/* Compile-time limits and defaults for the detection engine. */
/* NOTE(review): presumably the upper bound, in bytes, on one rule string;
 * confirm at the rule parser that input is checked against it before copying. */
45 #define DETECT_MAX_RULE_SIZE 8192
/* NOTE(review): looks like the cap on transforms attached to one buffer;
 * any array sized by it needs its index bounded at the point of insertion. */
47 #define DETECT_TRANSFORMS_MAX 16
/* NOTE(review): presumably the priority used when a rule sets none; confirm. */
51 #define DETECT_DEFAULT_PRIO 3
/* Sentinel value; INT_MAX comes from <limits.h>, which must be in scope.
 * NOTE(review): the name suggests "no list selected"; code that uses a list id
 * as an array index should reject this value first. */
106 #define DETECT_SM_LIST_NOTSET INT_MAX
/* Single-bit address flag. */
124 #define ADDRESS_FLAG_NOT 0x01
/* Port flags: three distinct bits (0x01, 0x02, 0x04), so they can be OR-ed. */
177 #define PORT_FLAG_ANY 0x01
178 #define PORT_FLAG_NOT 0x02
179 #define PORT_SIGGROUPHEAD_COPY 0x04
/* Signature flag bits 0-7, each built with BIT_U32() (defined outside this
 * listing). Every flag is a single bit, so they combine with bitwise OR.
 * NOTE(review): names suggest *_ANY marks a wildcard address or port and
 * NOALERT suppresses alerting; confirm against the rule parser. */
202 #define SIG_FLAG_SRC_ANY BIT_U32(0)
203 #define SIG_FLAG_DST_ANY BIT_U32(1)
204 #define SIG_FLAG_SP_ANY BIT_U32(2)
205 #define SIG_FLAG_DP_ANY BIT_U32(3)
207 #define SIG_FLAG_NOALERT BIT_U32(4)
208 #define SIG_FLAG_DSIZE BIT_U32(5)
209 #define SIG_FLAG_APPLAYER BIT_U32(6)
210 #define SIG_FLAG_IPONLY BIT_U32(7)
211 #define SIG_FLAG_LIKE_IPONLY \
/* Signature flag bits 9-12 and 17-26. Bit positions 13-16 have no definition
 * in this listing; do not assume they are free without checking the full header. */
217 #define SIG_FLAG_REQUIRE_PACKET BIT_U32(9)
218 #define SIG_FLAG_REQUIRE_STREAM BIT_U32(10)
220 #define SIG_FLAG_MPM_NEG BIT_U32(11)
222 #define SIG_FLAG_FLUSH BIT_U32(12)
226 #define SIG_FLAG_REQUIRE_FLOWVAR BIT_U32(17)
228 #define SIG_FLAG_FILESTORE BIT_U32(18)
/* NOTE(review): presumably the traffic direction the rule applies to; confirm. */
230 #define SIG_FLAG_TOSERVER BIT_U32(19)
231 #define SIG_FLAG_TOCLIENT BIT_U32(20)
233 #define SIG_FLAG_TLSSTORE BIT_U32(21)
/* NOTE(review): name suggests the rule can bypass further inspection of a flow;
 * rules setting it deserve review because bypassed traffic is no longer matched. */
235 #define SIG_FLAG_BYPASS BIT_U32(22)
237 #define SIG_FLAG_PREFILTER BIT_U32(23)
241 #define SIG_FLAG_PDONLY BIT_U32(24)
243 #define SIG_FLAG_SRC_IS_TARGET BIT_U32(25)
245 #define SIG_FLAG_DEST_IS_TARGET BIT_U32(26)
/* Mask covering both target bits: non-zero after AND when either side is a target. */
247 #define SIG_FLAG_HAS_TARGET (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET)
/* SIG_FLAG_INIT_* flags, bits 0-10. These reuse the same bit positions as the
 * SIG_FLAG_* set (for example SIG_FLAG_INIT_DEONLY and SIG_FLAG_SRC_ANY are
 * both BIT_U32(0)), so the two sets are only meaningful in separate flag words;
 * testing one set against the other's field silently reads the wrong flag.
 * NOTE(review): presumably stored in SignatureInitData; confirm the field. */
250 #define SIG_FLAG_INIT_DEONLY BIT_U32(0)
251 #define SIG_FLAG_INIT_PACKET BIT_U32(1)
252 #define SIG_FLAG_INIT_FLOW BIT_U32(2)
253 #define SIG_FLAG_INIT_BIDIREC BIT_U32(3)
254 #define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN BIT_U32(4)
255 #define SIG_FLAG_INIT_HAS_TRANSFORM BIT_U32(5)
256 #define SIG_FLAG_INIT_STATE_MATCH BIT_U32(6)
257 #define SIG_FLAG_INIT_NEED_FLUSH BIT_U32(7)
/* The spelling "EXPLICT" is part of the identifier as defined here. */
258 #define SIG_FLAG_INIT_PRIO_EXPLICT BIT_U32(8)
259 #define SIG_FLAG_INIT_FILEDATA BIT_U32(9)
260 #define SIG_FLAG_INIT_JA3 BIT_U32(10)
/* Signature mask bits, built with BIT_U8() (defined outside this listing).
 * Bits 0-5 and 7 are defined here; bit 6 has no definition in this listing. */
264 #define SIG_MASK_REQUIRE_PAYLOAD BIT_U8(0)
265 #define SIG_MASK_REQUIRE_FLOW BIT_U8(1)
266 #define SIG_MASK_REQUIRE_FLAGS_INITDEINIT BIT_U8(2)
267 #define SIG_MASK_REQUIRE_FLAGS_UNUSUAL BIT_U8(3)
268 #define SIG_MASK_REQUIRE_NO_PAYLOAD BIT_U8(4)
269 #define SIG_MASK_REQUIRE_DCERPC BIT_U8(5)
271 #define SIG_MASK_REQUIRE_ENGINE_EVENT BIT_U8(7)
/* SignatureMask is a macro alias for uint8_t, not a typedef, so the mask holds
 * at most eight flags; adding a ninth would require widening this type first. */
274 #define SignatureMask uint8_t
/* Thread-context flags: values 0x0001 and 0x0004; 0x0002 is not defined in this listing. */
276 #define DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET 0x0001
277 #define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH 0x0004
/* FILE_SIG_NEED_* flags: eight single-bit values, 0x01 through 0x80, which
 * together fill one byte. NOTE(review): if the field holding them is 8 bits
 * wide there is no room for another flag; confirm the field type before adding one. */
279 #define FILE_SIG_NEED_FILE 0x01
280 #define FILE_SIG_NEED_FILENAME 0x02
281 #define FILE_SIG_NEED_MAGIC 0x04
282 #define FILE_SIG_NEED_FILECONTENT 0x08
283 #define FILE_SIG_NEED_MD5 0x10
284 #define FILE_SIG_NEED_SHA1 0x20
285 #define FILE_SIG_NEED_SHA256 0x40
286 #define FILE_SIG_NEED_SIZE 0x80
/* NOTE(review): presumably a detection-engine flag that reduces output; confirm. */
289 #define DE_QUIET 0x01
345 #ifdef DEBUG_VALIDATION
383 Flow *f,
const uint8_t flow_flags,
384 void *txv,
const int list_id);
390 uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id);
437 Packet *p, uint8_t *alert_flags);
/* Object-like macros that rewrite the bare identifiers sm_lists and
 * sm_lists_tail into member accesses through init_data, so `s->sm_lists`
 * expands to `s->init_data->smlists`. They apply to every use of these
 * identifiers in any file that includes this header, including unrelated
 * locals or members with the same name.
 * NOTE(review): the expansion dereferences init_data; confirm it is non-NULL
 * at every use site. */
487 #define sm_lists init_data->smlists
488 #define sm_lists_tail init_data->smlists_tail
/* Two distinct type codes (1 and 2); these are plain values, not bit flags. */
685 #define DETECT_VAR_TYPE_FLOW_POSTMATCH 1
686 #define DETECT_VAR_TYPE_PKT_POSTMATCH 2
758 void *(*InitFunc)(
void *);
/* Array dimension: the symbol index on this page lists `flow_gh[FLOW_STATES]`. */
784 #define FLOW_STATES 2
/* First id after ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO (an enumerator listed in
 * this page's symbol index); parenthesised so it is safe inside larger expressions. */
998 #define ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE (ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO + 1)
/* Array dimension: the symbol index on this page lists
 * `filestore[DETECT_FILESTORE_MAX]` inside DetectEngineThreadCtx_.
 * NOTE(review): code that appends to that array must check its count against
 * this limit before writing; confirm at the writers. */
1001 #define DETECT_FILESTORE_MAX 15
1177 uint64_t pkt_stream_add_cnt;
1178 uint64_t payload_mpm_cnt;
1179 uint64_t payload_mpm_size;
1180 uint64_t stream_mpm_cnt;
1181 uint64_t stream_mpm_size;
1182 uint64_t payload_persig_cnt;
1183 uint64_t payload_persig_size;
1184 uint64_t stream_persig_cnt;
1185 uint64_t stream_persig_size;
1212 uint8_t
flags,
void *alstate,
void *txv,
/* Signature-group-head flags: bit 0 and bits 20-24 are defined here;
 * bits 1-19 have no definition in this listing.
 * NOTE(review): the HAVEFILE* names suggest the group contains rules needing
 * file magic, size or hash data; confirm where these are set. */
1269 #define SIG_GROUP_HEAD_HAVERAWSTREAM BIT_U32(0)
1271 #define SIG_GROUP_HEAD_HAVEFILEMAGIC BIT_U32(20)
1273 #define SIG_GROUP_HEAD_HAVEFILEMD5 BIT_U32(21)
1274 #define SIG_GROUP_HEAD_HAVEFILESIZE BIT_U32(22)
1275 #define SIG_GROUP_HEAD_HAVEFILESHA1 BIT_U32(23)
1276 #define SIG_GROUP_HEAD_HAVEFILESHA256 BIT_U32(24)
1303 const struct Frames *frames,
const struct Frame *frame);
/* SIGMATCH_* flags: bits 0-11 of a 16-bit word, built with BIT_U16()
 * (defined outside this listing); four bit positions (12-15) remain.
 * NOTE(review): names suggest these describe how a keyword's option string is
 * parsed (whether an option is present, quoting, negation, strict parsing);
 * presumably held in the sigmatch table element; confirm the field. */
1425 #define SIGMATCH_NOOPT BIT_U16(0)
1427 #define SIGMATCH_IPONLY_COMPAT BIT_U16(1)
1429 #define SIGMATCH_DEONLY_COMPAT BIT_U16(2)
1431 #define SIGMATCH_NOT_BUILT BIT_U16(3)
1434 #define SIGMATCH_OPTIONAL_OPT BIT_U16(4)
/* QUOTES_OPTIONAL and QUOTES_MANDATORY are separate bits, so nothing in these
 * definitions stops both being set; NOTE(review): confirm the parser's precedence. */
1437 #define SIGMATCH_QUOTES_OPTIONAL BIT_U16(5)
1441 #define SIGMATCH_QUOTES_MANDATORY BIT_U16(6)
1445 #define SIGMATCH_HANDLE_NEGATION BIT_U16(7)
1447 #define SIGMATCH_INFO_CONTENT_MODIFIER BIT_U16(8)
1449 #define SIGMATCH_INFO_STICKY_BUFFER BIT_U16(9)
1451 #define SIGMATCH_INFO_DEPRECATED BIT_U16(10)
1453 #define SIGMATCH_STRICT_PARSING BIT_U16(11)
1544 uint8_t alert_flags);
HashListTable * sgh_hash_table
uint32_t pkt_mpms_list_cnt
uint32_t frame_mpms_list_cnt
struct SCFPSupportSMList_ SCFPSupportSMList
uint32_t non_pf_syn_store_cnt
SignatureNonPrefilterStore * non_pf_store_ptr
IPOnlyCIDRItem * cidr_src
const SigGroupHead * SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx, const Packet *p)
Get the SigGroupHead for a packet.
struct SCProfileKeywordData_ ** keyword_perf_data_per_list
PrefilterEngine * tx_engines
void AlertQueueInit(DetectEngineThreadCtx *det_ctx)
SigMatch * SigMatchAlloc(void)
@ FILE_DECODER_EVENT_NO_MEM
@ FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR
uint16_t alert_queue_size
void SigMatchFree(DetectEngineCtx *, SigMatch *sm)
free a SigMatch
HashTable * class_conf_ht
void(* Prefilter)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
struct SCProfileKeywordData_ * keyword_perf_data
DetectMatchAddressIPv6 * addr_src_match6
SC_ATOMIC_DECLARE(int, so_far_used_by_detect)
struct DetectEngineThreadKeywordCtxItem_ DetectEngineThreadKeywordCtxItem
int32_t sgh_mpm_context_proto_tcp_packet
void(* Free)(DetectEngineCtx *, void *)
struct IPOnlyCIDRItem_ IPOnlyCIDRItem
struct SigGroupHead_ * decoder_event_sgh
DetectEngineLookupFlow flow_gh[FLOW_STATES]
@ FILE_DECODER_EVENT_Z_UNKNOWN_ERROR
struct SCFPSupportSMList_ * next
uint16_t counter_match_list
struct SigString_ SigString
DetectEngineTenantMapping * tenant_mapping_list
const struct DetectFilestoreData_ * filestore_ctx
struct DetectEngineAppInspectionEngine_ * next
int DetectEngineGetEventInfo(const char *event_name, int *event_id, AppLayerEventType *event_type)
int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
Test if an initialized signature is IP only.
struct DetectEngineCtx_ DetectEngineCtx
main detection engine ctx
enum DetectEngineType type
Container for matching data for a signature group.
HashListTable * pattern_hash_table
struct SCProfileSghData_ * sgh_perf_data
SCMutex threshold_table_lock
@ FILE_DECODER_EVENT_INVALID_SWF_VERSION
address structure for use in the detection engine.
uint16_t max_uniq_toclient_groups
InspectionBufferMultipleForList * buffers
structure for storing potential rule matches
bool src_contains_negation
uint32_t non_pf_store_cnt_max
struct HtpBodyChunk_ * next
struct DetectPort_ * port
@ DETECT_SM_LIST_DYNAMIC_START
DetectEngineTransforms transforms
void SigMatchSignaturesBuildMatchArray(DetectEngineThreadCtx *, Packet *, SignatureMask, uint16_t)
AppLayerDecoderEvents * decoder_events
int SigLoadSignatures(DetectEngineCtx *, char *, int)
Load signatures.
InspectionBufferGetDataPtr GetData
@ DETECT_BUFFER_MPM_TYPE_FRAME
int(* FileMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, File *, const Signature *, const SigMatchCtx *)
@ DETECT_SM_LIST_THRESHOLD
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE
enum AppLayerEventType_ AppLayerEventType
InspectionBuffer *(* InspectionBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)
MpmStore mpm_store[MPMB_MAX]
DetectBufferMpmRegistery * frame_mpms_list
Structure for the radix tree.
Signature * SigFindSignatureBySidGid(DetectEngineCtx *, uint32_t, uint32_t)
Find a specific signature by sid and gid.
SCRadixTree * tree_ipv6dst
struct DetectBufferMpmRegistery_::@87::@89 app_v2
int inspection_recursion_limit
const DetectEngineTransforms * transforms
main detection engine ctx
enum DetectBufferMpmType type
struct DetectPatternTracker DetectPatternTracker
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
void ** global_keyword_ctxs_array
void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx)
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
InspectionBuffer *(* InspectionBufferGetPktDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)
TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
Detection engine thread wrapper.
SCRadixTree * tree_ipv4src
struct DetectEngineTenantMapping_ * next
struct SCProfileSghDetectCtx_ * profile_sgh_ctx
struct DetectPort_ * next
const struct DetectContentData_ * cd
one time registration of keywords at start up
SpmThreadCtx * spm_thread_ctx
struct DetectAddressHead_ DetectAddressHead
HashListTable * dport_hash_table
void(* Prefilter)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
PrefilterEngine * payload_engines
MpmCtxFactoryContainer * mpm_ctx_factory_container
enum DetectEnginePrefilterSetting prefilter_setting
struct DetectEngineCtx_::@92 filedata_config[ALPROTO_MAX]
struct SigGroupHead_ * sh
void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e)
TAILQ_HEAD(, SigString_) failed_sigs
InspectionBufferGetDataPtr GetData
InspectionBufferGetPktDataPtr GetData
void(* Free)(void *pectx)
void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size)
element in sigmatch type table.
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
int32_t sgh_mpm_context_proto_udp_packet
struct DetectPort_ DetectPort
Port structure for detection engine.
HashTable * reference_conf_ht
uint32_t content_inspect_window
uint16_t counter_fnonmpm_list
@ FILE_DECODER_EVENT_LZMA_XZ_ERROR
struct DetectEngineAppInspectionEngine_::@84 v2
#define DETECT_TRANSFORMS_MAX
uint16_t counter_nonmpm_list
Data structure to store app layer decoder events.
struct SigGroupHead_ SigGroupHead
Container for matching data for a signature group.
struct DetectMatchAddressIPv6_ DetectMatchAddressIPv6
int DetectUnregisterThreadCtxFuncs(DetectEngineCtx *, void *data, const char *name)
Remove Thread keyword context registration.
DetectEngineFrameInspectionEngine * frame_inspect
struct DetectBufferMpmRegistery_::@87::@91 frame_v1
const DetectEngineTransforms * transforms
@ FILE_DECODER_EVENT_Z_BUF_ERROR
DetectBufferMpmRegistery * app_mpms_list
void SigRegisterTests(void)
void * DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *, int)
Retrieve thread local keyword ctx by id.
@ FILE_DECODER_EVENT_INVALID_SWF_LENGTH
InspectionBufferFrameInspectFunc Callback
DetectPort * udp_whitelist
HashTable * mt_det_ctxs_hash
struct DetectAddress_ * prev
bool is_last_for_progress
void TmModuleDetectRegister(void)
struct PrefilterEngineList_ * next
uint16_t counter_alerts_suppressed
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
int32_t sgh_mpm_context_proto_other_packet
struct DetectVarList_ DetectVarList
@ TENANT_SELECTOR_UNKNOWN
struct SigMatch_ ** smlists_tail
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO
@ DETECT_SM_LIST_POSTMATCH
struct DetectEngineTenantMapping_ DetectEngineTenantMapping
HashListTable * prefilter_hash_table
struct DetectReplaceList_ DetectReplaceList
bool sm_types_silent_error[DETECT_TBLSIZE]
TAILQ_ENTRY(SigString_) next
DetectEngineTenantSelectors
int(* InspectionBufferPktInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags)
struct DetectBufferType_ DetectBufferType
RuleMatchCandidateTx * tx_candidates
struct InspectionBuffer InspectionBuffer
struct DetectEngineMasterCtx_ DetectEngineMasterCtx
DetectMatchAddressIPv4 * addr_src_match4
bool(* TransformValidate)(const uint8_t *content, uint16_t content_len, void *context)
uint16_t counter_alerts_overflow
#define DETECT_FILESTORE_MAX
struct SignatureInitData_ SignatureInitData
struct DetectEngineThreadCtx_::@99 filestore[DETECT_FILESTORE_MAX]
PrefilterEngineList * tx_engines
SRepCIDRTree * srepCIDR_ctx
int(* PrefilterRegisterWithListId)(struct DetectEngineCtx_ *de_ctx, struct SigGroupHead_ *sgh, MpmCtx *mpm_ctx, const struct DetectBufferMpmRegistery_ *mpm_reg, int list_id)
const DetectAddressHead * src
uint32_t tx_candidates_size
@ DETECT_SM_LIST_BASE64_DATA
InspectionBuffer * buffers
void SigAddressPrepareBidirectionals(DetectEngineCtx *)
DetectEngineThreadKeywordCtxItem * keyword_list
PrefilterFrameFn PrefilterFrame
uint8_t * sig_match_array
enum DetectEngineTenantSelectors tenant_selector
HashListTable * keyword_hash
struct timeval last_reload
DetectEnginePktInspectionEngine * pkt_inspect
struct DetectReplaceList_ * next
struct SigGroupHead_ * sgh[256]
DetectReference * references
PrefilterTxFn PrefilterTx
Per thread variable structure.
Signature wrapper used by signature ordering module while ordering signatures.
struct SigTableElmt_ SigTableElmt
element in sigmatch type table.
struct SigMatch_ SigMatch
a single match condition for a signature
DetectEngineFrameInspectionEngine * frame_inspect_engines
struct PrefilterEngineList_ PrefilterEngineList
DetectEngineCtx * free_list
struct DetectEngineThreadKeywordCtxItem_ * next
void(* PrefilterFrameFn)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, const struct Frames *frames, const struct Frame *frame)
Port structure for detection engine.
SigGroupHeadInitData * init
DetectEngineAppInspectionEngine * app_inspect
Signature reference list.
bool(* ValidateCallback)(const struct Signature_ *, const char **sigerror)
void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t alert_flags)
Append signature to local packet alert queue for later preprocessing.
char * DetectLoadCompleteSigPath(const DetectEngineCtx *, const char *sig_file)
Create the path if default-rule-path was specified.
struct DetectVarList_ * next
uint64_t raw_stream_progress
struct SCProfileDetectCtx_ * profile_ctx
@ FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR
DetectThresholdEntry ** th_entry
struct DetectEngineFrameInspectionEngine::@86 v1
struct IPOnlyCIDRItem_ * next
int32_t sgh_mpm_context_stream
struct SignatureNonPrefilterStore_ SignatureNonPrefilterStore
int(* InspectionBufferFrameInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame)
InspectEngineFuncPtr2 Callback
struct TransformData_ TransformData
Structure holding the signature ordering function used by the signature ordering module.
struct PrefilterEngine_ PrefilterEngine
int DetectRegisterThreadCtxFuncs(DetectEngineCtx *, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int)
Register Thread keyword context Funcs.
union PrefilterEngine_::@101 cb
struct SigFileLoaderStat_ SigFileLoaderStat
Signature loader statistics.
uint16_t max_uniq_toserver_groups
@ DETECT_BUFFER_MPM_TYPE_PKT
InspectionBufferPktInspectFunc Callback
PrefilterFrameFn PrefilterFrame
SignatureInitData * init_data
struct SCProfileKeywordDetectCtx_ * profile_keyword_ctx
uint16_t alert_queue_capacity
struct SigGroupHead_ ** sgh_array
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
struct MpmStore_ MpmStore
struct SigMatch_ ** smlists
void(* PrefilterTxFn)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t tx_id, const AppLayerTxData *tx_data, const uint8_t flags)
int32_t byte_extract_max_local_id
bool dst_contains_negation
uint16_t addr_dst_match6_cnt
struct SCProfileData_ * rule_perf_data
struct DetectEngineThreadCtx_ DetectEngineThreadCtx
PrefilterEngine * frame_engines
struct DetectEngineTransforms DetectEngineTransforms
@ DETECT_ENGINE_TYPE_TENANT
HashListTable * dup_sig_hash_table
uint8_t(* InspectEngineFuncPtr2)(struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
uint16_t discontinue_matching
PrefilterEngineList * pkt_engines
Signature * DetectGetTagSignature(void)
InspectionBufferGetPktDataPtr GetData
@ DETECT_ENGINE_TYPE_NORMAL
DetectAddress * ipv6_head
void DetectMetadataHashFree(DetectEngineCtx *de_ctx)
@ FILE_DECODER_EVENT_LZMA_IO_ERROR
struct AppLayerTxData AppLayerTxData
struct DetectEngineIPOnlyCtx_ DetectEngineIPOnlyCtx
IP only rules matching ctx.
SigFileLoaderStat sig_stat
HashListTable * address_table
uint32_t * to_clear_queue
struct SCProfilePrefilterDetectCtx_ * profile_prefilter_ctx
struct InspectionBufferMultipleForList InspectionBufferMultipleForList
struct SigMatchCtx_ SigMatchCtx
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
SignatureNonPrefilterStore * non_pf_other_store_array
struct DetectEnginePktInspectionEngine::@85 v1
uint64_t prefilter_bytes_called
PrefilterEngineList * frame_engines
@ DETECT_BUFFER_MPM_TYPE_APP
PrefilterEngineList * payload_engines
@ FILE_DECODER_EVENT_Z_DATA_ERROR
HashListTable * buffer_type_hash_name
struct DetectEngineCtx_ * next
uint32_t non_pf_other_store_cnt
@ DETECT_ENGINE_TYPE_DD_STUB
struct DetectEngineFrameInspectionEngine * next
void(* Transform)(InspectionBuffer *, void *context)
int inspection_recursion_counter
struct SCProfilePrefilterData_ * prefilter_perf_data
DetectEnginePrefilterSetting
struct DetectPort_ * prev
struct DetectEnginePktInspectionEngine * next
SCRadixTree * tree_ipv4dst
uint64_t frame_inspect_progress
uint32_t profile_match_logging_threshold
struct SCProfileKeywordDetectCtx_ ** profile_keyword_ctx_per_list
struct RuleMatchCandidateTx RuleMatchCandidateTx
DetectPort * tcp_whitelist
DetectEnginePktInspectionEngine * pkt_inspect_engines
SigIntId * non_pf_id_array
struct SigGroupHeadInitData_ SigGroupHeadInitData
struct DetectAddress_ DetectAddress
address structure for use in the detection engine.
uint32_t app_mpms_list_cnt
uint16_t addr_src_match6_cnt
DetectEngineAppInspectionEngine * app_inspect_engines
const DetectAddressHead * dst
PacketAlert * alert_queue
uint32_t pcre_match_start_offset
int global_keyword_ctxs_size
bool sm_types_prefilter[DETECT_TBLSIZE]
HashListTable * mpm_hash_table
void DumpPatterns(DetectEngineCtx *de_ctx)
DetectMetadataHead * metadata
uint32_t non_pf_store_cnt
void ** keyword_ctxs_array
IPOnlyCIDRItem * cidr_dst
bool(* SupportsPrefilter)(const Signature *s)
AppLayerDecoderEvents * DetectEngineGetEvents(DetectEngineThreadCtx *det_ctx)
DetectMatchAddressIPv6 * addr_dst_match6
int base64_decoded_len_max
struct DetectEngineLookupFlow_ DetectEngineLookupFlow
void DisableDetectFlowFileFlags(Flow *f)
Disable file features we don't need. Called if we have no detection engine.
DetectEngineTransforms transforms
a single match condition for a signature
const DetectEngineTransforms * transforms
struct DetectAddress_ * next
struct DetectBufferMpmRegistery_::@87::@90 pkt_v1
@ FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR
void AlertQueueFree(DetectEngineThreadCtx *det_ctx)
struct DetectEnginePktInspectionEngine DetectEnginePktInspectionEngine
bool filedata_config_initialized
DetectBufferMpmRegistery * pkt_mpms_list
union PrefilterEngine_::@100 ctx
uint32_t content_inspect_min_size
SignatureNonPrefilterStore * non_pf_syn_store_array
@ DETECT_BUFFER_MPM_TYPE_SIZE
@ DETECT_ENGINE_TYPE_MT_STUB
struct Signature_ Signature
Signature container.
IP only rules matching ctx.
void(* SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *)
int DetectMetadataHashInit(DetectEngineCtx *de_ctx)
struct DetectEngineIPOnlyThreadCtx_ DetectEngineIPOnlyThreadCtx
SpmGlobalThreadCtx * spm_global_thread_ctx
int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
PrefilterEngine * pkt_engines
DetectReplaceList * replist
DetectEngineTransforms transforms
DetectEngineIPOnlyCtx io_ctx
struct DetectEngineThreadCtx_::@98 multi_inspect
PrefilterTxFn PrefilterTx
struct DetectMatchAddressIPv4_ DetectMatchAddressIPv4
struct DetectBufferMpmRegistery_ DetectBufferMpmRegistery
one time registration of keywords at start up
DetectMatchAddressIPv4 * addr_dst_match4
struct DetectEngineThreadCtx_::@97 inspect
struct DetectContentData_ * cd
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
uint16_t addr_src_match4_cnt
struct DetectEngineAppInspectionEngine_ DetectEngineAppInspectionEngine
@ DETECT_EVENT_TOO_MANY_BUFFERS
@ TENANT_SELECTOR_LIVEDEV
uint16_t addr_dst_match4_cnt
@ FILE_DECODER_EVENT_Z_STREAM_ERROR
HashTable * metadata_table
SCRadixTree * tree_ipv6src
Signature loader statistics.
HashListTable * buffer_type_hash_id
uint32_t base64_decode_max_len
struct ThresholdCtx_ ThresholdCtx
threshold ctx
@ DETECT_SM_LIST_SUPPRESS
SCFPSupportSMList * fp_support_smlist_list
InspectionBuffer * inspection_buffers
DetectAddress * ipv4_head
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL
uint16_t counter_mpm_list
struct DetectEngineFrameInspectionEngine DetectEngineFrameInspectionEngine
struct SigMatchData_ SigMatchData
Data needed for Match()
enum MpmBuiltinBuffers buffer
uint32_t tenant_array_size
struct DetectEngineTenantMapping_ * tenant_array
struct SCSigOrderFunc_ * sc_sig_order_funcs
void(* RegisterTests)(void)
@ FILE_DECODER_EVENT_LZMA_DECODER_ERROR
DetectEngineIPOnlyThreadCtx io_ctx
struct DetectEngineThreadCtx_ ** mt_det_ctxs
struct DetectBufferMpmRegistery_ * next
uint32_t smlists_array_size
uint32_t(* TenantGetId)(const void *, const Packet *p)