine */
220 typedef struct DetectPort_ {
221  uint16_t port;
222  uint16_t port2;
223 
224  uint8_t flags; /**< flags for this port */
225 
226  /* signatures that belong in this group
227  *
228  * If the PORT_SIGGROUPHEAD_COPY flag is set, we don't own this pointer
229  * (memory is freed elsewhere).
230  */
231  struct SigGroupHead_ *sh;
232 
233  struct DetectPort_ *prev;
234  struct DetectPort_ *next;
235  struct DetectPort_ *last; /* Pointer to the last node in the list */
237 
238 /* Signature flags */
239 /** \note: additions should be added to the rule analyzer as well */
240 
241 #define SIG_FLAG_SRC_ANY BIT_U32(0) /**< source is any */
242 #define SIG_FLAG_DST_ANY BIT_U32(1) /**< destination is any */
243 #define SIG_FLAG_SP_ANY BIT_U32(2) /**< source port is any */
244 #define SIG_FLAG_DP_ANY BIT_U32(3) /**< destination port is any */
245 
246 #define SIG_FLAG_FIREWALL BIT_U32(4) /**< sig is a firewall rule */
247 
248 #define SIG_FLAG_DSIZE BIT_U32(5) /**< signature has a dsize setting */
249 #define SIG_FLAG_APPLAYER BIT_U32(6) /**< signature applies to app layer instead of packets */
250 #define SIG_FLAG_TXBOTHDIR BIT_U32(7) /**< signature needs tx with both directions to match */
251 
252 // vacancy
253 
254 #define SIG_FLAG_REQUIRE_PACKET BIT_U32(9) /**< signature is requiring packet match */
255 #define SIG_FLAG_REQUIRE_STREAM BIT_U32(10) /**< signature is requiring stream match */
256 
257 #define SIG_FLAG_MPM_NEG BIT_U32(11)
258 
259 #define SIG_FLAG_FLUSH BIT_U32(12) /**< detection logic needs stream flush notification */
260 
261 #define SIG_FLAG_REQUIRE_STREAM_ONLY \
262  BIT_U32(13) /**< signature is requiring stream match. Stream match is not optional, so no \
263  fallback to packet payload. */
264 
265 // vacancies
266 
267 #define SIG_FLAG_REQUIRE_FLOWVAR BIT_U32(17) /**< signature can only match if a flowbit, flowvar or flowint is available. */
268 
269 #define SIG_FLAG_FILESTORE BIT_U32(18) /**< signature has filestore keyword */
270 
271 #define SIG_FLAG_TOSERVER BIT_U32(19)
272 #define SIG_FLAG_TOCLIENT BIT_U32(20)
273 
274 #define SIG_FLAG_TLSSTORE BIT_U32(21)
275 
276 #define SIG_FLAG_BYPASS BIT_U32(22)
277 
278 #define SIG_FLAG_PREFILTER BIT_U32(23) /**< sig is part of a prefilter engine */
279 
280 // vacancy
281 
282 /** Info for Source and Target identification */
283 #define SIG_FLAG_SRC_IS_TARGET BIT_U32(25)
284 /** Info for Source and Target identification */
285 #define SIG_FLAG_DEST_IS_TARGET BIT_U32(26)
286 
287 #define SIG_FLAG_HAS_TARGET (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET)
288 
289 /* signature init flags */
290 // available 0
291 #define SIG_FLAG_INIT_PACKET BIT_U32(1) /**< signature has matches against a packet (as opposed to app layer) */
292 #define SIG_FLAG_INIT_FLOW BIT_U32(2) /**< signature has a flow setting */
293 #define SIG_FLAG_INIT_BIDIREC BIT_U32(3) /**< signature has bidirectional operator */
294 #define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN \
295  BIT_U32(4) /** < signature has seen the first ip_proto keyword */
296 #define SIG_FLAG_INIT_STATE_MATCH BIT_U32(6) /**< signature has matches that require stateful inspection */
297 #define SIG_FLAG_INIT_NEED_FLUSH BIT_U32(7)
298 #define SIG_FLAG_INIT_PRIO_EXPLICIT \
299  BIT_U32(8) /**< priority is explicitly set by the priority keyword */
300 #define SIG_FLAG_INIT_FILEDATA BIT_U32(9) /**< signature has filedata keyword */
301 #define SIG_FLAG_INIT_FORCE_TOCLIENT BIT_U32(10) /**< signature now takes keywords toclient */
302 #define SIG_FLAG_INIT_FORCE_TOSERVER BIT_U32(11) /**< signature now takes keywords toserver */
303 // Two following flags are meant to be mutually exclusive
304 #define SIG_FLAG_INIT_TXDIR_STREAMING_TOSERVER \
305  BIT_U32(12) /**< transactional signature uses a streaming buffer to server */
306 #define SIG_FLAG_INIT_TXDIR_FAST_TOCLIENT \
307  BIT_U32(13) /**< transactional signature uses a fast pattern to client */
308 
309 /* signature mask flags */
310 /** \note: additions should be added to the rule analyzer as well */
311 #define SIG_MASK_REQUIRE_PAYLOAD BIT_U8(0)
312 #define SIG_MASK_REQUIRE_FLOW BIT_U8(1)
313 #define SIG_MASK_REQUIRE_FLAGS_INITDEINIT BIT_U8(2) /* SYN, FIN, RST */
314 #define SIG_MASK_REQUIRE_FLAGS_UNUSUAL BIT_U8(3) /* URG, ECN, CWR */
315 #define SIG_MASK_REQUIRE_NO_PAYLOAD BIT_U8(4)
316 #define SIG_MASK_REQUIRE_REAL_PKT BIT_U8(5)
317 // vacancy 1x
318 #define SIG_MASK_REQUIRE_ENGINE_EVENT BIT_U8(7)
319 
320 #define FILE_SIG_NEED_FILE 0x01
321 #define FILE_SIG_NEED_FILENAME 0x02
322 #define FILE_SIG_NEED_MAGIC 0x04 /**< need the start of the file */
323 #define FILE_SIG_NEED_FILECONTENT 0x08
324 #define FILE_SIG_NEED_MD5 0x10
325 #define FILE_SIG_NEED_SHA1 0x20
326 #define FILE_SIG_NEED_SHA256 0x40
327 #define FILE_SIG_NEED_SIZE 0x80
328 
329 /* Detection Engine flags */
330 #define DE_QUIET 0x01 /**< DE is quiet (esp for unittests) */
331 
332 typedef struct IPOnlyCIDRItem_ {
333  /* address data for this item */
334  uint8_t family;
335  /* netmask in CIDR values (ex. /16 /18 /24..) */
336  uint8_t netmask;
337  /* If this host or net is negated for the signum */
338  uint8_t negated;
339 
340  uint32_t ip[4];
341  SigIntId signum; /**< our internal id */
342 
343  /* linked list, the header should be the biggest network */
345 
347 
348 /** \brief Used to start a pointer to SigMatch context
349  * Should never be dereferenced without casting to something else.
350  */
351 typedef struct SigMatchCtx_ {
352  int foo;
354 
355 /** \brief a single match condition for a signature */
356 typedef struct SigMatch_ {
357  uint16_t type; /**< match type */
358  uint16_t idx; /**< position in the signature */
359  SigMatchCtx *ctx; /**< plugin specific data */
360  struct SigMatch_ *next;
361  struct SigMatch_ *prev;
363 
364 /** \brief Data needed for Match() */
365 typedef struct SigMatchData_ {
366  uint16_t type; /**< match type */
367  bool is_last; /**< Last element of the list */
368  SigMatchCtx *ctx; /**< plugin specific data */
370 
371 struct DetectEngineThreadCtx_;// DetectEngineThreadCtx;
372 
373 /* inspection buffers are kept per tx (in det_ctx), but some protocols
374  * need a bit more. A single TX might have multiple buffers, e.g. files in
375  * SMTP or DNS queries. Since all prefilters+transforms run before the
376  * individual rules need the same buffers, we need a place to store the
377  * transformed data. This array of arrays is that place. */
378 
381  uint32_t size; /**< size in number of elements */
382  uint32_t max:31; /**< max id in use in this run */
383  uint32_t init:1; /**< first time used this run. Used for clean logic */
385 
386 typedef struct TransformData_ {
388  void *options;
390 
391 typedef struct DetectEngineTransforms {
393  int cnt;
395 
396 /** callback for getting the buffer we need to prefilter/inspect */
397 typedef InspectionBuffer *(*InspectionBufferGetDataPtr)(
398  struct DetectEngineThreadCtx_ *det_ctx,
399  const DetectEngineTransforms *transforms,
400  Flow *f, const uint8_t flow_flags,
401  void *txv, const int list_id);
402 
404  const void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len);
405 
407  const void *txv, const uint8_t flow_flags, uint32_t local_id, const uint8_t **buf,
408  uint32_t *buf_len);
410 
411 typedef uint8_t (*InspectEngineFuncPtr)(struct DetectEngineCtx_ *de_ctx,
412  struct DetectEngineThreadCtx_ *det_ctx,
413  const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f,
414  uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
415 
418  uint8_t dir;
419  uint8_t id; /**< per sig id used in state keeping */
420  bool mpm;
421  bool stream;
422  /** will match on a NULL buffer (so an absent buffer) */
424  uint16_t sm_list;
425  uint16_t sm_list_base; /**< base buffer being transformed */
426  int16_t progress;
427 
428  struct {
429  union {
433  };
435  /** pointer to the transforms in the 'DetectBuffer entry for this list */
437  } v2;
438 
440 
443 
444 typedef struct TransformIdData_ {
445  const uint8_t *id_data;
446  uint32_t id_data_len;
448 
449 typedef struct DetectBufferType_ {
450  char name[64];
451  char description[128];
452  int id;
454  bool mpm;
455  bool packet; /**< compat to packet matches */
456  bool frame; /**< is about Frame inspection */
458  bool multi_instance; /**< buffer supports multiple buffer instances per tx */
459  void (*SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *);
461  const struct Signature_ *, const char **sigerror, const struct DetectBufferType_ *);
465 
467 
468 /**
469  * \param alert_flags[out] for setting PACKET_ALERT_FLAG_*
470  */
472  struct DetectEngineThreadCtx_ *,
473  const struct DetectEnginePktInspectionEngine *engine,
474  const struct Signature_ *s,
475  Packet *p, uint8_t *alert_flags);
476 
477 /** callback for getting the buffer we need to prefilter/inspect */
478 typedef InspectionBuffer *(*InspectionBufferGetPktDataPtr)(
479  struct DetectEngineThreadCtx_ *det_ctx,
480  const DetectEngineTransforms *transforms,
481  Packet *p, const int list_id);
482 
485  bool mpm;
486  uint16_t sm_list;
487  uint16_t sm_list_base;
488  struct {
491  /** pointer to the transforms in the 'DetectBuffer entry for this list */
493  } v1;
496 
497 struct Frame;
498 struct Frames;
500 
501 /**
502  * \param alert_flags[out] for setting PACKET_ALERT_FLAG_*
503  */
505  const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s,
506  Packet *p, const struct Frames *frames, const struct Frame *frame);
507 
510  uint8_t dir;
511  uint8_t type;
512  bool mpm;
513  uint16_t sm_list;
514  uint16_t sm_list_base;
515  struct {
517  /** pointer to the transforms in the 'DetectBuffer entry for this list */
519  } v1;
523 
524 typedef struct SignatureInitDataBuffer_ {
525  uint32_t id; /**< buffer id */
526  bool sm_init; /**< initialized by sigmatch, which is likely something like `urilen:10; http.uri;
527  content:"abc";`. These need to be in the same list. Unset once `http.uri` is
528  set up. */
529  bool multi_capable; /**< true if we can have multiple instances of this buffer, so e.g. for
530  http.uri. */
531  bool only_tc; /**< true if we can only used toclient. */
532  bool only_ts; /**< true if we can only used toserver. */
533  /* sig match list */
537 
543  SIGNATURE_HOOK_PKT_ALL, /**< match each packet */
544 };
545 
550 };
551 
560 
561 #define DETECT_TABLE_PACKET_PRE_FLOW_FLAG BIT_U8(DETECT_TABLE_PACKET_PRE_FLOW)
562 #define DETECT_TABLE_PACKET_PRE_STREAM_FLAG BIT_U8(DETECT_TABLE_PACKET_PRE_STREAM)
563 #define DETECT_TABLE_PACKET_FILTER_FLAG BIT_U8(DETECT_TABLE_PACKET_FILTER)
564 #define DETECT_TABLE_PACKET_TD_FLAG BIT_U8(DETECT_TABLE_PACKET_TD)
565 #define DETECT_TABLE_APP_FILTER_FLAG BIT_U8(DETECT_TABLE_APP_FILTER)
566 #define DETECT_TABLE_APP_TD_FLAG BIT_U8(DETECT_TABLE_APP_TD)
567 };
568 
569 // dns:request_complete should add DetectBufferTypeGetByName("dns:request_complete");
570 // TODO to json
571 typedef struct SignatureHook_ {
572  enum SignatureHookType type;
573  int sm_list; /**< list id for the hook's generic list. e.g. for dns:request_complete:generic */
574  union {
575  struct {
577  /** progress value of the app-layer hook specified in the rule. Sets the app_proto
578  * specific progress value. */
580  } app;
581  struct {
582  enum SignatureHookPkt ph;
583  } pkt;
584  } t;
586 
587 #define SIG_ALPROTO_MAX 4
588 
589 typedef struct SignatureInitData_ {
591 
592  /** Number of sigmatches. Used for assigning SigMatch::idx */
593  uint16_t sm_cnt;
594 
595  /** option was prefixed with '!'. Only set for sigmatches that
596  * have the SIGMATCH_HANDLE_NEGATION flag set. */
597  bool negated;
598 
599  /* track if we saw any negation in the addresses. If so, we
600  * skip it for ip-only */
603 
604  /** see if any of the sigmatches supports an enabled prefilter */
606 
607  /* used to hold flags that are used during init */
608  uint32_t init_flags;
609  /* coccinelle: SignatureInitData:init_flags:SIG_FLAG_INIT_ */
610 
611  /* alproto mask if multiple protocols are possible */
613 
614  /* used at init to determine max dsize */
616 
617  /** netblocks and hosts specified at the sid, in CIDR format */
619 
620  /* list id for `mpm_sm`. Should always match `SigMatchListSMBelongsTo(s, mpm_sm)`. */
622  /* the fast pattern added from this signature */
624  /* used to speed up init of prefilter */
626 
627  /* SigMatch list used for adding content and friends. E.g. file_data; */
628  int list;
629  bool list_set;
630 
632 
633  /** score to influence rule grouping. A higher value leads to a higher
634  * likelihood of a rulegroup with this sig ending up as a contained
635  * group. */
636  int score;
637 
638  /** address settings for this signature */
640 
641  /* holds built-in sm lists */
643  /* holds built-in sm lists' tails */
645 
646  /* Storage for buffers. */
648  uint32_t buffer_index;
649  uint32_t buffers_size;
651 
652  /* highest list/buffer id which holds a DETECT_CONTENT */
654 
655  /* inter-signature state dependency */
662 
663  /* Signature is a "firewall" rule. */
666 
667 /** \brief Signature container */
668 typedef struct Signature_ {
669  uint32_t flags;
670  /* coccinelle: Signature:flags:SIG_FLAG_ */
671  enum SignatureType type;
672 
674 
675  uint16_t dsize_low;
676  uint16_t dsize_high;
677  uint8_t dsize_mode;
678 
680  SigIntId iid; /**< signature internal id */
681 
682  /** inline -- action */
683  uint8_t action;
684  uint8_t file_flags;
685 
686  /** addresses, ports and proto this sig matches on */
688 
689  /* scope setting for the action: enum ActionScope */
690  uint8_t action_scope;
691 
692  /** ipv4 match arrays */
697 
698  /** classification id **/
699  uint16_t class_id;
700 
701  /** detect: pseudo table this rule is part of (enum DetectTable) */
702  uint8_t detect_table;
703 
704  /** firewall: progress value for this signature */
706 
709  /** ipv6 match arrays */
712 
713  uint32_t id; /**< sid, set by the 'sid' rule keyword */
714  uint32_t gid; /**< generator id */
715  uint32_t rev;
716  int prio;
717 
718  /** port settings for this signature */
720 
721 #ifdef PROFILE_RULES
722  uint16_t profiling_id;
723 #endif
724 
728 
729  /* Matching structures for the built-ins. The others are in
730  * their inspect engines. */
732 
733  /* memory is still owned by the sm_lists/sm_arrays entry */
735 
736  char *msg;
737 
738  /** classification message */
739  char *class_msg;
740  /** Reference */
742  /** Metadata */
744 
745  char *sig_str;
746 
748 
749  /** ptr to the next sig in the list */
750  struct Signature_ *next;
752 
757  /* must be last */
759 };
760 
761 /** \brief one time registration of keywords at start up */
762 typedef struct DetectBufferMpmRegistry_ {
763  const char *name;
764  char pname[32]; /**< name used in profiling */
765  int direction; /**< SIG_FLAG_TOSERVER or SIG_FLAG_TOCLIENT */
766  int16_t sm_list;
767  int16_t sm_list_base;
768  int priority;
769  int id; /**< index into this array and result arrays */
772 
774  MpmCtx *mpm_ctx, const struct DetectBufferMpmRegistry_ *mpm_reg, int list_id);
776 
777  union {
778  /* app-layer matching: use if type == DETECT_BUFFER_MPM_TYPE_APP */
779  struct {
780  union {
784  };
788 
789  /* pkt matching: use if type == DETECT_BUFFER_MPM_TYPE_PKT */
790  struct {
792  struct SigGroupHead_ *sgh, MpmCtx *mpm_ctx,
793  const struct DetectBufferMpmRegistry_ *mpm_reg, int list_id);
796 
797  /* frame matching: use if type == DETECT_BUFFER_MPM_TYPE_FRAME */
798  struct {
800  uint8_t type;
802  };
803 
806 
807 /* helper structure to track pattern stats and assign pattern id's. */
808 typedef struct DetectPatternTracker {
809  const struct DetectContentData_ *cd;
810  int sm_list;
811  uint32_t cnt;
812  uint32_t mpm;
814 
815 typedef struct DetectReplaceList_ {
816  const struct DetectContentData_ *cd;
817  uint8_t *found;
820 
821 /** only execute flowvar storage if rule matched */
822 #define DETECT_VAR_TYPE_FLOW_POSTMATCH 1
823 #define DETECT_VAR_TYPE_PKT_POSTMATCH 2
824 
825 /** list for flowvar store candidates, to be stored from
826  * post-match function */
827 typedef struct DetectVarList_ {
828  uint16_t type; /**< type of store candidate POSTMATCH or ALWAYS */
829  uint8_t pad[2];
830  uint32_t idx; /**< flowvar name idx */
831  uint16_t len; /**< data len */
832  uint16_t key_len;
833  uint8_t *key;
834  uint8_t *buffer; /**< alloc'd buffer, may be freed by
835  post-match, post-non-match */
838 
839 typedef struct SCFPSupportSMList_ {
840  int list_id;
841  int priority;
844 
845 /** \brief IP only rules matching ctx. */
846 typedef struct DetectEngineIPOnlyCtx_ {
847  /* Lookup trees */
850 
851  /* Used to build the radix trees */
853  uint32_t max_idx;
854 
855  /* Used to map large signums to smaller values to compact the bitsets
856  * stored in the radix trees */
857  uint32_t *sig_mapping;
860 
861 typedef struct DetectEngineLookupFlow_ {
864  struct SigGroupHead_ *sgh[256];
866 
867 typedef struct SigString_ {
868  char *filename;
869  char *sig_str;
870  char *sig_error;
871  int line;
874 
875 /** \brief Signature loader statistics */
876 typedef struct SigFileLoaderStat_ {
877  TAILQ_HEAD(, SigString_) failed_sigs;
884 
886  void *(*InitFunc)(void *);
887  void (*FreeFunc)(void *);
888  void *data;
890  int id;
891  const char *name; /* keyword name, for error printing */
893 
895 {
896  DETECT_PREFILTER_MPM = 0, /**< use only mpm / fast_pattern */
897  DETECT_PREFILTER_AUTO = 1, /**< use mpm + keyword prefilters */
898 };
899 
901 {
903  DETECT_ENGINE_TYPE_DD_STUB = 1, /* delayed detect stub: can be reloaded */
904  DETECT_ENGINE_TYPE_MT_STUB = 2, /* multi-tenant stub: cannot be reloaded */
906 };
907 
908 /* Flow states:
909  * toserver
910  * toclient
911  */
912 #define FLOW_STATES 2
913 
914 typedef struct {
915  uint32_t content_limit;
918 
919 typedef uint8_t (*DetectPacketHookFunc)(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p);
920 
921 /**
922  * \brief Function type for rate filter callback.
923  *
924  * This function should return the new action to be applied. If no change to the
925  * action is to be made, the callback should return the current action provided
926  * in the new_action parameter.
927  */
928 typedef uint8_t (*SCDetectRateFilterFunc)(const Packet *p, uint32_t sid, uint32_t gid, uint32_t rev,
929  uint8_t original_action, uint8_t new_action, void *arg);
930 
931 /** \brief main detection engine ctx */
932 typedef struct DetectEngineCtx_ {
934  uint8_t flags; /**< only DE_QUIET */
935  uint8_t mpm_matcher; /**< mpm matcher this ctx uses */
937  uint8_t spm_matcher; /**< spm matcher this ctx uses */
938 
939  uint32_t tenant_id;
940 
942  uint32_t sig_cnt;
943 
944  /* version of the srep data */
945  uint32_t srep_version;
946 
947  /* reputation for netblocks */
949 
951  uint32_t sig_array_len; /* size in array members */
952 
953  uint32_t signum;
954 
955  /* used by the signature ordering module */
957 
958  /* main sigs */
960 
961  /* init phase vars */
963 
966 
967  /* hash table used to cull out duplicate sigs */
969 
971 
972  /* maximum recursion depth for content inspection */
974 
975  /* maximum number of times a tx will get logged for rules not using app-layer keywords */
977 
978  /* force app-layer tx finding for alerts with signatures not having app-layer keywords */
980 
981  /* registration id for per thread ctx for the filemagic/file.magic keywords */
983 
984  /* spm thread context prototype, built as spm matchers are constructed and
985  * later used to construct thread context for each thread. */
987 
988  /* Config options */
989 
992 
993  /* max flowbit id that is used */
994  uint32_t max_fb_id;
995 
997 
998  /* array containing all sgh's in use so we can loop
999  * through it in Stage4. */
1001  uint32_t sgh_array_cnt;
1002  uint32_t sgh_array_size;
1003 
1008 
1009  /* the max local id used amongst all sigs */
1011 
1012  /** version of the detect engine. The version is incremented on reloads */
1013  uint32_t version;
1014 
1015  /** sgh for signatures that match against invalid packets. In those cases
1016  * we can't lookup by proto, address, port as we don't have these */
1018 
1019  /* Maximum size of the buffer for decoded base64 data. */
1021 
1022  /** Store rule file and line so that parsers can use them in errors. */
1024  const char *rule_file;
1025  const char *sigerror;
1028 
1029  /** The rule errored out due to missing requirements. */
1031 
1032  /* specify the configuration for mpm context factory */
1034 
1036  /** hash list of keywords that need thread local ctxs */
1038 
1040 
1041 #ifdef PROFILE_RULES
1042  struct SCProfileDetectCtx_ *profile_ctx;
1043 #endif
1044 #ifdef PROFILING
1050 #endif
1051  char config_prefix[64];
1052 
1053  enum DetectEngineType type;
1054 
1055  /** how many de_ctx' are referencing this */
1056  uint32_t ref_cnt;
1057  /** list in master: either active or freelist */
1059 
1060  /** id of loader thread 'owning' this de_ctx */
1062 
1063  /** are we using just mpm or also other prefilters */
1065 
1067 
1070 
1071  /** table for storing the string representation with the parsers result */
1073 
1074  /** table to store metadata keys and values */
1076 
1077  /* hash tables with rule-time buffer registration. Start time registration
1078  * is in detect-engine.c::g_buffer_type_hash */
1081  uint32_t buffer_type_id;
1082 
1085  /* list with app inspect engines. Both the start-time registered ones and
1086  * the rule-time registered ones. */
1094 
1095  uint32_t prefilter_id;
1097 
1098  /** time of last ruleset reload */
1099  struct timeval last_reload;
1100 
1101  /** signatures stats */
1103 
1104  /* list of Fast Pattern registrations. Initially filled using a copy of
1105  * `g_fp_support_smlist_list`, then extended at rule loading time if needed */
1107 
1108  /** per keyword flag indicating if a prefilter has been
1109  * set for it. If true, the setup function will have to
1110  * run. */
1113 
1114  /* classification config parsing */
1115 
1116  /* hash table used for holding the classification config info */
1118  pcre2_code *class_conf_regex;
1119  pcre2_match_data *class_conf_regex_match;
1120 
1121  /* reference config parsing */
1122 
1123  /* hash table used for holding the reference config info */
1126  pcre2_match_data *reference_conf_regex_match;
1127 
1128  /* --engine-analysis */
1130 
1131  /* path to the tenant yaml for this engine */
1133 
1134  /* Track rule requirements for reporting after loading rules. */
1136 
1137  /* number of signatures using filestore, limited as u16 */
1138  uint16_t filestore_cnt;
1139 
1140  /* name store for non-prefilter engines. Used in profiling but
1141  * part of the API, so hash is always used. */
1143 
1145 
1146  /* user provided rate filter callbacks. */
1148 
1149  /* use provided data to be passed to rate_filter_callback. */
1151 
1152  /* Hook for pre_stream engine if it is used. */
1154  /** TCP pre_stream hook rule groups. One per direction. */
1156 
1157  /* Hook for pre_flow engine if it is used. */
1159  /** pre_flow hook rule groups. Before flow we don't know a direction yet. */
1162 
1163 /**
1164  * \brief Register a callback when a rate_filter has been applied to
1165  * an alert.
1166  *
1167  * This callback is added to the current detection engine and will be
1168  * copied to all future detection engines over rule reloads.
1169  */
1171 
1172 /* Engine groups profiles (low, medium, high, custom) */
1173 enum {
1179 };
1180 
1181 /* Siggroup mpm context profile */
1182 enum {
1186 #define ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE (ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO + 1)
1187 };
1188 
1189 #define DETECT_FILESTORE_MAX 15
1196 
1197 /** array of TX inspect rule candidates */
1198 typedef struct RuleMatchCandidateTx {
1199  SigIntId id; /**< internal signature id */
1200  uint32_t *flags; /**< inspect flags ptr */
1201  union {
1202  struct {
1204  uint8_t stream_result;
1205  };
1206  uint32_t stream_reset;
1207  };
1208 
1209  const Signature *s; /**< ptr to sig */
1211 
1212 /** Stores a single u32 for a rule match of the type `sm_type`. Used by
1213  * flowbits prefilter to register DETECT_FLOWBITS,<flowbit id> for post
1214  * match handling. */
1216  int sm_type; /**< sigmatch type e.g. DETECT_FLOWBITS */
1217  uint32_t value; /**< value to be interpreted by the sm_type
1218  * implementation. E.g. flowbit id. */
1219 #ifdef DEBUG
1220  SigIntId id;
1221 #endif
1223 
1224 /** Array of PostRuleMatchWorkQueueItem's. */
1225 typedef struct PostRuleMatchWorkQueue {
1226  PostRuleMatchWorkQueueItem *q; /**< array pointer */
1227  uint32_t len; /**< number of array elements in use. */
1228  uint32_t size; /**< allocation size in number of elements. */
1230 
1231 #define SIG_JSON_CONTENT_ARRAY_LEN 16
1232 #define SIG_JSON_CONTENT_ITEM_LEN 1024
1233 #define SIG_JSON_CONTENT_KEY_LEN 32
1235 /** structure to store the json content with info on sig that triggered it */
1236 typedef struct SigJsonContent {
1237  void *id; /**< pointer to the sig that triggered this json content */
1240 
1241 /**
1242  * Detection engine thread data.
1243  */
1244 typedef struct DetectEngineThreadCtx_ {
1245  /** \note multi-tenant hash lookup code from Detect() *depends*
1246  * on this being the first member */
1247  uint32_t tenant_id;
1248 
1249  SC_ATOMIC_DECLARE(int, so_far_used_by_detect);
1250 
1251  /* the thread to which this detection engine thread belongs */
1253 
1257 
1260 
1261  uint32_t (*TenantGetId)(const void *, const Packet *p);
1262 
1263  /* detection engine variables */
1264 
1266 
1267  /** offset into the payload of the end of the last match by: content, pcre, etc */
1268  uint32_t buffer_offset;
1269 
1270  /** used by pcre match function alone: normally in sync with buffer_offset, but
1271  * points to 1 byte after the start of the last pcre match if a pcre match happened. */
1273 
1274  /** SPM thread context used for scanning. This has been cloned from the
1275  * prototype held by DetectEngineCtx. */
1277 
1278  /* byte_* values */
1279  uint64_t *byte_values;
1280 
1284 
1285  /* counter for the filestore array below -- up here for cache reasons. */
1286  uint16_t filestore_cnt;
1287 
1288  /** id for alert counter */
1289  uint16_t counter_alerts;
1290  /** id for discarded alerts counter */
1292  /** id for suppressed alerts counter */
1294 #ifdef PROFILING
1299 #endif
1300 
1301  struct {
1303  uint32_t buffers_size; /**< in number of elements */
1304  uint32_t to_clear_idx;
1305  uint32_t *to_clear_queue;
1307 
1308  struct {
1309  /** inspection buffers for more complex case. As we can inspect multiple
1310  * buffers in parallel, we need this extra wrapper struct */
1312  uint32_t buffers_size; /**< in number of elements */
1313  uint32_t to_clear_idx;
1314  uint32_t *to_clear_queue;
1316 
1317  /* true if tx_id is set */
1319  /** ID of the transaction currently being inspected. */
1320  uint64_t tx_id;
1321  int64_t frame_id;
1322  uint64_t frame_inspect_progress; /**< used to set Frame::inspect_progress after all inspection
1323  on a frame is complete. */
1325 
1326  uint8_t *base64_decoded;
1328 
1332 
1333  /** array of signature pointers we're going to inspect in the detection
1334  * loop. */
1336  /** size of the array in items (mem size if * sizeof(Signature *)
1337  * Only used during initialization. */
1339  /** size in use */
1341 
1344 
1345  MpmThreadCtx mtc; /**< thread ctx for the mpm */
1346  /* work queue for post-rule matching affecting prefilter */
1348 
1350 
1351  /* string to replace */
1353  /* vars to store in post match function */
1355 
1356  /* Array in which the filestore keyword stores file id and tx id. If the
1357  * full signature matches, these are processed by a post-match filestore
1358  * function to finalize the store. */
1359  struct {
1360  uint32_t file_id;
1361  uint64_t tx_id;
1363 
1365  /** store for keyword contexts that need a per thread storage. Per de_ctx. */
1368  /** store for keyword contexts that need a per thread storage. Global. */
1371 
1373  uint16_t events;
1374 
1375  /** stats id for lua rule errors */
1377 
1378  /** stats id for lua blocked function counts */
1380 
1381  /** stats if for lua instruction limit errors */
1383 
1384  /** stat of lua memory limit errors. */
1386 
1387 #ifdef DEBUG
1388  uint64_t pkt_stream_add_cnt;
1389  uint64_t payload_mpm_cnt;
1390  uint64_t payload_mpm_size;
1391  uint64_t stream_mpm_cnt;
1392  uint64_t stream_mpm_size;
1393  uint64_t payload_persig_cnt;
1394  uint64_t payload_persig_size;
1395  uint64_t stream_persig_cnt;
1396  uint64_t stream_persig_size;
1397 #endif
1398 #ifdef PROFILE_RULES
1399  struct SCProfileData_ *rule_perf_data;
1400  int rule_perf_data_size;
1401  uint32_t rule_perf_last_sync;
1402 #endif
1403 #ifdef PROFILING
1406  int keyword_perf_list; /**< list we're currently inspecting, DETECT_SM_LIST_* */
1408 
1410  /** bytes inspected by current prefilter callback call */
1412  /** number of times we inspected a buffer */
1414 #endif
1416 
1417 /** \brief element in sigmatch type table.
1418  */
1419 typedef struct SigTableElmt_ {
1420  /** Packet match function pointer */
1421  int (*Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *);
1422 
1423  /** AppLayer TX match function pointer */
1425  uint8_t flags, void *alstate, void *txv,
1426  const Signature *, const SigMatchCtx *);
1427 
1428  /** File match function pointer */
1430  Flow *, /**< *LOCKED* flow */
1431  uint8_t flags, File *, const Signature *, const SigMatchCtx *);
1432 
1433  /** InspectionBuffer transformation callback */
1434  void (*Transform)(DetectEngineThreadCtx *, InspectionBuffer *, void *context);
1435  bool (*TransformValidate)(const uint8_t *content, uint16_t content_len, void *context);
1436 
1437  /** Transform identity callback */
1438  void (*TransformId)(const uint8_t **data, uint32_t *length, void *context);
1439 
1440  /** keyword setup function pointer */
1441  int (*Setup)(DetectEngineCtx *, Signature *, const char *);
1442 
1443  bool (*SupportsPrefilter)(const Signature *s);
1445 
1446  void (*Free)(DetectEngineCtx *, void *);
1447 #ifdef UNITTESTS
1448  void (*RegisterTests)(void);
1449 #endif
1450  uint16_t flags;
1451  /* coccinelle: SigTableElmt:flags:SIGMATCH_ */
1452 
1453  /** bitfield of tables supported by this rule: used by DETECT_TABLE_*_FLAG flags. */
1454  uint8_t tables;
1455 
1456  /** better keyword to replace the current one */
1457  uint16_t alternative;
1458 
1459  const char *name; /**< keyword name alias */
1460  const char *alias; /**< name alias */
1461  const char *desc;
1462  const char *url;
1463 
1464  // Cleanup function for freeing rust allocated name or such
1465  void (*Cleanup)(struct SigTableElmt_ *);
1467 
1468 /* event code */
1469 enum {
1483 
1486 };
1487 
1488 #define SIG_GROUP_HEAD_HAVERAWSTREAM BIT_U16(0)
1489 #ifdef HAVE_MAGIC
1490 #define SIG_GROUP_HEAD_HAVEFILEMAGIC BIT_U16(1)
1491 #endif
1492 #define SIG_GROUP_HEAD_HAVEFILEMD5 BIT_U16(2)
1493 #define SIG_GROUP_HEAD_HAVEFILESIZE BIT_U16(3)
1494 #define SIG_GROUP_HEAD_HAVEFILESHA1 BIT_U16(4)
1495 #define SIG_GROUP_HEAD_HAVEFILESHA256 BIT_U16(5)
1506 };
1507 
1508 typedef struct MpmStore_ {
1509  uint8_t *sid_array;
1510  uint32_t sid_array_size;
1511 
1514  int sm_list;
1518 
1520 
1521 typedef void (*PrefilterPktFn)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx);
1522 typedef void (*PrefilterFrameFn)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
1523  const struct Frames *frames, const struct Frame *frame);
1524 
1525 typedef struct AppLayerTxData AppLayerTxData;
1526 typedef void (*PrefilterTxFn)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f,
1527  void *tx, const uint64_t tx_id, const AppLayerTxData *tx_data, const uint8_t flags);
1528 
1529 typedef struct PrefilterEngineList_ {
1530  uint16_t id;
1531 
1532  /** App Proto this engine applies to: only used with Tx Engines */
1534  /** Minimal Tx progress we need before running the engine. Only used
1535  * with Tx Engine. Set to -1 for all states. */
1537 
1538  uint8_t frame_type;
1539 
1540  SignatureMask pkt_mask; /**< mask for pkt engines */
1541 
1543 
1544  /** Context for matching. Might be MpmCtx for MPM engines, other ctx'
1545  * for other engines. */
1546  void *pectx;
1547 
1552  DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f);
1553 
1555 
1556  /** Free function for pectx data. If NULL the memory is not freed. */
1557  void (*Free)(void *pectx);
1558 
1559  const char *name;
1560  /* global id for this prefilter */
1561  uint32_t gid;
1563 
1564 typedef struct PrefilterEngine_ {
1565  uint16_t local_id;
1566 
1567  /** App Proto this engine applies to: only used with Tx Engines */
1569 
1570  union {
1571  struct {
1572  SignatureMask mask; /**< mask for pkt engines */
1573  uint8_t hook; /**< enum SignatureHookPkt */
1574  } pkt;
1575  /** Minimal Tx progress we need before running the engine. Only used
1576  * with Tx Engine. Set to -1 for all states. */
1578  uint8_t frame_type;
1579  } ctx;
1580 
1581  bool is_last;
1583 
1584  /** Context for matching. Might be MpmCtx for MPM engines, other ctx'
1585  * for other engines. */
1586  void *pectx;
1587 
1588  union {
1593  DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f);
1594  } cb;
1595 
1596  /* global id for this prefilter */
1597  uint32_t gid;
1599 
1600 typedef struct SigGroupHeadInitData_ {
1602 
1603  uint8_t *sig_array; /**< bit array of sig nums (internal id's) */
1604  uint32_t sig_size; /**< size in bytes */
1605 
1606  uint8_t protos[256]; /**< proto(s) this sgh is for */
1607  uint32_t direction; /**< set to SIG_FLAG_TOSERVER, SIG_FLAG_TOCLIENT or both */
1608  int score; /**< try to make this group a unique one */
1609  uint32_t max_sig_id; /**< max signature idx for this sgh */
1610 
1614 
1620 
1621  /** number of sigs in this group */
1623 
1624  /** Array with sig ptrs... size is sig_cnt * sizeof(Signature *) */
1627 
1628 /** \brief Container for matching data for a signature group */
1629 typedef struct SigGroupHead_ {
1630  uint16_t flags;
1631  /* coccinelle: SigGroupHead:flags:SIG_GROUP_HEAD_ */
1632 
1633  /** the number of signatures in this sgh that have the filestore keyword
1634  * set. */
1635  uint16_t filestore_cnt;
1636 
1637  uint32_t id; /**< unique id used to index sgh_array for stats */
1638 
1643  PrefilterEngine *post_rule_match_engines; /**< engines to run after rules modified a state */
1644 
1645  /* ptr to our init data we only use at... init :) */
1647 
1649 
1650 /** sigmatch has no options, so the parser shouldn't expect any */
1651 #define SIGMATCH_NOOPT BIT_U16(0)
1652 /** sigmatch is compatible with a ip only rule */
1653 #define SIGMATCH_IPONLY_COMPAT BIT_U16(1)
1654 /** sigmatch is compatible with a decode event only rule */
1655 #define SIGMATCH_DEONLY_COMPAT BIT_U16(2)
1657 // vacancy
1658 
1659 /** sigmatch may have options, so the parser should be ready to
1660  * deal with both cases */
1661 #define SIGMATCH_OPTIONAL_OPT BIT_U16(4)
1662 /** input may be wrapped in double quotes. They will be stripped before
1663  * input data is passed to keyword parser */
1664 #define SIGMATCH_QUOTES_OPTIONAL BIT_U16(5)
1665 /** input MUST be wrapped in double quotes. They will be stripped before
1666  * input data is passed to keyword parser. Missing double quotes lead to
1667  * error and signature invalidation. */
1668 #define SIGMATCH_QUOTES_MANDATORY BIT_U16(6)
1669 /** negation parsing is handled by the rule parser. Signature::init_data::negated
1670  * will be set to true or false prior to calling the keyword parser. Exclamation
1671  * mark is stripped from the input to the keyword parser. */
1672 #define SIGMATCH_HANDLE_NEGATION BIT_U16(7)
1673 /** keyword is a content modifier */
1674 #define SIGMATCH_INFO_CONTENT_MODIFIER BIT_U16(8)
1675 /** keyword is a sticky buffer */
1676 #define SIGMATCH_INFO_STICKY_BUFFER BIT_U16(9)
1677 /** keyword is deprecated: used to suggest an alternative */
1678 #define SIGMATCH_INFO_DEPRECATED BIT_U16(10)
1679 /** strict parsing is enabled */
1680 #define SIGMATCH_STRICT_PARSING BIT_U16(11)
1681 /** keyword supported by firewall rules */
1682 #define SIGMATCH_SUPPORT_FIREWALL BIT_U16(12)
1683 /** keyword supporting setting an optional direction */
1684 #define SIGMATCH_SUPPORT_DIR BIT_U16(13)
1687 {
1688  TENANT_SELECTOR_UNKNOWN = 0, /**< not set */
1689  TENANT_SELECTOR_DIRECT, /**< method provides direct tenant id */
1690  TENANT_SELECTOR_VLAN, /**< map vlan to tenant id */
1691  TENANT_SELECTOR_LIVEDEV, /**< map livedev to tenant id */
1692 };
1693 
1695  uint32_t tenant_id;
1696 
1697  /* traffic id that maps to the tenant id */
1698  uint32_t traffic_id;
1699 
1702 
1703 typedef struct DetectEngineMasterCtx_ {
1705 
1706  /** enable multi tenant mode */
1708 
1709  /** version, incremented after each 'apply to threads' */
1710  uint32_t version;
1711 
1712  /** list of active detection engines. This list is used to generate the
1713  * threads det_ctx's */
1715 
1716  /** free list, containing detection engines that will be removed but may
1717  * still be referenced by det_ctx's. Freed as soon as all references are
1718  * gone. */
1720 
1722 
1723  /** list of tenant mappings. Updated under lock. Used to generate lookup
1724  * structures. */
1726 
1727  /** list of keywords that need thread local ctxs,
1728  * only updated by keyword registration at start up. Not
1729  * covered by the lock. */
1733 
1734 /* Table with all SigMatch registrations */
1736 
1737 /** Remember to add the options in SignatureIsIPOnly() at detect.c otherwise it wont be part of a signature group */
1738 
1739 /* detection api */
1740 TmEcode Detect(ThreadVars *tv, Packet *p, void *data);
1741 uint8_t DetectPreFlow(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p);
1742 uint8_t DetectPreStream(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p);
1743 
1744 SigMatch *SigMatchAlloc(void);
1745 Signature *SigFindSignatureBySidGid(DetectEngineCtx *, uint32_t, uint32_t);
1747 
1748 void SigRegisterTests(void);
1749 
1751 char *DetectLoadCompleteSigPath(const DetectEngineCtx *, const char *sig_file);
1752 int SigLoadSignatures(DetectEngineCtx *, char *, bool);
1754  DetectEngineThreadCtx *det_ctx, Packet *p);
1755 
1758 
1759 int DetectUnregisterThreadCtxFuncs(DetectEngineCtx *, void *data, const char *name);
1760 int DetectRegisterThreadCtxFuncs(DetectEngineCtx *, const char *name, void *(*InitFunc)(void *), void *data, void (*FreeFunc)(void *), int);
1762 void *DetectGetInnerTx(void *tx_ptr, AppProto alproto, AppProto engine_alproto, uint8_t flow_flags);
1763 
1764 void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size);
1766 
1768 
1771 
1772 /* events */
1773 void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e);
1774 
1776 
1777 #endif /* SURICATA_DETECT_H */
FILE_DECODER_EVENT_LZMA_DECODER_ERROR
@ FILE_DECODER_EVENT_LZMA_DECODER_ERROR
Definition: detect.h:1479
DetectEngineThreadCtx_::byte_values
uint64_t * byte_values
Definition: detect.h:1279
DetectEngineCtx_::sgh_hash_table
HashListTable * sgh_hash_table
Definition: detect.h:962
DetectEngineCtx_::pkt_mpms_list_cnt
uint32_t pkt_mpms_list_cnt
Definition: detect.h:1090
DETECT_TABLE_APP_TD
@ DETECT_TABLE_APP_TD
Definition: detect.h:559
DetectEngineAppInspectionEngine_::stream
bool stream
Definition: detect.h:421
DetectEngineCtx_::frame_mpms_list_cnt
uint32_t frame_mpms_list_cnt
Definition: detect.h:1093
SCFPSupportSMList
struct SCFPSupportSMList_ SCFPSupportSMList
SigFileLoaderStat_::bad_files
int bad_files
Definition: detect.h:878
SIG_TYPE_STREAM
@ SIG_TYPE_STREAM
Definition: detect.h:74
DetectEngineTenantMapping_
Definition: detect.h:1694
InspectionSingleBufferGetDataPtr
bool(* InspectionSingleBufferGetDataPtr)(const void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len)
Definition: detect.h:403
SignatureInitData_::max_content_list_id
uint32_t max_content_list_id
Definition: detect.h:653
DetectAddress_::ip
Address ip
Definition: detect.h:170
SigMatchSignaturesGetSgh
const SigGroupHead * SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx, const Packet *p)
Get the SigGroupHead for a packet.
Definition: detect.c:282
PrefilterEngine_::mask
SignatureMask mask
Definition: detect.h:1572
DetectPatternTracker
Definition: detect.h:808
SignatureInitData_::rule_state_dependant_sids_idx
uint32_t rule_state_dependant_sids_idx
Definition: detect.h:659
PrefilterEngineList_::frame_type
uint8_t frame_type
Definition: detect.h:1538
SCFPSupportSMList_
Definition: detect.h:839
DetectEngineThreadCtx_::keyword_perf_data_per_list
struct SCProfileKeywordData_ ** keyword_perf_data_per_list
Definition: detect.h:1405
SigGroupHead_::tx_engines
PrefilterEngine * tx_engines
Definition: detect.h:1641
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:274
DetectEngineAppInspectionEngine_
Definition: detect.h:416
SigTableElmt_::url
const char * url
Definition: detect.h:1462
DetectBufferType_::supports_transforms
bool supports_transforms
Definition: detect.h:457
SigLoadSignatures
int SigLoadSignatures(DetectEngineCtx *, char *, bool)
Load signatures.
Definition: detect-engine-loader.c:372
MPMB_UDP_TS
@ MPMB_UDP_TS
Definition: detect.h:1502
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:534
SigMatch_::prev
struct SigMatch_ * prev
Definition: detect.h:361
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:420
SCProfileKeywordData_
Definition: util-profiling-keywords.c:41
TransformIdData_
Definition: detect.h:444
DetectBufferType_::mpm
bool mpm
Definition: detect.h:454
PrefilterEngineList_::Prefilter
PrefilterPktFn Prefilter
Definition: detect.h:1548
SignatureInitDataBuffer_::sm_init
bool sm_init
Definition: detect.h:526
RuleMatchCandidateTx::stream_stored
bool stream_stored
Definition: detect.h:1203
DetectReplaceList_::cd
const struct DetectContentData_ * cd
Definition: detect.h:816
DetectEngineThreadCtx_::alert_queue_size
uint16_t alert_queue_size
Definition: detect.h:1329
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1268
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:119
DetectBufferMpmRegistry_::direction
int direction
Definition: detect.h:765
DetectEngineThreadCtx_::to_clear_idx
uint32_t to_clear_idx
Definition: detect.h:1304
SignatureInitDataBuffer
struct SignatureInitDataBuffer_ SignatureInitDataBuffer
SigMatchFree
void SigMatchFree(DetectEngineCtx *, SigMatch *sm)
free a SigMatch
Definition: detect-parse.c:288
DetectEngineCtx_::class_conf_ht
HashTable * class_conf_ht
Definition: detect.h:1117
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:642
detect-engine-proto.h
DetectEngineThreadCtx_::keyword_perf_data
struct SCProfileKeywordData_ * keyword_perf_data
Definition: detect.h:1404
DetectEngineThreadCtx_::match_array_cnt
SigIntId match_array_cnt
Definition: detect.h:1340
DetectVarList_::idx
uint32_t idx
Definition: detect.h:830
MpmStore_::sid_array_size
uint32_t sid_array_size
Definition: detect.h:1510
PrefilterEngine_::PrefilterPostRule
void(* PrefilterPostRule)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f)
Definition: detect.h:1592
PORT_GT
@ PORT_GT
Definition: detect.h:212
SignatureHook_
Definition: detect.h:571
SigTableElmt_::desc
const char * desc
Definition: detect.h:1461
SignatureInitData_::list_set
bool list_set
Definition: detect.h:629
Signature_::addr_src_match6
DetectMatchAddressIPv6 * addr_src_match6
Definition: detect.h:711
DetectEngineThreadCtx_::SC_ATOMIC_DECLARE
SC_ATOMIC_DECLARE(int, so_far_used_by_detect)
Signature_::sig_str
char * sig_str
Definition: detect.h:745
MpmStore_::sid_array
uint8_t * sid_array
Definition: detect.h:1509
DetectEngineThreadKeywordCtxItem
struct DetectEngineThreadKeywordCtxItem_ DetectEngineThreadKeywordCtxItem
DetectEngineCtx_::sgh_mpm_context_proto_tcp_packet
int32_t sgh_mpm_context_proto_tcp_packet
Definition: detect.h:1004
DetectEngineIPOnlyCtx_::tree_ipv6dst
SCRadix6Tree tree_ipv6dst
Definition: detect.h:849
SIG_TYPE_APP_TX
@ SIG_TYPE_APP_TX
Definition: detect.h:77
DetectPreFlow
uint8_t DetectPreFlow(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p)
Definition: detect.c:2312
ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE
Definition: detect.h:1184
DetectVarList_::buffer
uint8_t * buffer
Definition: detect.h:834
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1446
IPOnlyCIDRItem
struct IPOnlyCIDRItem_ IPOnlyCIDRItem
util-hashlist.h
DetectEngineCtx_::decoder_event_sgh
struct SigGroupHead_ * decoder_event_sgh
Definition: detect.h:1017
SignatureHook_::sm_list
int sm_list
Definition: detect.h:573
DetectEngineCtx_::flow_gh
DetectEngineLookupFlow flow_gh[FLOW_STATES]
Definition: detect.h:959
DETECT_TABLE_APP_FILTER
@ DETECT_TABLE_APP_FILTER
Definition: detect.h:558
SCFPSupportSMList_::next
struct SCFPSupportSMList_ * next
Definition: detect.h:842
DetectEngineThreadCtx_::counter_match_list
uint16_t counter_match_list
Definition: detect.h:1298
SigString
struct SigString_ SigString
DetectEnginePktInspectionEngine
Definition: detect.h:483
DetectEngineMasterCtx_::tenant_mapping_list
DetectEngineTenantMapping * tenant_mapping_list
Definition: detect.h:1725
Signature_::filestore_ctx
const struct DetectFilestoreData_ * filestore_ctx
Definition: detect.h:734
DetectEngineAppInspectionEngine_::next
struct DetectEngineAppInspectionEngine_ * next
Definition: detect.h:441
SigGroupHead_::flags
uint16_t flags
Definition: detect.h:1630
ADDRESS_LE
@ ADDRESS_LE
Definition: detect.h:154
SignatureIsIPOnly
int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
Test is a initialized signature is IP only.
Definition: detect-engine-build.c:210
PostRuleMatchWorkQueue::len
uint32_t len
Definition: detect.h:1227
PostRuleMatchWorkQueueItem::sm_type
int sm_type
Definition: detect.h:1216
SCFPSupportSMList_::list_id
int list_id
Definition: detect.h:840
SigTableElmt_::name
const char * name
Definition: detect.h:1459
DetectEngineMasterCtx_::list
DetectEngineCtx * list
Definition: detect.h:1714
SignatureInitData_::smlists_tail
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
Definition: detect.h:644
MpmThreadCtx_
Definition: util-mpm.h:46
DetectPatternTracker::mpm
uint32_t mpm
Definition: detect.h:812
DetectEngineCtx
struct DetectEngineCtx_ DetectEngineCtx
main detection engine ctx
IPOnlyCIDRItem_::netmask
uint8_t netmask
Definition: detect.h:336
DetectEngineCtx_::type
enum DetectEngineType type
Definition: detect.h:1053
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1629
DetectEngineCtx_::pattern_hash_table
HashListTable * pattern_hash_table
Definition: detect.h:965
DetectEngineThreadCtx_::sgh_perf_data
struct SCProfileSghData_ * sgh_perf_data
Definition: detect.h:1407
DetectEngineCtx_::firewall_rule_file_exclusive
const char * firewall_rule_file_exclusive
Definition: detect.h:1144
DetectEngineCtx_::guess_applayer
bool guess_applayer
Definition: detect.h:979
PostRuleMatchWorkQueueItem
Definition: detect.h:1215
DetectEngineIPOnlyCtx_::tree_ipv4dst
SCRadix4Tree tree_ipv4dst
Definition: detect.h:848
DetectEngineTransforms
Definition: detect.h:391
PrefilterEngineList_::id
uint16_t id
Definition: detect.h:1530
DetectBufferMpmRegistry_::sm_list_base
int16_t sm_list_base
Definition: detect.h:767
SigGroupHeadInitData_::sig_array
uint8_t * sig_array
Definition: detect.h:1603
SCProfileSghDetectCtx_
Definition: util-profiling-rulegroups.c:49
DetectEngineCtx_::PreFlowHook
DetectPacketHookFunc PreFlowHook
Definition: detect.h:1158
Signature_::app_progress_hook
uint8_t app_progress_hook
Definition: detect.h:705
DetectAddress_
address structure for use in the detection engine.
Definition: detect.h:168
DetectEngineCtx_::max_uniq_toclient_groups
uint16_t max_uniq_toclient_groups
Definition: detect.h:990
DetectEngineThreadCtx_::buffers
InspectionBufferMultipleForList * buffers
Definition: detect.h:1311
SignatureInitData_::prefilter_sm
SigMatch * prefilter_sm
Definition: detect.h:625
PrefilterRuleStore_
structure for storing potential rule matches
Definition: util-prefilter.h:34
SignatureInitData_::src_contains_negation
bool src_contains_negation
Definition: detect.h:601
DetectEngineCtx_::ref_cnt
uint32_t ref_cnt
Definition: detect.h:1056
DetectEngineCtx_::sigerror_silent
bool sigerror_silent
Definition: detect.h:1026
DetectEngineAppInspectionEngine_::Callback
InspectEngineFuncPtr Callback
Definition: detect.h:434
Signature_::alproto
AppProto alproto
Definition: detect.h:673
DETECT_TABLE_PACKET_PRE_STREAM
@ DETECT_TABLE_PACKET_PRE_STREAM
Definition: detect.h:555
SignatureInitData_::is_rule_state_dependant
bool is_rule_state_dependant
Definition: detect.h:656
SignatureNonPrefilterStore_::id
SigIntId id
Definition: detect.h:1192
SigString_
Definition: detect.h:867
DetectAddressHead_
Definition: detect.h:183
FILE_DECODER_EVENT_Z_STREAM_ERROR
@ FILE_DECODER_EVENT_Z_STREAM_ERROR
Definition: detect.h:1474
MPMB_OTHERIP
@ MPMB_OTHERIP
Definition: detect.h:1504
DetectEngineCtx_::filedata_config
DetectFileDataCfg * filedata_config
Definition: detect.h:1039
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
DetectEngineFrameInspectionEngine::sm_list_base
uint16_t sm_list_base
Definition: detect.h:514
DetectPort_::port
uint16_t port
Definition: detect.h:221
SigMatchData_::is_last
bool is_last
Definition: detect.h:367
DetectEngineIPOnlyCtx_::ip_src
IPOnlyCIDRItem * ip_src
Definition: detect.h:852
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:86
DETECT_SM_LIST_DYNAMIC_START
@ DETECT_SM_LIST_DYNAMIC_START
Definition: detect.h:138
IPOnlyCIDRItem_
Definition: detect.h:332
DetectFileDataCfg
Definition: detect.h:914
DetectEngineThreadCtx_::tx_id
uint64_t tx_id
Definition: detect.h:1320
DetectEngineThreadCtx_::decoder_events
AppLayerDecoderEvents * decoder_events
Definition: detect.h:1372
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:368
InspectionBuffer
Definition: detect-engine-inspect-buffer.h:34
DetectVarList_::key_len
uint16_t key_len
Definition: detect.h:832
DetectEngineCtx_::PreStreamHook
DetectPacketHookFunc PreStreamHook
Definition: detect.h:1153
MpmStore_::sm_list
int sm_list
Definition: detect.h:1514
DetectEngineAppInspectionEngine_::GetData
InspectionBufferGetDataPtr GetData
Definition: detect.h:430
DetectEngineThreadKeywordCtxItem_
Definition: detect.h:885
DetectTable
DetectTable
Definition: detect.h:552
DetectEngineCtx_::pkt_mpms_list
DetectBufferMpmRegistry * pkt_mpms_list
Definition: detect.h:1089
DETECT_BUFFER_MPM_TYPE_FRAME
@ DETECT_BUFFER_MPM_TYPE_FRAME
Definition: detect.h:756
Frame
Definition: app-layer-frames.h:45
Flow_
Flow data structure.
Definition: flow.h:356
SigTableElmt_::FileMatch
int(* FileMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, File *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1429
DetectVarList_
Definition: detect.h:827
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:133
DetectReplaceList_::found
uint8_t * found
Definition: detect.h:817
PrefilterEngine_::tx_min_progress
int8_t tx_min_progress
Definition: detect.h:1577
DetectEngineThreadKeywordCtxItem_::data
void * data
Definition: detect.h:888
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1349
util-hash.h
EngineAnalysisCtx_
Definition: detect-engine-analyzer.c:83
InspectionBufferGetDataPtr
InspectionBuffer *(* InspectionBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)
Definition: detect.h:397
SigGroupHeadInitData_::mpm_store
MpmStore mpm_store[MPMB_MAX]
Definition: detect.h:1601
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1450
SigFindSignatureBySidGid
Signature * SigFindSignatureBySidGid(DetectEngineCtx *, uint32_t, uint32_t)
Find a specific signature by sid and gid.
Definition: detect-engine-build.c:80
DetectEngineIPOnlyCtx_::tree_ipv4src
SCRadix4Tree tree_ipv4src
Definition: detect.h:848
DetectEngineCtx_::inspection_recursion_limit
int inspection_recursion_limit
Definition: detect.h:973
PrefilterEngineList_::name
const char * name
Definition: detect.h:1559
DetectVarList_::len
uint16_t len
Definition: detect.h:831
DetectEngineFrameInspectionEngine::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:518
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DetectEngineFrameInspectionEngine::v1
struct DetectEngineFrameInspectionEngine::@94 v1
DetectEnginePktInspectionEngine::smd
SigMatchData * smd
Definition: detect.h:484
DetectPatternTracker
struct DetectPatternTracker DetectPatternTracker
SCProfilePrefilterDetectCtx_
Definition: util-profiling-prefilter.c:48
SIG_TYPE_PKT_STREAM
@ SIG_TYPE_PKT_STREAM
Definition: detect.h:73
DetectEngineCtx_::pre_stream_sgh
struct SigGroupHead_ * pre_stream_sgh[2]
Definition: detect.h:1155
DetectEngineThreadCtx_::lua_blocked_function_errors
uint16_t lua_blocked_function_errors
Definition: detect.h:1379
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2420
DetectEngineThreadCtx_::global_keyword_ctxs_array
void ** global_keyword_ctxs_array
Definition: detect.h:1370
TransformData_::options
void * options
Definition: detect.h:388
DetectEngineFrameInspectionEngine::mpm
bool mpm
Definition: detect.h:512
detect-engine-register.h
SIGNATURE_HOOK_PKT_NOT_SET
@ SIGNATURE_HOOK_PKT_NOT_SET
Definition: detect.h:539
SCDetectRateFilterFunc
uint8_t(* SCDetectRateFilterFunc)(const Packet *p, uint32_t sid, uint32_t gid, uint32_t rev, uint8_t original_action, uint8_t new_action, void *arg)
Function type for rate filter callback.
Definition: detect.h:928
DetectEngineCtx_::reference_conf_regex_match
pcre2_match_data * reference_conf_regex_match
Definition: detect.h:1126
RuleMatchCandidateTxArrayFree
void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx)
Definition: detect.c:1086
DetectEngineThreadCtx_::p
Packet * p
Definition: detect.h:1324
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1424
DetectEngineThreadCtx_::keyword_perf_list
int keyword_perf_list
Definition: detect.h:1406
DetectEngineCtx_::mpm_cfg
MpmConfig * mpm_cfg
Definition: detect.h:936
InspectionBufferGetPktDataPtr
InspectionBuffer *(* InspectionBufferGetPktDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)
Definition: detect.h:478
DetectEngineCtx_::keyword_id
int keyword_id
Definition: detect.h:1035
RuleMatchCandidateTx::id
SigIntId id
Definition: detect.h:1199
Detect
TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
Detection engine thread wrapper.
Definition: detect.c:2341
DetectBufferMpmRegistry_::type
uint8_t type
Definition: detect.h:800
SignatureProperties
Definition: detect.h:89
DetectBufferMpmRegistry_::pkt_v1
struct DetectBufferMpmRegistry_::@98::@101 pkt_v1
DetectBufferMpmRegistry_::next
struct DetectBufferMpmRegistry_ * next
Definition: detect.h:804
HashTable_
Definition: util-hash.h:35
DetectPatternTracker::cnt
uint32_t cnt
Definition: detect.h:811
DetectEngineTenantMapping_::next
struct DetectEngineTenantMapping_ * next
Definition: detect.h:1700
DetectEngineThreadCtx_::buffers_size
uint32_t buffers_size
Definition: detect.h:1303
DetectEngineCtx_::srep_version
uint32_t srep_version
Definition: detect.h:945
DetectEngineCtx_::profile_sgh_ctx
struct SCProfileSghDetectCtx_ * profile_sgh_ctx
Definition: detect.h:1048
Frames
Definition: app-layer-frames.h:60
DetectBufferMpmRegistry_
one time registration of keywords at start up
Definition: detect.h:762
DetectPort_::next
struct DetectPort_ * next
Definition: detect.h:234
DetectEngineCtx_::tcp_priorityports
DetectPort * tcp_priorityports
Definition: detect.h:1068
DetectReplaceList_
Definition: detect.h:815
MPMB_TCP_STREAM_TS
@ MPMB_TCP_STREAM_TS
Definition: detect.h:1500
DetectEngineAppInspectionEngine_::sm_list_base
uint16_t sm_list_base
Definition: detect.h:425
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: app-layer-parser.h:42
Address_
Definition: decode.h:112
DetectPatternTracker::cd
const struct DetectContentData_ * cd
Definition: detect.h:809
DetectEngineCtx_::sigerror_requires
bool sigerror_requires
Definition: detect.h:1030
DetectEngineThreadCtx_::spm_thread_ctx
SpmThreadCtx * spm_thread_ctx
Definition: detect.h:1276
DetectAddressHead
struct DetectAddressHead_ DetectAddressHead
DetectEngineCtx_::dport_hash_table
HashListTable * dport_hash_table
Definition: detect.h:1066
SignatureInitDataBuffer_::multi_capable
bool multi_capable
Definition: detect.h:529
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:731
SigGroupHead_::payload_engines
PrefilterEngine * payload_engines
Definition: detect.h:1640
DetectEngineCtx_::mpm_ctx_factory_container
MpmCtxFactoryContainer * mpm_ctx_factory_container
Definition: detect.h:996
DETECT_EVENT_POST_MATCH_QUEUE_FAILED
@ DETECT_EVENT_POST_MATCH_QUEUE_FAILED
Definition: detect.h:1485
DetectEngineCtx_::prefilter_setting
enum DetectEnginePrefilterSetting prefilter_setting
Definition: detect.h:1064
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:608
DetectEngineCtx_::reference_conf_regex
pcre2_code * reference_conf_regex
Definition: detect.h:1125
DetectBufferType_
Definition: detect.h:449
DetectPort_::sh
struct SigGroupHead_ * sh
Definition: detect.h:231
DetectEngineThreadCtx_::multi_inspect
struct DetectEngineThreadCtx_::@110 multi_inspect
DetectEngineCtx_::udp_priorityports
DetectPort * udp_priorityports
Definition: detect.h:1069
DetectContentData_
Definition: detect-content.h:93
DetectEngineSetEvent
void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e)
Definition: detect-engine.c:5009
SigFileLoaderStat_::TAILQ_HEAD
TAILQ_HEAD(, SigString_) failed_sigs
PostRuleMatchWorkQueue::size
uint32_t size
Definition: detect.h:1228
DetectEngineCtx_::sigerror_ok
bool sigerror_ok
Definition: detect.h:1027
DetectEngineCtx_::class_conf_regex
pcre2_code * class_conf_regex
Definition: detect.h:1118
ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL
Definition: detect.h:1183
PrefilterEngine_::local_id
uint16_t local_id
Definition: detect.h:1565
PrefilterEngineList_::Free
void(* Free)(void *pectx)
Definition: detect.h:1557
DetectEngineThreadCtx_::lua_instruction_limit_errors
uint16_t lua_instruction_limit_errors
Definition: detect.h:1382
PostRuleMatchWorkQueueItem
struct PostRuleMatchWorkQueueItem PostRuleMatchWorkQueueItem
RuleMatchCandidateTxArrayInit
void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size)
Definition: detect.c:1073
FILE_DECODER_EVENT_Z_BUF_ERROR
@ FILE_DECODER_EVENT_Z_BUF_ERROR
Definition: detect.h:1475
MPMB_MAX
@ MPMB_MAX
Definition: detect.h:1505
SigTableElmt_
element in sigmatch type table.
Definition: detect.h:1419
SCDetectRequiresStatus
struct SCDetectRequiresStatus SCDetectRequiresStatus
Definition: detect.h:61
FILE_DECODER_EVENT_LZMA_XZ_ERROR
@ FILE_DECODER_EVENT_LZMA_XZ_ERROR
Definition: detect.h:1481
SigMatchData_
Data needed for Match()
Definition: detect.h:365
InspectionBufferMultipleForList::init
uint32_t init
Definition: detect.h:383
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1441
DetectEngineCtx_::sgh_mpm_context_proto_udp_packet
int32_t sgh_mpm_context_proto_udp_packet
Definition: detect.h:1005
DetectPort
struct DetectPort_ DetectPort
Port structure for detection engine.
RuleMatchCandidateTx::s
const Signature * s
Definition: detect.h:1209
DetectEngineCtx_::reference_conf_ht
HashTable * reference_conf_ht
Definition: detect.h:1124
DetectBufferMpmRegistry_::transforms
DetectEngineTransforms transforms
Definition: detect.h:775
SIG_TYPE_APPLAYER
@ SIG_TYPE_APPLAYER
Definition: detect.h:76
DetectEngineThreadCtx_::counter_fnonmpm_list
uint16_t counter_fnonmpm_list
Definition: detect.h:1297
SigMatchData_::type
uint16_t type
Definition: detect.h:366
DetectEngineCtx_::version
uint32_t version
Definition: detect.h:1013
DetectMatchAddressIPv4_::ip
uint32_t ip
Definition: detect.h:190
DETECT_TRANSFORMS_MAX
#define DETECT_TRANSFORMS_MAX
Definition: detect.h:48
ENGINE_PROFILE_HIGH
@ ENGINE_PROFILE_HIGH
Definition: detect.h:1177
DetectEngineThreadCtx_::varlist
DetectVarList * varlist
Definition: detect.h:1354
Signature_::dsize_low
uint16_t dsize_low
Definition: detect.h:675
DetectEnginePktInspectionEngine::v1
struct DetectEnginePktInspectionEngine::@93 v1
DetectPort_::port2
uint16_t port2
Definition: detect.h:222
DetectEngineCtx_::non_pf_engine_names
HashTable * non_pf_engine_names
Definition: detect.h:1142
SignatureNonPrefilterStore_
Definition: detect.h:1191
DetectEngineThreadCtx_::counter_nonmpm_list
uint16_t counter_nonmpm_list
Definition: detect.h:1296
MPMB_TCP_STREAM_TC
@ MPMB_TCP_STREAM_TC
Definition: detect.h:1501
DetectEngineThreadCtx_::events
uint16_t events
Definition: detect.h:1373
SIG_JSON_CONTENT_ITEM_LEN
#define SIG_JSON_CONTENT_ITEM_LEN
Definition: detect.h:1232
AppLayerDecoderEvents_
Data structure to store app layer decoder events.
Definition: app-layer-events.h:36
SigGroupHead
struct SigGroupHead_ SigGroupHead
Container for matching data for a signature group.
DetectMatchAddressIPv6
struct DetectMatchAddressIPv6_ DetectMatchAddressIPv6
DetectUnregisterThreadCtxFuncs
int DetectUnregisterThreadCtxFuncs(DetectEngineCtx *, void *data, const char *name)
Remove Thread keyword context registration.
Definition: detect-engine.c:3715
TransformIdData
struct TransformIdData_ TransformIdData
TransformData_
Definition: detect.h:386
FLOW_STATES
#define FLOW_STATES
Definition: detect.h:912
DETECT_EVENT_TOO_MANY_BUFFERS
@ DETECT_EVENT_TOO_MANY_BUFFERS
Definition: detect.h:1484
Signature_::frame_inspect
DetectEngineFrameInspectionEngine * frame_inspect
Definition: detect.h:727
DetectEngineIPOnlyCtx_::tree_ipv6src
SCRadix6Tree tree_ipv6src
Definition: detect.h:849
DetectEnginePktInspectionEngine::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:492
MpmBuiltinBuffers
MpmBuiltinBuffers
Definition: detect.h:1497
DetectPort_::flags
uint8_t flags
Definition: detect.h:224
SigRegisterTests
void SigRegisterTests(void)
Definition: detect.c:4960
DetectThreadCtxGetKeywordThreadCtx
void * DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *, int)
Retrieve thread local keyword ctx by id.
Definition: detect-engine.c:3733
DetectEngineFrameInspectionEngine::Callback
InspectionBufferFrameInspectFunc Callback
Definition: detect.h:516
InspectionBufferMultipleForList::size
uint32_t size
Definition: detect.h:381
DetectEngineThreadCtx_::mt_det_ctxs_hash
HashTable * mt_det_ctxs_hash
Definition: detect.h:1256
DetectAddress_::prev
struct DetectAddress_ * prev
Definition: detect.h:177
DETECT_PREFILTER_AUTO
@ DETECT_PREFILTER_AUTO
Definition: detect.h:897
DetectEngineThreadCtx_::keyword_ctxs_size
int keyword_ctxs_size
Definition: detect.h:1367
PrefilterEngine_::is_last_for_progress
bool is_last_for_progress
Definition: detect.h:1582
detect-reference.h
Signature_::gid
uint32_t gid
Definition: detect.h:714
DetectEngineThreadCtx_::lua_rule_errors
uint16_t lua_rule_errors
Definition: detect.h:1376
DetectEngineCtx_::prefilter_id
uint32_t prefilter_id
Definition: detect.h:1095
DetectEngineCtx_::sgh_array_size
uint32_t sgh_array_size
Definition: detect.h:1002
SigGroupHeadInitData_::pkt_mpms
MpmCtx ** pkt_mpms
Definition: detect.h:1612
SigString_::sig_error
char * sig_error
Definition: detect.h:870
DetectMatchAddressIPv6_::ip2
uint32_t ip2[4]
Definition: detect.h:196
DetectEngineAppInspectionEngine_::id
uint8_t id
Definition: detect.h:419
SCRadix4Tree_
Structure for the radix tree.
Definition: util-radix4-tree.h:66
PrefilterEngineList_::next
struct PrefilterEngineList_ * next
Definition: detect.h:1554
DetectEngineThreadCtx_::counter_alerts_suppressed
uint16_t counter_alerts_suppressed
Definition: detect.h:1293
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1444
DetectEngineCtx_::base64_decode_max_len
uint16_t base64_decode_max_len
Definition: detect.h:1020
SIGNATURE_HOOK_TYPE_APP
@ SIGNATURE_HOOK_TYPE_APP
Definition: detect.h:549
Signature_::next
struct Signature_ * next
Definition: detect.h:750
DetectEngineCtx_::sgh_mpm_context_proto_other_packet
int32_t sgh_mpm_context_proto_other_packet
Definition: detect.h:1006
DetectVarList
struct DetectVarList_ DetectVarList
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:424
TENANT_SELECTOR_UNKNOWN
@ TENANT_SELECTOR_UNKNOWN
Definition: detect.h:1688
PORT_LT
@ PORT_LT
Definition: detect.h:206
DetectEngineTenantMapping_::tenant_id
uint32_t tenant_id
Definition: detect.h:1695
InspectionBufferMultipleForList
Definition: detect.h:379
SigFileLoaderStat_::skipped_sigs_total
int skipped_sigs_total
Definition: detect.h:882
DetectBufferMpmType
DetectBufferMpmType
Definition: detect.h:753
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:127
DetectEngineTenantMapping
struct DetectEngineTenantMapping_ DetectEngineTenantMapping
DetectEngineCtx_::prefilter_hash_table
HashListTable * prefilter_hash_table
Definition: detect.h:1096
SigGroupHeadInitData_::score
int score
Definition: detect.h:1608
DetectReplaceList
struct DetectReplaceList_ DetectReplaceList
SignaturePropertyFlowAction
SignaturePropertyFlowAction
Definition: detect.h:83
DetectPreStream
uint8_t DetectPreStream(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p)
Definition: detect.c:2322
SigString_::TAILQ_ENTRY
TAILQ_ENTRY(SigString_) next
DetectEngineTenantSelectors
DetectEngineTenantSelectors
Definition: detect.h:1687
DetectBufferMpmRegistry_::GetData
InspectionBufferGetDataPtr GetData
Definition: detect.h:781
detect-engine-inspect-buffer.h
DetectFileDataCfg::content_inspect_min_size
uint32_t content_inspect_min_size
Definition: detect.h:916
ADDRESS_ES
@ ADDRESS_ES
Definition: detect.h:156
InspectionBufferPktInspectFunc
int(* InspectionBufferPktInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags)
Definition: detect.h:471
DetectEngineCtx_::pre_flow_sgh
struct SigGroupHead_ * pre_flow_sgh
Definition: detect.h:1160
DetectBufferType
struct DetectBufferType_ DetectBufferType
DetectEngineCtx_::class_conf_regex_match
pcre2_match_data * class_conf_regex_match
Definition: detect.h:1119
DetectEngineThreadCtx_::tx_candidates
RuleMatchCandidateTx * tx_candidates
Definition: detect.h:1342
SIG_TYPE_PKT
@ SIG_TYPE_PKT
Definition: detect.h:72
DetectEngineCtx_::requirements
SCDetectRequiresStatus * requirements
Definition: detect.h:1135
DetectEngineMasterCtx
struct DetectEngineMasterCtx_ DetectEngineMasterCtx
Signature_::addr_src_match4
DetectMatchAddressIPv4 * addr_src_match4
Definition: detect.h:708
SigTableElmt_::TransformValidate
bool(* TransformValidate)(const uint8_t *content, uint16_t content_len, void *context)
Definition: detect.h:1435
PrefilterEngineList_::pkt_hook
enum SignatureHookPkt pkt_hook
Definition: detect.h:1542
Signature_::class_id
uint16_t class_id
Definition: detect.h:699
DetectEngineThreadCtx_::counter_alerts_overflow
uint16_t counter_alerts_overflow
Definition: detect.h:1291
DetectBufferType_::ValidateCallback
bool(* ValidateCallback)(const struct Signature_ *, const char **sigerror, const struct DetectBufferType_ *)
Definition: detect.h:460
DETECT_FILESTORE_MAX
#define DETECT_FILESTORE_MAX
Definition: detect.h:1189
PrefilterEngineList_::alproto
AppProto alproto
Definition: detect.h:1533
SignatureInitData
struct SignatureInitData_ SignatureInitData
ADDRESS_GE
@ ADDRESS_GE
Definition: detect.h:158
SigGroupHeadInitData_::sig_cnt
SigIntId sig_cnt
Definition: detect.h:1622
SRepCIDRTree_
Definition: reputation.h:36
DetectBufferMpmRegistry_::sgh_mpm_context
int sgh_mpm_context
Definition: detect.h:771
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR
@ FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR
Definition: detect.h:1478
DetectEnginePktInspectionEngine::sm_list
uint16_t sm_list
Definition: detect.h:486
DetectEngineThreadCtx_::match_array_len
uint32_t match_array_len
Definition: detect.h:1338
DetectBufferMpmRegistry_::GetData
InspectionBufferGetPktDataPtr GetData
Definition: detect.h:794
IPOnlyCIDRItem_::negated
uint8_t negated
Definition: detect.h:338
SignatureInitData_::buffers_size
uint32_t buffers_size
Definition: detect.h:649
DetectEngineThreadCtx_
Definition: detect.h:1244
ENGINE_PROFILE_LOW
@ ENGINE_PROFILE_LOW
Definition: detect.h:1175
PrefilterEngine_
Definition: detect.h:1564
MpmStore_
Definition: detect.h:1508
SigGroupHeadInitData_::tx_engines
PrefilterEngineList * tx_engines
Definition: detect.h:1617
SIG_TYPE_IPONLY
@ SIG_TYPE_IPONLY
Definition: detect.h:66
SCProfileKeywordDetectCtx_
Definition: util-profiling-keywords.c:49
SignatureInitData_::mpm_sm
SigMatch * mpm_sm
Definition: detect.h:623
PORT_ES
@ PORT_ES
Definition: detect.h:209
DetectEngineCtx_::srepCIDR_ctx
SRepCIDRTree * srepCIDR_ctx
Definition: detect.h:948
SignatureInitData_::src
const DetectAddressHead * src
Definition: detect.h:639
DetectEngineThreadCtx_::tx_candidates_size
uint32_t tx_candidates_size
Definition: detect.h:1343
signature_properties
const struct SignatureProperties signature_properties[SIG_TYPE_MAX]
Definition: detect-engine.c:115
DETECT_SM_LIST_BASE64_DATA
@ DETECT_SM_LIST_BASE64_DATA
Definition: detect.h:124
DetectEngineThreadKeywordCtxItem_::id
int id
Definition: detect.h:890
DetectBufferMpmRegistry_::sm_list
int16_t sm_list
Definition: detect.h:766
DetectEngineThreadCtx_::buffers
InspectionBuffer * buffers
Definition: detect.h:1302
DetectEngineMasterCtx_::keyword_list
DetectEngineThreadKeywordCtxItem * keyword_list
Definition: detect.h:1730
SigTableElmt_::Cleanup
void(* Cleanup)(struct SigTableElmt_ *)
Definition: detect.h:1465
SignatureInitData_::mpm_sm_list
int mpm_sm_list
Definition: detect.h:621
FILE_DECODER_EVENT_INVALID_SWF_VERSION
@ FILE_DECODER_EVENT_INVALID_SWF_VERSION
Definition: detect.h:1472
PrefilterEngineList_::PrefilterFrame
PrefilterFrameFn PrefilterFrame
Definition: detect.h:1550
DetectEngineMasterCtx_::tenant_selector
enum DetectEngineTenantSelectors tenant_selector
Definition: detect.h:1721
DetectEngineCtx_::keyword_hash
HashListTable * keyword_hash
Definition: detect.h:1037
PrefilterEngineList_::pectx
void * pectx
Definition: detect.h:1546
SignatureInitData_::cidr_dst
IPOnlyCIDRItem * cidr_dst
Definition: detect.h:618
DetectEngineCtx_::last_reload
struct timeval last_reload
Definition: detect.h:1099
SignatureInitData_::list
int list
Definition: detect.h:628
DetectEngineCtx_::failure_fatal
bool failure_fatal
Definition: detect.h:933
Signature_::pkt_inspect
DetectEnginePktInspectionEngine * pkt_inspect
Definition: detect.h:726
DetectEngineAppInspectionEngine_::GetMultiData
InspectionMultiBufferGetDataPtr GetMultiData
Definition: detect.h:432
SCProfileSghData_
Definition: util-profiling-rulegroups.c:38
DetectReplaceList_::next
struct DetectReplaceList_ * next
Definition: detect.h:818
DetectEngineLookupFlow_::sgh
struct SigGroupHead_ * sgh[256]
Definition: detect.h:864
Signature_::references
DetectReference * references
Definition: detect.h:741
ADDRESS_GT
@ ADDRESS_GT
Definition: detect.h:159
SigTableElmt_::tables
uint8_t tables
Definition: detect.h:1454
PrefilterEngineList_::PrefilterTx
PrefilterTxFn PrefilterTx
Definition: detect.h:1549
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineCtx_::sm_types_prefilter
bool * sm_types_prefilter
Definition: detect.h:1111
SignatureNonPrefilterStore_::alproto
AppProto alproto
Definition: detect.h:1194
SignatureInitData_::rule_state_flowbits_ids_size
uint32_t rule_state_flowbits_ids_size
Definition: detect.h:661
SignatureHookPkt
SignatureHookPkt
Definition: detect.h:538
PrefilterEngineList_::gid
uint32_t gid
Definition: detect.h:1561
DetectEngineFrameInspectionEngine::sm_list
uint16_t sm_list
Definition: detect.h:513
DetectMetadataHead
Definition: detect-metadata.h:39
SigTableElmt
struct SigTableElmt_ SigTableElmt
element in sigmatch type table.
SigMatch
struct SigMatch_ SigMatch
a single match condition for a signature
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:360
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:935
DETECT_TABLE_PACKET_PRE_FLOW
@ DETECT_TABLE_PACKET_PRE_FLOW
Definition: detect.h:554
DetectBufferMpmRegistry_::GetDataSingle
InspectionSingleBufferGetDataPtr GetDataSingle
Definition: detect.h:782
ENGINE_PROFILE_CUSTOM
@ ENGINE_PROFILE_CUSTOM
Definition: detect.h:1178
DETECT_TABLE_PACKET_FILTER
@ DETECT_TABLE_PACKET_FILTER
Definition: detect.h:556
DetectEngineCtx_::frame_inspect_engines
DetectEngineFrameInspectionEngine * frame_inspect_engines
Definition: detect.h:1091
DetectBufferMpmRegistry_::priority
int priority
Definition: detect.h:768
PrefilterEngineList
struct PrefilterEngineList_ PrefilterEngineList
DetectEngineMasterCtx_::free_list
DetectEngineCtx * free_list
Definition: detect.h:1719
DetectVarList_::type
uint16_t type
Definition: detect.h:828
DetectEngineCtx_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1138
ENGINE_PROFILE_UNKNOWN
@ ENGINE_PROFILE_UNKNOWN
Definition: detect.h:1174
DetectEngineThreadKeywordCtxItem_::next
struct DetectEngineThreadKeywordCtxItem_ * next
Definition: detect.h:889
DetectAddress_::ip2
Address ip2
Definition: detect.h:171
PrefilterFrameFn
void(* PrefilterFrameFn)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, const struct Frames *frames, const struct Frame *frame)
Definition: detect.h:1522
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:117
SignatureHook_::pkt
struct SignatureHook_::@95::@97 pkt
DetectPort_
Port structure for detection engine.
Definition: detect.h:220
SigGroupHead_::init
SigGroupHeadInitData * init
Definition: detect.h:1646
DetectEngineCtx_::sig_cnt
uint32_t sig_cnt
Definition: detect.h:942
DetectEngineThreadCtx_::json_content_capacity
uint8_t json_content_capacity
Definition: detect.h:1282
SigTableElmt_::alternative
uint16_t alternative
Definition: detect.h:1457
SignatureInitData_::cidr_src
IPOnlyCIDRItem * cidr_src
Definition: detect.h:618
Signature_::app_inspect
DetectEngineAppInspectionEngine * app_inspect
Definition: detect.h:725
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
DetectReference_
Signature reference list.
Definition: detect-reference.h:30
SignatureInitData_::hook
SignatureHook hook
Definition: detect.h:590
SIGNATURE_HOOK_TYPE_NOT_SET
@ SIGNATURE_HOOK_TYPE_NOT_SET
Definition: detect.h:547
SigFileLoaderStat_::bad_sigs_total
int bad_sigs_total
Definition: detect.h:881
SignatureHook_::t
union SignatureHook_::@95 t
SigGroupHeadInitData_::direction
uint32_t direction
Definition: detect.h:1607
DetectLoadCompleteSigPath
char * DetectLoadCompleteSigPath(const DetectEngineCtx *, const char *sig_file)
Create the path if default-rule-path was specified.
Definition: detect-engine-loader.c:106
MpmStore_::direction
int direction
Definition: detect.h:1512
DetectEngineThreadCtx_::base64_decoded_len
int base64_decoded_len
Definition: detect.h:1327
DetectVarList_::next
struct DetectVarList_ * next
Definition: detect.h:836
DetectEngineThreadCtx_::lua_memory_limit_errors
uint16_t lua_memory_limit_errors
Definition: detect.h:1385
RuleMatchCandidateTx::stream_result
uint8_t stream_result
Definition: detect.h:1204
Signature_::action
uint8_t action
Definition: detect.h:683
DetectEngineLookupFlow_::udp
DetectPort * udp
Definition: detect.h:863
DetectEngineThreadCtx_::raw_stream_progress
uint64_t raw_stream_progress
Definition: detect.h:1265
SignatureHook_::alproto
AppProto alproto
Definition: detect.h:576
SignatureHookType
SignatureHookType
Definition: detect.h:546
PrefilterEngine_::alproto
AppProto alproto
Definition: detect.h:1568
Signature_::flags
uint32_t flags
Definition: detect.h:669
PostRuleMatchWorkQueue
struct PostRuleMatchWorkQueue PostRuleMatchWorkQueue
DetectBufferType_::xform_id
TransformIdData xform_id[DETECT_TRANSFORMS_MAX]
Definition: detect.h:463
IPOnlyCIDRItem_::next
struct IPOnlyCIDRItem_ * next
Definition: detect.h:344
DetectEngineCtx_::max_fb_id
uint32_t max_fb_id
Definition: detect.h:994
DetectEngineIPOnlyCtx_::sig_mapping
uint32_t * sig_mapping
Definition: detect.h:857
Packet_
Definition: decode.h:501
DetectEngineFrameInspectionEngine::alproto
AppProto alproto
Definition: detect.h:509
DetectEngineCtx_::sgh_mpm_context_stream
int32_t sgh_mpm_context_stream
Definition: detect.h:1007
SignatureNonPrefilterStore
struct SignatureNonPrefilterStore_ SignatureNonPrefilterStore
DetectBufferMpmRegistry
struct DetectBufferMpmRegistry_ DetectBufferMpmRegistry
one time registration of keywords at start up
DetectPort_::last
struct DetectPort_ * last
Definition: detect.h:235
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
DetectEngineThreadCtx_::frame_id
int64_t frame_id
Definition: detect.h:1321
InspectionBufferFrameInspectFunc
int(* InspectionBufferFrameInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame)
Definition: detect.h:504
DetectEngineCtx_::frame_mpms_list
DetectBufferMpmRegistry * frame_mpms_list
Definition: detect.h:1092
TransformData
struct TransformData_ TransformData
DetectEngineCtx_::sgh_mpm_ctx_cnf
uint8_t sgh_mpm_ctx_cnf
Definition: detect.h:1033
DetectEngineAppInspectionEngine_::match_on_null
bool match_on_null
Definition: detect.h:423
DetectBufferType_::packet
bool packet
Definition: detect.h:455
SCSigOrderFunc_
Structure holding the signature ordering function used by the signature ordering module.
Definition: detect-engine-sigorder.c:101
PrefilterEngine
struct PrefilterEngine_ PrefilterEngine
MpmStore_::alproto
AppProto alproto
Definition: detect.h:1516
DetectEngineMasterCtx_::multi_tenant_enabled
int multi_tenant_enabled
Definition: detect.h:1707
DetectRegisterThreadCtxFuncs
int DetectRegisterThreadCtxFuncs(DetectEngineCtx *, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int)
Register Thread keyword context Funcs.
Definition: detect-engine.c:3663
DetectEngineThreadCtx_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1286
DetectEngineFrameInspectionEngine
Definition: detect.h:508
DetectFileDataCfg::content_limit
uint32_t content_limit
Definition: detect.h:915
SigFileLoaderStat
struct SigFileLoaderStat_ SigFileLoaderStat
Signature loader statistics.
DetectEngineCtx_::max_uniq_toserver_groups
uint16_t max_uniq_toserver_groups
Definition: detect.h:991
DETECT_BUFFER_MPM_TYPE_PKT
@ DETECT_BUFFER_MPM_TYPE_PKT
Definition: detect.h:754
InspectionMultiBufferGetDataPtr
bool(* InspectionMultiBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const void *txv, const uint8_t flow_flags, uint32_t local_id, const uint8_t **buf, uint32_t *buf_len)
Definition: detect.h:406
DETECT_TABLE_PACKET_TD
@ DETECT_TABLE_PACKET_TD
Definition: detect.h:557
TmEcode
TmEcode
Definition: tm-threads-common.h:80
DetectEnginePktInspectionEngine::Callback
InspectionBufferPktInspectFunc Callback
Definition: detect.h:490
PrefilterEngine_::PrefilterFrame
PrefilterFrameFn PrefilterFrame
Definition: detect.h:1591
PrefilterEngine_::frame_type
uint8_t frame_type
Definition: detect.h:1578
DetectBufferType_::name
char name[64]
Definition: detect.h:450
name
const char * name
Definition: tm-threads.c:2163
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:747
DetectEngineCtx_::profile_keyword_ctx
struct SCProfileKeywordDetectCtx_ * profile_keyword_ctx
Definition: detect.h:1045
ADDRESS_EB
@ ADDRESS_EB
Definition: detect.h:157
DetectEngineAppInspectionEngine_::GetDataSingle
InspectionSingleBufferGetDataPtr GetDataSingle
Definition: detect.h:431
SigGroupHeadInitData_::max_sig_id
uint32_t max_sig_id
Definition: detect.h:1609
DetectEngineCtx_::sgh_array_cnt
uint32_t sgh_array_cnt
Definition: detect.h:1001
SignatureInitData_::rule_state_dependant_sids_array
uint32_t * rule_state_dependant_sids_array
Definition: detect.h:657
DetectEngineThreadCtx_::alert_queue_capacity
uint16_t alert_queue_capacity
Definition: detect.h:1330
SignatureInitData_::negated
bool negated
Definition: detect.h:597
DetectEngineCtx_::sgh_array
struct SigGroupHead_ ** sgh_array
Definition: detect.h:1000
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1421
reputation.h
MpmStore
struct MpmStore_ MpmStore
SignatureInitData_
Definition: detect.h:589
SCFPSupportSMList_::priority
int priority
Definition: detect.h:841
HashListTable_
Definition: util-hashlist.h:37
PrefilterTxFn
void(* PrefilterTxFn)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t tx_id, const AppLayerTxData *tx_data, const uint8_t flags)
Definition: detect.h:1526
SignatureInitData_::rule_state_dependant_sids_size
uint32_t rule_state_dependant_sids_size
Definition: detect.h:658
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:1010
SignatureInitData_::dst_contains_negation
bool dst_contains_negation
Definition: detect.h:602
DetectEnginePktInspectionEngine::sm_list_base
uint16_t sm_list_base
Definition: detect.h:487
DetectEngineTransforms::transforms
TransformData transforms[DETECT_TRANSFORMS_MAX]
Definition: detect.h:392
PORT_ER
@ PORT_ER
Definition: detect.h:205
Signature_::addr_dst_match6_cnt
uint16_t addr_dst_match6_cnt
Definition: detect.h:695
SIG_TYPE_DEONLY
@ SIG_TYPE_DEONLY
Definition: detect.h:71
SIGNATURE_HOOK_PKT_PRE_STREAM
@ SIGNATURE_HOOK_PKT_PRE_STREAM
Definition: detect.h:542
SIG_PROP_FLOW_ACTION_PACKET
@ SIG_PROP_FLOW_ACTION_PACKET
Definition: detect.h:84
DetectEngineThreadCtx
struct DetectEngineThreadCtx_ DetectEngineThreadCtx
SigGroupHead_::frame_engines
PrefilterEngine * frame_engines
Definition: detect.h:1642
SigGroupHeadInitData_::app_mpms
MpmCtx ** app_mpms
Definition: detect.h:1611
DetectEngineCtx_::RateFilterCallback
SCDetectRateFilterFunc RateFilterCallback
Definition: detect.h:1147
SIG_ALPROTO_MAX
#define SIG_ALPROTO_MAX
Definition: detect.h:587
FILE_DECODER_EVENT_Z_UNKNOWN_ERROR
@ FILE_DECODER_EVENT_Z_UNKNOWN_ERROR
Definition: detect.h:1476
DetectEngineFrameInspectionEngine::dir
uint8_t dir
Definition: detect.h:510
DetectEngineTransforms
struct DetectEngineTransforms DetectEngineTransforms
Signature_::sp
DetectPort * sp
Definition: detect.h:719
SIG_TYPE_NOT_SET
@ SIG_TYPE_NOT_SET
Definition: detect.h:65
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition: detect.h:1345
SigString_::filename
char * filename
Definition: detect.h:868
DetectBufferType_::multi_instance
bool multi_instance
Definition: detect.h:458
DETECT_ENGINE_TYPE_TENANT
@ DETECT_ENGINE_TYPE_TENANT
Definition: detect.h:905
RuleMatchCandidateTx::flags
uint32_t * flags
Definition: detect.h:1200
PostRuleMatchWorkQueue
Definition: detect.h:1225
DetectEngineCtx_::dup_sig_hash_table
HashListTable * dup_sig_hash_table
Definition: detect.h:968
DetectEngineCtx_::config_prefix
char config_prefix[64]
Definition: detect.h:1051
PrefilterEngineList_::tx_min_progress
int8_t tx_min_progress
Definition: detect.h:1536
DetectEngineAppInspectionEngine_::alproto
AppProto alproto
Definition: detect.h:417
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
Signature_::class_msg
char * class_msg
Definition: detect.h:739
DetectPatternTracker::sm_list
int sm_list
Definition: detect.h:810
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:439
SigGroupHeadInitData_::pkt_engines
PrefilterEngineList * pkt_engines
Definition: detect.h:1615
DetectBufferMpmRegistry_::GetMultiData
InspectionMultiBufferGetDataPtr GetMultiData
Definition: detect.h:783
DetectBufferType_::id
int id
Definition: detect.h:452
DetectEngineCtx_::spm_matcher
uint8_t spm_matcher
Definition: detect.h:937
SigGroupHead_::post_rule_match_engines
PrefilterEngine * post_rule_match_engines
Definition: detect.h:1643
DetectEnginePktInspectionEngine::GetData
InspectionBufferGetPktDataPtr GetData
Definition: detect.h:489
DETECT_ENGINE_TYPE_NORMAL
@ DETECT_ENGINE_TYPE_NORMAL
Definition: detect.h:902
SignatureInitDataBuffer_::tail
SigMatch * tail
Definition: detect.h:535
FILE_DECODER_EVENT_NO_MEM
@ FILE_DECODER_EVENT_NO_MEM
Definition: detect.h:1470
ADDRESS_LT
@ ADDRESS_LT
Definition: detect.h:153
DetectEngineIPOnlyCtx_::ip_dst
IPOnlyCIDRItem * ip_dst
Definition: detect.h:852
MpmStore_::mpm_ctx
MpmCtx * mpm_ctx
Definition: detect.h:1517
util-file.h
DetectAddressHead_::ipv6_head
DetectAddress * ipv6_head
Definition: detect.h:185
DetectMetadataHashFree
void DetectMetadataHashFree(DetectEngineCtx *de_ctx)
Definition: detect-metadata.c:80
util-prefilter.h
SignatureInitData_::dsize_sm
SigMatch * dsize_sm
Definition: detect.h:615
DetectBufferType_::frame
bool frame
Definition: detect.h:456
File_
Definition: util-file.h:79
DetectEngineIPOnlyCtx
struct DetectEngineIPOnlyCtx_ DetectEngineIPOnlyCtx
IP only rules matching ctx.
MPMB_TCP_PKT_TC
@ MPMB_TCP_PKT_TC
Definition: detect.h:1499
DetectBufferMpmRegistry_::app_v2
struct DetectBufferMpmRegistry_::@98::@100 app_v2
DetectEngineCtx_::sig_stat
SigFileLoaderStat sig_stat
Definition: detect.h:1102
DetectEngineCtx_::address_table
HashListTable * address_table
Definition: detect.h:1072
DetectEngineThreadCtx_::to_clear_queue
uint32_t * to_clear_queue
Definition: detect.h:1305
DetectBufferMpmRegistry_::frame_v1
struct DetectBufferMpmRegistry_::@98::@102 frame_v1
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@90 v2
DetectEngineCtx_::profile_prefilter_ctx
struct SCProfilePrefilterDetectCtx_ * profile_prefilter_ctx
Definition: detect.h:1046
TENANT_SELECTOR_DIRECT
@ TENANT_SELECTOR_DIRECT
Definition: detect.h:1689
DetectEngineCtx_::rule_file
const char * rule_file
Definition: detect.h:1024
InspectionBufferMultipleForList
struct InspectionBufferMultipleForList InspectionBufferMultipleForList
util-mpm.h
InspectEngineFuncPtr
uint8_t(* InspectEngineFuncPtr)(struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Definition: detect.h:411
flags
uint8_t flags
Definition: decode-gre.h:0
Signature_::proto
DetectProto proto
Definition: detect.h:687
SigTableElmt_::alias
const char * alias
Definition: detect.h:1460
DetectBufferMpmRegistry_::type
enum DetectBufferMpmType type
Definition: detect.h:770
SigMatchCtx
struct SigMatchCtx_ SigMatchCtx
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
DetectEngineMasterCtx_::keyword_id
int keyword_id
Definition: detect.h:1731
FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR
@ FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR
Definition: detect.h:1480
DetectEngineCtx_::app_mpms_list
DetectBufferMpmRegistry * app_mpms_list
Definition: detect.h:1084
suricata-common.h
SigMatch_::idx
uint16_t idx
Definition: detect.h:358
SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
@ SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
Definition: detect.h:86
DetectEngineThreadCtx_::prefilter_bytes_called
uint64_t prefilter_bytes_called
Definition: detect.h:1413
SigString_::line
int line
Definition: detect.h:871
SigGroupHeadInitData_::frame_engines
PrefilterEngineList * frame_engines
Definition: detect.h:1618
SigMatch_::type
uint16_t type
Definition: detect.h:357
DETECT_BUFFER_MPM_TYPE_APP
@ DETECT_BUFFER_MPM_TYPE_APP
Definition: detect.h:755
SigGroupHeadInitData_::payload_engines
PrefilterEngineList * payload_engines
Definition: detect.h:1616
DetectEngineThreadCtx_::tenant_id
uint32_t tenant_id
Definition: detect.h:1247
SigGroupHeadInitData_::match_array
Signature ** match_array
Definition: detect.h:1625
SignatureHook_::ph
enum SignatureHookPkt ph
Definition: detect.h:582
DetectEngineCtx_::buffer_type_hash_name
HashListTable * buffer_type_hash_name
Definition: detect.h:1079
DetectEngineCtx_::next
struct DetectEngineCtx_ * next
Definition: detect.h:1058
Signature_::dsize_high
uint16_t dsize_high
Definition: detect.h:676
DETECT_TABLE_NOT_SET
@ DETECT_TABLE_NOT_SET
Definition: detect.h:553
Signature_::file_flags
uint8_t file_flags
Definition: detect.h:684
DetectBufferMpmRegistry_::name
const char * name
Definition: detect.h:763
detect-metadata.h
Signature_::action_scope
uint8_t action_scope
Definition: detect.h:690
DETECT_ENGINE_TYPE_DD_STUB
@ DETECT_ENGINE_TYPE_DD_STUB
Definition: detect.h:903
TENANT_SELECTOR_VLAN
@ TENANT_SELECTOR_VLAN
Definition: detect.h:1690
DetectEngineFrameInspectionEngine::next
struct DetectEngineFrameInspectionEngine * next
Definition: detect.h:521
SignatureInitData_::curbuf
SignatureInitDataBuffer * curbuf
Definition: detect.h:650
DetectEngineThreadCtx_::prefilter_perf_data
struct SCProfilePrefilterData_ * prefilter_perf_data
Definition: detect.h:1409
DetectEnginePrefilterSetting
DetectEnginePrefilterSetting
Definition: detect.h:895
FILE_DECODER_EVENT_LZMA_IO_ERROR
@ FILE_DECODER_EVENT_LZMA_IO_ERROR
Definition: detect.h:1477
SignatureHook_::type
enum SignatureHookType type
Definition: detect.h:572
DetectPort_::prev
struct DetectPort_ * prev
Definition: detect.h:233
util-spm.h
DetectEnginePktInspectionEngine::next
struct DetectEnginePktInspectionEngine * next
Definition: detect.h:494
SignatureType
SignatureType
Definition: detect.h:64
DetectEngineCtx_::rate_filter_callback_arg
void * rate_filter_callback_arg
Definition: detect.h:1150
PORT_GE
@ PORT_GE
Definition: detect.h:211
PrefilterEngineList_::PrefilterPostRule
void(* PrefilterPostRule)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f)
Definition: detect.h:1551
SigGroupHeadInitData_::sig_size
uint32_t sig_size
Definition: detect.h:1604
PrefilterEngineList_
Definition: detect.h:1529
SigFileLoaderStat_::total_files
int total_files
Definition: detect.h:879
util-radix4-tree.h
SIGNATURE_HOOK_PKT_PRE_FLOW
@ SIGNATURE_HOOK_PKT_PRE_FLOW
Definition: detect.h:541
DetectEngineThreadCtx_::frame_inspect_progress
uint64_t frame_inspect_progress
Definition: detect.h:1322
DetectMatchAddressIPv4_::ip2
uint32_t ip2
Definition: detect.h:191
DetectEngineCtx_::profile_match_logging_threshold
uint32_t profile_match_logging_threshold
Definition: detect.h:1049
PostRuleMatchWorkQueue::q
PostRuleMatchWorkQueueItem * q
Definition: detect.h:1226
IPOnlyCIDRItem_::ip
uint32_t ip[4]
Definition: detect.h:340
TransformIdData_::id_data_len
uint32_t id_data_len
Definition: detect.h:446
PrefilterEngine_::gid
uint32_t gid
Definition: detect.h:1597
Signature_::rev
uint32_t rev
Definition: detect.h:715
SignatureInitData_::sm_cnt
uint16_t sm_cnt
Definition: detect.h:593
util-radix6-tree.h
SIGNATURE_HOOK_TYPE_PKT
@ SIGNATURE_HOOK_TYPE_PKT
Definition: detect.h:548
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:941
DETECT_SM_LIST_TMATCH
@ DETECT_SM_LIST_TMATCH
Definition: detect.h:129
DetectEngineCtx_::profile_keyword_ctx_per_list
struct SCProfileKeywordDetectCtx_ ** profile_keyword_ctx_per_list
Definition: detect.h:1047
RuleMatchCandidateTx
struct RuleMatchCandidateTx RuleMatchCandidateTx
PrefilterPktFn
void(* PrefilterPktFn)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
Definition: detect.h:1521
DetectEngineCtx_::loader_id
int loader_id
Definition: detect.h:1061
TransformData_::transform
int transform
Definition: detect.h:387
DetectEngineCtx_::pkt_inspect_engines
DetectEnginePktInspectionEngine * pkt_inspect_engines
Definition: detect.h:1088
SIG_TYPE_MAX
@ SIG_TYPE_MAX
Definition: detect.h:79
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
Signature_::prio
int prio
Definition: detect.h:716
DetectEngineCtx_::ea
struct EngineAnalysisCtx_ * ea
Definition: detect.h:1129
DetectEngineIPOnlyCtx_::sig_mapping_size
uint32_t sig_mapping_size
Definition: detect.h:858
DetectEngineCtx_::sm_types_silent_error
bool * sm_types_silent_error
Definition: detect.h:1112
DetectEngineAppInspectionEngine_::progress
int16_t progress
Definition: detect.h:426
DetectEngineThreadKeywordCtxItem_::FreeFunc
void(* FreeFunc)(void *)
Definition: detect.h:887
DetectMatchAddressIPv6_::ip
uint32_t ip[4]
Definition: detect.h:195
DetectEngineThreadCtx_::inspect
struct DetectEngineThreadCtx_::@109 inspect
SignatureInitDataBuffer_::only_ts
bool only_ts
Definition: detect.h:532
SigGroupHeadInitData
struct SigGroupHeadInitData_ SigGroupHeadInitData
DetectAddress
struct DetectAddress_ DetectAddress
address structure for use in the detection engine.
SpmGlobalThreadCtx_
Definition: util-spm.h:47
FILE_DECODER_EVENT_Z_DATA_ERROR
@ FILE_DECODER_EVENT_Z_DATA_ERROR
Definition: detect.h:1473
DetectEngineCtx_::app_mpms_list_cnt
uint32_t app_mpms_list_cnt
Definition: detect.h:1083
Signature_::addr_src_match6_cnt
uint16_t addr_src_match6_cnt
Definition: detect.h:696
DetectProto_
Definition: detect-engine-proto.h:35
DetectFilestoreData_
Definition: detect-filestore.h:36
SigGroupHeadInitData_
Definition: detect.h:1600
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:647
DetectEngineCtx_::app_inspect_engines
DetectEngineAppInspectionEngine * app_inspect_engines
Definition: detect.h:1087
SignatureInitData_::dst
const DetectAddressHead * dst
Definition: detect.h:639
DetectEngineCtx_::filemagic_thread_ctx_id
int filemagic_thread_ctx_id
Definition: detect.h:982
SigJsonContent
Definition: detect.h:1236
PrefilterEngine_::pectx
void * pectx
Definition: detect.h:1586
SignatureInitData_::firewall_rule
bool firewall_rule
Definition: detect.h:664
DetectEngineThreadCtx_::alert_queue
PacketAlert * alert_queue
Definition: detect.h:1331
SIGNATURE_HOOK_PKT_ALL
@ SIGNATURE_HOOK_PKT_ALL
Definition: detect.h:543
DetectEngineThreadCtx_::pcre_match_start_offset
uint32_t pcre_match_start_offset
Definition: detect.h:1272
DetectEngineThreadCtx_::global_keyword_ctxs_size
int global_keyword_ctxs_size
Definition: detect.h:1369
Signature_::dp
DetectPort * dp
Definition: detect.h:719
DetectEngineThreadCtx_::json_content
SigJsonContent * json_content
Definition: detect.h:1281
DetectEngineCtx_::mpm_hash_table
HashListTable * mpm_hash_table
Definition: detect.h:964
DumpPatterns
void DumpPatterns(DetectEngineCtx *de_ctx)
Definition: detect-engine-analyzer.c:1418
Signature_::metadata
DetectMetadataHead * metadata
Definition: detect.h:743
DetectEngineThreadCtx_::tv
ThreadVars * tv
Definition: detect.h:1252
MPMB_UDP_TC
@ MPMB_UDP_TC
Definition: detect.h:1503
Signature_::iid
SigIntId iid
Definition: detect.h:680
DetectBufferMpmRegistry_::id
int id
Definition: detect.h:769
DetectEngineThreadCtx_::counter_alerts
uint16_t counter_alerts
Definition: detect.h:1289
SCRadix6Tree_
Structure for the radix tree.
Definition: util-radix6-tree.h:64
DetectVarList_::key
uint8_t * key
Definition: detect.h:833
DetectEngineThreadCtx_::keyword_ctxs_array
void ** keyword_ctxs_array
Definition: detect.h:1366
SignatureHook_::app_progress
int app_progress
Definition: detect.h:579
SigGroupHeadInitData_::post_rule_match_engines
PrefilterEngineList * post_rule_match_engines
Definition: detect.h:1619
SigFileLoaderStat_::good_sigs_total
int good_sigs_total
Definition: detect.h:880
MpmConfig_
Definition: util-mpm.h:89
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1443
Signature_::addr_dst_match6
DetectMatchAddressIPv6 * addr_dst_match6
Definition: detect.h:710
DetectEngineMasterCtx_
Definition: detect.h:1703
Signature_::id
uint32_t id
Definition: detect.h:713
SignatureHook
struct SignatureHook_ SignatureHook
DetectBufferMpmRegistry_::PrefilterRegisterWithListId
int(* PrefilterRegisterWithListId)(struct DetectEngineCtx_ *de_ctx, struct SigGroupHead_ *sgh, MpmCtx *mpm_ctx, const struct DetectBufferMpmRegistry_ *mpm_reg, int list_id)
Definition: detect.h:773
DetectEngineThreadKeywordCtxItem_::name
const char * name
Definition: detect.h:891
DetectEngineCtx_::guess_applayer_log_limit
uint8_t guess_applayer_log_limit
Definition: detect.h:976
DetectEngineLookupFlow
struct DetectEngineLookupFlow_ DetectEngineLookupFlow
PrefilterEngine_::pkt
struct PrefilterEngine_::@112::@114 pkt
RuleMatchCandidateTx::stream_reset
uint32_t stream_reset
Definition: detect.h:1206
DisableDetectFlowFileFlags
void DisableDetectFlowFileFlags(Flow *f)
disable file features we don't need Called if we have no detection engine.
Definition: detect.c:2410
DetectBufferType_::transforms
DetectEngineTransforms transforms
Definition: detect.h:462
DetectEngineType
DetectEngineType
Definition: detect.h:901
SignatureInitData_::score
int score
Definition: detect.h:636
SignatureInitDataBuffer_::id
uint32_t id
Definition: detect.h:525
Signature_
Signature container.
Definition: detect.h:668
SigMatch_
a single match condition for a signature
Definition: detect.h:356
DetectEngineCtx_::tenant_path
char * tenant_path
Definition: detect.h:1132
PrefilterEngineList_::pkt_mask
SignatureMask pkt_mask
Definition: detect.h:1540
DetectVarList_::pad
uint8_t pad[2]
Definition: detect.h:829
SCProfilePrefilterData_
Definition: util-profiling-prefilter.c:36
DetectBufferMpmRegistry_::tx_min_progress
int tx_min_progress
Definition: detect.h:786
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:436
DETECT_SM_LIST_MAX
@ DETECT_SM_LIST_MAX
Definition: detect.h:135
SigMatchCtx_::foo
int foo
Definition: detect.h:352
DetectBufferType_::parent_id
int parent_id
Definition: detect.h:453
DETECT_PREFILTER_MPM
@ DETECT_PREFILTER_MPM
Definition: detect.h:896
ADDRESS_EQ
@ ADDRESS_EQ
Definition: detect.h:155
DetectBufferMpmRegistry_::alproto
AppProto alproto
Definition: detect.h:785
DetectAddress_::next
struct DetectAddress_ * next
Definition: detect.h:179
TransformIdData_::id_data
const uint8_t * id_data
Definition: detect.h:445
DetectEngineTenantMapping_::traffic_id
uint32_t traffic_id
Definition: detect.h:1698
SigGroupHeadInitData_::protos
uint8_t protos[256]
Definition: detect.h:1606
DetectMatchAddressIPv6_
Definition: detect.h:194
PostRuleMatchWorkQueueItem::value
uint32_t value
Definition: detect.h:1217
MPMB_TCP_PKT_TS
@ MPMB_TCP_PKT_TS
Definition: detect.h:1498
DetectMatchAddressIPv4_
Definition: detect.h:189
DetectEngineThreadCtx_::tx_id_set
bool tx_id_set
Definition: detect.h:1318
DetectEnginePktInspectionEngine
struct DetectEnginePktInspectionEngine DetectEnginePktInspectionEngine
DetectEngineThreadCtx_::base64_decoded
uint8_t * base64_decoded
Definition: detect.h:1326
Signature_::dsize_mode
uint8_t dsize_mode
Definition: detect.h:677
DetectEngineLookupFlow_
Definition: detect.h:861
ENGINE_PROFILE_MEDIUM
@ ENGINE_PROFILE_MEDIUM
Definition: detect.h:1176
SignatureInitData_::has_possible_prefilter
bool has_possible_prefilter
Definition: detect.h:605
FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR
@ FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR
Definition: detect.h:1482
SIGNATURE_HOOK_PKT_FLOW_START
@ SIGNATURE_HOOK_PKT_FLOW_START
Definition: detect.h:540
DetectEngineTransforms::cnt
int cnt
Definition: detect.h:393
PrefilterEngine_::is_last
bool is_last
Definition: detect.h:1581
PrefilterEngine_::cb
union PrefilterEngine_::@113 cb
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1364
PrefilterEngine_::hook
uint8_t hook
Definition: detect.h:1573
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:950
PacketAlert_
Definition: decode.h:248
DetectEngineAppInspectionEngine_::dir
uint8_t dir
Definition: detect.h:418
PrefilterEngine_::ctx
union PrefilterEngine_::@112 ctx
DETECT_BUFFER_MPM_TYPE_SIZE
@ DETECT_BUFFER_MPM_TYPE_SIZE
Definition: detect.h:758
DETECT_ENGINE_TYPE_MT_STUB
@ DETECT_ENGINE_TYPE_MT_STUB
Definition: detect.h:904
Signature_::detect_table
uint8_t detect_table
Definition: detect.h:702
SignatureInitDataBuffer_::only_tc
bool only_tc
Definition: detect.h:531
SignatureNonPrefilterStore_::mask
SignatureMask mask
Definition: detect.h:1193
DetectEngineCtx_::buffer_type_id
uint32_t buffer_type_id
Definition: detect.h:1081
SCDetectEngineRegisterRateFilterCallback
void SCDetectEngineRegisterRateFilterCallback(SCDetectRateFilterFunc cb, void *arg)
Register a callback when a rate_filter has been applied to an alert.
Definition: detect-engine.c:5056
Signature
struct Signature_ Signature
Signature container.
DetectEngineIPOnlyCtx_
IP only rules matching ctx.
Definition: detect.h:846
SignatureHook_::app
struct SignatureHook_::@95::@96 app
DetectEngineCtx_::sigerror
const char * sigerror
Definition: detect.h:1025
DetectEngineThreadCtx_::json_content_len
uint8_t json_content_len
Definition: detect.h:1283
DetectBufferType_::SetupCallback
void(* SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *)
Definition: detect.h:459
DetectEngineThreadCtx_::mt_det_ctxs_cnt
uint32_t mt_det_ctxs_cnt
Definition: detect.h:1254
DetectMetadataHashInit
int DetectMetadataHashInit(DetectEngineCtx *de_ctx)
Definition: detect-metadata.c:69
DetectEngineMasterCtx_::lock
SCMutex lock
Definition: detect.h:1704
DetectEnginePktInspectionEngine::mpm
bool mpm
Definition: detect.h:485
DetectEngineCtx_::spm_global_thread_ctx
SpmGlobalThreadCtx * spm_global_thread_ctx
Definition: detect.h:986
DetectFlowbitsAnalyze
int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
Definition: detect-flowbits.c:569
id
uint32_t id
Definition: detect-flowbits.c:938
SigGroupHead_::pkt_engines
PrefilterEngine * pkt_engines
Definition: detect.h:1639
SignatureInitData_::rule_state_flowbits_ids_array
uint32_t * rule_state_flowbits_ids_array
Definition: detect.h:660
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
SIG_PROP_FLOW_ACTION_FLOW
@ SIG_PROP_FLOW_ACTION_FLOW
Definition: detect.h:85
DetectEngineThreadCtx_::replist
DetectReplaceList * replist
Definition: detect.h:1352
SignatureInitData_::transforms
DetectEngineTransforms transforms
Definition: detect.h:631
PrefilterEngine_::Prefilter
PrefilterPktFn Prefilter
Definition: detect.h:1589
PORT_EQ
@ PORT_EQ
Definition: detect.h:208
SigString_::sig_str
char * sig_str
Definition: detect.h:869
DetectEngineCtx_::io_ctx
DetectEngineIPOnlyCtx io_ctx
Definition: detect.h:970
PrefilterEngine_::PrefilterTx
PrefilterTxFn PrefilterTx
Definition: detect.h:1590
DetectMatchAddressIPv4
struct DetectMatchAddressIPv4_ DetectMatchAddressIPv4
DetectEngineCtx_::rule_line
int rule_line
Definition: detect.h:1023
MpmCtx_
Definition: util-mpm.h:93
Signature_::addr_dst_match4
DetectMatchAddressIPv4 * addr_dst_match4
Definition: detect.h:707
Signature_::msg
char * msg
Definition: detect.h:736
PORT_EB
@ PORT_EB
Definition: detect.h:210
flow.h
SignatureInitDataBuffer_
Definition: detect.h:524
Signature_::addr_src_match4_cnt
uint16_t addr_src_match4_cnt
Definition: detect.h:694
SigIntId
#define SigIntId
Definition: suricata-common.h:332
SigTableElmt_::Transform
void(* Transform)(DetectEngineThreadCtx *, InspectionBuffer *, void *context)
Definition: detect.h:1434
DetectGetInnerTx
void * DetectGetInnerTx(void *tx_ptr, AppProto alproto, AppProto engine_alproto, uint8_t flow_flags)
Definition: detect.c:1153
DetectEngineAppInspectionEngine
struct DetectEngineAppInspectionEngine_ DetectEngineAppInspectionEngine
TENANT_SELECTOR_LIVEDEV
@ TENANT_SELECTOR_LIVEDEV
Definition: detect.h:1691
Signature_::addr_dst_match4_cnt
uint16_t addr_dst_match4_cnt
Definition: detect.h:693
DetectEngineFrameInspectionEngine::type
uint8_t type
Definition: detect.h:511
DetectSigmatchListEnum
DetectSigmatchListEnum
Definition: detect.h:115
DetectEngineMasterCtx_::version
uint32_t version
Definition: detect.h:1710
DetectEngineCtx_::sig_array_len
uint32_t sig_array_len
Definition: detect.h:951
DetectEngineCtx_::metadata_table
HashTable * metadata_table
Definition: detect.h:1075
Signature_::type
enum SignatureType type
Definition: detect.h:671
FILE_DECODER_EVENT_INVALID_SWF_LENGTH
@ FILE_DECODER_EVENT_INVALID_SWF_LENGTH
Definition: detect.h:1471
DetectEngineCtx_::signum
uint32_t signum
Definition: detect.h:953
DetectEngineCtx_::tenant_id
uint32_t tenant_id
Definition: detect.h:939
ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO
Definition: detect.h:1185
SigGroupHead_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1635
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:648
IPOnlyCIDRItem_::signum
SigIntId signum
Definition: detect.h:341
SigFileLoaderStat_
Signature loader statistics.
Definition: detect.h:876
ADDRESS_ER
@ ADDRESS_ER
Definition: detect.h:152
DetectAddress_::flags
uint8_t flags
Definition: detect.h:174
DetectEngineCtx_::buffer_type_hash_id
HashListTable * buffer_type_hash_id
Definition: detect.h:1080
DetectEngineLookupFlow_::tcp
DetectPort * tcp
Definition: detect.h:862
SigTableElmt_::TransformId
void(* TransformId)(const uint8_t **data, uint32_t *length, void *context)
Definition: detect.h:1438
DETECT_SM_LIST_SUPPRESS
@ DETECT_SM_LIST_SUPPRESS
Definition: detect.h:132
SCMutex
#define SCMutex
Definition: threads-debug.h:114
DetectEngineCtx_::fp_support_smlist_list
SCFPSupportSMList * fp_support_smlist_list
Definition: detect.h:1106
SIG_TYPE_PDONLY
@ SIG_TYPE_PDONLY
Definition: detect.h:70
InspectionBufferMultipleForList::inspection_buffers
InspectionBuffer * inspection_buffers
Definition: detect.h:380
MpmStore_::sgh_mpm_context
int32_t sgh_mpm_context
Definition: detect.h:1515
InspectionBufferMultipleForList::max
uint32_t max
Definition: detect.h:382
DetectAddressHead_::ipv4_head
DetectAddress * ipv4_head
Definition: detect.h:184
SignatureProperties::flow_action
enum SignaturePropertyFlowAction flow_action
Definition: detect.h:90
SigGroupHead_::id
uint32_t id
Definition: detect.h:1637
IPOnlyCIDRItem_::family
uint8_t family
Definition: detect.h:334
DetectEngineThreadCtx_::counter_mpm_list
uint16_t counter_mpm_list
Definition: detect.h:1295
DetectEngineThreadCtx_::prefilter_bytes
uint64_t prefilter_bytes
Definition: detect.h:1411
DetectEngineFrameInspectionEngine
struct DetectEngineFrameInspectionEngine DetectEngineFrameInspectionEngine
SigJsonContent::json_content
char json_content[SIG_JSON_CONTENT_ITEM_LEN]
Definition: detect.h:1238
SigJsonContent::id
void * id
Definition: detect.h:1237
SigMatchData
struct SigMatchData_ SigMatchData
Data needed for Match()
DetectEngineThreadCtx_::filestore
struct DetectEngineThreadCtx_::@111 filestore[DETECT_FILESTORE_MAX]
PORT_LE
@ PORT_LE
Definition: detect.h:207
MpmStore_::buffer
enum MpmBuiltinBuffers buffer
Definition: detect.h:1513
DetectEngineThreadCtx_::post_rule_work_queue
PostRuleMatchWorkQueue post_rule_work_queue
Definition: detect.h:1347
DetectEngineThreadCtx_::tenant_array_size
uint32_t tenant_array_size
Definition: detect.h:1259
DetectEngineThreadCtx_::tenant_array
struct DetectEngineTenantMapping_ * tenant_array
Definition: detect.h:1258
DetectEngineCtx_::sc_sig_order_funcs
struct SCSigOrderFunc_ * sc_sig_order_funcs
Definition: detect.h:956
MpmCtxFactoryContainer_
Definition: util-mpm.h:130
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1448
DetectEngineThreadCtx_::file_id
uint32_t file_id
Definition: detect.h:1360
DetectPacketHookFunc
uint8_t(* DetectPacketHookFunc)(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p)
Definition: detect.h:919
SignatureMask
#define SignatureMask
Definition: decode.h:99
DetectEngineThreadCtx_::mt_det_ctxs
struct DetectEngineThreadCtx_ ** mt_det_ctxs
Definition: detect.h:1255
Signature_::mask
SignatureMask mask
Definition: detect.h:679
SignatureInitData_::alprotos
AppProto alprotos[SIG_ALPROTO_MAX]
Definition: detect.h:612
RuleMatchCandidateTx
Definition: detect.h:1198
SIG_TYPE_LIKE_IPONLY
@ SIG_TYPE_LIKE_IPONLY
Definition: detect.h:67
DetectEngineThreadCtx_::TenantGetId
uint32_t(* TenantGetId)(const void *, const Packet *p)
Definition: detect.h:1261
DetectBufferType_::description
char description[128]
Definition: detect.h:451
SigJsonContent
struct SigJsonContent SigJsonContent
DetectEngineIPOnlyCtx_::max_idx
uint32_t max_idx
Definition: detect.h:853
SigGroupHeadInitData_::frame_mpms
MpmCtx ** frame_mpms
Definition: detect.h:1613
DetectBufferMpmRegistry_::pname
char pname[32]
Definition: detect.h:764
SpmThreadCtx_
Definition: util-spm.h:54
DetectEngineFrameInspectionEngine::smd
SigMatchData * smd
Definition: detect.h:520
DetectEngineThreadCtx_::match_array
Signature ** match_array
Definition: detect.h:1335