suricata
detect.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2023 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #ifndef SURICATA_DETECT_H
25 #define SURICATA_DETECT_H
26 
27 #include "suricata-common.h"
28 #include "flow.h"
29 
30 #include "detect-engine-proto.h"
31 #include "detect-reference.h"
32 #include "detect-metadata.h"
33 #include "detect-engine-register.h"
34 
35 #include "util-prefilter.h"
36 #include "util-mpm.h"
37 #include "util-spm.h"
38 #include "util-hash.h"
39 #include "util-hashlist.h"
40 #include "util-radix-tree.h"
41 #include "util-file.h"
42 #include "reputation.h"
43 
44 #define DETECT_MAX_RULE_SIZE 8192
45 
46 #define DETECT_TRANSFORMS_MAX 16
47 
48 /** default rule priority if not set through priority keyword or via
49  * classtype. */
50 #define DETECT_DEFAULT_PRIO 3
51 
52 // tx_id value to use when there is no transaction
53 #define PACKET_ALERT_NOTX UINT64_MAX
54 
55 /* forward declarations for the structures from detect-engine-sigorder.h */
56 struct SCSigOrderFunc_;
58 
59 /* Forward declarations for structures from Rust. */
61 
64  SIG_TYPE_IPONLY, // rule is handled by IPONLY engine
65  SIG_TYPE_LIKE_IPONLY, // rule is handled by pkt engine, has action effect like ip-only
66  /** Proto detect only signature.
67  * Inspected once per direction when protocol detection is done. */
68  SIG_TYPE_PDONLY, // rule is handled by PDONLY engine
73 
74  SIG_TYPE_APPLAYER, // app-layer but not tx, e.g. appproto
75  SIG_TYPE_APP_TX, // rule is handled by TX engine
76 
78 };
79 
84 };
85 
88 };
89 
91 
92 /*
93  The detection engine groups similar signatures/rules together. Internally a
94  tree of different types of data is created on initialization. This is it's
95  global layout:
96 
97  For TCP/UDP
98 
99  - Flow direction
100  -- Protocol
101  -=- Dst port
102 
103  For the other protocols
104 
105  - Flow direction
106  -- Protocol
107 */
108 
109 /* holds the values for different possible lists in struct Signature.
110  * These codes are access points to particular lists in the array
111  * Signature->init_data->smlists[DETECT_SM_LIST_MAX]. */
113  /* list for non-payload per packet matches, e.g. ttl, flow keyword */
115  /* list for payload and stream match */
117 
118  /* base64_data keyword uses some hardcoded logic so consider
119  * built-in
120  * TODO convert to inspect engine */
122 
123  /* list for post match actions: flowbit set, flowint increment, etc */
125 
126  DETECT_SM_LIST_TMATCH, /**< post-detection tagging */
127 
128  /* lists for alert thresholding and suppression */
131 
133 
134  /* start of dynamically registered lists */
136 };
137 
138 /* used for Signature->list, which indicates which list
139  * we're adding keywords to in cases of sticky buffers like
140  * file_data */
141 #define DETECT_SM_LIST_NOTSET INT_MAX
142 
143 /*
144  * DETECT ADDRESS
145  */
146 
147 /* a is ... than b */
148 enum {
149  ADDRESS_ER = -1, /**< error e.g. compare ipv4 and ipv6 */
150  ADDRESS_LT, /**< smaller [aaa] [bbb] */
151  ADDRESS_LE, /**< smaller with overlap [aa[bab]bb] */
152  ADDRESS_EQ, /**< exactly equal [abababab] */
153  ADDRESS_ES, /**< within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]] */
154  ADDRESS_EB, /**< completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]] */
155  ADDRESS_GE, /**< bigger with overlap [bb[aba]aa] */
156  ADDRESS_GT, /**< bigger [bbb] [aaa] */
157 };
158 
159 #define ADDRESS_FLAG_NOT 0x01 /**< address is negated */
160 
161 /** \brief address structure for use in the detection engine.
162  *
163  * Contains the address information and matching information.
164  */
165 typedef struct DetectAddress_ {
166  /** address data for this group */
169 
170  /** flags affecting this address */
171  uint8_t flags;
172 
173  /** ptr to the previous address in the list */
175  /** ptr to the next address in the list */
178 
179 /** Address grouping head. IPv4 and IPv6 are split out */
180 typedef struct DetectAddressHead_ {
184 
185 
186 typedef struct DetectMatchAddressIPv4_ {
187  uint32_t ip; /**< address in host order, start of range */
188  uint32_t ip2; /**< address in host order, end of range */
190 
191 typedef struct DetectMatchAddressIPv6_ {
192  uint32_t ip[4];
193  uint32_t ip2[4];
195 
196 /*
197  * DETECT PORT
198  */
199 
200 /* a is ... than b */
201 enum {
202  PORT_ER = -1, /* error */
203  PORT_LT, /* smaller [aaa] [bbb] */
204  PORT_LE, /* smaller with overlap [aa[bab]bb] */
205  PORT_EQ, /* exactly equal [abababab] */
206  PORT_ES, /* within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]] */
207  PORT_EB, /* completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]] */
208  PORT_GE, /* bigger with overlap [bb[aba]aa] */
209  PORT_GT, /* bigger [bbb] [aaa] */
210 };
211 
212 #define PORT_FLAG_ANY 0x01 /**< 'any' special port */
213 #define PORT_FLAG_NOT 0x02 /**< negated port */
214 #define PORT_SIGGROUPHEAD_COPY 0x04 /**< sgh is a ptr copy */
215 
216 /** \brief Port structure for detection engine */
217 typedef struct DetectPort_ {
218  uint16_t port;
219  uint16_t port2;
220 
221  uint8_t flags; /**< flags for this port */
222 
223  /* signatures that belong in this group
224  *
225  * If the PORT_SIGGROUPHEAD_COPY flag is set, we don't own this pointer
226  * (memory is freed elsewhere).
227  */
228  struct SigGroupHead_ *sh;
229 
230  struct DetectPort_ *prev;
231  struct DetectPort_ *next;
232  struct DetectPort_ *last; /* Pointer to the last node in the list */
234 
235 /* Signature flags */
236 /** \note: additions should be added to the rule analyzer as well */
237 
238 #define SIG_FLAG_SRC_ANY BIT_U32(0) /**< source is any */
239 #define SIG_FLAG_DST_ANY BIT_U32(1) /**< destination is any */
240 #define SIG_FLAG_SP_ANY BIT_U32(2) /**< source port is any */
241 #define SIG_FLAG_DP_ANY BIT_U32(3) /**< destination port is any */
242 
243 #define SIG_FLAG_NOALERT BIT_U32(4) /**< no alert flag is set */
244 #define SIG_FLAG_DSIZE BIT_U32(5) /**< signature has a dsize setting */
245 #define SIG_FLAG_APPLAYER BIT_U32(6) /**< signature applies to app layer instead of packets */
246 
247 // vacancy
248 
249 #define SIG_FLAG_REQUIRE_PACKET BIT_U32(9) /**< signature is requiring packet match */
250 #define SIG_FLAG_REQUIRE_STREAM BIT_U32(10) /**< signature is requiring stream match */
251 
252 #define SIG_FLAG_MPM_NEG BIT_U32(11)
253 
254 #define SIG_FLAG_FLUSH BIT_U32(12) /**< detection logic needs stream flush notification */
255 
256 #define SIG_FLAG_REQUIRE_STREAM_ONLY \
257  BIT_U32(13) /**< signature is requiring stream match. Stream match is not optional, so no \
258  fallback to packet payload. */
259 
260 // vacancies
261 
262 #define SIG_FLAG_REQUIRE_FLOWVAR BIT_U32(17) /**< signature can only match if a flowbit, flowvar or flowint is available. */
263 
264 #define SIG_FLAG_FILESTORE BIT_U32(18) /**< signature has filestore keyword */
265 
266 #define SIG_FLAG_TOSERVER BIT_U32(19)
267 #define SIG_FLAG_TOCLIENT BIT_U32(20)
268 
269 #define SIG_FLAG_TLSSTORE BIT_U32(21)
270 
271 #define SIG_FLAG_BYPASS BIT_U32(22)
272 
273 #define SIG_FLAG_PREFILTER BIT_U32(23) /**< sig is part of a prefilter engine */
274 
275 // vacancy
276 
277 /** Info for Source and Target identification */
278 #define SIG_FLAG_SRC_IS_TARGET BIT_U32(25)
279 /** Info for Source and Target identification */
280 #define SIG_FLAG_DEST_IS_TARGET BIT_U32(26)
281 
282 #define SIG_FLAG_HAS_TARGET (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET)
283 
284 /* signature init flags */
285 // available 0
286 #define SIG_FLAG_INIT_PACKET BIT_U32(1) /**< signature has matches against a packet (as opposed to app layer) */
287 #define SIG_FLAG_INIT_FLOW BIT_U32(2) /**< signature has a flow setting */
288 #define SIG_FLAG_INIT_BIDIREC BIT_U32(3) /**< signature has bidirectional operator */
289 #define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN \
290  BIT_U32(4) /** < signature has seen the first ip_proto keyword */
291 #define SIG_FLAG_INIT_STATE_MATCH BIT_U32(6) /**< signature has matches that require stateful inspection */
292 #define SIG_FLAG_INIT_NEED_FLUSH BIT_U32(7)
293 #define SIG_FLAG_INIT_PRIO_EXPLICIT \
294  BIT_U32(8) /**< priority is explicitly set by the priority keyword */
295 #define SIG_FLAG_INIT_FILEDATA BIT_U32(9) /**< signature has filedata keyword */
296 #define SIG_FLAG_INIT_JA BIT_U32(10) /**< signature has ja3/ja4 keyword */
297 
298 /* signature mask flags */
299 /** \note: additions should be added to the rule analyzer as well */
300 #define SIG_MASK_REQUIRE_PAYLOAD BIT_U8(0)
301 #define SIG_MASK_REQUIRE_FLOW BIT_U8(1)
302 #define SIG_MASK_REQUIRE_FLAGS_INITDEINIT BIT_U8(2) /* SYN, FIN, RST */
303 #define SIG_MASK_REQUIRE_FLAGS_UNUSUAL BIT_U8(3) /* URG, ECN, CWR */
304 #define SIG_MASK_REQUIRE_NO_PAYLOAD BIT_U8(4)
305 // vacancy 2x
306 #define SIG_MASK_REQUIRE_ENGINE_EVENT BIT_U8(7)
307 
308 /* for now a uint8_t is enough */
309 #define SignatureMask uint8_t
310 
311 #define DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET 0x0001
312 #define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH 0x0004
313 
314 #define FILE_SIG_NEED_FILE 0x01
315 #define FILE_SIG_NEED_FILENAME 0x02
316 #define FILE_SIG_NEED_MAGIC 0x04 /**< need the start of the file */
317 #define FILE_SIG_NEED_FILECONTENT 0x08
318 #define FILE_SIG_NEED_MD5 0x10
319 #define FILE_SIG_NEED_SHA1 0x20
320 #define FILE_SIG_NEED_SHA256 0x40
321 #define FILE_SIG_NEED_SIZE 0x80
322 
323 /* Detection Engine flags */
324 #define DE_QUIET 0x01 /**< DE is quiet (esp for unittests) */
325 
326 typedef struct IPOnlyCIDRItem_ {
327  /* address data for this item */
328  uint8_t family;
329  /* netmask in CIDR values (ex. /16 /18 /24..) */
330  uint8_t netmask;
331  /* If this host or net is negated for the signum */
332  uint8_t negated;
333 
334  uint32_t ip[4];
335  SigIntId signum; /**< our internal id */
336 
337  /* linked list, the header should be the biggest network */
339 
341 
342 /** \brief Used to start a pointer to SigMatch context
343  * Should never be dereferenced without casting to something else.
344  */
345 typedef struct SigMatchCtx_ {
346  int foo;
348 
349 /** \brief a single match condition for a signature */
350 typedef struct SigMatch_ {
351  uint16_t type; /**< match type */
352  uint16_t idx; /**< position in the signature */
353  SigMatchCtx *ctx; /**< plugin specific data */
354  struct SigMatch_ *next;
355  struct SigMatch_ *prev;
357 
358 /** \brief Data needed for Match() */
359 typedef struct SigMatchData_ {
360  uint16_t type; /**< match type */
361  bool is_last; /**< Last element of the list */
362  SigMatchCtx *ctx; /**< plugin specific data */
364 
365 struct DetectEngineThreadCtx_;// DetectEngineThreadCtx;
366 
367 /* inspection buffer is a simple structure that is passed between prefilter,
368  * transformation functions and inspection functions.
369  * Initially setup with 'orig' ptr and len, transformations can then take
370  * then and fill the 'buf'. Multiple transformations can update the buffer,
371  * both growing and shrinking it.
372  * Prefilter and inspection will only deal with 'inspect'. */
373 
374 typedef struct InspectionBuffer {
375  const uint8_t *inspect; /**< active pointer, points either to ::buf or ::orig */
376  uint64_t inspect_offset;
377  uint32_t inspect_len; /**< size of active data. See to ::len or ::orig_len */
378  bool initialized; /**< is initialized. ::inspect might be NULL if transform lead to 0 size */
379  uint8_t flags; /**< DETECT_CI_FLAGS_* for use with DetectEngineContentInspection */
380 #ifdef DEBUG_VALIDATION
381  bool multi;
382 #endif
383  uint32_t len; /**< how much is in use */
384  uint8_t *buf;
385  uint32_t size; /**< size of the memory allocation */
386 
387  uint32_t orig_len;
388  const uint8_t *orig;
390 
391 /* inspection buffers are kept per tx (in det_ctx), but some protocols
392  * need a bit more. A single TX might have multiple buffers, e.g. files in
393  * SMTP or DNS queries. Since all prefilters+transforms run before the
394  * individual rules need the same buffers, we need a place to store the
395  * transformed data. This array of arrays is that place. */
396 
399  uint32_t size; /**< size in number of elements */
400  uint32_t max:31; /**< max id in use in this run */
401  uint32_t init:1; /**< first time used this run. Used for clean logic */
403 
404 typedef struct TransformData_ {
406  void *options;
408 
409 typedef struct DetectEngineTransforms {
411  int cnt;
413 
414 /** callback for getting the buffer we need to prefilter/inspect */
415 typedef InspectionBuffer *(*InspectionBufferGetDataPtr)(
416  struct DetectEngineThreadCtx_ *det_ctx,
417  const DetectEngineTransforms *transforms,
418  Flow *f, const uint8_t flow_flags,
419  void *txv, const int list_id);
420 typedef InspectionBuffer *(*InspectionMultiBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx,
421  const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
422  const int list_id, const uint32_t local_id);
424 
425 typedef uint8_t (*InspectEngineFuncPtr)(struct DetectEngineCtx_ *de_ctx,
426  struct DetectEngineThreadCtx_ *det_ctx,
427  const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f,
428  uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
429 
432  uint8_t dir;
433  uint8_t id; /**< per sig id used in state keeping */
434  bool mpm;
435  bool stream;
436  uint16_t sm_list;
437  uint16_t sm_list_base; /**< base buffer being transformed */
438  int16_t progress;
439 
440  struct {
441  union {
444  };
446  /** pointer to the transforms in the 'DetectBuffer entry for this list */
448  } v2;
449 
451 
454 
455 typedef struct DetectBufferType_ {
456  char name[32];
457  char description[128];
458  int id;
460  bool mpm;
461  bool packet; /**< compat to packet matches */
462  bool frame; /**< is about Frame inspection */
464  bool multi_instance; /**< buffer supports multiple buffer instances per tx */
465  void (*SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *);
466  bool (*ValidateCallback)(const struct Signature_ *, const char **sigerror);
469 
471 
472 /**
473  * \param alert_flags[out] for setting PACKET_ALERT_FLAG_*
474  */
476  struct DetectEngineThreadCtx_ *,
477  const struct DetectEnginePktInspectionEngine *engine,
478  const struct Signature_ *s,
479  Packet *p, uint8_t *alert_flags);
480 
481 /** callback for getting the buffer we need to prefilter/inspect */
482 typedef InspectionBuffer *(*InspectionBufferGetPktDataPtr)(
483  struct DetectEngineThreadCtx_ *det_ctx,
484  const DetectEngineTransforms *transforms,
485  Packet *p, const int list_id);
486 
489  bool mpm;
490  uint16_t sm_list;
491  uint16_t sm_list_base;
492  struct {
495  /** pointer to the transforms in the 'DetectBuffer entry for this list */
497  } v1;
500 
501 struct Frame;
502 struct Frames;
504 
505 /**
506  * \param alert_flags[out] for setting PACKET_ALERT_FLAG_*
507  */
509  const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s,
510  Packet *p, const struct Frames *frames, const struct Frame *frame);
511 
514  uint8_t dir;
515  uint8_t type;
516  bool mpm;
517  uint16_t sm_list;
518  uint16_t sm_list_base;
519  struct {
521  /** pointer to the transforms in the 'DetectBuffer entry for this list */
523  } v1;
527 
528 typedef struct SignatureInitDataBuffer_ {
529  uint32_t id; /**< buffer id */
530  bool sm_init; /**< initialized by sigmatch, which is likely something like `urilen:10; http.uri;
531  content:"abc";`. These need to be in the same list. Unset once `http.uri` is
532  set up. */
533  bool multi_capable; /**< true if we can have multiple instances of this buffer, so e.g. for
534  http.uri. */
535  /* sig match list */
539 
540 typedef struct SignatureInitData_ {
541  /** Number of sigmatches. Used for assigning SigMatch::idx */
542  uint16_t sm_cnt;
543 
544  /** option was prefixed with '!'. Only set for sigmatches that
545  * have the SIGMATCH_HANDLE_NEGATION flag set. */
546  bool negated;
547 
548  /* track if we saw any negation in the addresses. If so, we
549  * skip it for ip-only */
552 
553  /* used to hold flags that are used during init */
554  uint32_t init_flags;
555  /* coccinelle: SignatureInitData:init_flags:SIG_FLAG_INIT_ */
556 
557  /* used at init to determine max dsize */
559 
560  /** netblocks and hosts specified at the sid, in CIDR format */
562 
563  /* list id for `mpm_sm`. Should always match `SigMatchListSMBelongsTo(s, mpm_sm)`. */
565  /* the fast pattern added from this signature */
567  /* used to speed up init of prefilter */
569 
570  /* SigMatch list used for adding content and friends. E.g. file_data; */
571  int list;
572  bool list_set;
573 
575 
576  /** score to influence rule grouping. A higher value leads to a higher
577  * likelihood of a rulegroup with this sig ending up as a contained
578  * group. */
579  int score;
580 
581  /** address settings for this signature */
583 
585 
586  /* holds built-in sm lists */
588  /* holds built-in sm lists' tails */
590 
591  /* Storage for buffers. */
593  uint32_t buffer_index;
594  uint32_t buffers_size;
596 
597  /* highest list/buffer id which holds a DETECT_CONTENT */
600 
601 /** \brief Signature container */
602 typedef struct Signature_ {
603  uint32_t flags;
604  /* coccinelle: Signature:flags:SIG_FLAG_ */
605  enum SignatureType type;
606 
608 
609  uint16_t dsize_low;
610  uint16_t dsize_high;
611  uint8_t dsize_mode;
612 
614  SigIntId num; /**< signature number, internal id */
615 
616  /** inline -- action */
617  uint8_t action;
618  uint8_t file_flags;
619 
620  /** addresses, ports and proto this sig matches on */
622 
623  /** classification id **/
624  uint16_t class_id;
625 
626  /** ipv4 match arrays */
633  /** ipv6 match arrays */
636 
637  uint32_t id; /**< sid, set by the 'sid' rule keyword */
638  uint32_t gid; /**< generator id */
639  uint32_t rev;
640  int prio;
641 
642  /** port settings for this signature */
644 
645 #ifdef PROFILE_RULES
646  uint16_t profiling_id;
647 #endif
648 
652 
653  /* Matching structures for the built-ins. The others are in
654  * their inspect engines. */
656 
657  /* memory is still owned by the sm_lists/sm_arrays entry */
659 
660  char *msg;
661 
662  /** classification message */
663  char *class_msg;
664  /** Reference */
666  /** Metadata */
668 
669  char *sig_str;
670 
672 
673  /** ptr to the next sig in the list */
674  struct Signature_ *next;
676 
681  /* must be last */
683 };
684 
685 /** \brief one time registration of keywords at start up */
686 typedef struct DetectBufferMpmRegistry_ {
687  const char *name;
688  char pname[32]; /**< name used in profiling */
689  int direction; /**< SIG_FLAG_TOSERVER or SIG_FLAG_TOCLIENT */
690  int16_t sm_list;
691  int16_t sm_list_base;
692  int priority;
693  int id; /**< index into this array and result arrays */
696 
698  MpmCtx *mpm_ctx, const struct DetectBufferMpmRegistry_ *mpm_reg, int list_id);
700 
701  union {
702  /* app-layer matching: use if type == DETECT_BUFFER_MPM_TYPE_APP */
703  struct {
704  union {
707  };
711 
712  /* pkt matching: use if type == DETECT_BUFFER_MPM_TYPE_PKT */
713  struct {
715  struct SigGroupHead_ *sgh, MpmCtx *mpm_ctx,
716  const struct DetectBufferMpmRegistry_ *mpm_reg, int list_id);
719 
720  /* frame matching: use if type == DETECT_BUFFER_MPM_TYPE_FRAME */
721  struct {
723  uint8_t type;
725  };
726 
729 
730 /* helper structure to track pattern stats and assign pattern id's. */
731 typedef struct DetectPatternTracker {
732  const struct DetectContentData_ *cd;
733  int sm_list;
734  uint32_t cnt;
735  uint32_t mpm;
737 
738 typedef struct DetectReplaceList_ {
739  const struct DetectContentData_ *cd;
740  uint8_t *found;
743 
744 /** only execute flowvar storage if rule matched */
745 #define DETECT_VAR_TYPE_FLOW_POSTMATCH 1
746 #define DETECT_VAR_TYPE_PKT_POSTMATCH 2
747 
748 /** list for flowvar store candidates, to be stored from
749  * post-match function */
750 typedef struct DetectVarList_ {
751  uint32_t idx; /**< flowvar name idx */
752  uint16_t len; /**< data len */
753  uint16_t key_len;
754  int type; /**< type of store candidate POSTMATCH or ALWAYS */
755  uint8_t *key;
756  uint8_t *buffer; /**< alloc'd buffer, may be freed by
757  post-match, post-non-match */
760 
761 typedef struct SCFPSupportSMList_ {
762  int list_id;
763  int priority;
766 
767 /** \brief IP only rules matching ctx. */
768 typedef struct DetectEngineIPOnlyCtx_ {
769  /* Lookup trees */
772 
773  /* Used to build the radix trees */
775  uint32_t max_idx;
776 
777  /* Used to map large signums to smaller values to compact the bitsets
778  * stored in the radix trees */
779  uint32_t *sig_mapping;
782 
783 typedef struct DetectEngineLookupFlow_ {
786  struct SigGroupHead_ *sgh[256];
788 
789 #include "detect-threshold.h"
790 
791 /** \brief threshold ctx */
792 typedef struct ThresholdCtx_ {
793  SCMutex threshold_table_lock; /**< Mutex for hash table */
794 
795  /** to support rate_filter "by_rule" option */
797  uint32_t th_size;
799 
800 typedef struct SigString_ {
801  char *filename;
802  char *sig_str;
803  char *sig_error;
804  int line;
807 
808 /** \brief Signature loader statistics */
809 typedef struct SigFileLoaderStat_ {
810  TAILQ_HEAD(, SigString_) failed_sigs;
817 
819  void *(*InitFunc)(void *);
820  void (*FreeFunc)(void *);
821  void *data;
823  int id;
824  const char *name; /* keyword name, for error printing */
826 
828 {
829  DETECT_PREFILTER_MPM = 0, /**< use only mpm / fast_pattern */
830  DETECT_PREFILTER_AUTO = 1, /**< use mpm + keyword prefilters */
831 };
832 
834 {
836  DETECT_ENGINE_TYPE_DD_STUB = 1, /* delayed detect stub: can be reloaded */
837  DETECT_ENGINE_TYPE_MT_STUB = 2, /* multi-tenant stub: cannot be reloaded */
839 };
840 
841 /* Flow states:
842  * toserver
843  * toclient
844  */
845 #define FLOW_STATES 2
846 
847 /** \brief main detection engine ctx */
848 typedef struct DetectEngineCtx_ {
850  uint8_t flags; /**< only DE_QUIET */
851  uint8_t mpm_matcher; /**< mpm matcher this ctx uses */
852  uint8_t spm_matcher; /**< spm matcher this ctx uses */
853 
854  uint32_t tenant_id;
855 
857  uint32_t sig_cnt;
858 
859  /* version of the srep data */
860  uint32_t srep_version;
861 
862  /* reputation for netblocks */
864 
866  uint32_t sig_array_len; /* size in array members */
867 
868  uint32_t signum;
869 
870  /** Maximum value of all our sgh's non_mpm_store_cnt setting,
871  * used to alloc det_ctx::non_mpm_id_array */
873 
874  /* used by the signature ordering module */
876 
877  /* main sigs */
879 
880  /* init phase vars */
882 
885 
886  /* hash table used to cull out duplicate sigs */
888 
891 
892  /* maximum recursion depth for content inspection */
894 
895  /* registration id for per thread ctx for the filemagic/file.magic keywords */
897 
898  /* spm thread context prototype, built as spm matchers are constructed and
899  * later used to construct thread context for each thread. */
901 
902  /* Config options */
903 
906 
907  /* max flowbit id that is used */
908  uint32_t max_fb_id;
909 
911 
912  /* array containing all sgh's in use so we can loop
913  * through it in Stage4. */
915  uint32_t sgh_array_cnt;
916  uint32_t sgh_array_size;
917 
922 
923  /* the max local id used amongst all sigs */
925 
926  /** version of the detect engine. The version is incremented on reloads */
927  uint32_t version;
928 
929  /** sgh for signatures that match against invalid packets. In those cases
930  * we can't lookup by proto, address, port as we don't have these */
932 
933  /* Maximum size of the buffer for decoded base64 data. */
935 
936  /** Store rule file and line so that parsers can use them in errors. */
938  char *rule_file;
939  const char *sigerror;
942 
943  /** The rule errored out due to missing requirements. */
945 
947 
948  /* specify the configuration for mpm context factory */
950 
952  /** hash list of keywords that need thread local ctxs */
954 
955  struct {
956  uint32_t content_limit;
960 
961 #ifdef PROFILE_RULES
962  struct SCProfileDetectCtx_ *profile_ctx;
963 #endif
964 #ifdef PROFILING
970 #endif
971  char config_prefix[64];
972 
973  enum DetectEngineType type;
974 
975  /** how many de_ctx' are referencing this */
976  uint32_t ref_cnt;
977  /** list in master: either active or freelist */
979 
980  /** id of loader thread 'owning' this de_ctx */
982 
983  /** are we using just mpm or also other prefilters */
985 
987 
990 
991  /** table for storing the string representation with the parsers result */
993 
994  /** table to store metadata keys and values */
996 
997  /* hash tables with rule-time buffer registration. Start time registration
998  * is in detect-engine.c::g_buffer_type_hash */
1001  uint32_t buffer_type_id;
1002 
1005  /* list with app inspect engines. Both the start-time registered ones and
1006  * the rule-time registered ones. */
1014 
1015  uint32_t prefilter_id;
1017 
1018  /** time of last ruleset reload */
1019  struct timeval last_reload;
1020 
1021  /** signatures stats */
1023 
1024  /* list of Fast Pattern registrations. Initially filled using a copy of
1025  * `g_fp_support_smlist_list`, then extended at rule loading time if needed */
1027 
1028  /** per keyword flag indicating if a prefilter has been
1029  * set for it. If true, the setup function will have to
1030  * run. */
1033 
1034  /* classification config parsing */
1035 
1036  /* hash table used for holding the classification config info */
1038  pcre2_code *class_conf_regex;
1039  pcre2_match_data *class_conf_regex_match;
1040 
1041  /* reference config parsing */
1042 
1043  /* hash table used for holding the reference config info */
1046  pcre2_match_data *reference_conf_regex_match;
1047 
1048  /* --engine-analysis */
1050 
1051  /* path to the tenant yaml for this engine */
1053 
1054  /* Track rule requirements for reporting after loading rules. */
1056 
1057  /* number of signatures using filestore, limited as u16 */
1058  uint16_t filestore_cnt;
1060 
1061 /* Engine groups profiles (low, medium, high, custom) */
1062 enum {
1068 };
1069 
1070 /* Siggroup mpm context profile */
1071 enum {
1075 #define ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE (ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO + 1)
1076 };
1077 
1078 #define DETECT_FILESTORE_MAX 15
1085 
1086 /** array of TX inspect rule candidates */
1087 typedef struct RuleMatchCandidateTx {
1088  SigIntId id; /**< internal signature id */
1089  uint32_t *flags; /**< inspect flags ptr */
1090  union {
1091  struct {
1093  uint8_t stream_result;
1094  };
1095  uint32_t stream_reset;
1096  };
1097 
1098  const Signature *s; /**< ptr to sig */
1100 
1101 /**
1102  * Detection engine thread data.
1103  */
1104 typedef struct DetectEngineThreadCtx_ {
1105  /** \note multi-tenant hash lookup code from Detect() *depends*
1106  * on this being the first member */
1107  uint32_t tenant_id;
1108 
1109  SC_ATOMIC_DECLARE(int, so_far_used_by_detect);
1110 
1111  /* the thread to which this detection engine thread belongs */
1113 
1114  /** Array of non-prefiltered sigs that need to be evaluated. Updated
1115  * per packet based on the rule group and traffic properties. */
1117  uint32_t non_pf_id_cnt; // size is cnt * sizeof(uint32_t)
1118 
1122 
1125 
1126  uint32_t (*TenantGetId)(const void *, const Packet *p);
1127 
1128  /* detection engine variables */
1129 
1131 
1132  /** offset into the payload of the end of the last match by: content, pcre, etc */
1133  uint32_t buffer_offset;
1134 
1135  /** used by pcre match function alone: normally in sync with buffer_offset, but
1136  * points to 1 byte after the start of the last pcre match if a pcre match happened. */
1138 
1139  /** SPM thread context used for scanning. This has been cloned from the
1140  * prototype held by DetectEngineCtx. */
1142 
1143  /* byte_* values */
1144  uint64_t *byte_values;
1145 
1146  uint8_t *base64_decoded;
1149 
1150  /* counter for the filestore array below -- up here for cache reasons. */
1151  uint16_t filestore_cnt;
1152 
1153  /** id for alert counter */
1154  uint16_t counter_alerts;
1155  /** id for discarded alerts counter */
1157  /** id for suppressed alerts counter */
1159 #ifdef PROFILING
1164 #endif
1165 
1166  struct {
1168  uint32_t buffers_size; /**< in number of elements */
1169  uint32_t to_clear_idx;
1170  uint32_t *to_clear_queue;
1172 
1173  struct {
1174  /** inspection buffers for more complex case. As we can inspect multiple
1175  * buffers in parallel, we need this extra wrapper struct */
1177  uint32_t buffers_size; /**< in number of elements */
1178  uint32_t to_clear_idx;
1179  uint32_t *to_clear_queue;
1181 
1182  uint16_t flags; /**< DETECT_ENGINE_THREAD_CTX_* flags */
1183 
1184  /* true if tx_id is set */
1186  /** ID of the transaction currently being inspected. */
1187  uint64_t tx_id;
1188  int64_t frame_id;
1189  uint64_t frame_inspect_progress; /**< used to set Frame::inspect_progress after all inspection
1190  on a frame is complete. */
1192 
1196 
1197  /** array of signature pointers we're going to inspect in the detection
1198  * loop. */
1200  /** size of the array in items (mem size if * sizeof(Signature *)
1201  * Only used during initialization. */
1203  /** size in use */
1205 
1208 
1211 
1212  MpmThreadCtx mtc; /**< thread ctx for the mpm */
1214 
1215  /* string to replace */
1217  /* vars to store in post match function */
1219 
1220  /* Array in which the filestore keyword stores file id and tx id. If the
1221  * full signature matches, these are processed by a post-match filestore
1222  * function to finalize the store. */
1223  struct {
1224  uint32_t file_id;
1225  uint64_t tx_id;
1227 
1229  /** store for keyword contexts that need a per thread storage. Per de_ctx. */
1232  /** store for keyword contexts that need a per thread storage. Global. */
1235 
1237  uint16_t events;
1238 
1239  /** stats id for lua rule errors */
1241 
1242 #ifdef DEBUG
1243  uint64_t pkt_stream_add_cnt;
1244  uint64_t payload_mpm_cnt;
1245  uint64_t payload_mpm_size;
1246  uint64_t stream_mpm_cnt;
1247  uint64_t stream_mpm_size;
1248  uint64_t payload_persig_cnt;
1249  uint64_t payload_persig_size;
1250  uint64_t stream_persig_cnt;
1251  uint64_t stream_persig_size;
1252 #endif
1253 #ifdef PROFILE_RULES
1254  struct SCProfileData_ *rule_perf_data;
1255  int rule_perf_data_size;
1256  uint32_t rule_perf_last_sync;
1257 #endif
1258 #ifdef PROFILING
1261  int keyword_perf_list; /**< list we're currently inspecting, DETECT_SM_LIST_* */
1263 
1265  /** bytes inspected by current prefilter callback call */
1267  /** number of times we inspected a buffer */
1269 #endif
1271 
1272 /** \brief element in sigmatch type table.
1273  */
1274 typedef struct SigTableElmt_ {
1275  /** Packet match function pointer */
1276  int (*Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *);
1277 
1278  /** AppLayer TX match function pointer */
1280  uint8_t flags, void *alstate, void *txv,
1281  const Signature *, const SigMatchCtx *);
1282 
1283  /** File match function pointer */
1285  Flow *, /**< *LOCKED* flow */
1286  uint8_t flags, File *, const Signature *, const SigMatchCtx *);
1287 
1288  /** InspectionBuffer transformation callback */
1289  void (*Transform)(InspectionBuffer *, void *context);
1290  bool (*TransformValidate)(const uint8_t *content, uint16_t content_len, void *context);
1291 
1292  /** keyword setup function pointer */
1293  int (*Setup)(DetectEngineCtx *, Signature *, const char *);
1294 
1295  bool (*SupportsPrefilter)(const Signature *s);
1297 
1298  void (*Free)(DetectEngineCtx *, void *);
1299 #ifdef UNITTESTS
1300  void (*RegisterTests)(void);
1301 #endif
1302  uint16_t flags;
1303  /* coccinelle: SigTableElmt:flags:SIGMATCH_ */
1304 
1305  /** better keyword to replace the current one */
1306  uint16_t alternative;
1307 
1308  const char *name; /**< keyword name alias */
1309  const char *alias; /**< name alias */
1310  const char *desc;
1311  const char *url;
1312 
1314 
1315 /* event code */
1316 enum {
1330 
1332 };
1333 
1334 #define SIG_GROUP_HEAD_HAVERAWSTREAM BIT_U16(0)
1335 #ifdef HAVE_MAGIC
1336 #define SIG_GROUP_HEAD_HAVEFILEMAGIC BIT_U16(1)
1337 #endif
1338 #define SIG_GROUP_HEAD_HAVEFILEMD5 BIT_U16(2)
1339 #define SIG_GROUP_HEAD_HAVEFILESIZE BIT_U16(3)
1340 #define SIG_GROUP_HEAD_HAVEFILESHA1 BIT_U16(4)
1341 #define SIG_GROUP_HEAD_HAVEFILESHA256 BIT_U16(5)
1352 };
1353 
1354 typedef struct MpmStore_ {
1355  uint8_t *sid_array;
1356  uint32_t sid_array_size;
1357 
1360  int sm_list;
1364 
1366 
1367 typedef void (*PrefilterFrameFn)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
1368  const struct Frames *frames, const struct Frame *frame);
1369 
1370 typedef struct AppLayerTxData AppLayerTxData;
1371 typedef void (*PrefilterTxFn)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f,
1372  void *tx, const uint64_t tx_id, const AppLayerTxData *tx_data, const uint8_t flags);
1373 
1374 typedef struct PrefilterEngineList_ {
1375  uint16_t id;
1376 
1377  /** App Proto this engine applies to: only used with Tx Engines */
1379  /** Minimal Tx progress we need before running the engine. Only used
1380  * with Tx Engine */
1382 
1383  uint8_t frame_type;
1384 
1385  /** Context for matching. Might be MpmCtx for MPM engines, other ctx'
1386  * for other engines. */
1387  void *pectx;
1388 
1389  void (*Prefilter)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx);
1392 
1394 
1395  /** Free function for pectx data. If NULL the memory is not freed. */
1396  void (*Free)(void *pectx);
1397 
1398  const char *name;
1399  /* global id for this prefilter */
1400  uint32_t gid;
1402 
1403 typedef struct PrefilterEngine_ {
1404  uint16_t local_id;
1405 
1406  /** App Proto this engine applies to: only used with Tx Engines */
1408 
1409  union {
1410  /** Minimal Tx progress we need before running the engine. Only used
1411  * with Tx Engine */
1413  uint8_t frame_type;
1414  } ctx;
1415 
1416  /** Context for matching. Might be MpmCtx for MPM engines, other ctx'
1417  * for other engines. */
1418  void *pectx;
1419 
1420  union {
1421  void (*Prefilter)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx);
1424  } cb;
1425 
1426  /* global id for this prefilter */
1427  uint32_t gid;
1428  bool is_last;
1431 
1432 typedef struct SigGroupHeadInitData_ {
1434 
1435  uint8_t *sig_array; /**< bit array of sig nums (internal id's) */
1436  uint32_t sig_size; /**< size in bytes */
1437 
1438  uint8_t protos[256]; /**< proto(s) this sgh is for */
1439  uint32_t direction; /**< set to SIG_FLAG_TOSERVER, SIG_FLAG_TOCLIENT or both */
1440  int score; /**< try to make this group a unique one */
1441  uint32_t max_sig_id; /**< max signature idx for this sgh */
1442 
1446 
1451 
1452  /** number of sigs in this group */
1454 
1455  /** Array with sig ptrs... size is sig_cnt * sizeof(Signature *) */
1458 
1459 /** \brief Container for matching data for a signature group */
1460 typedef struct SigGroupHead_ {
1461  uint16_t flags;
1462  /* coccinelle: SigGroupHead:flags:SIG_GROUP_HEAD_ */
1463 
1464  /** the number of signatures in this sgh that have the filestore keyword
1465  * set. */
1466  uint16_t filestore_cnt;
1467 
1468  uint32_t id; /**< unique id used to index sgh_array for stats */
1469 
1470  /* non prefilter list excluding SYN rules */
1473  SignatureNonPrefilterStore *non_pf_other_store_array; // size is non_mpm_store_cnt * sizeof(SignatureNonPrefilterStore)
1474  /* non mpm list including SYN rules */
1475  SignatureNonPrefilterStore *non_pf_syn_store_array; // size is non_mpm_syn_store_cnt * sizeof(SignatureNonPrefilterStore)
1476 
1481 
1482  /* ptr to our init data we only use at... init :) */
1484 
1486 
1487 /** sigmatch has no options, so the parser shouldn't expect any */
1488 #define SIGMATCH_NOOPT BIT_U16(0)
1489 /** sigmatch is compatible with a ip only rule */
1490 #define SIGMATCH_IPONLY_COMPAT BIT_U16(1)
1491 /** sigmatch is compatible with a decode event only rule */
1492 #define SIGMATCH_DEONLY_COMPAT BIT_U16(2)
1493 /**< Flag to indicate that the signature is not built-in */
1494 #define SIGMATCH_NOT_BUILT BIT_U16(3)
1495 /** sigmatch may have options, so the parser should be ready to
1496  * deal with both cases */
1497 #define SIGMATCH_OPTIONAL_OPT BIT_U16(4)
1498 /** input may be wrapped in double quotes. They will be stripped before
1499  * input data is passed to keyword parser */
1500 #define SIGMATCH_QUOTES_OPTIONAL BIT_U16(5)
1501 /** input MUST be wrapped in double quotes. They will be stripped before
1502  * input data is passed to keyword parser. Missing double quotes lead to
1503  * error and signature invalidation. */
1504 #define SIGMATCH_QUOTES_MANDATORY BIT_U16(6)
1505 /** negation parsing is handled by the rule parser. Signature::init_data::negated
1506  * will be set to true or false prior to calling the keyword parser. Exclamation
1507  * mark is stripped from the input to the keyword parser. */
1508 #define SIGMATCH_HANDLE_NEGATION BIT_U16(7)
1509 /** keyword is a content modifier */
1510 #define SIGMATCH_INFO_CONTENT_MODIFIER BIT_U16(8)
1511 /** keyword is a sticky buffer */
1512 #define SIGMATCH_INFO_STICKY_BUFFER BIT_U16(9)
1513 /** keyword is deprecated: used to suggest an alternative */
1514 #define SIGMATCH_INFO_DEPRECATED BIT_U16(10)
1515 /** strict parsing is enabled */
1516 #define SIGMATCH_STRICT_PARSING BIT_U16(11)
1519 {
1520  TENANT_SELECTOR_UNKNOWN = 0, /**< not set */
1521  TENANT_SELECTOR_DIRECT, /**< method provides direct tenant id */
1522  TENANT_SELECTOR_VLAN, /**< map vlan to tenant id */
1523  TENANT_SELECTOR_LIVEDEV, /**< map livedev to tenant id */
1524 };
1525 
1527  uint32_t tenant_id;
1528 
1529  /* traffic id that maps to the tenant id */
1530  uint32_t traffic_id;
1531 
1534 
1535 typedef struct DetectEngineMasterCtx_ {
1537 
1538  /** enable multi tenant mode */
1540 
1541  /** version, incremented after each 'apply to threads' */
1542  uint32_t version;
1543 
1544  /** list of active detection engines. This list is used to generate the
1545  * threads det_ctx's */
1547 
1548  /** free list, containing detection engines that will be removed but may
1549  * still be referenced by det_ctx's. Freed as soon as all references are
1550  * gone. */
1552 
1554 
1555  /** list of tenant mappings. Updated under lock. Used to generate lookup
1556  * structures. */
1558 
1559  /** list of keywords that need thread local ctxs,
1560  * only updated by keyword registration at start up. Not
1561  * covered by the lock. */
1565 
1566 /* Table with all SigMatch registrations */
1568 
1569 /** Remember to add the options in SignatureIsIPOnly() at detect.c otherwise it wont be part of a signature group */
1570 
1571 /* detection api */
1572 TmEcode Detect(ThreadVars *tv, Packet *p, void *data);
1573 
1574 SigMatch *SigMatchAlloc(void);
1575 Signature *SigFindSignatureBySidGid(DetectEngineCtx *, uint32_t, uint32_t);
1577 
1578 void SigRegisterTests(void);
1579 
1581 char *DetectLoadCompleteSigPath(const DetectEngineCtx *, const char *sig_file);
1582 int SigLoadSignatures(DetectEngineCtx *, char *, bool);
1584  DetectEngineThreadCtx *det_ctx, Packet *p);
1585 
1588 
1589 int DetectUnregisterThreadCtxFuncs(DetectEngineCtx *, void *data, const char *name);
1590 int DetectRegisterThreadCtxFuncs(DetectEngineCtx *, const char *name, void *(*InitFunc)(void *), void *data, void (*FreeFunc)(void *), int);
1592 
1593 void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size);
1595 
1596 void AlertQueueInit(DetectEngineThreadCtx *det_ctx);
1597 void AlertQueueFree(DetectEngineThreadCtx *det_ctx);
1598 void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id,
1599  uint8_t alert_flags);
1600 
1602 
1605 
1606 /* events */
1607 void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e);
1608 
1610 
1611 #endif /* SURICATA_DETECT_H */
ADDRESS_EQ
@ ADDRESS_EQ
Definition: detect.h:152
DetectEngineThreadCtx_::byte_values
uint64_t * byte_values
Definition: detect.h:1144
DetectEngineCtx_::sgh_hash_table
HashListTable * sgh_hash_table
Definition: detect.h:881
DetectEngineCtx_::pkt_mpms_list_cnt
uint32_t pkt_mpms_list_cnt
Definition: detect.h:1010
DetectEngineAppInspectionEngine_::stream
bool stream
Definition: detect.h:435
DetectEngineCtx_::frame_mpms_list_cnt
uint32_t frame_mpms_list_cnt
Definition: detect.h:1013
SCFPSupportSMList
struct SCFPSupportSMList_ SCFPSupportSMList
SigFileLoaderStat_::bad_files
int bad_files
Definition: detect.h:811
SigGroupHead_::non_pf_syn_store_cnt
uint32_t non_pf_syn_store_cnt
Definition: detect.h:1472
SIG_TYPE_STREAM
@ SIG_TYPE_STREAM
Definition: detect.h:72
DetectEngineThreadCtx_::non_pf_store_ptr
SignatureNonPrefilterStore * non_pf_store_ptr
Definition: detect.h:1209
DetectEngineTenantMapping_
Definition: detect.h:1526
SignatureInitData_::max_content_list_id
uint32_t max_content_list_id
Definition: detect.h:598
DetectAddress_::ip
Address ip
Definition: detect.h:167
SigMatchSignaturesGetSgh
const SigGroupHead * SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx, const Packet *p)
Get the SigGroupHead for a packet.
Definition: detect.c:215
DetectPatternTracker
Definition: detect.h:731
PrefilterEngineList_::frame_type
uint8_t frame_type
Definition: detect.h:1383
SCFPSupportSMList_
Definition: detect.h:761
DetectEngineThreadCtx_::keyword_perf_data_per_list
struct SCProfileKeywordData_ ** keyword_perf_data_per_list
Definition: detect.h:1260
SigGroupHead_::tx_engines
PrefilterEngine * tx_engines
Definition: detect.h:1479
AlertQueueInit
void AlertQueueInit(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine-alert.c:222
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:322
DetectEngineAppInspectionEngine_
Definition: detect.h:430
SigTableElmt_::url
const char * url
Definition: detect.h:1311
DetectBufferType_::supports_transforms
bool supports_transforms
Definition: detect.h:463
SigLoadSignatures
int SigLoadSignatures(DetectEngineCtx *, char *, bool)
Load signatures.
Definition: detect-engine-loader.c:287
MPMB_UDP_TS
@ MPMB_UDP_TS
Definition: detect.h:1348
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:536
SigMatch_::prev
struct SigMatch_ * prev
Definition: detect.h:355
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:434
SCProfileKeywordData_
Definition: util-profiling-keywords.c:40
DetectBufferType_::mpm
bool mpm
Definition: detect.h:460
SignatureInitDataBuffer_::sm_init
bool sm_init
Definition: detect.h:530
RuleMatchCandidateTx::stream_stored
bool stream_stored
Definition: detect.h:1092
DetectReplaceList_::cd
const struct DetectContentData_ * cd
Definition: detect.h:739
DetectEngineThreadCtx_::alert_queue_size
uint16_t alert_queue_size
Definition: detect.h:1193
DetectEngineThreadCtx_::inspect
struct DetectEngineThreadCtx_::@100 inspect
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1133
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:116
DetectBufferMpmRegistry_::direction
int direction
Definition: detect.h:689
DetectEngineThreadCtx_::to_clear_idx
uint32_t to_clear_idx
Definition: detect.h:1169
SignatureInitDataBuffer
struct SignatureInitDataBuffer_ SignatureInitDataBuffer
SigMatchFree
void SigMatchFree(DetectEngineCtx *, SigMatch *sm)
free a SigMatch
Definition: detect-parse.c:336
DetectEngineCtx_::class_conf_ht
HashTable * class_conf_ht
Definition: detect.h:1037
PrefilterEngine_::Prefilter
void(* Prefilter)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
Definition: detect.h:1421
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:587
detect-engine-proto.h
DetectEngineThreadCtx_::keyword_perf_data
struct SCProfileKeywordData_ * keyword_perf_data
Definition: detect.h:1259
DetectEngineThreadCtx_::match_array_cnt
SigIntId match_array_cnt
Definition: detect.h:1204
DetectVarList_::idx
uint32_t idx
Definition: detect.h:751
MpmStore_::sid_array_size
uint32_t sid_array_size
Definition: detect.h:1356
SigTableElmt_::desc
const char * desc
Definition: detect.h:1310
SignatureInitData_::list_set
bool list_set
Definition: detect.h:572
Signature_::addr_src_match6
DetectMatchAddressIPv6 * addr_src_match6
Definition: detect.h:635
DetectEngineThreadCtx_::SC_ATOMIC_DECLARE
SC_ATOMIC_DECLARE(int, so_far_used_by_detect)
Signature_::sig_str
char * sig_str
Definition: detect.h:669
MpmStore_::sid_array
uint8_t * sid_array
Definition: detect.h:1355
DetectEngineThreadKeywordCtxItem
struct DetectEngineThreadKeywordCtxItem_ DetectEngineThreadKeywordCtxItem
DetectEngineCtx_::sgh_mpm_context_proto_tcp_packet
int32_t sgh_mpm_context_proto_tcp_packet
Definition: detect.h:918
SIG_TYPE_APP_TX
@ SIG_TYPE_APP_TX
Definition: detect.h:75
DetectVarList_::buffer
uint8_t * buffer
Definition: detect.h:756
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1298
IPOnlyCIDRItem
struct IPOnlyCIDRItem_ IPOnlyCIDRItem
util-hashlist.h
DetectEngineCtx_::decoder_event_sgh
struct SigGroupHead_ * decoder_event_sgh
Definition: detect.h:931
DetectEngineCtx_::flow_gh
DetectEngineLookupFlow flow_gh[FLOW_STATES]
Definition: detect.h:878
SCFPSupportSMList_::next
struct SCFPSupportSMList_ * next
Definition: detect.h:764
DetectEngineThreadCtx_::counter_match_list
uint16_t counter_match_list
Definition: detect.h:1163
SigString
struct SigString_ SigString
DetectEnginePktInspectionEngine
Definition: detect.h:487
DetectEngineMasterCtx_::tenant_mapping_list
DetectEngineTenantMapping * tenant_mapping_list
Definition: detect.h:1557
Signature_::filestore_ctx
const struct DetectFilestoreData_ * filestore_ctx
Definition: detect.h:658
DetectEngineAppInspectionEngine_::next
struct DetectEngineAppInspectionEngine_ * next
Definition: detect.h:452
SigGroupHead_::flags
uint16_t flags
Definition: detect.h:1461
SignatureIsIPOnly
int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
Test is a initialized signature is IP only.
Definition: detect-engine-build.c:208
SCFPSupportSMList_::list_id
int list_id
Definition: detect.h:762
SigTableElmt_::name
const char * name
Definition: detect.h:1308
DetectEngineMasterCtx_::list
DetectEngineCtx * list
Definition: detect.h:1546
SignatureInitData_::smlists_tail
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
Definition: detect.h:589
InspectionBuffer::initialized
bool initialized
Definition: detect.h:378
ADDRESS_GT
@ ADDRESS_GT
Definition: detect.h:156
MpmThreadCtx_
Definition: util-mpm.h:46
DetectPatternTracker::mpm
uint32_t mpm
Definition: detect.h:735
Signature_::num
SigIntId num
Definition: detect.h:614
DetectEngineCtx
struct DetectEngineCtx_ DetectEngineCtx
main detection engine ctx
IPOnlyCIDRItem_::netmask
uint8_t netmask
Definition: detect.h:330
DetectEngineCtx_::type
enum DetectEngineType type
Definition: detect.h:973
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1460
DetectEnginePktInspectionEngine::v1
struct DetectEnginePktInspectionEngine::@86 v1
DetectEngineCtx_::pattern_hash_table
HashListTable * pattern_hash_table
Definition: detect.h:884
DetectEngineThreadCtx_::sgh_perf_data
struct SCProfileSghData_ * sgh_perf_data
Definition: detect.h:1262
ThresholdCtx_::threshold_table_lock
SCMutex threshold_table_lock
Definition: detect.h:793
DetectEngineCtx_::rule_file
char * rule_file
Definition: detect.h:938
DetectEngineTransforms
Definition: detect.h:409
PrefilterEngineList_::id
uint16_t id
Definition: detect.h:1375
DetectBufferMpmRegistry_::sm_list_base
int16_t sm_list_base
Definition: detect.h:691
SigGroupHeadInitData_::sig_array
uint8_t * sig_array
Definition: detect.h:1435
SCProfileSghDetectCtx_
Definition: util-profiling-rulegroups.c:51
DetectAddress_
address structure for use in the detection engine.
Definition: detect.h:165
DetectEngineCtx_::max_uniq_toclient_groups
uint16_t max_uniq_toclient_groups
Definition: detect.h:904
DetectEngineThreadCtx_::buffers
InspectionBufferMultipleForList * buffers
Definition: detect.h:1176
SignatureInitData_::prefilter_sm
SigMatch * prefilter_sm
Definition: detect.h:568
PrefilterRuleStore_
structure for storing potential rule matches
Definition: util-prefilter.h:34
SignatureInitData_::src_contains_negation
bool src_contains_negation
Definition: detect.h:550
DetectEngineCtx_::ref_cnt
uint32_t ref_cnt
Definition: detect.h:976
DetectEngineCtx_::sigerror_silent
bool sigerror_silent
Definition: detect.h:940
DetectEngineAppInspectionEngine_::Callback
InspectEngineFuncPtr Callback
Definition: detect.h:445
Signature_::alproto
AppProto alproto
Definition: detect.h:607
SignatureNonPrefilterStore_::id
SigIntId id
Definition: detect.h:1081
SigString_
Definition: detect.h:800
DetectAddressHead_
Definition: detect.h:180
PrefilterEngine_::cb
union PrefilterEngine_::@104 cb
MPMB_OTHERIP
@ MPMB_OTHERIP
Definition: detect.h:1350
DetectEngineCtx_::non_pf_store_cnt_max
uint32_t non_pf_store_cnt_max
Definition: detect.h:872
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
DetectEngineFrameInspectionEngine::sm_list_base
uint16_t sm_list_base
Definition: detect.h:518
DetectPort_::port
uint16_t port
Definition: detect.h:218
SigMatchData_::is_last
bool is_last
Definition: detect.h:361
DetectEngineIPOnlyCtx_::ip_src
IPOnlyCIDRItem * ip_src
Definition: detect.h:774
DetectBufferMpmRegistry_::frame_v1
struct DetectBufferMpmRegistry_::@88::@92 frame_v1
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:82
DETECT_SM_LIST_DYNAMIC_START
@ DETECT_SM_LIST_DYNAMIC_START
Definition: detect.h:135
IPOnlyCIDRItem_
Definition: detect.h:326
DetectEngineThreadCtx_::tx_id
uint64_t tx_id
Definition: detect.h:1187
DetectEngineThreadCtx_::decoder_events
AppLayerDecoderEvents * decoder_events
Definition: detect.h:1236
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:362
InspectionMultiBufferGetDataPtr
InspectionBuffer *(* InspectionMultiBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id, const uint32_t local_id)
Definition: detect.h:420
InspectionBuffer
Definition: detect.h:374
DETECT_EVENT_TOO_MANY_BUFFERS
@ DETECT_EVENT_TOO_MANY_BUFFERS
Definition: detect.h:1331
DetectVarList_::key_len
uint16_t key_len
Definition: detect.h:753
MpmStore_::sm_list
int sm_list
Definition: detect.h:1360
DetectEngineAppInspectionEngine_::GetData
InspectionBufferGetDataPtr GetData
Definition: detect.h:442
DetectEngineThreadKeywordCtxItem_
Definition: detect.h:818
DetectEngineCtx_::pkt_mpms_list
DetectBufferMpmRegistry * pkt_mpms_list
Definition: detect.h:1009
DETECT_BUFFER_MPM_TYPE_FRAME
@ DETECT_BUFFER_MPM_TYPE_FRAME
Definition: detect.h:680
Frame
Definition: app-layer-frames.h:45
DETECT_TBLSIZE
@ DETECT_TBLSIZE
Definition: detect-engine-register.h:359
Flow_
Flow data structure.
Definition: flow.h:356
SigTableElmt_::FileMatch
int(* FileMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, File *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1284
DetectVarList_
Definition: detect.h:750
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:130
DetectReplaceList_::found
uint8_t * found
Definition: detect.h:740
DetectEngineThreadKeywordCtxItem_::data
void * data
Definition: detect.h:821
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1213
util-hash.h
EngineAnalysisCtx_
Definition: detect-engine-analyzer.c:79
InspectionBufferGetDataPtr
InspectionBuffer *(* InspectionBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)
Definition: detect.h:415
SigGroupHeadInitData_::mpm_store
MpmStore mpm_store[MPMB_MAX]
Definition: detect.h:1433
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1302
SCRadixTree_
Structure for the radix tree.
Definition: util-radix-tree.h:86
SigFindSignatureBySidGid
Signature * SigFindSignatureBySidGid(DetectEngineCtx *, uint32_t, uint32_t)
Find a specific signature by sid and gid.
Definition: detect-engine-build.c:78
DetectEngineIPOnlyCtx_::tree_ipv6dst
SCRadixTree * tree_ipv6dst
Definition: detect.h:771
DetectEngineCtx_::inspection_recursion_limit
int inspection_recursion_limit
Definition: detect.h:893
PrefilterEngineList_::name
const char * name
Definition: detect.h:1398
DetectVarList_::len
uint16_t len
Definition: detect.h:752
DetectEngineFrameInspectionEngine::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:522
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:848
DetectEnginePktInspectionEngine::smd
SigMatchData * smd
Definition: detect.h:488
DetectPatternTracker
struct DetectPatternTracker DetectPatternTracker
SCProfilePrefilterDetectCtx_
Definition: util-profiling-prefilter.c:47
SIG_TYPE_PKT_STREAM
@ SIG_TYPE_PKT_STREAM
Definition: detect.h:71
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1899
DetectEngineThreadCtx_::global_keyword_ctxs_array
void ** global_keyword_ctxs_array
Definition: detect.h:1234
TransformData_::options
void * options
Definition: detect.h:406
DetectEngineFrameInspectionEngine::mpm
bool mpm
Definition: detect.h:516
detect-engine-register.h
ThresholdCtx_::th_size
uint32_t th_size
Definition: detect.h:797
PrefilterEngine_::tx_min_progress
uint8_t tx_min_progress
Definition: detect.h:1412
InspectionBuffer::orig
const uint8_t * orig
Definition: detect.h:388
DetectEngineCtx_::reference_conf_regex_match
pcre2_match_data * reference_conf_regex_match
Definition: detect.h:1046
RuleMatchCandidateTxArrayFree
void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx)
Definition: detect.c:989
DetectEngineThreadCtx_::p
Packet * p
Definition: detect.h:1191
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1279
DetectEngineThreadCtx_::keyword_perf_list
int keyword_perf_list
Definition: detect.h:1261
InspectionBufferGetPktDataPtr
InspectionBuffer *(* InspectionBufferGetPktDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const int list_id)
Definition: detect.h:482
ADDRESS_ES
@ ADDRESS_ES
Definition: detect.h:153
DetectEngineCtx_::keyword_id
int keyword_id
Definition: detect.h:951
RuleMatchCandidateTx::id
SigIntId id
Definition: detect.h:1088
Detect
TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
Detection engine thread wrapper.
Definition: detect.c:1820
PORT_ER
@ PORT_ER
Definition: detect.h:202
DetectBufferMpmRegistry_::type
uint8_t type
Definition: detect.h:723
DetectEngineIPOnlyCtx_::tree_ipv4src
SCRadixTree * tree_ipv4src
Definition: detect.h:770
SignatureProperties
Definition: detect.h:86
DetectBufferMpmRegistry_::next
struct DetectBufferMpmRegistry_ * next
Definition: detect.h:727
HashTable_
Definition: util-hash.h:35
DetectEngineThreadCtx_::flags
uint16_t flags
Definition: detect.h:1182
DetectPatternTracker::cnt
uint32_t cnt
Definition: detect.h:734
DetectEngineTenantMapping_::next
struct DetectEngineTenantMapping_ * next
Definition: detect.h:1532
DetectEngineThreadCtx_::buffers_size
uint32_t buffers_size
Definition: detect.h:1168
DetectEngineCtx_::srep_version
uint32_t srep_version
Definition: detect.h:860
DetectBufferType_::name
char name[32]
Definition: detect.h:456
DetectEngineCtx_::profile_sgh_ctx
struct SCProfileSghDetectCtx_ * profile_sgh_ctx
Definition: detect.h:968
Frames
Definition: app-layer-frames.h:60
DetectBufferMpmRegistry_
one time registration of keywords at start up
Definition: detect.h:686
DetectPort_::next
struct DetectPort_ * next
Definition: detect.h:231
DetectReplaceList_
Definition: detect.h:738
MPMB_TCP_STREAM_TS
@ MPMB_TCP_STREAM_TS
Definition: detect.h:1346
DetectEngineAppInspectionEngine_::sm_list_base
uint16_t sm_list_base
Definition: detect.h:437
Address_
Definition: decode.h:117
DetectPatternTracker::cd
const struct DetectContentData_ * cd
Definition: detect.h:732
DetectEngineCtx_::sigerror_requires
bool sigerror_requires
Definition: detect.h:944
DetectThresholdEntry_
Definition: detect-threshold.h:64
InspectionBuffer::size
uint32_t size
Definition: detect.h:385
DetectEngineThreadCtx_::spm_thread_ctx
SpmThreadCtx * spm_thread_ctx
Definition: detect.h:1141
DetectAddressHead
struct DetectAddressHead_ DetectAddressHead
InspectionBuffer::flags
uint8_t flags
Definition: detect.h:379
DetectEngineCtx_::dport_hash_table
HashListTable * dport_hash_table
Definition: detect.h:986
PrefilterEngineList_::Prefilter
void(* Prefilter)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
Definition: detect.h:1389
SignatureInitDataBuffer_::multi_capable
bool multi_capable
Definition: detect.h:533
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:655
SigGroupHead_::payload_engines
PrefilterEngine * payload_engines
Definition: detect.h:1478
DetectEngineCtx_::mpm_ctx_factory_container
MpmCtxFactoryContainer * mpm_ctx_factory_container
Definition: detect.h:910
DetectEngineCtx_::prefilter_setting
enum DetectEnginePrefilterSetting prefilter_setting
Definition: detect.h:984
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:554
DetectEngineCtx_::reference_conf_regex
pcre2_code * reference_conf_regex
Definition: detect.h:1045
DetectBufferType_
Definition: detect.h:455
DetectPort_::sh
struct SigGroupHead_ * sh
Definition: detect.h:228
DetectBufferMpmRegistry_::app_v2
struct DetectBufferMpmRegistry_::@88::@90 app_v2
DetectContentData_
Definition: detect-content.h:93
DetectEngineSetEvent
void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e)
Definition: detect-engine.c:4909
SigFileLoaderStat_::TAILQ_HEAD
TAILQ_HEAD(, SigString_) failed_sigs
DetectEngineCtx_::sigerror_ok
bool sigerror_ok
Definition: detect.h:941
DetectEngineCtx_::class_conf_regex
pcre2_code * class_conf_regex
Definition: detect.h:1038
PrefilterEngine_::local_id
uint16_t local_id
Definition: detect.h:1404
PrefilterEngineList_::Free
void(* Free)(void *pectx)
Definition: detect.h:1396
RuleMatchCandidateTxArrayInit
void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size)
Definition: detect.c:976
ALPROTO_MAX
@ ALPROTO_MAX
Definition: app-layer-protos.h:77
MPMB_MAX
@ MPMB_MAX
Definition: detect.h:1351
SigTableElmt_
element in sigmatch type table.
Definition: detect.h:1274
SCDetectRequiresStatus
struct SCDetectRequiresStatus SCDetectRequiresStatus
Definition: detect.h:60
SigMatchData_
Data needed for Match()
Definition: detect.h:359
InspectionBufferMultipleForList::init
uint32_t init
Definition: detect.h:401
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1293
DetectEngineCtx_::sgh_mpm_context_proto_udp_packet
int32_t sgh_mpm_context_proto_udp_packet
Definition: detect.h:919
DetectPort
struct DetectPort_ DetectPort
Port structure for detection engine.
RuleMatchCandidateTx::s
const Signature * s
Definition: detect.h:1098
DetectEngineCtx_::reference_conf_ht
HashTable * reference_conf_ht
Definition: detect.h:1044
DetectBufferMpmRegistry_::transforms
DetectEngineTransforms transforms
Definition: detect.h:699
DetectEngineCtx_::content_inspect_window
uint32_t content_inspect_window
Definition: detect.h:958
SIG_TYPE_APPLAYER
@ SIG_TYPE_APPLAYER
Definition: detect.h:74
DetectEngineThreadCtx_::counter_fnonmpm_list
uint16_t counter_fnonmpm_list
Definition: detect.h:1162
SigMatchData_::type
uint16_t type
Definition: detect.h:360
DetectEngineCtx_::version
uint32_t version
Definition: detect.h:927
PORT_EQ
@ PORT_EQ
Definition: detect.h:205
DetectMatchAddressIPv4_::ip
uint32_t ip
Definition: detect.h:187
DETECT_TRANSFORMS_MAX
#define DETECT_TRANSFORMS_MAX
Definition: detect.h:46
InspectionBuffer::orig_len
uint32_t orig_len
Definition: detect.h:387
DetectEngineThreadCtx_::varlist
DetectVarList * varlist
Definition: detect.h:1218
Signature_::dsize_low
uint16_t dsize_low
Definition: detect.h:609
DetectPort_::port2
uint16_t port2
Definition: detect.h:219
SignatureNonPrefilterStore_
Definition: detect.h:1080
DetectEngineThreadCtx_::counter_nonmpm_list
uint16_t counter_nonmpm_list
Definition: detect.h:1161
MPMB_TCP_STREAM_TC
@ MPMB_TCP_STREAM_TC
Definition: detect.h:1347
DetectEngineThreadCtx_::events
uint16_t events
Definition: detect.h:1237
AppLayerDecoderEvents_
Data structure to store app layer decoder events.
Definition: app-layer-events.h:35
SigGroupHead
struct SigGroupHead_ SigGroupHead
Container for matching data for a signature group.
DetectMatchAddressIPv6
struct DetectMatchAddressIPv6_ DetectMatchAddressIPv6
DetectUnregisterThreadCtxFuncs
int DetectUnregisterThreadCtxFuncs(DetectEngineCtx *, void *data, const char *name)
Remove Thread keyword context registration.
Definition: detect-engine.c:3622
TransformData_
Definition: detect.h:404
FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR
@ FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR
Definition: detect.h:1327
FLOW_STATES
#define FLOW_STATES
Definition: detect.h:845
Signature_::frame_inspect
DetectEngineFrameInspectionEngine * frame_inspect
Definition: detect.h:651
DetectEnginePktInspectionEngine::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:496
MpmBuiltinBuffers
MpmBuiltinBuffers
Definition: detect.h:1343
DetectPort_::flags
uint8_t flags
Definition: detect.h:221
SigRegisterTests
void SigRegisterTests(void)
Definition: detect.c:4961
DetectThreadCtxGetKeywordThreadCtx
void * DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *, int)
Retrieve thread local keyword ctx by id.
Definition: detect-engine.c:3640
DetectEngineFrameInspectionEngine::Callback
InspectionBufferFrameInspectFunc Callback
Definition: detect.h:520
InspectionBufferMultipleForList::size
uint32_t size
Definition: detect.h:399
DetectEngineCtx_::udp_whitelist
DetectPort * udp_whitelist
Definition: detect.h:989
DetectEngineThreadCtx_::mt_det_ctxs_hash
HashTable * mt_det_ctxs_hash
Definition: detect.h:1121
DetectAddress_::prev
struct DetectAddress_ * prev
Definition: detect.h:174
DETECT_PREFILTER_AUTO
@ DETECT_PREFILTER_AUTO
Definition: detect.h:830
DetectEngineThreadCtx_::keyword_ctxs_size
int keyword_ctxs_size
Definition: detect.h:1231
PrefilterEngine_::is_last_for_progress
bool is_last_for_progress
Definition: detect.h:1429
detect-reference.h
Signature_::gid
uint32_t gid
Definition: detect.h:638
DetectEngineThreadCtx_::lua_rule_errors
uint16_t lua_rule_errors
Definition: detect.h:1240
DetectEngineCtx_::prefilter_id
uint32_t prefilter_id
Definition: detect.h:1015
DetectEngineCtx_::sgh_array_size
uint32_t sgh_array_size
Definition: detect.h:916
SigGroupHeadInitData_::pkt_mpms
MpmCtx ** pkt_mpms
Definition: detect.h:1444
SigString_::sig_error
char * sig_error
Definition: detect.h:803
DetectMatchAddressIPv6_::ip2
uint32_t ip2[4]
Definition: detect.h:193
DetectEngineAppInspectionEngine_::id
uint8_t id
Definition: detect.h:433
PrefilterEngineList_::next
struct PrefilterEngineList_ * next
Definition: detect.h:1393
DetectEngineThreadCtx_::counter_alerts_suppressed
uint16_t counter_alerts_suppressed
Definition: detect.h:1158
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1296
Signature_::next
struct Signature_ * next
Definition: detect.h:674
DetectEngineCtx_::sgh_mpm_context_proto_other_packet
int32_t sgh_mpm_context_proto_other_packet
Definition: detect.h:920
DetectVarList
struct DetectVarList_ DetectVarList
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:436
TENANT_SELECTOR_UNKNOWN
@ TENANT_SELECTOR_UNKNOWN
Definition: detect.h:1520
DetectEngineTenantMapping_::tenant_id
uint32_t tenant_id
Definition: detect.h:1527
InspectionBufferMultipleForList
Definition: detect.h:397
SigFileLoaderStat_::skipped_sigs_total
int skipped_sigs_total
Definition: detect.h:815
DetectBufferMpmType
DetectBufferMpmType
Definition: detect.h:677
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:124
DetectEngineTenantMapping
struct DetectEngineTenantMapping_ DetectEngineTenantMapping
DetectEngineCtx_::prefilter_hash_table
HashListTable * prefilter_hash_table
Definition: detect.h:1016
SigGroupHeadInitData_::score
int score
Definition: detect.h:1440
DetectReplaceList
struct DetectReplaceList_ DetectReplaceList
DetectEngineCtx_::sm_types_silent_error
bool sm_types_silent_error[DETECT_TBLSIZE]
Definition: detect.h:1032
SignaturePropertyFlowAction
SignaturePropertyFlowAction
Definition: detect.h:80
SigString_::TAILQ_ENTRY
TAILQ_ENTRY(SigString_) next
DetectEngineTenantSelectors
DetectEngineTenantSelectors
Definition: detect.h:1519
DetectBufferMpmRegistry_::GetData
InspectionBufferGetDataPtr GetData
Definition: detect.h:705
InspectionBufferPktInspectFunc
int(* InspectionBufferPktInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEnginePktInspectionEngine *engine, const struct Signature_ *s, Packet *p, uint8_t *alert_flags)
Definition: detect.h:475
DetectBufferType
struct DetectBufferType_ DetectBufferType
DetectEngineCtx_::class_conf_regex_match
pcre2_match_data * class_conf_regex_match
Definition: detect.h:1039
DetectEngineThreadCtx_::tx_candidates
RuleMatchCandidateTx * tx_candidates
Definition: detect.h:1206
InspectionBuffer
struct InspectionBuffer InspectionBuffer
SIG_TYPE_PKT
@ SIG_TYPE_PKT
Definition: detect.h:70
DetectEngineCtx_::requirements
SCDetectRequiresStatus * requirements
Definition: detect.h:1055
DetectEngineMasterCtx
struct DetectEngineMasterCtx_ DetectEngineMasterCtx
SignatureInitData_::prefilter_list
int prefilter_list
Definition: detect.h:584
Signature_::addr_src_match4
DetectMatchAddressIPv4 * addr_src_match4
Definition: detect.h:632
ADDRESS_EB
@ ADDRESS_EB
Definition: detect.h:154
SigTableElmt_::TransformValidate
bool(* TransformValidate)(const uint8_t *content, uint16_t content_len, void *context)
Definition: detect.h:1290
Signature_::class_id
uint16_t class_id
Definition: detect.h:624
DetectEngineThreadCtx_::counter_alerts_overflow
uint16_t counter_alerts_overflow
Definition: detect.h:1156
DETECT_FILESTORE_MAX
#define DETECT_FILESTORE_MAX
Definition: detect.h:1078
PrefilterEngineList_::alproto
AppProto alproto
Definition: detect.h:1378
SignatureInitData
struct SignatureInitData_ SignatureInitData
SigGroupHeadInitData_::sig_cnt
SigIntId sig_cnt
Definition: detect.h:1453
SRepCIDRTree_
Definition: reputation.h:35
ENGINE_PROFILE_HIGH
@ ENGINE_PROFILE_HIGH
Definition: detect.h:1066
DetectBufferMpmRegistry_::sgh_mpm_context
int sgh_mpm_context
Definition: detect.h:695
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEnginePktInspectionEngine::sm_list
uint16_t sm_list
Definition: detect.h:490
DetectEngineThreadCtx_::match_array_len
uint32_t match_array_len
Definition: detect.h:1202
DetectBufferMpmRegistry_::GetData
InspectionBufferGetPktDataPtr GetData
Definition: detect.h:717
IPOnlyCIDRItem_::negated
uint8_t negated
Definition: detect.h:332
SignatureInitData_::buffers_size
uint32_t buffers_size
Definition: detect.h:594
PORT_GT
@ PORT_GT
Definition: detect.h:209
DetectEngineThreadCtx_
Definition: detect.h:1104
PrefilterEngine_
Definition: detect.h:1403
MpmStore_
Definition: detect.h:1354
SigGroupHeadInitData_::tx_engines
PrefilterEngineList * tx_engines
Definition: detect.h:1449
SIG_TYPE_IPONLY
@ SIG_TYPE_IPONLY
Definition: detect.h:64
SCProfileKeywordDetectCtx_
Definition: util-profiling-keywords.c:48
SignatureInitData_::mpm_sm
SigMatch * mpm_sm
Definition: detect.h:566
ENGINE_PROFILE_MEDIUM
@ ENGINE_PROFILE_MEDIUM
Definition: detect.h:1065
DetectEngineCtx_::srepCIDR_ctx
SRepCIDRTree * srepCIDR_ctx
Definition: detect.h:863
ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL
Definition: detect.h:1072
SignatureInitData_::src
const DetectAddressHead * src
Definition: detect.h:582
DetectEngineThreadCtx_::tx_candidates_size
uint32_t tx_candidates_size
Definition: detect.h:1207
signature_properties
const struct SignatureProperties signature_properties[SIG_TYPE_MAX]
Definition: detect-engine.c:111
DETECT_SM_LIST_BASE64_DATA
@ DETECT_SM_LIST_BASE64_DATA
Definition: detect.h:121
DetectEngineThreadKeywordCtxItem_::id
int id
Definition: detect.h:823
DetectBufferMpmRegistry_::sm_list
int16_t sm_list
Definition: detect.h:690
DetectEngineThreadCtx_::buffers
InspectionBuffer * buffers
Definition: detect.h:1167
DetectEngineMasterCtx_::keyword_list
DetectEngineThreadKeywordCtxItem * keyword_list
Definition: detect.h:1562
SignatureInitData_::mpm_sm_list
int mpm_sm_list
Definition: detect.h:564
PrefilterEngineList_::PrefilterFrame
PrefilterFrameFn PrefilterFrame
Definition: detect.h:1391
DetectEngineMasterCtx_::tenant_selector
enum DetectEngineTenantSelectors tenant_selector
Definition: detect.h:1553
FILE_DECODER_EVENT_INVALID_SWF_LENGTH
@ FILE_DECODER_EVENT_INVALID_SWF_LENGTH
Definition: detect.h:1318
DetectEngineCtx_::keyword_hash
HashListTable * keyword_hash
Definition: detect.h:953
PrefilterEngineList_::pectx
void * pectx
Definition: detect.h:1387
SignatureInitData_::cidr_dst
IPOnlyCIDRItem * cidr_dst
Definition: detect.h:561
DetectEngineCtx_::last_reload
struct timeval last_reload
Definition: detect.h:1019
SignatureInitData_::list
int list
Definition: detect.h:571
DetectEngineCtx_::failure_fatal
bool failure_fatal
Definition: detect.h:849
Signature_::pkt_inspect
DetectEnginePktInspectionEngine * pkt_inspect
Definition: detect.h:650
DetectEngineAppInspectionEngine_::GetMultiData
InspectionMultiBufferGetDataPtr GetMultiData
Definition: detect.h:443
SCProfileSghData_
Definition: util-profiling-rulegroups.c:37
DetectReplaceList_::next
struct DetectReplaceList_ * next
Definition: detect.h:741
DetectEngineLookupFlow_::sgh
struct SigGroupHead_ * sgh[256]
Definition: detect.h:786
Signature_::references
DetectReference * references
Definition: detect.h:665
PrefilterEngineList_::PrefilterTx
PrefilterTxFn PrefilterTx
Definition: detect.h:1390
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SignatureNonPrefilterStore_::alproto
AppProto alproto
Definition: detect.h:1083
PrefilterEngineList_::gid
uint32_t gid
Definition: detect.h:1400
DetectEngineFrameInspectionEngine::sm_list
uint16_t sm_list
Definition: detect.h:517
DetectEngineThreadCtx_::filestore
struct DetectEngineThreadCtx_::@102 filestore[DETECT_FILESTORE_MAX]
DetectMetadataHead
Definition: detect-metadata.h:39
SCSigSignatureWrapper_
Signature wrapper used by signature ordering module while ordering signatures.
Definition: detect-engine-sigorder.h:45
SigTableElmt
struct SigTableElmt_ SigTableElmt
element in sigmatch type table.
SigMatch
struct SigMatch_ SigMatch
a single match condition for a signature
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:354
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:851
ENGINE_PROFILE_UNKNOWN
@ ENGINE_PROFILE_UNKNOWN
Definition: detect.h:1063
ADDRESS_LE
@ ADDRESS_LE
Definition: detect.h:151
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:376
DetectEngineCtx_::frame_inspect_engines
DetectEngineFrameInspectionEngine * frame_inspect_engines
Definition: detect.h:1011
DetectBufferMpmRegistry_::priority
int priority
Definition: detect.h:692
PrefilterEngineList
struct PrefilterEngineList_ PrefilterEngineList
DetectEngineMasterCtx_::free_list
DetectEngineCtx * free_list
Definition: detect.h:1551
DetectEngineCtx_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1058
ENGINE_PROFILE_CUSTOM
@ ENGINE_PROFILE_CUSTOM
Definition: detect.h:1067
DetectEngineThreadKeywordCtxItem_::next
struct DetectEngineThreadKeywordCtxItem_ * next
Definition: detect.h:822
DetectAddress_::ip2
Address ip2
Definition: detect.h:168
DetectEngineThreadCtx_::non_pf_id_cnt
uint32_t non_pf_id_cnt
Definition: detect.h:1117
PrefilterFrameFn
void(* PrefilterFrameFn)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, const struct Frames *frames, const struct Frame *frame)
Definition: detect.h:1367
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:114
DetectPort_
Port structure for detection engine.
Definition: detect.h:217
SigGroupHead_::init
SigGroupHeadInitData * init
Definition: detect.h:1483
DetectEngineCtx_::ths_ctx
ThresholdCtx ths_ctx
Definition: detect.h:890
DetectEngineCtx_::sig_cnt
uint32_t sig_cnt
Definition: detect.h:857
InspectionBuffer::buf
uint8_t * buf
Definition: detect.h:384
SigTableElmt_::alternative
uint16_t alternative
Definition: detect.h:1306
DetectBufferMpmRegistry_::pkt_v1
struct DetectBufferMpmRegistry_::@88::@91 pkt_v1
SignatureInitData_::cidr_src
IPOnlyCIDRItem * cidr_src
Definition: detect.h:561
Signature_::app_inspect
DetectEngineAppInspectionEngine * app_inspect
Definition: detect.h:649
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:353
DetectReference_
Signature reference list.
Definition: detect-reference.h:30
DetectBufferType_::ValidateCallback
bool(* ValidateCallback)(const struct Signature_ *, const char **sigerror)
Definition: detect.h:466
AlertQueueAppend
void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t alert_flags)
Append signature to local packet alert queue for later preprocessing.
Definition: detect-engine-alert.c:283
SigFileLoaderStat_::bad_sigs_total
int bad_sigs_total
Definition: detect.h:814
SigGroupHeadInitData_::direction
uint32_t direction
Definition: detect.h:1439
DetectLoadCompleteSigPath
char * DetectLoadCompleteSigPath(const DetectEngineCtx *, const char *sig_file)
Create the path if default-rule-path was specified.
Definition: detect-engine-loader.c:62
MpmStore_::direction
int direction
Definition: detect.h:1358
DetectEngineThreadCtx_::base64_decoded_len
int base64_decoded_len
Definition: detect.h:1147
DetectVarList_::next
struct DetectVarList_ * next
Definition: detect.h:758
RuleMatchCandidateTx::stream_result
uint8_t stream_result
Definition: detect.h:1093
Signature_::action
uint8_t action
Definition: detect.h:617
DetectEngineLookupFlow_::udp
DetectPort * udp
Definition: detect.h:785
DetectEngineThreadCtx_::raw_stream_progress
uint64_t raw_stream_progress
Definition: detect.h:1130
PrefilterEngine_::alproto
AppProto alproto
Definition: detect.h:1407
Signature_::flags
uint32_t flags
Definition: detect.h:603
ThresholdCtx_::th_entry
DetectThresholdEntry ** th_entry
Definition: detect.h:796
IPOnlyCIDRItem_::next
struct IPOnlyCIDRItem_ * next
Definition: detect.h:338
DetectEngineCtx_::max_fb_id
uint32_t max_fb_id
Definition: detect.h:908
DetectEngineIPOnlyCtx_::sig_mapping
uint32_t * sig_mapping
Definition: detect.h:779
Packet_
Definition: decode.h:482
DetectEngineFrameInspectionEngine::alproto
AppProto alproto
Definition: detect.h:513
DetectEngineCtx_::sgh_mpm_context_stream
int32_t sgh_mpm_context_stream
Definition: detect.h:921
SignatureNonPrefilterStore
struct SignatureNonPrefilterStore_ SignatureNonPrefilterStore
DetectBufferMpmRegistry
struct DetectBufferMpmRegistry_ DetectBufferMpmRegistry
one time registration of keywords at start up
DetectPort_::last
struct DetectPort_ * last
Definition: detect.h:232
DetectEngineThreadCtx_::frame_id
int64_t frame_id
Definition: detect.h:1188
InspectionBufferFrameInspectFunc
int(* InspectionBufferFrameInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame)
Definition: detect.h:508
DetectEngineCtx_::frame_mpms_list
DetectBufferMpmRegistry * frame_mpms_list
Definition: detect.h:1012
PrefilterEngine_::ctx
union PrefilterEngine_::@103 ctx
TransformData
struct TransformData_ TransformData
DetectEngineCtx_::sgh_mpm_ctx_cnf
uint8_t sgh_mpm_ctx_cnf
Definition: detect.h:949
DetectBufferType_::packet
bool packet
Definition: detect.h:461
SCSigOrderFunc_
Structure holding the signature ordering function used by the signature ordering module.
Definition: detect-engine-sigorder.h:59
PrefilterEngine
struct PrefilterEngine_ PrefilterEngine
MpmStore_::alproto
AppProto alproto
Definition: detect.h:1362
DetectEngineMasterCtx_::multi_tenant_enabled
int multi_tenant_enabled
Definition: detect.h:1539
DetectRegisterThreadCtxFuncs
int DetectRegisterThreadCtxFuncs(DetectEngineCtx *, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int)
Register Thread keyword context Funcs.
Definition: detect-engine.c:3570
DetectEngineThreadCtx_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1151
DetectEngineFrameInspectionEngine
Definition: detect.h:512
ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE
Definition: detect.h:1073
SigFileLoaderStat
struct SigFileLoaderStat_ SigFileLoaderStat
Signature loader statistics.
DetectEngineCtx_::max_uniq_toserver_groups
uint16_t max_uniq_toserver_groups
Definition: detect.h:905
DETECT_BUFFER_MPM_TYPE_PKT
@ DETECT_BUFFER_MPM_TYPE_PKT
Definition: detect.h:678
util-radix-tree.h
TmEcode
TmEcode
Definition: tm-threads-common.h:83
DetectEnginePktInspectionEngine::Callback
InspectionBufferPktInspectFunc Callback
Definition: detect.h:494
PrefilterEngine_::PrefilterFrame
PrefilterFrameFn PrefilterFrame
Definition: detect.h:1423
PrefilterEngine_::frame_type
uint8_t frame_type
Definition: detect.h:1413
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:671
PORT_LT
@ PORT_LT
Definition: detect.h:203
DetectEngineCtx_::profile_keyword_ctx
struct SCProfileKeywordDetectCtx_ * profile_keyword_ctx
Definition: detect.h:965
SigGroupHeadInitData_::max_sig_id
uint32_t max_sig_id
Definition: detect.h:1441
DetectEngineCtx_::sgh_array_cnt
uint32_t sgh_array_cnt
Definition: detect.h:915
DetectEngineThreadCtx_::alert_queue_capacity
uint16_t alert_queue_capacity
Definition: detect.h:1194
SignatureInitData_::negated
bool negated
Definition: detect.h:546
DetectEngineCtx_::filedata_config
struct DetectEngineCtx_::@95 filedata_config[ALPROTO_MAX]
DetectEngineCtx_::sgh_array
struct SigGroupHead_ ** sgh_array
Definition: detect.h:914
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1276
reputation.h
MpmStore
struct MpmStore_ MpmStore
SignatureInitData_
Definition: detect.h:540
SCFPSupportSMList_::priority
int priority
Definition: detect.h:763
HashListTable_
Definition: util-hashlist.h:37
PrefilterTxFn
void(* PrefilterTxFn)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t tx_id, const AppLayerTxData *tx_data, const uint8_t flags)
Definition: detect.h:1371
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:924
SignatureInitData_::dst_contains_negation
bool dst_contains_negation
Definition: detect.h:551
DetectEnginePktInspectionEngine::sm_list_base
uint16_t sm_list_base
Definition: detect.h:491
DetectEngineTransforms::transforms
TransformData transforms[DETECT_TRANSFORMS_MAX]
Definition: detect.h:410
Signature_::addr_dst_match6_cnt
uint16_t addr_dst_match6_cnt
Definition: detect.h:629
SIG_TYPE_DEONLY
@ SIG_TYPE_DEONLY
Definition: detect.h:69
SIG_PROP_FLOW_ACTION_PACKET
@ SIG_PROP_FLOW_ACTION_PACKET
Definition: detect.h:81
DetectEngineThreadCtx
struct DetectEngineThreadCtx_ DetectEngineThreadCtx
SigGroupHead_::frame_engines
PrefilterEngine * frame_engines
Definition: detect.h:1480
SigGroupHeadInitData_::app_mpms
MpmCtx ** app_mpms
Definition: detect.h:1443
FILE_DECODER_EVENT_Z_BUF_ERROR
@ FILE_DECODER_EVENT_Z_BUF_ERROR
Definition: detect.h:1322
DetectEngineFrameInspectionEngine::dir
uint8_t dir
Definition: detect.h:514
DetectEngineTransforms
struct DetectEngineTransforms DetectEngineTransforms
Signature_::sp
DetectPort * sp
Definition: detect.h:643
SIG_TYPE_NOT_SET
@ SIG_TYPE_NOT_SET
Definition: detect.h:63
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition: detect.h:1212
SigString_::filename
char * filename
Definition: detect.h:801
DetectBufferType_::multi_instance
bool multi_instance
Definition: detect.h:464
DETECT_ENGINE_TYPE_TENANT
@ DETECT_ENGINE_TYPE_TENANT
Definition: detect.h:838
RuleMatchCandidateTx::flags
uint32_t * flags
Definition: detect.h:1089
DetectEngineCtx_::dup_sig_hash_table
HashListTable * dup_sig_hash_table
Definition: detect.h:887
DetectEngineCtx_::config_prefix
char config_prefix[64]
Definition: detect.h:971
DetectVarList_::type
int type
Definition: detect.h:754
DetectEngineAppInspectionEngine_::alproto
AppProto alproto
Definition: detect.h:431
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:345
Signature_::class_msg
char * class_msg
Definition: detect.h:663
ThresholdCtx_
threshold ctx
Definition: detect.h:792
DetectPatternTracker::sm_list
int sm_list
Definition: detect.h:733
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:450
SigGroupHeadInitData_::pkt_engines
PrefilterEngineList * pkt_engines
Definition: detect.h:1447
DetectBufferMpmRegistry_::GetMultiData
InspectionMultiBufferGetDataPtr GetMultiData
Definition: detect.h:706
DetectBufferType_::id
int id
Definition: detect.h:458
DetectEngineCtx_::spm_matcher
uint8_t spm_matcher
Definition: detect.h:852
DetectEnginePktInspectionEngine::GetData
InspectionBufferGetPktDataPtr GetData
Definition: detect.h:493
FILE_DECODER_EVENT_Z_DATA_ERROR
@ FILE_DECODER_EVENT_Z_DATA_ERROR
Definition: detect.h:1320
DETECT_ENGINE_TYPE_NORMAL
@ DETECT_ENGINE_TYPE_NORMAL
Definition: detect.h:835
SignatureInitDataBuffer_::tail
SigMatch * tail
Definition: detect.h:537
DetectEngineIPOnlyCtx_::ip_dst
IPOnlyCIDRItem * ip_dst
Definition: detect.h:774
MpmStore_::mpm_ctx
MpmCtx * mpm_ctx
Definition: detect.h:1363
util-file.h
DetectAddressHead_::ipv6_head
DetectAddress * ipv6_head
Definition: detect.h:182
DetectMetadataHashFree
void DetectMetadataHashFree(DetectEngineCtx *de_ctx)
Definition: detect-metadata.c:80
util-prefilter.h
SignatureInitData_::dsize_sm
SigMatch * dsize_sm
Definition: detect.h:558
DetectBufferType_::frame
bool frame
Definition: detect.h:462
File_
Definition: util-file.h:79
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1370
DetectEngineIPOnlyCtx
struct DetectEngineIPOnlyCtx_ DetectEngineIPOnlyCtx
IP only rules matching ctx.
MPMB_TCP_PKT_TC
@ MPMB_TCP_PKT_TC
Definition: detect.h:1345
DetectEngineCtx_::sig_stat
SigFileLoaderStat sig_stat
Definition: detect.h:1022
DetectEngineCtx_::address_table
HashListTable * address_table
Definition: detect.h:992
DetectEngineThreadCtx_::to_clear_queue
uint32_t * to_clear_queue
Definition: detect.h:1170
DetectEngineCtx_::profile_prefilter_ctx
struct SCProfilePrefilterDetectCtx_ * profile_prefilter_ctx
Definition: detect.h:966
PORT_LE
@ PORT_LE
Definition: detect.h:204
TENANT_SELECTOR_DIRECT
@ TENANT_SELECTOR_DIRECT
Definition: detect.h:1521
InspectionBufferMultipleForList
struct InspectionBufferMultipleForList InspectionBufferMultipleForList
util-mpm.h
InspectEngineFuncPtr
uint8_t(* InspectEngineFuncPtr)(struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Definition: detect.h:425
flags
uint8_t flags
Definition: decode-gre.h:0
Signature_::proto
DetectProto proto
Definition: detect.h:621
SigTableElmt_::alias
const char * alias
Definition: detect.h:1309
DetectBufferMpmRegistry_::type
enum DetectBufferMpmType type
Definition: detect.h:694
SigMatchCtx
struct SigMatchCtx_ SigMatchCtx
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
SigGroupHead_::non_pf_other_store_array
SignatureNonPrefilterStore * non_pf_other_store_array
Definition: detect.h:1473
DetectEngineMasterCtx_::keyword_id
int keyword_id
Definition: detect.h:1563
DetectEngineCtx_::app_mpms_list
DetectBufferMpmRegistry * app_mpms_list
Definition: detect.h:1004
suricata-common.h
SigMatch_::idx
uint16_t idx
Definition: detect.h:352
SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
@ SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
Definition: detect.h:83
DetectEngineThreadCtx_::prefilter_bytes_called
uint64_t prefilter_bytes_called
Definition: detect.h:1268
SigString_::line
int line
Definition: detect.h:804
SigGroupHeadInitData_::frame_engines
PrefilterEngineList * frame_engines
Definition: detect.h:1450
SigMatch_::type
uint16_t type
Definition: detect.h:351
DETECT_BUFFER_MPM_TYPE_APP
@ DETECT_BUFFER_MPM_TYPE_APP
Definition: detect.h:679
SigGroupHeadInitData_::payload_engines
PrefilterEngineList * payload_engines
Definition: detect.h:1448
DetectEngineThreadCtx_::tenant_id
uint32_t tenant_id
Definition: detect.h:1107
SigGroupHeadInitData_::match_array
Signature ** match_array
Definition: detect.h:1456
DetectEngineCtx_::buffer_type_hash_name
HashListTable * buffer_type_hash_name
Definition: detect.h:999
DetectEngineCtx_::next
struct DetectEngineCtx_ * next
Definition: detect.h:978
Signature_::dsize_high
uint16_t dsize_high
Definition: detect.h:610
SigGroupHead_::non_pf_other_store_cnt
uint32_t non_pf_other_store_cnt
Definition: detect.h:1471
Signature_::file_flags
uint8_t file_flags
Definition: detect.h:618
DetectBufferMpmRegistry_::name
const char * name
Definition: detect.h:687
detect-metadata.h
DETECT_ENGINE_TYPE_DD_STUB
@ DETECT_ENGINE_TYPE_DD_STUB
Definition: detect.h:836
TENANT_SELECTOR_VLAN
@ TENANT_SELECTOR_VLAN
Definition: detect.h:1522
DetectEngineFrameInspectionEngine::next
struct DetectEngineFrameInspectionEngine * next
Definition: detect.h:525
SigTableElmt_::Transform
void(* Transform)(InspectionBuffer *, void *context)
Definition: detect.h:1289
SignatureInitData_::curbuf
SignatureInitDataBuffer * curbuf
Definition: detect.h:595
DetectEngineThreadCtx_::prefilter_perf_data
struct SCProfilePrefilterData_ * prefilter_perf_data
Definition: detect.h:1264
DetectEnginePrefilterSetting
DetectEnginePrefilterSetting
Definition: detect.h:828
DetectPort_::prev
struct DetectPort_ * prev
Definition: detect.h:230
util-spm.h
DetectEnginePktInspectionEngine::next
struct DetectEnginePktInspectionEngine * next
Definition: detect.h:498
SignatureType
SignatureType
Definition: detect.h:62
SigGroupHeadInitData_::sig_size
uint32_t sig_size
Definition: detect.h:1436
PrefilterEngineList_
Definition: detect.h:1374
SigFileLoaderStat_::total_files
int total_files
Definition: detect.h:812
ADDRESS_GE
@ ADDRESS_GE
Definition: detect.h:155
DetectEngineIPOnlyCtx_::tree_ipv4dst
SCRadixTree * tree_ipv4dst
Definition: detect.h:770
DetectEngineThreadCtx_::frame_inspect_progress
uint64_t frame_inspect_progress
Definition: detect.h:1189
DetectMatchAddressIPv4_::ip2
uint32_t ip2
Definition: detect.h:188
DetectEngineCtx_::profile_match_logging_threshold
uint32_t profile_match_logging_threshold
Definition: detect.h:969
IPOnlyCIDRItem_::ip
uint32_t ip[4]
Definition: detect.h:334
PrefilterEngine_::gid
uint32_t gid
Definition: detect.h:1427
Signature_::rev
uint32_t rev
Definition: detect.h:639
SignatureInitData_::sm_cnt
uint16_t sm_cnt
Definition: detect.h:542
PORT_ES
@ PORT_ES
Definition: detect.h:206
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:856
DETECT_SM_LIST_TMATCH
@ DETECT_SM_LIST_TMATCH
Definition: detect.h:126
DetectEngineCtx_::profile_keyword_ctx_per_list
struct SCProfileKeywordDetectCtx_ ** profile_keyword_ctx_per_list
Definition: detect.h:967
RuleMatchCandidateTx
struct RuleMatchCandidateTx RuleMatchCandidateTx
DetectEngineCtx_::tcp_whitelist
DetectPort * tcp_whitelist
Definition: detect.h:988
DetectEngineCtx_::loader_id
int loader_id
Definition: detect.h:981
TransformData_::transform
int transform
Definition: detect.h:405
DetectEngineCtx_::pkt_inspect_engines
DetectEnginePktInspectionEngine * pkt_inspect_engines
Definition: detect.h:1008
SIG_TYPE_MAX
@ SIG_TYPE_MAX
Definition: detect.h:77
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
Signature_::prio
int prio
Definition: detect.h:640
DetectEngineCtx_::ea
struct EngineAnalysisCtx_ * ea
Definition: detect.h:1049
DetectEngineIPOnlyCtx_::sig_mapping_size
uint32_t sig_mapping_size
Definition: detect.h:780
DetectEngineThreadCtx_::non_pf_id_array
SigIntId * non_pf_id_array
Definition: detect.h:1116
DetectEngineAppInspectionEngine_::progress
int16_t progress
Definition: detect.h:438
DetectEngineThreadKeywordCtxItem_::FreeFunc
void(* FreeFunc)(void *)
Definition: detect.h:820
DetectMatchAddressIPv6_::ip
uint32_t ip[4]
Definition: detect.h:192
FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR
@ FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR
Definition: detect.h:1329
SigGroupHeadInitData
struct SigGroupHeadInitData_ SigGroupHeadInitData
DetectAddress
struct DetectAddress_ DetectAddress
address structure for use in the detection engine.
SpmGlobalThreadCtx_
Definition: util-spm.h:47
DetectEngineCtx_::app_mpms_list_cnt
uint32_t app_mpms_list_cnt
Definition: detect.h:1003
Signature_::addr_src_match6_cnt
uint16_t addr_src_match6_cnt
Definition: detect.h:630
DetectProto_
Definition: detect-engine-proto.h:36
DetectFilestoreData_
Definition: detect-filestore.h:36
SigGroupHeadInitData_
Definition: detect.h:1432
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:377
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:592
DetectEngineCtx_::app_inspect_engines
DetectEngineAppInspectionEngine * app_inspect_engines
Definition: detect.h:1007
SignatureInitData_::dst
const DetectAddressHead * dst
Definition: detect.h:582
DetectEngineCtx_::filemagic_thread_ctx_id
int filemagic_thread_ctx_id
Definition: detect.h:896
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@83 v2
PrefilterEngine_::pectx
void * pectx
Definition: detect.h:1418
DetectEngineThreadCtx_::alert_queue
PacketAlert * alert_queue
Definition: detect.h:1195
DetectEngineThreadCtx_::pcre_match_start_offset
uint32_t pcre_match_start_offset
Definition: detect.h:1137
ADDRESS_LT
@ ADDRESS_LT
Definition: detect.h:150
DetectEngineThreadCtx_::global_keyword_ctxs_size
int global_keyword_ctxs_size
Definition: detect.h:1233
Signature_::dp
DetectPort * dp
Definition: detect.h:643
DetectEngineCtx_::sm_types_prefilter
bool sm_types_prefilter[DETECT_TBLSIZE]
Definition: detect.h:1031
DetectEngineCtx_::mpm_hash_table
HashListTable * mpm_hash_table
Definition: detect.h:883
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:375
DumpPatterns
void DumpPatterns(DetectEngineCtx *de_ctx)
Definition: detect-engine-analyzer.c:1290
Signature_::metadata
DetectMetadataHead * metadata
Definition: detect.h:667
DetectEngineThreadCtx_::tv
ThreadVars * tv
Definition: detect.h:1112
FILE_DECODER_EVENT_Z_STREAM_ERROR
@ FILE_DECODER_EVENT_Z_STREAM_ERROR
Definition: detect.h:1321
MPMB_UDP_TC
@ MPMB_UDP_TC
Definition: detect.h:1349
DetectEngineThreadCtx_::non_pf_store_cnt
uint32_t non_pf_store_cnt
Definition: detect.h:1210
DetectBufferMpmRegistry_::id
int id
Definition: detect.h:693
DetectEngineThreadCtx_::counter_alerts
uint16_t counter_alerts
Definition: detect.h:1154
InspectionBuffer::len
uint32_t len
Definition: detect.h:383
DetectVarList_::key
uint8_t * key
Definition: detect.h:755
DetectEngineThreadCtx_::keyword_ctxs_array
void ** keyword_ctxs_array
Definition: detect.h:1230
SigFileLoaderStat_::good_sigs_total
int good_sigs_total
Definition: detect.h:813
FILE_DECODER_EVENT_NO_MEM
@ FILE_DECODER_EVENT_NO_MEM
Definition: detect.h:1317
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1295
Signature_::addr_dst_match6
DetectMatchAddressIPv6 * addr_dst_match6
Definition: detect.h:634
DetectEngineMasterCtx_
Definition: detect.h:1535
FILE_DECODER_EVENT_LZMA_IO_ERROR
@ FILE_DECODER_EVENT_LZMA_IO_ERROR
Definition: detect.h:1324
Signature_::id
uint32_t id
Definition: detect.h:637
ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO
Definition: detect.h:1074
DetectBufferMpmRegistry_::PrefilterRegisterWithListId
int(* PrefilterRegisterWithListId)(struct DetectEngineCtx_ *de_ctx, struct SigGroupHead_ *sgh, MpmCtx *mpm_ctx, const struct DetectBufferMpmRegistry_ *mpm_reg, int list_id)
Definition: detect.h:697
DetectEngineThreadKeywordCtxItem_::name
const char * name
Definition: detect.h:824
DetectEngineThreadCtx_::base64_decoded_len_max
int base64_decoded_len_max
Definition: detect.h:1148
DetectEngineLookupFlow
struct DetectEngineLookupFlow_ DetectEngineLookupFlow
RuleMatchCandidateTx::stream_reset
uint32_t stream_reset
Definition: detect.h:1095
DisableDetectFlowFileFlags
void DisableDetectFlowFileFlags(Flow *f)
disable file features we don't need Called if we have no detection engine.
Definition: detect.c:1889
DetectBufferType_::transforms
DetectEngineTransforms transforms
Definition: detect.h:467
DetectEngineCtx_::content_limit
uint32_t content_limit
Definition: detect.h:956
DetectEngineType
DetectEngineType
Definition: detect.h:834
SignatureInitData_::score
int score
Definition: detect.h:579
SignatureInitDataBuffer_::id
uint32_t id
Definition: detect.h:529
Signature_
Signature container.
Definition: detect.h:602
SigMatch_
a single match condition for a signature
Definition: detect.h:350
DetectEngineCtx_::tenant_path
char * tenant_path
Definition: detect.h:1052
SCProfilePrefilterData_
Definition: util-profiling-prefilter.c:35
DetectBufferMpmRegistry_::tx_min_progress
int tx_min_progress
Definition: detect.h:709
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:447
DETECT_SM_LIST_MAX
@ DETECT_SM_LIST_MAX
Definition: detect.h:132
detect-threshold.h
SigMatchCtx_::foo
int foo
Definition: detect.h:346
DetectBufferType_::parent_id
int parent_id
Definition: detect.h:459
DETECT_PREFILTER_MPM
@ DETECT_PREFILTER_MPM
Definition: detect.h:829
SignatureMask
#define SignatureMask
Definition: detect.h:309
DetectBufferMpmRegistry_::alproto
AppProto alproto
Definition: detect.h:708
DetectAddress_::next
struct DetectAddress_ * next
Definition: detect.h:176
DetectEngineTenantMapping_::traffic_id
uint32_t traffic_id
Definition: detect.h:1530
SigGroupHeadInitData_::protos
uint8_t protos[256]
Definition: detect.h:1438
DetectMatchAddressIPv6_
Definition: detect.h:191
MPMB_TCP_PKT_TS
@ MPMB_TCP_PKT_TS
Definition: detect.h:1344
DetectMatchAddressIPv4_
Definition: detect.h:186
DetectEngineThreadCtx_::tx_id_set
bool tx_id_set
Definition: detect.h:1185
ENGINE_PROFILE_LOW
@ ENGINE_PROFILE_LOW
Definition: detect.h:1064
AlertQueueFree
void AlertQueueFree(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine-alert.c:235
DetectEnginePktInspectionEngine
struct DetectEnginePktInspectionEngine DetectEnginePktInspectionEngine
DetectEngineThreadCtx_::base64_decoded
uint8_t * base64_decoded
Definition: detect.h:1146
Signature_::dsize_mode
uint8_t dsize_mode
Definition: detect.h:611
DetectEngineLookupFlow_
Definition: detect.h:783
DetectEngineCtx_::filedata_config_initialized
bool filedata_config_initialized
Definition: detect.h:946
FILE_DECODER_EVENT_LZMA_XZ_ERROR
@ FILE_DECODER_EVENT_LZMA_XZ_ERROR
Definition: detect.h:1328
DetectEngineCtx_::content_inspect_min_size
uint32_t content_inspect_min_size
Definition: detect.h:957
DetectEngineTransforms::cnt
int cnt
Definition: detect.h:411
PrefilterEngine_::is_last
bool is_last
Definition: detect.h:1428
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1228
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:865
SigGroupHead_::non_pf_syn_store_array
SignatureNonPrefilterStore * non_pf_syn_store_array
Definition: detect.h:1475
PacketAlert_
Definition: decode.h:248
PrefilterEngineList_::tx_min_progress
uint8_t tx_min_progress
Definition: detect.h:1381
DetectEngineAppInspectionEngine_::dir
uint8_t dir
Definition: detect.h:432
DETECT_BUFFER_MPM_TYPE_SIZE
@ DETECT_BUFFER_MPM_TYPE_SIZE
Definition: detect.h:682
DETECT_ENGINE_TYPE_MT_STUB
@ DETECT_ENGINE_TYPE_MT_STUB
Definition: detect.h:837
SignatureNonPrefilterStore_::mask
SignatureMask mask
Definition: detect.h:1082
DetectEngineCtx_::buffer_type_id
uint32_t buffer_type_id
Definition: detect.h:1001
Signature
struct Signature_ Signature
Signature container.
DetectEngineIPOnlyCtx_
IP only rules matching ctx.
Definition: detect.h:768
FILE_DECODER_EVENT_Z_UNKNOWN_ERROR
@ FILE_DECODER_EVENT_Z_UNKNOWN_ERROR
Definition: detect.h:1323
DetectEngineCtx_::sigerror
const char * sigerror
Definition: detect.h:939
DetectBufferType_::SetupCallback
void(* SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *)
Definition: detect.h:465
DetectEngineThreadCtx_::mt_det_ctxs_cnt
uint32_t mt_det_ctxs_cnt
Definition: detect.h:1119
DetectMetadataHashInit
int DetectMetadataHashInit(DetectEngineCtx *de_ctx)
Definition: detect-metadata.c:69
DetectEngineMasterCtx_::lock
SCMutex lock
Definition: detect.h:1536
DetectEnginePktInspectionEngine::mpm
bool mpm
Definition: detect.h:489
DetectEngineCtx_::spm_global_thread_ctx
SpmGlobalThreadCtx * spm_global_thread_ctx
Definition: detect.h:900
DetectFlowbitsAnalyze
int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
Definition: detect-flowbits.c:419
SigGroupHead_::pkt_engines
PrefilterEngine * pkt_engines
Definition: detect.h:1477
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:850
SIG_PROP_FLOW_ACTION_FLOW
@ SIG_PROP_FLOW_ACTION_FLOW
Definition: detect.h:82
DetectEngineThreadCtx_::replist
DetectReplaceList * replist
Definition: detect.h:1216
SignatureInitData_::transforms
DetectEngineTransforms transforms
Definition: detect.h:574
FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR
@ FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR
Definition: detect.h:1325
SigString_::sig_str
char * sig_str
Definition: detect.h:802
DetectEngineCtx_::io_ctx
DetectEngineIPOnlyCtx io_ctx
Definition: detect.h:889
PrefilterEngine_::PrefilterTx
PrefilterTxFn PrefilterTx
Definition: detect.h:1422
DetectMatchAddressIPv4
struct DetectMatchAddressIPv4_ DetectMatchAddressIPv4
DetectEngineCtx_::rule_line
int rule_line
Definition: detect.h:937
MpmCtx_
Definition: util-mpm.h:88
Signature_::addr_dst_match4
DetectMatchAddressIPv4 * addr_dst_match4
Definition: detect.h:631
Signature_::msg
char * msg
Definition: detect.h:660
flow.h
FILE_DECODER_EVENT_INVALID_SWF_VERSION
@ FILE_DECODER_EVENT_INVALID_SWF_VERSION
Definition: detect.h:1319
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
SignatureInitDataBuffer_
Definition: detect.h:528
Signature_::addr_src_match4_cnt
uint16_t addr_src_match4_cnt
Definition: detect.h:628
SigIntId
#define SigIntId
Definition: suricata-common.h:315
FILE_DECODER_EVENT_LZMA_DECODER_ERROR
@ FILE_DECODER_EVENT_LZMA_DECODER_ERROR
Definition: detect.h:1326
DetectEngineAppInspectionEngine
struct DetectEngineAppInspectionEngine_ DetectEngineAppInspectionEngine
TENANT_SELECTOR_LIVEDEV
@ TENANT_SELECTOR_LIVEDEV
Definition: detect.h:1523
Signature_::addr_dst_match4_cnt
uint16_t addr_dst_match4_cnt
Definition: detect.h:627
DetectEngineFrameInspectionEngine::type
uint8_t type
Definition: detect.h:515
DetectEngineFrameInspectionEngine::v1
struct DetectEngineFrameInspectionEngine::@87 v1
DetectSigmatchListEnum
DetectSigmatchListEnum
Definition: detect.h:112
DetectEngineMasterCtx_::version
uint32_t version
Definition: detect.h:1542
DetectEngineCtx_::sig_array_len
uint32_t sig_array_len
Definition: detect.h:866
DetectEngineCtx_::metadata_table
HashTable * metadata_table
Definition: detect.h:995
DetectEngineIPOnlyCtx_::tree_ipv6src
SCRadixTree * tree_ipv6src
Definition: detect.h:771
Signature_::type
enum SignatureType type
Definition: detect.h:605
DetectEngineCtx_::signum
uint32_t signum
Definition: detect.h:868
DetectEngineCtx_::tenant_id
uint32_t tenant_id
Definition: detect.h:854
SigGroupHead_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1466
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:593
IPOnlyCIDRItem_::signum
SigIntId signum
Definition: detect.h:335
SigFileLoaderStat_
Signature loader statistics.
Definition: detect.h:809
DetectAddress_::flags
uint8_t flags
Definition: detect.h:171
DetectEngineCtx_::buffer_type_hash_id
HashListTable * buffer_type_hash_id
Definition: detect.h:1000
DetectEngineCtx_::base64_decode_max_len
uint32_t base64_decode_max_len
Definition: detect.h:934
DetectEngineLookupFlow_::tcp
DetectPort * tcp
Definition: detect.h:784
ThresholdCtx
struct ThresholdCtx_ ThresholdCtx
threshold ctx
DETECT_SM_LIST_SUPPRESS
@ DETECT_SM_LIST_SUPPRESS
Definition: detect.h:129
SCMutex
#define SCMutex
Definition: threads-debug.h:114
ADDRESS_ER
@ ADDRESS_ER
Definition: detect.h:149
DetectEngineCtx_::fp_support_smlist_list
SCFPSupportSMList * fp_support_smlist_list
Definition: detect.h:1026
SIG_TYPE_PDONLY
@ SIG_TYPE_PDONLY
Definition: detect.h:68
InspectionBufferMultipleForList::inspection_buffers
InspectionBuffer * inspection_buffers
Definition: detect.h:398
MpmStore_::sgh_mpm_context
int32_t sgh_mpm_context
Definition: detect.h:1361
InspectionBufferMultipleForList::max
uint32_t max
Definition: detect.h:400
DetectAddressHead_::ipv4_head
DetectAddress * ipv4_head
Definition: detect.h:181
PORT_EB
@ PORT_EB
Definition: detect.h:207
SignatureProperties::flow_action
enum SignaturePropertyFlowAction flow_action
Definition: detect.h:87
SigGroupHead_::id
uint32_t id
Definition: detect.h:1468
IPOnlyCIDRItem_::family
uint8_t family
Definition: detect.h:328
DetectEngineThreadCtx_::counter_mpm_list
uint16_t counter_mpm_list
Definition: detect.h:1160
DetectEngineThreadCtx_::prefilter_bytes
uint64_t prefilter_bytes
Definition: detect.h:1266
DetectEngineFrameInspectionEngine
struct DetectEngineFrameInspectionEngine DetectEngineFrameInspectionEngine
SigMatchData
struct SigMatchData_ SigMatchData
Data needed for Match()
MpmStore_::buffer
enum MpmBuiltinBuffers buffer
Definition: detect.h:1359
DetectEngineThreadCtx_::tenant_array_size
uint32_t tenant_array_size
Definition: detect.h:1124
DetectEngineThreadCtx_::tenant_array
struct DetectEngineTenantMapping_ * tenant_array
Definition: detect.h:1123
DetectEngineCtx_::sc_sig_order_funcs
struct SCSigOrderFunc_ * sc_sig_order_funcs
Definition: detect.h:875
MpmCtxFactoryContainer_
Definition: util-mpm.h:125
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1300
DetectEngineThreadCtx_::file_id
uint32_t file_id
Definition: detect.h:1224
DetectEngineThreadCtx_::mt_det_ctxs
struct DetectEngineThreadCtx_ ** mt_det_ctxs
Definition: detect.h:1120
Signature_::mask
SignatureMask mask
Definition: detect.h:613
RuleMatchCandidateTx
Definition: detect.h:1087
SIG_TYPE_LIKE_IPONLY
@ SIG_TYPE_LIKE_IPONLY
Definition: detect.h:65
DetectEngineThreadCtx_::TenantGetId
uint32_t(* TenantGetId)(const void *, const Packet *p)
Definition: detect.h:1126
DetectBufferType_::description
char description[128]
Definition: detect.h:457
DetectEngineIPOnlyCtx_::max_idx
uint32_t max_idx
Definition: detect.h:775
SigGroupHeadInitData_::frame_mpms
MpmCtx ** frame_mpms
Definition: detect.h:1445
DetectBufferMpmRegistry_::pname
char pname[32]
Definition: detect.h:688
SpmThreadCtx_
Definition: util-spm.h:54
PORT_GE
@ PORT_GE
Definition: detect.h:208
DetectEngineFrameInspectionEngine::smd
SigMatchData * smd
Definition: detect.h:524
DetectEngineThreadCtx_::multi_inspect
struct DetectEngineThreadCtx_::@101 multi_inspect
DetectEngineThreadCtx_::match_array
Signature ** match_array
Definition: detect.h:1199