1 /* Copyright (C) 2007-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #ifndef __DETECT_H__
25 #define __DETECT_H__
26 
27 #include "suricata-common.h"
28 
29 #include "flow.h"
30 
31 #include "detect-engine-proto.h"
32 #include "detect-reference.h"
33 #include "detect-metadata.h"
34 #include "detect-engine-register.h"
35 #include "packet-queue.h"
36 
37 #include "util-prefilter.h"
38 #include "util-mpm.h"
39 #include "util-spm.h"
40 #include "util-hash.h"
41 #include "util-hashlist.h"
42 #include "util-debug.h"
43 #include "util-error.h"
44 #include "util-radix-tree.h"
45 #include "util-file.h"
46 #include "reputation.h"
47 
48 #include "detect-mark.h"
49 
50 #include "stream.h"
51 
52 #include "util-var-name.h"
53 
54 #include "app-layer-events.h"
55 
/** Upper bound, in bytes, on the text of a single rule. NOTE(review): the
 *  loader is not visible here; whatever reads rule files must size its
 *  line buffer from this constant and reject (not silently truncate)
 *  longer lines — confirm in the rule loader. */
#define DETECT_MAX_RULE_SIZE 8192

/** Maximum number of chained transforms per buffer. This sizes the
 *  fixed-length arrays DetectEngineTransforms::transforms and
 *  SignatureInitData::transforms, so the keyword setup code must check
 *  the current count against this before appending another transform. */
#define DETECT_TRANSFORMS_MAX 16
59 
60 /* forward declarations for the structures from detect-engine-sigorder.h */
61 struct SCSigOrderFunc_;
63 
64 /*
65 
66  The detection engine groups similar signatures/rules together. Internally a
 tree of different types of data is created on initialization. This is its
68  global layout:
69 
70  For TCP/UDP
71 
72  - Flow direction
73  -- Protocol
74  -=- Src address
75  -==- Dst address
76  -===- Src port
77  -====- Dst port
78 
79  For the other protocols
80 
81  - Flow direction
82  -- Protocol
83  -=- Src address
84  -==- Dst address
85 
86 */
87 
88 /* holds the values for different possible lists in struct Signature.
89  * These codes are access points to particular lists in the array
90  * Signature->sm_lists[DETECT_SM_LIST_MAX]. */
94 
95  /* base64_data keyword uses some hardcoded logic so consider
96  * built-in
97  * TODO convert to inspect engine */
99 
100  /* list for post match actions: flowbit set, flowint increment, etc */
102 
103  DETECT_SM_LIST_TMATCH, /**< post-detection tagging */
104 
105  /* lists for alert thresholding and suppression */
108 
110 
111  /* start of dynamically registered lists */
113 };
114 
115 /* used for Signature->list, which indicates which list
116  * we're adding keywords to in cases of sticky buffers like
117  * file_data */
118 #define DETECT_SM_LIST_NOTSET INT_MAX
119 
120 /*
121  * DETECT ADDRESS
122  */
123 
/** Outcome of comparing address range a against address range b, read as
 *  "a is ... than b". In the diagrams 'a' marks a's span and 'b' marks b's. */
enum {
    ADDRESS_ER = -1, /**< error, e.g. an ipv4 range compared with an ipv6 range */
    ADDRESS_LT = 0,  /**< a lies entirely below b: [aaa] [bbb] */
    ADDRESS_LE = 1,  /**< a starts below b and overlaps it: [aa[bab]bb] */
    ADDRESS_EQ = 2,  /**< identical ranges: [abababab] */
    ADDRESS_ES = 3,  /**< a is contained in b: [bb[aaa]bb], [[abab]bbb], [bbb[abab]] */
    ADDRESS_EB = 4,  /**< a contains b: [aa[bbb]aa], [[baba]aaa], [aaa[baba]] */
    ADDRESS_GE = 5,  /**< a starts inside b and extends past it: [bb[aba]aa] */
    ADDRESS_GT = 6,  /**< a lies entirely above b: [bbb] [aaa] */
};
135 
136 #define ADDRESS_FLAG_NOT 0x01 /**< address is negated */
137 
138 /** \brief address structure for use in the detection engine.
139  *
140  * Contains the address information and matching information.
141  */
142 typedef struct DetectAddress_ {
143  /** address data for this group */
146 
147  /** flags affecting this address */
148  uint8_t flags;
149 
150  /** ptr to the previous address in the list */
152  /** ptr to the next address in the list */
154 } DetectAddress;
155 
156 /** Signature grouping head. Here 'any', ipv4 and ipv6 are split out */
157 typedef struct DetectAddressHead_ {
161 
162 
163 #include "detect-threshold.h"
164 
165 typedef struct DetectMatchAddressIPv4_ {
166  uint32_t ip; /**< address in host order, start of range */
167  uint32_t ip2; /**< address in host order, end of range */
169 
170 typedef struct DetectMatchAddressIPv6_ {
171  uint32_t ip[4];
172  uint32_t ip2[4];
174 
175 /*
176  * DETECT PORT
177  */
178 
/** Outcome of comparing port range a against port range b, read as
 *  "a is ... than b". In the diagrams 'a' marks a's span and 'b' marks b's.
 *  Values mirror the ADDRESS_* comparison results. */
enum {
    PORT_ER = -1, /**< error: the two ranges could not be compared */
    PORT_LT = 0,  /**< a lies entirely below b: [aaa] [bbb] */
    PORT_LE = 1,  /**< a starts below b and overlaps it: [aa[bab]bb] */
    PORT_EQ = 2,  /**< identical ranges: [abababab] */
    PORT_ES = 3,  /**< a is contained in b: [bb[aaa]bb], [[abab]bbb], [bbb[abab]] */
    PORT_EB = 4,  /**< a contains b: [aa[bbb]aa], [[baba]aaa], [aaa[baba]] */
    PORT_GE = 5,  /**< a starts inside b and extends past it: [bb[aba]aa] */
    PORT_GT = 6,  /**< a lies entirely above b: [bbb] [aaa] */
};
190 
/* DetectPort::flags bits (uint8_t, so up to eight flags). */
#define PORT_FLAG_ANY 0x01 /**< 'any' special port */
#define PORT_FLAG_NOT 0x02 /**< negated port */
#define PORT_SIGGROUPHEAD_COPY 0x04 /**< sgh is a ptr copy: DetectPort::sh is NOT owned by this node and must not be freed with it */
194 
/** \brief Port structure for detection engine.
 *
 * One port range plus the signature group attached to it, kept in a
 * doubly linked list (prev/next). Ownership of `sh` depends on
 * PORT_SIGGROUPHEAD_COPY: free it only when that flag is clear.
 */
typedef struct DetectPort_ {
    uint16_t port;  /**< start of the range (presumably inclusive, like DetectMatchAddressIPv4::ip) */
    uint16_t port2; /**< end of the range */

    uint8_t flags; /**< flags for this port: PORT_FLAG_* / PORT_SIGGROUPHEAD_COPY */

    /* signatures that belong in this group
     *
     * If the PORT_SIGGROUPHEAD_COPY flag is set, we don't own this pointer
     * (memory is freed elsewhere). Check the flag before freeing to avoid
     * a double free.
     */
    struct SigGroupHead_ *sh;

    struct DetectPort_ *prev; /**< previous range in the list, NULL at the head */
    struct DetectPort_ *next; /**< next range in the list, NULL at the tail */
} DetectPort;
212 
/* Signature flags, stored in Signature::flags (uint32_t, bits 0..31).
 * Bit 8 and bits 13..16 are currently vacant. */
/** \note: additions should be added to the rule analyzer as well */

#define SIG_FLAG_SRC_ANY BIT_U32(0) /**< source is any */
#define SIG_FLAG_DST_ANY BIT_U32(1) /**< destination is any */
#define SIG_FLAG_SP_ANY BIT_U32(2) /**< source port is any */
#define SIG_FLAG_DP_ANY BIT_U32(3) /**< destination port is any */

#define SIG_FLAG_NOALERT BIT_U32(4) /**< no alert flag is set: the sig presumably still matches (and runs post-match actions) but raises no alert — confirm */
#define SIG_FLAG_DSIZE BIT_U32(5) /**< signature has a dsize setting (see Signature::dsize_low / dsize_high) */
#define SIG_FLAG_APPLAYER BIT_U32(6) /**< signature applies to app layer instead of packets */
#define SIG_FLAG_IPONLY BIT_U32(7) /**< ip only signature, presumably handled by the IP-only engine (DetectEngineIPOnlyCtx) rather than the normal sgh path */

// vacancy (bit 8)

#define SIG_FLAG_REQUIRE_PACKET BIT_U32(9) /**< signature is requiring packet match */
#define SIG_FLAG_REQUIRE_STREAM BIT_U32(10) /**< signature is requiring stream match */

#define SIG_FLAG_MPM_NEG BIT_U32(11) /**< NOTE(review): undocumented; presumably the mpm (fast_pattern) content is negated — confirm in the mpm setup code */

#define SIG_FLAG_FLUSH BIT_U32(12) /**< detection logic needs stream flush notification */

// vacancies (bits 13..16)

#define SIG_FLAG_REQUIRE_FLOWVAR BIT_U32(17) /**< signature can only match if a flowbit, flowvar or flowint is available. */

#define SIG_FLAG_FILESTORE BIT_U32(18) /**< signature has filestore keyword */

#define SIG_FLAG_TOSERVER BIT_U32(19) /**< rule inspects traffic flowing to the server; see SigGroupHeadInitData::direction, both direction bits may be set */
#define SIG_FLAG_TOCLIENT BIT_U32(20) /**< rule inspects traffic flowing to the client */

#define SIG_FLAG_TLSSTORE BIT_U32(21) /**< NOTE(review): undocumented; presumably set by the tls_store keyword — confirm */

#define SIG_FLAG_BYPASS BIT_U32(22) /**< NOTE(review): undocumented; presumably set by the bypass keyword, which stops further inspection of the matching flow. Security-relevant, confirm exact semantics before relying on it */

#define SIG_FLAG_PREFILTER BIT_U32(23) /**< sig is part of a prefilter engine */

/** Proto detect only signature.
 * Inspected once per direction when protocol detection is done. */
#define SIG_FLAG_PDONLY BIT_U32(24)
/** Info for Source and Target identification: the source address is the target */
#define SIG_FLAG_SRC_IS_TARGET BIT_U32(25)
/** Info for Source and Target identification: the destination address is the target */
#define SIG_FLAG_DEST_IS_TARGET BIT_U32(26)

/** mask of both target bits: non-zero when the rule carries target info */
#define SIG_FLAG_HAS_TARGET (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET)
260 /* signature init flags */
261 #define SIG_FLAG_INIT_DEONLY (1<<0) /**< decode event only signature */
262 #define SIG_FLAG_INIT_PACKET (1<<1) /**< signature has matches against a packet (as opposed to app layer) */
263 #define SIG_FLAG_INIT_FLOW (1<<2) /**< signature has a flow setting */
264 #define SIG_FLAG_INIT_BIDIREC (1<<3) /**< signature has bidirectional operator */
265 #define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN (1<<4) /** < signature has seen the first ip_proto keyword */
266 #define SIG_FLAG_INIT_HAS_TRANSFORM (1<<5)
267 #define SIG_FLAG_INIT_STATE_MATCH (1<<6) /**< signature has matches that require stateful inspection */
268 #define SIG_FLAG_INIT_NEED_FLUSH (1<<7)
269 
/* signature mask flags. Each REQUIRE_* bit names a packet property the sig
 * presumably needs before it is worth inspecting. The mask type is a
 * uint8_t (SignatureMask below), so BIT_U8(7) is the last usable bit:
 * adding a ninth flag requires widening SignatureMask first. */
/** \note: additions should be added to the rule analyzer as well */
#define SIG_MASK_REQUIRE_PAYLOAD BIT_U8(0)
#define SIG_MASK_REQUIRE_FLOW BIT_U8(1)
#define SIG_MASK_REQUIRE_FLAGS_INITDEINIT BIT_U8(2) /* SYN, FIN, RST */
#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL BIT_U8(3) /* URG, ECN, CWR */
#define SIG_MASK_REQUIRE_NO_PAYLOAD BIT_U8(4)
#define SIG_MASK_REQUIRE_DCERPC BIT_U8(5) /* require either SMB+DCE or raw DCE */
// vacancy (bit 6)
#define SIG_MASK_REQUIRE_ENGINE_EVENT BIT_U8(7)

/* for now a uint8_t is enough: all SIG_MASK_* bits must fit in it */
#define SignatureMask uint8_t
283 
284 #define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH 0x0004
285 
/* Per-signature file requirements. NOTE(review): presumably stored in
 * Signature::file_flags, which is a uint8_t; if so all eight bits are
 * consumed here (0x01..0x80) and a new FILE_SIG_NEED_* flag needs a wider
 * field — confirm before adding one. */
#define FILE_SIG_NEED_FILE 0x01
#define FILE_SIG_NEED_FILENAME 0x02
#define FILE_SIG_NEED_MAGIC 0x04 /**< need the start of the file */
#define FILE_SIG_NEED_FILECONTENT 0x08
#define FILE_SIG_NEED_MD5 0x10
#define FILE_SIG_NEED_SHA1 0x20
#define FILE_SIG_NEED_SHA256 0x40
#define FILE_SIG_NEED_SIZE 0x80
294 
295 /* Detection Engine flags */
296 #define DE_QUIET 0x01 /**< DE is quiet (esp for unittests) */
297 
298 typedef struct IPOnlyCIDRItem_ {
299  /* address data for this item */
300  uint8_t family;
301  /* netmask in CIDR values (ex. /16 /18 /24..) */
302  uint8_t netmask;
303  /* If this host or net is negated for the signum */
304  uint8_t negated;
305 
306  uint32_t ip[4];
307  SigIntId signum; /**< our internal id */
308 
309  /* linked list, the header should be the biggest network */
311 
313 
/** \brief Opaque base type for a keyword's parsed-option context.
 *
 * Each keyword keeps its own struct and passes it around as SigMatchCtx *.
 * The single `foo` member only gives the type a non-empty definition; it
 * carries no meaning and must never be read. Always cast back to the
 * keyword's own type before dereferencing (presumably keyed on
 * SigMatch::type) — dereferencing through the wrong type is undefined
 * behaviour.
 */
typedef struct SigMatchCtx_ {
    int foo;
} SigMatchCtx;
320 
/** \brief a single match condition for a signature.
 *
 * Node of a doubly linked list (next/prev). `idx` is assigned from
 * SignatureInitData::sm_cnt, which is also a uint16_t, so both saturate
 * together; DETECT_MAX_RULE_SIZE keeps the count far below that.
 */
typedef struct SigMatch_ {
    uint8_t type;  /**< match type, index into the sigmatch table */
    uint16_t idx;  /**< position in the signature (0-based order of the keyword) */
    SigMatchCtx *ctx; /**< plugin specific data; cast to the type's own ctx struct */
    struct SigMatch_ *next; /**< next match in the list, NULL at the tail */
    struct SigMatch_ *prev; /**< previous match in the list, NULL at the head */
} SigMatch;
329 
/** \brief Data needed for Match().
 *
 * Compact, pointer-free form of SigMatch used at runtime. Presumably laid
 * out as a flat array; `is_last` is the only terminator visible here, so
 * every array must end with an element that has it set or a walker will
 * run past the end.
 */
typedef struct SigMatchData_ {
    uint8_t type;     /**< match type, index into the sigmatch table */
    uint8_t is_last;  /**< Last element of the list (non-zero terminates the walk) */
    SigMatchCtx *ctx; /**< plugin specific data; cast to the type's own ctx struct */
} SigMatchData;
336 
337 struct DetectEngineThreadCtx_;// DetectEngineThreadCtx;
338 
/* inspection buffer is a simple structure that is passed between prefilter,
 * transformation functions and inspection functions.
 * Initially set up with the 'orig' ptr and len; transformations can then take
 * that and fill 'buf'. Multiple transformations can update the buffer,
 * both growing and shrinking it.
 * Prefilter and inspection will only deal with 'inspect'. */
345 
346 typedef struct InspectionBuffer {
347  const uint8_t *inspect; /**< active pointer, points either to ::buf or ::orig */
348  uint64_t inspect_offset;
349  uint32_t inspect_len; /**< size of active data. See to ::len or ::orig_len */
350  uint8_t flags; /**< DETECT_CI_FLAGS_* for use with DetectEngineContentInspection */
351 
352  uint32_t len; /**< how much is in use */
353  uint8_t *buf;
354  uint32_t size; /**< size of the memory allocation */
355 
356  uint32_t orig_len;
357  const uint8_t *orig;
359 
360 /* inspection buffers are kept per tx (in det_ctx), but some protocols
361  * need a bit more. A single TX might have multiple buffers, e.g. files in
362  * SMTP or DNS queries. Since all prefilters+transforms run before the
363  * individual rules need the same buffers, we need a place to store the
364  * transformed data. This array of arrays is that place. */
365 
368  uint32_t size; /**< size in number of elements */
369  uint32_t max:31; /**< max id in use in this run */
370  uint32_t init:1; /**< first time used this run. Used for clean logic */
372 
373 typedef struct DetectEngineTransforms {
374  int transforms[DETECT_TRANSFORMS_MAX];
375  int cnt;
377 
378 /** callback for getting the buffer we need to prefilter/inspect */
379 typedef InspectionBuffer *(*InspectionBufferGetDataPtr)(
380  struct DetectEngineThreadCtx_ *det_ctx,
381  const DetectEngineTransforms *transforms,
382  Flow *f, const uint8_t flow_flags,
383  void *txv, const int list_id);
384 
386  struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx,
387  const struct Signature_ *sig, const SigMatchData *smd,
388  Flow *f, uint8_t flags, void *alstate,
389  void *tx, uint64_t tx_id);
390 
392 
393 typedef int (*InspectEngineFuncPtr2)(
394  struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx,
395  const struct DetectEngineAppInspectionEngine_ *engine,
396  const struct Signature_ *s,
397  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
398 
401  uint8_t dir;
402  uint8_t id; /**< per sig id used in state keeping */
403  uint16_t mpm:1;
404  uint16_t stream:1;
405  uint16_t sm_list:14;
406  int16_t progress;
407 
408  /* \retval 0 No match. Don't discontinue matching yet. We need more data.
409  * 1 Match.
410  * 2 Sig can't match.
411  * 3 Special value used by filestore sigs to indicate disabling
412  * filestore for the tx.
413  */
415 
416  struct {
419  /** pointer to the transforms in the 'DetectBuffer entry for this list */
421  } v2;
422 
424 
427 
428 typedef struct DetectBufferType_ {
429  const char *string;
430  const char *description;
431  int id;
433  _Bool mpm;
434  _Bool packet; /**< compat to packet matches */
436  void (*SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *);
437  bool (*ValidateCallback)(const struct Signature_ *, const char **sigerror);
440 
441 #ifdef UNITTESTS
442 #define sm_lists init_data->smlists
443 #define sm_lists_tail init_data->smlists_tail
444 #endif
445 
446 typedef struct SignatureInitData_ {
447  /** Number of sigmatches. Used for assigning SigMatch::idx */
448  uint16_t sm_cnt;
449 
450  /** option was prefixed with '!'. Only set for sigmatches that
451  * have the SIGMATCH_HANDLE_NEGATION flag set. */
452  bool negated;
453 
454  /* track if we saw any negation in the addresses. If so, we
455  * skip it for ip-only */
458 
459  /* used to hold flags that are used during init */
460  uint32_t init_flags;
461  /* coccinelle: SignatureInitData:init_flags:SIG_FLAG_INIT_ */
462 
463  /* used at init to determine max dsize */
465 
466  /* the fast pattern added from this signature */
468  /* used to speed up init of prefilter */
470 
471  /* SigMatch list used for adding content and friends. E.g. file_data; */
472  int list;
473  bool list_set;
474 
475  int transforms[DETECT_TRANSFORMS_MAX];
477 
478  /** score to influence rule grouping. A higher value leads to a higher
479  * likelyhood of a rulegroup with this sig ending up as a contained
480  * group. */
482 
483  /** address settings for this signature */
485 
487 
489  /* holds all sm lists */
490  struct SigMatch_ **smlists;
491  /* holds all sm lists' tails */
494 
495 /** \brief Signature container */
496 typedef struct Signature_ {
497  uint32_t flags;
498  /* coccinelle: Signature:flags:SIG_FLAG_ */
499 
501 
502  uint16_t dsize_low;
503  uint16_t dsize_high;
504 
506  SigIntId num; /**< signature number, internal id */
507 
508  /** inline -- action */
509  uint8_t action;
510  uint8_t file_flags;
511 
512  /** addresses, ports and proto this sig matches on */
514 
515  /** classification id **/
516  uint8_t class;
517 
518  /** ipv4 match arrays */
525  /** ipv6 match arrays */
528 
529  uint32_t id; /**< sid, set by the 'sid' rule keyword */
530  uint32_t gid; /**< generator id */
531  uint32_t rev;
532  int prio;
533 
534  /** port settings for this signature */
535  DetectPort *sp, *dp;
536 
537 #ifdef PROFILING
538  uint16_t profiling_id;
539 #endif
540 
541  /** netblocks and hosts specified at the sid, in CIDR format */
543 
545 
546  /* Matching structures for the built-ins. The others are in
547  * their inspect engines. */
549 
550  /* memory is still owned by the sm_lists/sm_arrays entry */
552 
553  char *msg;
554 
555  /** classification message */
556  char *class_msg;
557  /** Reference */
559  /** Metadata */
561 
562  char *sig_str;
563 
565 
566  /** ptr to the next sig in the list */
567  struct Signature_ *next;
568 } Signature;
569 
570 /** \brief one time registration of keywords at start up */
572  const char *name;
573  char pname[32]; /**< name used in profiling */
574  int direction; /**< SIG_FLAG_TOSERVER or SIG_FLAG_TOCLIENT */
575  int sm_list;
576 
577  int (*PrefilterRegister)(struct DetectEngineCtx_ *de_ctx,
578  struct SigGroupHead_ *sgh, MpmCtx *mpm_ctx);
579 
580  int priority;
581 
582  struct {
583  int (*PrefilterRegisterWithListId)(struct DetectEngineCtx_ *de_ctx,
584  struct SigGroupHead_ *sgh, MpmCtx *mpm_ctx,
585  const struct DetectMpmAppLayerRegistery_ *mpm_reg, int list_id);
590  } v2;
591 
592  int id; /**< index into this array and result arrays */
593 
596 
597 /** \brief structure for storing per detect engine mpm keyword settings
598  */
601  int32_t sgh_mpm_context; /**< mpm factory id */
603 
604 typedef struct DetectReplaceList_ {
606  uint8_t *found;
609 
610 /** only execute flowvar storage if rule matched */
611 #define DETECT_VAR_TYPE_FLOW_POSTMATCH 1
612 #define DETECT_VAR_TYPE_PKT_POSTMATCH 2
613 
614 /** list for flowvar store candidates, to be stored from
615  * post-match function */
616 typedef struct DetectVarList_ {
617  uint32_t idx; /**< flowvar name idx */
618  uint16_t len; /**< data len */
619  uint16_t key_len;
620  int type; /**< type of store candidate POSTMATCH or ALWAYS */
621  uint8_t *key;
622  uint8_t *buffer; /**< alloc'd buffer, may be freed by
623  post-match, post-non-match */
625 } DetectVarList;
626 
628  uint8_t *sig_match_array; /* bit array of sig nums */
629  uint32_t sig_match_size; /* size in bytes of the array */
631 
632 /** \brief IP only rules matching ctx. */
633 typedef struct DetectEngineIPOnlyCtx_ {
634  /* lookup hashes */
635  HashListTable *ht16_src, *ht16_dst;
636  HashListTable *ht24_src, *ht24_dst;
637 
638  /* Lookup trees */
639  SCRadixTree *tree_ipv4src, *tree_ipv4dst;
640  SCRadixTree *tree_ipv6src, *tree_ipv6dst;
641 
642  /* Used to build the radix trees */
644 
645  /* counters */
646  uint32_t a_src_uniq16, a_src_total16;
647  uint32_t a_dst_uniq16, a_dst_total16;
648  uint32_t a_src_uniq24, a_src_total24;
649  uint32_t a_dst_uniq24, a_dst_total24;
650 
651  uint32_t max_idx;
652 
653  uint8_t *sig_init_array; /* bit array of sig nums */
654  uint32_t sig_init_size; /* size in bytes of the array */
655 
656  /* number of sigs in this head */
657  uint32_t sig_cnt;
658  uint32_t *match_array;
660 
661 typedef struct DetectEngineLookupFlow_ {
664  struct SigGroupHead_ *sgh[256];
666 
667 /* Flow status
668  *
669  * to server
670  * to client
671  */
672 #define FLOW_STATES 2
673 
674 /** \brief threshold ctx */
675 typedef struct ThresholdCtx_ {
676  SCMutex threshold_table_lock; /**< Mutex for hash table */
677 
678  /** to support rate_filter "by_rule" option */
680  uint32_t th_size;
681 } ThresholdCtx;
682 
683 typedef struct SigString_ {
684  char *filename;
685  char *sig_str;
686  char *sig_error;
687  int line;
689 } SigString;
690 
691 /** \brief Signature loader statistics */
692 typedef struct SigFileLoaderStat_ {
693  TAILQ_HEAD(, SigString_) failed_sigs;
699 
701  void *(*InitFunc)(void *);
702  void (*FreeFunc)(void *);
703  void *data;
705  int id;
706  const char *name; /* keyword name, for error printing */
708 
710 {
711  DETECT_PREFILTER_MPM = 0, /**< use only mpm / fast_pattern */
712  DETECT_PREFILTER_AUTO = 1, /**< use mpm + keyword prefilters */
713 };
714 
716 {
718  DETECT_ENGINE_TYPE_DD_STUB = 1, /* delayed detect stub: can be reloaded */
719  DETECT_ENGINE_TYPE_MT_STUB = 2, /* multi-tenant stub: cannot be reloaded */
721 };
722 
723 /** \brief main detection engine ctx */
724 typedef struct DetectEngineCtx_ {
725  uint8_t flags;
727 
729 
731  uint32_t sig_cnt;
732 
733  /* version of the srep data */
734  uint32_t srep_version;
735 
736  /* reputation for netblocks */
738 
740  uint32_t sig_array_size; /* size in bytes */
741  uint32_t sig_array_len; /* size in array members */
742 
743  uint32_t signum;
744 
745  /** Maximum value of all our sgh's non_mpm_store_cnt setting,
746  * used to alloc det_ctx::non_mpm_id_array */
748 
749  /* used by the signature ordering module */
751 
752  /* hash table used for holding the classification config info */
754  /* hash table used for holding the reference config info */
756 
757  /* main sigs */
759 
760  uint32_t gh_unique, gh_reuse;
761 
762  /* init phase vars */
764 
766 
767  /* hash table used to cull out duplicate sigs */
769 
772 
773  uint16_t mpm_matcher; /**< mpm matcher this ctx uses */
774  uint16_t spm_matcher; /**< spm matcher this ctx uses */
775 
776  /* spm thread context prototype, built as spm matchers are constructed and
777  * later used to construct thread context for each thread. */
779 
780  /* Config options */
781 
784 
785  /* specify the configuration for mpm context factory */
787 
788  /* max flowbit id that is used */
789  uint32_t max_fb_id;
790 
791  uint32_t max_fp_id;
792 
794 
795  /* maximum recursion depth for content inspection */
797 
798  /* conf parameter that limits the length of the http request body inspected */
800  /* conf parameter that limits the length of the http response body inspected */
802 
803  /* array containing all sgh's in use so we can loop
804  * through it in Stage4. */
806  uint32_t sgh_array_cnt;
807  uint32_t sgh_array_size;
808 
813 
814  /* the max local id used amongst all sigs */
816 
817  /** version of the detect engine */
818  uint32_t version;
819 
820  /** sgh for signatures that match against invalid packets. In those cases
821  * we can't lookup by proto, address, port as we don't have these */
823 
824  /* Maximum size of the buffer for decoded base64 data. */
826 
827  /** Store rule file and line so that parsers can use them in errors. */
828  char *rule_file;
830  const char *sigerror;
831 
832  /** list of keywords that need thread local ctxs */
835 
836  struct {
837  uint32_t content_limit;
840  } filedata_config[ALPROTO_MAX];
842 
843 #ifdef PROFILING
850 #endif
851  uint32_t prefilter_maxid;
852 
853  char config_prefix[64];
854 
856 
857  /** how many de_ctx' are referencing this */
858  uint32_t ref_cnt;
859  /** list in master: either active or freelist */
861 
862  /** id of loader thread 'owning' this de_ctx */
864 
865  /** are we useing just mpm or also other prefilters */
867 
869 
872 
873  /** table for storing the string representation with the parsers result */
875 
876  /** table to store metadata keys and values */
878 
881 
882  /* hash table with rule-time buffer registration. Start time registration
883  * is in detect-engine.c::g_buffer_type_hash */
886 
887  /* list with app inspect engines. Both the start-time registered ones and
888  * the rule-time registered ones. */
892 
893  uint32_t prefilter_id;
895 
896  /** table with mpms and their registration function
897  * \todo we only need this at init, so perhaps this
898  * can move to a DetectEngineCtx 'init' struct */
900 
901  /** time of last ruleset reload */
902  struct timeval last_reload;
903 
904  /** signatures stats */
906 
907  /** per keyword flag indicating if a prefilter has been
908  * set for it. If true, the setup function will have to
909  * run. */
910  bool sm_types_prefilter[DETECT_TBLSIZE];
911 
913 
914 /* Engine groups profiles (low, medium, high, custom) */
915 enum {
922 };
923 
924 /* Siggroup mpm context profile */
925 enum {
929 };
930 
931 typedef struct HttpReassembledBody_ {
932  const uint8_t *buffer;
934  uint32_t buffer_size; /**< size of the buffer itself */
935  uint32_t buffer_len; /**< data len in the buffer */
937  uint64_t offset; /**< data offset */
939 
/** Capacity of DetectEngineThreadCtx::filestore, the per-thread array of
 *  (file_id, tx_id) pairs queued by the filestore keyword. The matching
 *  counter (DetectEngineThreadCtx::filestore_cnt) is a uint16_t and can
 *  represent far more than this, so every append must check
 *  filestore_cnt < DETECT_FILESTORE_MAX before writing into the array —
 *  confirm the keyword implementation does. */
#define DETECT_FILESTORE_MAX 15
941 
945  uint8_t alproto;
947 
948 /** array of TX inspect rule candidates */
949 typedef struct RuleMatchCandidateTx {
950  SigIntId id; /**< internal signature id */
951  uint32_t *flags; /**< inspect flags ptr */
952  union {
953  struct {
955  uint8_t stream_result;
956  };
957  uint32_t stream_reset;
958  };
959 
960  const Signature *s; /**< ptr to sig */
962 
963 /**
964  * Detection engine thread data.
965  */
966 typedef struct DetectEngineThreadCtx_ {
967  /** \note multi-tenant hash lookup code from Detect() *depends*
968  * on this beeing the first member */
969  uint32_t tenant_id;
970 
971  /** ticker that is incremented once per packet. */
972  uint64_t ticker;
973 
974  /* the thread to which this detection engine thread belongs */
976 
978  uint32_t non_pf_id_cnt; // size is cnt * sizeof(uint32_t)
979 
980  uint32_t mt_det_ctxs_cnt;
983 
986 
987  uint32_t (*TenantGetId)(const void *, const Packet *p);
988 
989  /* detection engine variables */
990 
992 
993  /** offset into the payload of the last match by:
994  * content, pcre, etc */
995  uint32_t buffer_offset;
996  /* used by pcre match function alone */
998 
999  /* counter for the filestore array below -- up here for cache reasons. */
1000  uint16_t filestore_cnt;
1001 
1002  /** id for alert counter */
1003  uint16_t counter_alerts;
1004 #ifdef PROFILING
1009 #endif
1010 
1011  int inspect_list; /**< list we're currently inspecting, DETECT_SM_LIST_* */
1012 
1013  struct {
1015  uint32_t buffers_size; /**< in number of elements */
1016  uint32_t to_clear_idx;
1017  uint32_t *to_clear_queue;
1018  } inspect;
1019 
1020  struct {
1021  /** inspection buffers for more complex case. As we can inspect multiple
1022  * buffers in parallel, we need this extra wrapper struct */
1024  uint32_t buffers_size; /**< in number of elements */
1025  uint32_t to_clear_idx;
1026  uint32_t *to_clear_queue;
1027  } multi_inspect;
1028 
1029  /* used to discontinue any more matching */
1031  uint16_t flags;
1032 
1033  /* bool: if tx_id is set, this is 1, otherwise 0 */
1034  uint16_t tx_id_set;
1035  /** ID of the transaction currently being inspected. */
1036  uint64_t tx_id;
1038 
1039  SC_ATOMIC_DECLARE(int, so_far_used_by_detect);
1040 
1041  /* holds the current recursion depth on content inspection */
1043 
1044  /** array of signature pointers we're going to inspect in the detection
1045  * loop. */
1047  /** size of the array in items (mem size if * sizeof(Signature *)
1048  * Only used during initialization. */
1050  /** size in use */
1052 
1055 
1058 
1059  /** pointer to the current mpm ctx that is stored
1060  * in a rule group head -- can be either a content
1061  * or uricontent ctx. */
1062  MpmThreadCtx mtc; /**< thread ctx for the mpm */
1063  MpmThreadCtx mtcu; /**< thread ctx for uricontent mpm */
1064  MpmThreadCtx mtcs; /**< thread ctx for stream mpm */
1066 
1067  /** SPM thread context used for scanning. This has been cloned from the
1068  * prototype held by DetectEngineCtx. */
1070 
1071  /** ip only rules ctx */
1073 
1074  /* byte jump values */
1075  uint64_t *bj_values;
1076 
1077  /* string to replace */
1079  /* vars to store in post match function */
1081 
1082  /* Array in which the filestore keyword stores file id and tx id. If the
1083  * full signature matches, these are processed by a post-match filestore
1084  * function to finalize the store. */
1085  struct {
1086  uint32_t file_id;
1087  uint64_t tx_id;
1088  } filestore[DETECT_FILESTORE_MAX];
1089 
1091  /** store for keyword contexts that need a per thread storage. Per de_ctx. */
1094  /** store for keyword contexts that need a per thread storage. Global. */
1097 
1098  uint8_t *base64_decoded;
1101 
1103  uint16_t events;
1104 
1105 #ifdef DEBUG
1106  uint64_t pkt_stream_add_cnt;
1107  uint64_t payload_mpm_cnt;
1108  uint64_t payload_mpm_size;
1109  uint64_t stream_mpm_cnt;
1110  uint64_t stream_mpm_size;
1111  uint64_t payload_persig_cnt;
1112  uint64_t payload_persig_size;
1113  uint64_t stream_persig_cnt;
1114  uint64_t stream_persig_size;
1115 #endif
1116 #ifdef PROFILING
1121  int keyword_perf_list; /**< list we're currently inspecting, DETECT_SM_LIST_* */
1123 
1126 #endif
1128 
/** \brief element in sigmatch type table.
 *
 * One entry per rule keyword. Only the callbacks a keyword needs are set;
 * callers must NULL-check a callback before invoking it. Note the mix of
 * `_Bool` (SupportsPrefilter) and `bool` elsewhere in this header — same
 * type, but worth normalising when the struct is next touched.
 */
typedef struct SigTableElmt_ {
    /** Packet match function pointer: run per packet against one SigMatch's ctx */
    int (*Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *);

    /** AppLayer TX match function pointer: run per app-layer transaction
     *  (alstate = protocol state, txv = the transaction, flags = direction flags) */
    int (*AppLayerTxMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *,
        uint8_t flags, void *alstate, void *txv,
        const Signature *, const SigMatchCtx *);

    /** File match function pointer: run per file. The flow is already
     *  locked by the caller — do not lock it again. */
    int (*FileMatch)(ThreadVars *, /**< thread local vars */
        DetectEngineThreadCtx *,
        Flow *, /**< *LOCKED* flow */
        uint8_t flags, File *, const Signature *, const SigMatchCtx *);

    /** InspectionBuffer transformation callback: rewrites the buffer in
     *  place (may grow or shrink it) before prefilter/inspection */
    void (*Transform)(InspectionBuffer *);

    /** keyword setup function pointer, called at rule parse time with the
     *  keyword's option string as written in the rule. This is where rule
     *  text is parsed, so it must validate the string and report failure
     *  (presumably via a negative return — confirm) rather than accept
     *  malformed input. */
    int (*Setup)(DetectEngineCtx *, Signature *, const char *);

    /** whether this keyword can act as a prefilter for the given sig */
    _Bool (*SupportsPrefilter)(const Signature *s);
    /** register the keyword's prefilter engine for a rule group */
    int (*SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh);

    /** frees the keyword's ctx (presumably the SigMatchCtx it allocated in Setup) */
    void (*Free)(void *);
    /** registers the keyword's unit tests */
    void (*RegisterTests)(void);

    uint16_t flags; /**< SIGMATCH_* parser/compat flags */
    /* coccinelle: SigTableElmt:flags:SIGMATCH_ */

    /** better keyword to replace the current one (presumably an index into
     *  this table; used to steer users off deprecated keywords) */
    uint16_t alternative;

    const char *name; /**< keyword name as written in rules */
    const char *alias; /**< alternative spelling accepted for the keyword */
    const char *desc; /**< short description, for documentation output */
    const char *url; /**< documentation URL */

} SigTableElmt;
1170 
1171 /* event code */
1172 enum {
1173 #ifdef UNITTESTS
1175 #endif
1190 };
1191 
/* SigGroupHead::flags bits (uint32_t). The HAVEFILE* bits record which
 * file properties at least one sig in the group needs. Note that
 * SIG_GROUP_HEAD_HAVEFILEMAGIC only exists when built with libmagic, so
 * any code referencing it must sit under the same #ifdef HAVE_MAGIC. */
#define SIG_GROUP_HEAD_HAVERAWSTREAM BIT_U32(0)
#ifdef HAVE_MAGIC
#define SIG_GROUP_HEAD_HAVEFILEMAGIC BIT_U32(20)
#endif
#define SIG_GROUP_HEAD_HAVEFILEMD5 BIT_U32(21)
#define SIG_GROUP_HEAD_HAVEFILESIZE BIT_U32(22)
#define SIG_GROUP_HEAD_HAVEFILESHA1 BIT_U32(23)
#define SIG_GROUP_HEAD_HAVEFILESHA256 BIT_U32(24)
1200 
1210 };
1211 
1212 typedef struct MpmStore_ {
1213  uint8_t *sid_array;
1214  uint32_t sid_array_size;
1215 
1217  enum MpmBuiltinBuffers buffer;
1218  int sm_list;
1220 
1222 
1223 } MpmStore;
1224 
1225 typedef struct PrefilterEngineList_ {
1226  uint16_t id;
1227 
1228  /** App Proto this engine applies to: only used with Tx Engines */
1230  /** Minimal Tx progress we need before running the engine. Only used
1231  * with Tx Engine */
1233 
1234  /** Context for matching. Might be MpmCtx for MPM engines, other ctx'
1235  * for other engines. */
1236  void *pectx;
1237 
1238  void (*Prefilter)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx);
1239  void (*PrefilterTx)(DetectEngineThreadCtx *det_ctx, const void *pectx,
1240  Packet *p, Flow *f, void *tx,
1241  const uint64_t idx, const uint8_t flags);
1242 
1244 
1245  /** Free function for pectx data. If NULL the memory is not freed. */
1246  void (*Free)(void *pectx);
1247 
1248  const char *name;
1249  /* global id for this prefilter */
1250  uint32_t gid;
1252 
/** Flattened (array) form of a prefilter engine as stored in
 *  SigGroupHead::pkt_engines / payload_engines / tx_engines.
 *  NOTE(review): no member tags which union callback is valid; presumably the
 *  array an entry lives in (packet/payload vs tx) decides between cb.Prefilter
 *  and cb.PrefilterTx — confirm before calling through cb from new code. */
1253 typedef struct PrefilterEngine_ {
1254  uint16_t local_id;
1255 
1256  /** App Proto this engine applies to: only used with Tx Engines */
1258  /** Minimal Tx progress we need before running the engine. Only used
1259  * with Tx Engine */
1261 
1262  /** Context for matching. Might be MpmCtx for MPM engines, other ctx'
1263  * for other engines. */
1264  void *pectx;
1265 
1266  /** Exactly one member is meaningful per engine; see the note above. */
1266  union {
1267  void (*Prefilter)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx);
1268  void (*PrefilterTx)(DetectEngineThreadCtx *det_ctx, const void *pectx,
1269  Packet *p, Flow *f, void *tx,
1270  const uint64_t idx, const uint8_t flags);
1271  } cb;
1272 
1273  /* global id for this prefilter */
1274  uint32_t gid;
1275  int is_last; /**< presumably non-zero on the final entry of an engine array (loop terminator) — confirm */
1276 } PrefilterEngine;
1277 
/** Initialization-only data of a SigGroupHead, reached via SigGroupHead::init. */
1278 typedef struct SigGroupHeadInitData_ {
1279  MpmStore mpm_store[MPMB_MAX]; /**< one store per builtin MPM buffer; presumably indexed by MpmBuiltinBuffers — confirm */
1280 
1281  uint8_t *sig_array; /**< bit array of sig nums (internal id's) */
1282  uint32_t sig_size; /**< size in bytes */
1283 
1284  uint8_t protos[256]; /**< proto(s) this sgh is for; one slot per 8-bit IP protocol number — confirm how a slot is marked */
1285  uint32_t direction; /**< set to SIG_FLAG_TOSERVER, SIG_FLAG_TOCLIENT or both */
1286  int whitelist; /**< try to make this group a unique one */
1287 
1289 
1293 
1294  /* port ptr */
1297 
1298 /** \brief Container for matching data for a signature group */
1299 typedef struct SigGroupHead_ {
1300  uint32_t flags; /**< SIG_GROUP_HEAD_* bits */
1301  /* coccinelle: SigGroupHead:flags:SIG_GROUP_HEAD_ */
1302 
1303  /* number of sigs in this head */
1305 
1306  /* non prefilter list excluding SYN rules */
1309  SignatureNonPrefilterStore *non_pf_other_store_array; // size is non_pf_other_store_cnt * sizeof(SignatureNonPrefilterStore)
1310  /* non prefilter list including SYN rules */
1311  SignatureNonPrefilterStore *non_pf_syn_store_array; // size is non_pf_syn_store_cnt * sizeof(SignatureNonPrefilterStore)
1312 
1313  /** the number of signatures in this sgh that have the filestore keyword
1314  * set. */
1315  uint16_t filestore_cnt;
1316 
1317  uint32_t id; /**< unique id used to index sgh_array for stats */
1318 
1322 
1323  /** Array with sig ptrs... size is sig_cnt * sizeof(Signature *) */
1325 
1326  /* ptr to our init data we only use at... init :) */
1328 
1329 } SigGroupHead;
1330 
/* Keyword flag bits, presumably for SigTableElmt::flags (BIT_U16: at most 16
 * bits). The SIGMATCH_QUOTES_* and SIGMATCH_HANDLE_NEGATION bits move input
 * normalisation into the rule parser, so keyword parsers setting them receive
 * already-stripped input. */
1331 /** sigmatch has no options, so the parser shouldn't expect any */
1332 #define SIGMATCH_NOOPT BIT_U16(0)
1333 /** sigmatch is compatible with a ip only rule */
1334 #define SIGMATCH_IPONLY_COMPAT BIT_U16(1)
1335 /** sigmatch is compatible with a decode event only rule */
1336 #define SIGMATCH_DEONLY_COMPAT BIT_U16(2)
1337 /** Flag to indicate that the signature is not built-in */
1338 #define SIGMATCH_NOT_BUILT BIT_U16(3)
1339 /** sigmatch may have options, so the parser should be ready to
1340  * deal with both cases */
1341 #define SIGMATCH_OPTIONAL_OPT BIT_U16(4)
1342 /** input may be wrapped in double quotes. They will be stripped before
1343  * input data is passed to keyword parser */
1344 #define SIGMATCH_QUOTES_OPTIONAL BIT_U16(5)
1345 /** input MUST be wrapped in double quotes. They will be stripped before
1346  * input data is passed to keyword parser. Missing double quotes lead to
1347  * error and signature invalidation. */
1348 #define SIGMATCH_QUOTES_MANDATORY BIT_U16(6)
1349 /** negation parsing is handled by the rule parser. Signature::init_data::negated
1350  * will be set to true or false prior to calling the keyword parser. Exclamation
1351  * mark is stripped from the input to the keyword parser. */
1352 #define SIGMATCH_HANDLE_NEGATION BIT_U16(7)
1353 /** keyword is a content modifier */
1354 #define SIGMATCH_INFO_CONTENT_MODIFIER BIT_U16(8)
1355 /** keyword is a sticky buffer */
1356 #define SIGMATCH_INFO_STICKY_BUFFER BIT_U16(9)
1357 /** keyword is deprecated: used to suggest an alternative */
1358 #define SIGMATCH_INFO_DEPRECATED BIT_U16(10)
1359 
1361 {
1362  TENANT_SELECTOR_UNKNOWN = 0, /**< not set */
1363  TENANT_SELECTOR_DIRECT, /**< method provides direct tenant id */
1364  TENANT_SELECTOR_VLAN, /**< map vlan to tenant id */
1365  TENANT_SELECTOR_LIVEDEV, /**< map livedev to tenant id */
1366 };
1367 
1369  uint32_t tenant_id;
1370 
1371  /* traffic id that maps to the tenant id */
1372  uint32_t traffic_id;
1373 
1376 
/** Process-wide registry of detection engines: the active engines, the ones
 *  queued for release but still referenced by thread contexts, and the tenant
 *  mapping used in multi-tenant mode.
 *  NOTE(review): members described as "Updated under lock" refer to a lock
 *  that is presumably a member of this struct — confirm which fields it
 *  guards before accessing them from another thread. */
1377 typedef struct DetectEngineMasterCtx_ {
1379 
1380  /** enable multi tenant mode */
1382 
1383  /** version, incremented after each 'apply to threads' */
1384  uint32_t version;
1385 
1386  /** list of active detection engines. This list is used to generate the
1387  * threads det_ctx's */
1389 
1390  /** free list, containing detection engines that will be removed but may
1391  * still be referenced by det_ctx's. Freed as soon as all references are
1392  * gone. */
1394 
1395  enum DetectEngineTenantSelectors tenant_selector; /**< how traffic is mapped to a tenant id */
1396 
1397  /** list of tenant mappings. Updated under lock. Used to generate lookup
1398  * structures. */
1400 
1401  /** list of keywords that need thread local ctxs,
1402  * only updated by keyword registration at start up. Not
1403  * covered by the lock. */
1407 
1408 /* Table with all SigMatch registrations */
1410 
1411 /** Remember to add the options in SignatureIsIPOnly() at detect.c, otherwise it won't be part of a signature group */
1412 
1413 /* detection api */
/** Detection engine thread wrapper (thread-module entry point).
 *  \param data presumably the thread's DetectEngineThreadCtx — confirm */
1414 TmEcode Detect(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq);
1415 
/** Allocate a SigMatch; release with SigMatchFree(). */
1416 SigMatch *SigMatchAlloc(void);
/** Find a specific signature by sid and gid; presumably NULL when absent — confirm. */
1417 Signature *SigFindSignatureBySidGid(DetectEngineCtx *, uint32_t, uint32_t);
1419  Packet *, SignatureMask,
1420  uint16_t);
/** Free a SigMatch allocated by SigMatchAlloc(). */
1421 void SigMatchFree(SigMatch *sm);
1422 
1423 void SigRegisterTests(void);
1424 void TmModuleDetectRegister (void);
1425 
1427 
/** Create the full path for sig_file if default-rule-path was specified.
 *  NOTE(review): returns char *, presumably heap-allocated and owned by the
 *  caller — confirm against detect.c before assuming it may be freed. */
1429 char *DetectLoadCompleteSigPath(const DetectEngineCtx *, const char *sig_file);
/** Load signatures. The char * is the rule file path (non-const: confirm
 *  whether it is modified); the meaning of the int is not given here. */
1430 int SigLoadSignatures (DetectEngineCtx *, char *, int);
/** Wrapper for old tests; not the production detection path. */
1431 void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx,
1432  DetectEngineThreadCtx *det_ctx, Packet *p);
1433 
/** Test if an initialized signature is IP only (see the SIGMATCH_IPONLY_COMPAT note above). */
1434 int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s);
/** Get the SigGroupHead for a packet. */
1435 const SigGroupHead *SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx, const Packet *p);
1436 
1438 
1439 
/** Register thread keyword context funcs (InitFunc/FreeFunc with user data).
 *  Returns an int that is presumably the id later passed to
 *  DetectThreadCtxGetKeywordThreadCtx() — confirm. */
1440 int DetectRegisterThreadCtxFuncs(DetectEngineCtx *, const char *name, void *(*InitFunc)(void *), void *data, void (*FreeFunc)(void *), int);
1442 
/** Apply action(s) of s to p and set 'drop' sig info, if applicable. */
1443 void DetectSignatureApplyActions(Packet *p, const Signature *s, const uint8_t);
1444 
/** Initialize the tx rule-match candidate array of det_ctx for `size` entries — confirm unit. */
1445 void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size);
1447 
1449 
1452 
1453 /* events */
/** Record detection engine event e on det_ctx; event codes are 8-bit. */
1454 void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e);
/** Look up a detection engine event by name, filling event_id (and event_type). */
1456 int DetectEngineGetEventInfo(const char *event_name, int *event_id,
1458 
1459 #include "detect-engine-build.h"
1460 #include "detect-engine-register.h"
1461 
1462 #endif /* __DETECT_H__ */
1463 