/* Detection-engine sizing constants and defaults. */
/* NOTE(review): presumably the upper bound, in bytes, on one rule string.
 * Confirm at the parser that an over-long rule is rejected rather than
 * silently truncated. */
44 #define DETECT_MAX_RULE_SIZE 8192
/* NOTE(review): presumably caps how many transforms one
 * DetectEngineTransforms can hold; verify the bound is checked wherever a
 * transform is appended. */
46 #define DETECT_TRANSFORMS_MAX 16
/* NOTE(review): looks like the priority given to a rule that sets none
 * explicitly - confirm. */
50 #define DETECT_DEFAULT_PRIO 3
/* Sentinel list id equal to INT_MAX. Arrays such as smlists[] are sized
 * DETECT_SM_LIST_MAX, so this value is never a usable index.
 * NOTE(review): presumably means "no list selected"; code that indexes by
 * list id should test for it first - confirm at the call sites. */
135 #define DETECT_SM_LIST_NOTSET INT_MAX
/* Address and port flag bits. ADDRESS_FLAG_NOT and PORT_FLAG_ANY both have
 * the value 0x01, so each name is only meaningful when tested against a
 * flags field of its own kind (address vs. port). */
153 #define ADDRESS_FLAG_NOT 0x01
/* PORT_FLAG_* values are distinct single bits (0x01, 0x02, 0x04). */
206 #define PORT_FLAG_ANY 0x01
207 #define PORT_FLAG_NOT 0x02
208 #define PORT_SIGGROUPHEAD_COPY 0x04
/* Signature flag bits, each a single bit built with BIT_U32.
 * Bits 7, 8, 13-16 and 24 have no definition among the lines shown here.
 * NOTE(review): the SIG_FLAG_INIT_* macros defined further down reuse some
 * of these bit positions (BIT_U32(1) to BIT_U32(3) for example), so the two
 * families must be tested against different flag words - confirm which
 * field holds each. */
231 #define SIG_FLAG_SRC_ANY BIT_U32(0)
232 #define SIG_FLAG_DST_ANY BIT_U32(1)
233 #define SIG_FLAG_SP_ANY BIT_U32(2)
234 #define SIG_FLAG_DP_ANY BIT_U32(3)
236 #define SIG_FLAG_NOALERT BIT_U32(4)
237 #define SIG_FLAG_DSIZE BIT_U32(5)
238 #define SIG_FLAG_APPLAYER BIT_U32(6)
242 #define SIG_FLAG_REQUIRE_PACKET BIT_U32(9)
243 #define SIG_FLAG_REQUIRE_STREAM BIT_U32(10)
245 #define SIG_FLAG_MPM_NEG BIT_U32(11)
247 #define SIG_FLAG_FLUSH BIT_U32(12)
251 #define SIG_FLAG_REQUIRE_FLOWVAR BIT_U32(17)
253 #define SIG_FLAG_FILESTORE BIT_U32(18)
255 #define SIG_FLAG_TOSERVER BIT_U32(19)
256 #define SIG_FLAG_TOCLIENT BIT_U32(20)
258 #define SIG_FLAG_TLSSTORE BIT_U32(21)
260 #define SIG_FLAG_BYPASS BIT_U32(22)
262 #define SIG_FLAG_PREFILTER BIT_U32(23)
267 #define SIG_FLAG_SRC_IS_TARGET BIT_U32(25)
269 #define SIG_FLAG_DEST_IS_TARGET BIT_U32(26)
/* Two-bit mask covering both target flags: `flags & SIG_FLAG_HAS_TARGET` is
 * non-zero when either one is set, so do not compare it for equality unless
 * both bits are really expected. */
271 #define SIG_FLAG_HAS_TARGET (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET)
/* Init-time signature flag bits, each built with BIT_U32.
 * BIT_U32(1), BIT_U32(2) and BIT_U32(3) are also used by SIG_FLAG_DST_ANY,
 * SIG_FLAG_SP_ANY and SIG_FLAG_DP_ANY, so these values must not be tested
 * against the same flag word as the SIG_FLAG_* family.
 * NOTE(review): presumably kept in a separate init-only flags field -
 * confirm.
 * The values of SIG_FLAG_INIT_FIRST_IPPROTO_SEEN and
 * SIG_FLAG_INIT_PRIO_EXPLICIT sit on continuation lines that are not shown
 * here; bit 0 also has no definition among the visible lines. */
275 #define SIG_FLAG_INIT_PACKET BIT_U32(1)
276 #define SIG_FLAG_INIT_FLOW BIT_U32(2)
277 #define SIG_FLAG_INIT_BIDIREC BIT_U32(3)
278 #define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN \
280 #define SIG_FLAG_INIT_STATE_MATCH BIT_U32(6)
281 #define SIG_FLAG_INIT_NEED_FLUSH BIT_U32(7)
282 #define SIG_FLAG_INIT_PRIO_EXPLICIT \
284 #define SIG_FLAG_INIT_FILEDATA BIT_U32(9)
285 #define SIG_FLAG_INIT_JA3 BIT_U32(10)
/* Requirement mask bits, each built with BIT_U8 so that they fit the 8-bit
 * SignatureMask type defined at the end of this group. Bit 6 has no
 * definition among the lines shown here.
 * NOTE(review): presumably a signature's mask is compared with a mask
 * computed for the packet as a cheap pre-check - confirm. */
289 #define SIG_MASK_REQUIRE_PAYLOAD BIT_U8(0)
290 #define SIG_MASK_REQUIRE_FLOW BIT_U8(1)
291 #define SIG_MASK_REQUIRE_FLAGS_INITDEINIT BIT_U8(2)
292 #define SIG_MASK_REQUIRE_FLAGS_UNUSUAL BIT_U8(3)
293 #define SIG_MASK_REQUIRE_NO_PAYLOAD BIT_U8(4)
294 #define SIG_MASK_REQUIRE_DCERPC BIT_U8(5)
296 #define SIG_MASK_REQUIRE_ENGINE_EVENT BIT_U8(7)
/* SignatureMask is a preprocessor alias for uint8_t, not a typedef. Only
 * eight bits exist, so a further SIG_MASK_* bit would need a wider type. */
299 #define SignatureMask uint8_t
/* Flag bits with values 0x0001 and 0x0004; 0x0002 has no definition among
 * the lines shown here.
 * NOTE(review): presumably per-thread DetectEngineThreadCtx flags - confirm
 * which field stores them. */
301 #define DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET 0x0001
302 #define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH 0x0004
/* File-inspection requirement bits. The eight values 0x01 through 0x80 use
 * every bit of one byte.
 * NOTE(review): if the field that stores these is 8 bits wide there is no
 * room for another flag, and a new one would be silently truncated on
 * assignment - confirm the field width before adding one. */
304 #define FILE_SIG_NEED_FILE 0x01
305 #define FILE_SIG_NEED_FILENAME 0x02
306 #define FILE_SIG_NEED_MAGIC 0x04
307 #define FILE_SIG_NEED_FILECONTENT 0x08
308 #define FILE_SIG_NEED_MD5 0x10
309 #define FILE_SIG_NEED_SHA1 0x20
310 #define FILE_SIG_NEED_SHA256 0x40
311 #define FILE_SIG_NEED_SIZE 0x80
/* Single flag bit with value 0x01.
 * NOTE(review): presumably a detection-engine context flag that reduces
 * output while rules load - confirm. */
314 #define DE_QUIET 0x01
370 #ifdef DEBUG_VALIDATION
408 Flow *f,
const uint8_t flow_flags,
409 void *txv,
const int list_id);
415 uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id);
463 Packet *p, uint8_t *alert_flags);
625 uint16_t profiling_id;
/* Type tags with values 1 and 2 (plain integers, not bit flags); 0 has no
 * name among the lines shown here.
 * NOTE(review): presumably tags entries of DetectVarList - confirm. */
724 #define DETECT_VAR_TYPE_FLOW_POSTMATCH 1
725 #define DETECT_VAR_TYPE_PKT_POSTMATCH 2
797 void *(*InitFunc)(
void *);
/* Number of entries in the flow_gh[] array, declared as
 * DetectEngineLookupFlow flow_gh[FLOW_STATES]; any index into that array
 * must stay below this value.
 * NOTE(review): presumably one entry per flow direction - confirm. */
823 #define FLOW_STATES 2
938 struct SCProfileDetectCtx_ *profile_ctx;
/* First id value after ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO (AUTO + 1).
 * NOTE(review): presumably where dynamically assigned MPM context ids
 * begin - confirm. */
1045 #define ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE (ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO + 1)
/* Element count of the per-thread filestore[] array in
 * DetectEngineThreadCtx_. Code that appends to that array has to check its
 * count against this bound before writing. */
1048 #define DETECT_FILESTORE_MAX 15
1219 uint64_t pkt_stream_add_cnt;
1220 uint64_t payload_mpm_cnt;
1221 uint64_t payload_mpm_size;
1222 uint64_t stream_mpm_cnt;
1223 uint64_t stream_mpm_size;
1224 uint64_t payload_persig_cnt;
1225 uint64_t payload_persig_size;
1226 uint64_t stream_persig_cnt;
1227 uint64_t stream_persig_size;
1229 #ifdef PROFILE_RULES
1230 struct SCProfileData_ *rule_perf_data;
1231 int rule_perf_data_size;
1232 uint32_t rule_perf_last_sync;
1256 uint8_t
flags,
void *alstate,
void *txv,
/* Signature-group-head flag bits built with BIT_U32: bit 0 and bits 20-24.
 * Bits 1-19 have no definition among the lines shown here.
 * NOTE(review): the HAVEFILE* names suggest they record which file
 * keywords (magic, md5, size, sha1, sha256) the group's rules use -
 * confirm. */
1310 #define SIG_GROUP_HEAD_HAVERAWSTREAM BIT_U32(0)
1312 #define SIG_GROUP_HEAD_HAVEFILEMAGIC BIT_U32(20)
1314 #define SIG_GROUP_HEAD_HAVEFILEMD5 BIT_U32(21)
1315 #define SIG_GROUP_HEAD_HAVEFILESIZE BIT_U32(22)
1316 #define SIG_GROUP_HEAD_HAVEFILESHA1 BIT_U32(23)
1317 #define SIG_GROUP_HEAD_HAVEFILESHA256 BIT_U32(24)
1344 const struct Frames *frames,
const struct Frame *frame);
/* Keyword-table flag bits built with BIT_U16, using bits 0 through 11
 * without gaps; four bits of a 16-bit field remain free.
 * NOTE(review): presumably stored in a flags member of SigTableElmt -
 * confirm. */
1466 #define SIGMATCH_NOOPT BIT_U16(0)
1468 #define SIGMATCH_IPONLY_COMPAT BIT_U16(1)
1470 #define SIGMATCH_DEONLY_COMPAT BIT_U16(2)
1472 #define SIGMATCH_NOT_BUILT BIT_U16(3)
1475 #define SIGMATCH_OPTIONAL_OPT BIT_U16(4)
/* QUOTES_OPTIONAL and QUOTES_MANDATORY are independent bits, so nothing in
 * these definitions prevents a keyword from setting both.
 * NOTE(review): verify that keyword registration or the rule parser treats
 * that combination as an error. */
1478 #define SIGMATCH_QUOTES_OPTIONAL BIT_U16(5)
1482 #define SIGMATCH_QUOTES_MANDATORY BIT_U16(6)
1486 #define SIGMATCH_HANDLE_NEGATION BIT_U16(7)
1488 #define SIGMATCH_INFO_CONTENT_MODIFIER BIT_U16(8)
1490 #define SIGMATCH_INFO_STICKY_BUFFER BIT_U16(9)
1492 #define SIGMATCH_INFO_DEPRECATED BIT_U16(10)
1494 #define SIGMATCH_STRICT_PARSING BIT_U16(11)
1577 uint8_t alert_flags);
struct DetectEngineThreadCtx_::@98 filestore[DETECT_FILESTORE_MAX]
HashListTable * sgh_hash_table
uint32_t pkt_mpms_list_cnt
uint32_t frame_mpms_list_cnt
struct SCFPSupportSMList_ SCFPSupportSMList
uint32_t non_pf_syn_store_cnt
SignatureNonPrefilterStore * non_pf_store_ptr
IPOnlyCIDRItem * cidr_src
uint32_t max_content_list_id
const SigGroupHead * SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx, const Packet *p)
Get the SigGroupHead for a packet.
struct SCProfileKeywordData_ ** keyword_perf_data_per_list
PrefilterEngine * tx_engines
void AlertQueueInit(DetectEngineThreadCtx *det_ctx)
SigMatch * SigMatchAlloc(void)
uint16_t alert_queue_size
struct SignatureInitDataBuffer_ SignatureInitDataBuffer
void SigMatchFree(DetectEngineCtx *, SigMatch *sm)
free a SigMatch
HashTable * class_conf_ht
void(* Prefilter)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
struct SCProfileKeywordData_ * keyword_perf_data
DetectMatchAddressIPv6 * addr_src_match6
SC_ATOMIC_DECLARE(int, so_far_used_by_detect)
struct DetectEngineThreadKeywordCtxItem_ DetectEngineThreadKeywordCtxItem
int32_t sgh_mpm_context_proto_tcp_packet
void(* Free)(DetectEngineCtx *, void *)
struct IPOnlyCIDRItem_ IPOnlyCIDRItem
struct SigGroupHead_ * decoder_event_sgh
DetectEngineLookupFlow flow_gh[FLOW_STATES]
struct SCFPSupportSMList_ * next
uint16_t counter_match_list
struct SigString_ SigString
DetectEngineTenantMapping * tenant_mapping_list
const struct DetectFilestoreData_ * filestore_ctx
struct DetectEngineAppInspectionEngine_ * next
int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
Test if an initialized signature is IP only.
union PrefilterEngine_::@99 ctx
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
struct DetectEngineCtx_ DetectEngineCtx
main detection engine ctx
enum DetectEngineType type
Container for matching data for a signature group.
HashListTable * pattern_hash_table
struct SCProfileSghData_ * sgh_perf_data
SCMutex threshold_table_lock
address structure for use in the detection engine.
uint16_t max_uniq_toclient_groups
InspectionBufferMultipleForList * buffers
structure for storing potential rule matches
bool src_contains_negation
uint32_t non_pf_store_cnt_max
struct HtpBodyChunk_ * next
struct DetectPort_ * port
struct DetectEnginePktInspectionEngine::@84 v1
@ DETECT_SM_LIST_DYNAMIC_START
AppLayerDecoderEvents * decoder_events
int SigLoadSignatures(DetectEngineCtx *, char *, int)
Load signatures.
@ DETECT_EVENT_TOO_MANY_BUFFERS
InspectionBufferGetDataPtr GetData
DetectBufferMpmRegistry * pkt_mpms_list
@ DETECT_BUFFER_MPM_TYPE_FRAME
int(* FileMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, File *, const Signature *, const SigMatchCtx *)
@ DETECT_SM_LIST_THRESHOLD
InspectionBuffer *(* InspectionBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)
MpmStore mpm_store[MPMB_MAX]
Structure for the radix tree.
Signature * SigFindSignatureBySidGid(DetectEngineCtx *, uint32_t, uint32_t)
Find a specific signature by sid and gid.
SCRadixTree * tree_ipv6dst
int inspection_recursion_limit
const DetectEngineTransforms * transforms
main detection engine ctx
struct DetectPatternTracker DetectPatternTracker
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
void ** global_keyword_ctxs_array
pcre2_match_data * reference_conf_regex_match
void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx)
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
InspectionBuffer *(* InspectionBufferGetPktDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)
TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
Detection engine thread wrapper.
SCRadixTree * tree_ipv4src
struct DetectBufferMpmRegistry_ * next
struct DetectEngineTenantMapping_ * next
struct SCProfileSghDetectCtx_ * profile_sgh_ctx
one time registration of keywords at start up
struct DetectPort_ * next
const struct DetectContentData_ * cd
SpmThreadCtx * spm_thread_ctx
struct DetectAddressHead_ DetectAddressHead
HashListTable * dport_hash_table
void(* Prefilter)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
PrefilterEngine * payload_engines
MpmCtxFactoryContainer * mpm_ctx_factory_container
enum DetectEnginePrefilterSetting prefilter_setting
pcre2_code * reference_conf_regex
struct SigGroupHead_ * sh
void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e)
TAILQ_HEAD(, SigString_) failed_sigs
pcre2_code * class_conf_regex
void(* Free)(void *pectx)
void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size)
element in sigmatch type table.
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
int32_t sgh_mpm_context_proto_udp_packet
struct DetectPort_ DetectPort
Port structure for detection engine.
HashTable * reference_conf_ht
DetectEngineTransforms transforms
uint32_t content_inspect_window
uint16_t counter_fnonmpm_list
#define DETECT_TRANSFORMS_MAX
uint16_t counter_nonmpm_list
Data structure to store app layer decoder events.
struct SigGroupHead_ SigGroupHead
Container for matching data for a signature group.
struct DetectMatchAddressIPv6_ DetectMatchAddressIPv6
int DetectUnregisterThreadCtxFuncs(DetectEngineCtx *, void *data, const char *name)
Remove Thread keyword context registration.
@ FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR
DetectEngineFrameInspectionEngine * frame_inspect
const DetectEngineTransforms * transforms
void SigRegisterTests(void)
void * DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *, int)
Retrieve thread local keyword ctx by id.
InspectionBufferFrameInspectFunc Callback
DetectPort * udp_whitelist
HashTable * mt_det_ctxs_hash
struct DetectAddress_ * prev
bool is_last_for_progress
struct PrefilterEngineList_ * next
uint16_t counter_alerts_suppressed
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
int32_t sgh_mpm_context_proto_other_packet
struct DetectVarList_ DetectVarList
@ TENANT_SELECTOR_UNKNOWN
@ DETECT_SM_LIST_POSTMATCH
struct DetectEngineTenantMapping_ DetectEngineTenantMapping
HashListTable * prefilter_hash_table
struct DetectReplaceList_ DetectReplaceList
bool sm_types_silent_error[DETECT_TBLSIZE]
SignaturePropertyFlowAction
TAILQ_ENTRY(SigString_) next
DetectEngineTenantSelectors
InspectionBufferGetDataPtr GetData
int(* InspectionBufferPktInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags)
struct DetectBufferType_ DetectBufferType
pcre2_match_data * class_conf_regex_match
RuleMatchCandidateTx * tx_candidates
struct InspectionBuffer InspectionBuffer
struct DetectEngineMasterCtx_ DetectEngineMasterCtx
DetectMatchAddressIPv4 * addr_src_match4
bool(* TransformValidate)(const uint8_t *content, uint16_t content_len, void *context)
uint16_t counter_alerts_overflow
#define DETECT_FILESTORE_MAX
struct SignatureInitData_ SignatureInitData
InspectionBufferGetPktDataPtr GetData
PrefilterEngineList * tx_engines
SRepCIDRTree * srepCIDR_ctx
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL
const DetectAddressHead * src
uint32_t tx_candidates_size
const struct SignatureProperties signature_properties[SIG_TYPE_MAX]
@ DETECT_SM_LIST_BASE64_DATA
InspectionBuffer * buffers
DetectEngineThreadKeywordCtxItem * keyword_list
PrefilterFrameFn PrefilterFrame
enum DetectEngineTenantSelectors tenant_selector
@ FILE_DECODER_EVENT_INVALID_SWF_LENGTH
HashListTable * keyword_hash
struct timeval last_reload
DetectEnginePktInspectionEngine * pkt_inspect
struct DetectReplaceList_ * next
struct SigGroupHead_ * sgh[256]
DetectReference * references
PrefilterTxFn PrefilterTx
Per thread variable structure.
struct DetectBufferMpmRegistry_::@86::@89 pkt_v1
Signature wrapper used by signature ordering module while ordering signatures.
struct SigTableElmt_ SigTableElmt
element in sigmatch type table.
struct SigMatch_ SigMatch
a single match condition for a signature
DetectEngineFrameInspectionEngine * frame_inspect_engines
struct PrefilterEngineList_ PrefilterEngineList
DetectEngineCtx * free_list
struct DetectEngineThreadKeywordCtxItem_ * next
void(* PrefilterFrameFn)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, const struct Frames *frames, const struct Frame *frame)
Port structure for detection engine.
SigGroupHeadInitData * init
DetectEngineAppInspectionEngine * app_inspect
Signature reference list.
bool(* ValidateCallback)(const struct Signature_ *, const char **sigerror)
void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t alert_flags)
Append signature to local packet alert queue for later preprocessing.
char * DetectLoadCompleteSigPath(const DetectEngineCtx *, const char *sig_file)
Create the path if default-rule-path was specified.
struct DetectVarList_ * next
uint64_t raw_stream_progress
DetectThresholdEntry ** th_entry
struct IPOnlyCIDRItem_ * next
int32_t sgh_mpm_context_stream
struct SignatureNonPrefilterStore_ SignatureNonPrefilterStore
struct DetectBufferMpmRegistry_ DetectBufferMpmRegistry
one time registration of keywords at start up
int(* InspectionBufferFrameInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame)
DetectBufferMpmRegistry * frame_mpms_list
InspectEngineFuncPtr2 Callback
struct TransformData_ TransformData
Structure holding the signature ordering function used by the signature ordering module.
struct PrefilterEngine_ PrefilterEngine
struct DetectEngineCtx_::@91 filedata_config[ALPROTO_MAX]
int DetectRegisterThreadCtxFuncs(DetectEngineCtx *, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int)
Register Thread keyword context Funcs.
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE
struct SigFileLoaderStat_ SigFileLoaderStat
Signature loader statistics.
uint16_t max_uniq_toserver_groups
@ DETECT_BUFFER_MPM_TYPE_PKT
InspectionBufferPktInspectFunc Callback
PrefilterFrameFn PrefilterFrame
SignatureInitData * init_data
struct SCProfileKeywordDetectCtx_ * profile_keyword_ctx
uint16_t alert_queue_capacity
struct SigGroupHead_ ** sgh_array
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
struct MpmStore_ MpmStore
void(* PrefilterTxFn)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t tx_id, const AppLayerTxData *tx_data, const uint8_t flags)
int32_t byte_extract_max_local_id
bool dst_contains_negation
uint16_t addr_dst_match6_cnt
@ SIG_PROP_FLOW_ACTION_PACKET
struct DetectEngineThreadCtx_ DetectEngineThreadCtx
PrefilterEngine * frame_engines
@ FILE_DECODER_EVENT_Z_BUF_ERROR
struct DetectEngineTransforms DetectEngineTransforms
@ DETECT_ENGINE_TYPE_TENANT
HashListTable * dup_sig_hash_table
uint8_t(* InspectEngineFuncPtr2)(struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
uint16_t discontinue_matching
PrefilterEngineList * pkt_engines
struct DetectEngineFrameInspectionEngine::@85 v1
InspectionBufferGetPktDataPtr GetData
@ FILE_DECODER_EVENT_Z_DATA_ERROR
@ DETECT_ENGINE_TYPE_NORMAL
DetectAddress * ipv6_head
void DetectMetadataHashFree(DetectEngineCtx *de_ctx)
struct AppLayerTxData AppLayerTxData
struct DetectEngineIPOnlyCtx_ DetectEngineIPOnlyCtx
IP only rules matching ctx.
SigFileLoaderStat sig_stat
HashListTable * address_table
uint32_t * to_clear_queue
struct SCProfilePrefilterDetectCtx_ * profile_prefilter_ctx
struct InspectionBufferMultipleForList InspectionBufferMultipleForList
enum DetectBufferMpmType type
struct SigMatchCtx_ SigMatchCtx
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
SignatureNonPrefilterStore * non_pf_other_store_array
DetectBufferMpmRegistry * app_mpms_list
@ SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
uint64_t prefilter_bytes_called
PrefilterEngineList * frame_engines
@ DETECT_BUFFER_MPM_TYPE_APP
PrefilterEngineList * payload_engines
struct DetectEngineThreadCtx_::@96 inspect
struct DetectBufferMpmRegistry_::@86::@88 app_v2
HashListTable * buffer_type_hash_name
struct DetectEngineCtx_ * next
uint32_t non_pf_other_store_cnt
@ DETECT_ENGINE_TYPE_DD_STUB
struct DetectEngineFrameInspectionEngine * next
void(* Transform)(InspectionBuffer *, void *context)
int inspection_recursion_counter
SignatureInitDataBuffer * curbuf
struct SCProfilePrefilterData_ * prefilter_perf_data
DetectEnginePrefilterSetting
struct DetectPort_ * prev
struct DetectEnginePktInspectionEngine * next
SCRadixTree * tree_ipv4dst
uint64_t frame_inspect_progress
uint32_t profile_match_logging_threshold
struct SCProfileKeywordDetectCtx_ ** profile_keyword_ctx_per_list
struct RuleMatchCandidateTx RuleMatchCandidateTx
DetectPort * tcp_whitelist
DetectEnginePktInspectionEngine * pkt_inspect_engines
struct EngineAnalysisCtx_ * ea
uint32_t sig_mapping_size
SigIntId * non_pf_id_array
@ FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR
struct SigGroupHeadInitData_ SigGroupHeadInitData
struct DetectAddress_ DetectAddress
address structure for use in the detection engine.
uint32_t app_mpms_list_cnt
uint16_t addr_src_match6_cnt
SignatureInitDataBuffer * buffers
DetectEngineAppInspectionEngine * app_inspect_engines
const DetectAddressHead * dst
int filemagic_thread_ctx_id
struct DetectEngineAppInspectionEngine_::@83 v2
PacketAlert * alert_queue
uint32_t pcre_match_start_offset
int global_keyword_ctxs_size
bool sm_types_prefilter[DETECT_TBLSIZE]
HashListTable * mpm_hash_table
void DumpPatterns(DetectEngineCtx *de_ctx)
DetectMetadataHead * metadata
@ FILE_DECODER_EVENT_Z_STREAM_ERROR
uint32_t non_pf_store_cnt
void ** keyword_ctxs_array
IPOnlyCIDRItem * cidr_dst
@ FILE_DECODER_EVENT_NO_MEM
bool(* SupportsPrefilter)(const Signature *s)
AppLayerDecoderEvents * DetectEngineGetEvents(DetectEngineThreadCtx *det_ctx)
DetectMatchAddressIPv6 * addr_dst_match6
@ FILE_DECODER_EVENT_LZMA_IO_ERROR
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO
int(* PrefilterRegisterWithListId)(struct DetectEngineCtx_ *de_ctx, struct SigGroupHead_ *sgh, MpmCtx *mpm_ctx, const struct DetectBufferMpmRegistry_ *mpm_reg, int list_id)
int base64_decoded_len_max
struct DetectEngineLookupFlow_ DetectEngineLookupFlow
void DisableDetectFlowFileFlags(Flow *f)
Disable file features we don't need. Called if we have no detection engine.
DetectEngineTransforms transforms
a single match condition for a signature
const DetectEngineTransforms * transforms
struct DetectEngineThreadCtx_::@97 multi_inspect
struct DetectAddress_ * next
void AlertQueueFree(DetectEngineThreadCtx *det_ctx)
struct DetectEnginePktInspectionEngine DetectEnginePktInspectionEngine
bool filedata_config_initialized
@ FILE_DECODER_EVENT_LZMA_XZ_ERROR
uint32_t content_inspect_min_size
SignatureNonPrefilterStore * non_pf_syn_store_array
@ DETECT_BUFFER_MPM_TYPE_SIZE
@ DETECT_ENGINE_TYPE_MT_STUB
struct Signature_ Signature
Signature container.
IP only rules matching ctx.
@ FILE_DECODER_EVENT_Z_UNKNOWN_ERROR
void(* SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *)
int DetectMetadataHashInit(DetectEngineCtx *de_ctx)
SpmGlobalThreadCtx * spm_global_thread_ctx
int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
PrefilterEngine * pkt_engines
@ SIG_PROP_FLOW_ACTION_FLOW
DetectReplaceList * replist
DetectEngineTransforms transforms
@ FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR
DetectEngineIPOnlyCtx io_ctx
PrefilterTxFn PrefilterTx
struct DetectMatchAddressIPv4_ DetectMatchAddressIPv4
DetectMatchAddressIPv4 * addr_dst_match4
@ FILE_DECODER_EVENT_INVALID_SWF_VERSION
struct DetectContentData_ * cd
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
union PrefilterEngine_::@100 cb
uint16_t addr_src_match4_cnt
@ FILE_DECODER_EVENT_LZMA_DECODER_ERROR
struct DetectEngineAppInspectionEngine_ DetectEngineAppInspectionEngine
@ TENANT_SELECTOR_LIVEDEV
uint16_t addr_dst_match4_cnt
HashTable * metadata_table
SCRadixTree * tree_ipv6src
Signature loader statistics.
HashListTable * buffer_type_hash_id
uint32_t base64_decode_max_len
struct ThresholdCtx_ ThresholdCtx
threshold ctx
@ DETECT_SM_LIST_SUPPRESS
SCFPSupportSMList * fp_support_smlist_list
InspectionBuffer * inspection_buffers
DetectAddress * ipv4_head
enum SignaturePropertyFlowAction flow_action
uint16_t counter_mpm_list
struct DetectEngineFrameInspectionEngine DetectEngineFrameInspectionEngine
struct SigMatchData_ SigMatchData
Data needed for Match()
enum MpmBuiltinBuffers buffer
uint32_t tenant_array_size
struct DetectEngineTenantMapping_ * tenant_array
struct SCSigOrderFunc_ * sc_sig_order_funcs
void(* RegisterTests)(void)
struct DetectBufferMpmRegistry_::@86::@90 frame_v1
struct DetectEngineThreadCtx_ ** mt_det_ctxs
uint32_t(* TenantGetId)(const void *, const Packet *p)