1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #ifndef __DETECT_H__
25 #define __DETECT_H__
26 
27 #include "suricata-common.h"
28 
29 #include "flow.h"
30 
31 #include "detect-engine-proto.h"
32 #include "detect-reference.h"
33 #include "detect-metadata.h"
34 #include "detect-engine-register.h"
35 #include "packet-queue.h"
36 
37 #include "util-prefilter.h"
38 #include "util-mpm.h"
39 #include "util-spm.h"
40 #include "util-hash.h"
41 #include "util-hashlist.h"
42 #include "util-debug.h"
43 #include "util-error.h"
44 #include "util-radix-tree.h"
45 #include "util-file.h"
46 #include "reputation.h"
47 
48 #include "detect-mark.h"
49 
50 #include "stream.h"
51 
52 #include "util-var-name.h"
53 
54 #include "app-layer-events.h"
55 
/** Upper bound, in bytes, on a single rule string.
 *  NOTE(review): presumably sizes the buffer a rule is read into -- confirm
 *  against the rule loader before relying on it. */
#define DETECT_MAX_RULE_SIZE 8192

/** Maximum number of transforms that can be chained on one buffer.
 *  NOTE(review): looks like the capacity bound for DetectEngineTransforms
 *  (see its 'cnt' member below) -- confirm. */
#define DETECT_TRANSFORMS_MAX 16

/** default rule priority if not set through priority keyword or via
 * classtype. */
#define DETECT_DEFAULT_PRIO 3
63 
64 /* forward declarations for the structures from detect-engine-sigorder.h */
65 struct SCSigOrderFunc_;
67 
68 /*
69  The detection engine groups similar signatures/rules together. Internally a
tree of different types of data is created on initialization. This is its
71  global layout:
72 
73  For TCP/UDP
74 
75  - Flow direction
76  -- Protocol
77  -=- Dst port
78 
79  For the other protocols
80 
81  - Flow direction
82  -- Protocol
83 */
84 
85 /* holds the values for different possible lists in struct Signature.
86  * These codes are access points to particular lists in the array
87  * Signature->sm_lists[DETECT_SM_LIST_MAX]. */
91 
/* base64_data keyword uses some hardcoded logic, so it is considered
 * built-in
94  * TODO convert to inspect engine */
96 
97  /* list for post match actions: flowbit set, flowint increment, etc */
99 
100  DETECT_SM_LIST_TMATCH, /**< post-detection tagging */
101 
102  /* lists for alert thresholding and suppression */
105 
107 
108  /* start of dynamically registered lists */
110 };
111 
112 /* used for Signature->list, which indicates which list
113  * we're adding keywords to in cases of sticky buffers like
114  * file_data */
115 #define DETECT_SM_LIST_NOTSET INT_MAX
116 
117 /*
118  * DETECT ADDRESS
119  */
120 
/* a is ... than b: result of comparing address (range) a against b.
 * ADDRESS_ER is -1; the others count up from 0 (ADDRESS_LT) to 6
 * (ADDRESS_GT), so numerically they run from "a entirely below b" to
 * "a entirely above b", with the overlap cases in between. */
enum {
    ADDRESS_ER = -1, /**< error e.g. compare ipv4 and ipv6 */
    ADDRESS_LT,      /**< smaller [aaa] [bbb] */
    ADDRESS_LE,      /**< smaller with overlap [aa[bab]bb] */
    ADDRESS_EQ,      /**< exactly equal [abababab] */
    ADDRESS_ES,      /**< within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]] */
    ADDRESS_EB,      /**< completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]] */
    ADDRESS_GE,      /**< bigger with overlap [bb[aba]aa] */
    ADDRESS_GT,      /**< bigger [bbb] [aaa] */
};
132 
133 #define ADDRESS_FLAG_NOT 0x01 /**< address is negated */
134 
135 /** \brief address structure for use in the detection engine.
136  *
137  * Contains the address information and matching information.
138  */
139 typedef struct DetectAddress_ {
140  /** address data for this group */
143 
144  /** flags affecting this address */
145  uint8_t flags;
146 
147  /** ptr to the previous address in the list */
149  /** ptr to the next address in the list */
152 
153 /** Address grouping head. IPv4 and IPv6 are split out */
154 typedef struct DetectAddressHead_ {
158 
159 
160 typedef struct DetectMatchAddressIPv4_ {
161  uint32_t ip; /**< address in host order, start of range */
162  uint32_t ip2; /**< address in host order, end of range */
164 
165 typedef struct DetectMatchAddressIPv6_ {
166  uint32_t ip[4];
167  uint32_t ip2[4];
169 
170 /*
171  * DETECT PORT
172  */
173 
/* a is ... than b: result of comparing port range a against b. Same
 * value layout as the ADDRESS_* enum above: PORT_ER is -1, PORT_LT is 0
 * and the remaining codes count up to PORT_GT (6). */
enum {
    PORT_ER = -1, /**< error; NOTE(review): comment inherited from the address enum,
                   *   for ports this presumably just means the compare failed -- confirm */
    PORT_LT,      /**< smaller [aaa] [bbb] */
    PORT_LE,      /**< smaller with overlap [aa[bab]bb] */
    PORT_EQ,      /**< exactly equal [abababab] */
    PORT_ES,      /**< within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]] */
    PORT_EB,      /**< completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]] */
    PORT_GE,      /**< bigger with overlap [bb[aba]aa] */
    PORT_GT,      /**< bigger [bbb] [aaa] */
};
185 
186 #define PORT_FLAG_ANY 0x01 /**< 'any' special port */
187 #define PORT_FLAG_NOT 0x02 /**< negated port */
188 #define PORT_SIGGROUPHEAD_COPY 0x04 /**< sgh is a ptr copy */
189 
190 /** \brief Port structure for detection engine */
191 typedef struct DetectPort_ {
192  uint16_t port;
193  uint16_t port2;
194 
195  uint8_t flags; /**< flags for this port */
196 
197  /* signatures that belong in this group
198  *
199  * If the PORT_SIGGROUPHEAD_COPY flag is set, we don't own this pointer
200  * (memory is freed elsewhere).
201  */
202  struct SigGroupHead_ *sh;
203 
204  struct DetectPort_ *prev;
205  struct DetectPort_ *next;
207 
/* Signature flags */
/** \note: additions should be added to the rule analyzer as well */
/* Stored in Signature::flags (a uint32_t, hence BIT_U32). Bit 8 and
 * bits 13-16 are vacant at the moment; keep the gaps in mind before
 * adding a flag at the end. */

#define SIG_FLAG_SRC_ANY BIT_U32(0) /**< source is any */
#define SIG_FLAG_DST_ANY BIT_U32(1) /**< destination is any */
#define SIG_FLAG_SP_ANY BIT_U32(2) /**< source port is any */
#define SIG_FLAG_DP_ANY BIT_U32(3) /**< destination port is any */

#define SIG_FLAG_NOALERT BIT_U32(4) /**< no alert flag is set */
#define SIG_FLAG_DSIZE BIT_U32(5) /**< signature has a dsize setting */
#define SIG_FLAG_APPLAYER BIT_U32(6) /**< signature applies to app layer instead of packets */
#define SIG_FLAG_IPONLY BIT_U32(7) /**< ip only signature */

// vacancy (bit 8)

#define SIG_FLAG_REQUIRE_PACKET BIT_U32(9) /**< signature is requiring packet match */
#define SIG_FLAG_REQUIRE_STREAM BIT_U32(10) /**< signature is requiring stream match */

#define SIG_FLAG_MPM_NEG BIT_U32(11) /**< NOTE(review): presumably "the mpm/fast_pattern content is negated" -- confirm */

#define SIG_FLAG_FLUSH BIT_U32(12) /**< detection logic needs stream flush notification */

// vacancies (bits 13-16)

#define SIG_FLAG_REQUIRE_FLOWVAR BIT_U32(17) /**< signature can only match if a flowbit, flowvar or flowint is available. */

#define SIG_FLAG_FILESTORE BIT_U32(18) /**< signature has filestore keyword */

#define SIG_FLAG_TOSERVER BIT_U32(19) /**< direction flag; also the value stored in SigGroupHeadInitData::direction */
#define SIG_FLAG_TOCLIENT BIT_U32(20) /**< direction flag; also the value stored in SigGroupHeadInitData::direction */

#define SIG_FLAG_TLSSTORE BIT_U32(21) /**< NOTE(review): presumably set by the tls_store keyword, cf. SIG_FLAG_FILESTORE -- confirm */

#define SIG_FLAG_BYPASS BIT_U32(22) /**< NOTE(review): presumably set by the bypass keyword -- confirm */

#define SIG_FLAG_PREFILTER BIT_U32(23) /**< sig is part of a prefilter engine */

/** Proto detect only signature.
 * Inspected once per direction when protocol detection is done. */
#define SIG_FLAG_PDONLY BIT_U32(24)
/** Info for Source and Target identification */
#define SIG_FLAG_SRC_IS_TARGET BIT_U32(25)
/** Info for Source and Target identification */
#define SIG_FLAG_DEST_IS_TARGET BIT_U32(26)

/** convenience mask: either of the two target flags is set */
#define SIG_FLAG_HAS_TARGET (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET)
254 
/* signature init flags.
 * These live in SignatureInitData::init_flags, a separate uint32_t from
 * Signature::flags, which is why the bit numbers below may legitimately
 * collide with the SIG_FLAG_* values above. Never mix the two sets. */
#define SIG_FLAG_INIT_DEONLY BIT_U32(0) /**< decode event only signature */
#define SIG_FLAG_INIT_PACKET BIT_U32(1) /**< signature has matches against a packet (as opposed to app layer) */
#define SIG_FLAG_INIT_FLOW BIT_U32(2) /**< signature has a flow setting */
#define SIG_FLAG_INIT_BIDIREC BIT_U32(3) /**< signature has bidirectional operator */
#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN BIT_U32(4) /**< signature has seen the first ip_proto keyword */
#define SIG_FLAG_INIT_HAS_TRANSFORM BIT_U32(5) /**< NOTE(review): presumably at least one transform was added to the sig -- confirm */
#define SIG_FLAG_INIT_STATE_MATCH BIT_U32(6) /**< signature has matches that require stateful inspection */
#define SIG_FLAG_INIT_NEED_FLUSH BIT_U32(7) /**< NOTE(review): looks like the init-time counterpart of SIG_FLAG_FLUSH -- confirm */
#define SIG_FLAG_INIT_PRIO_EXPLICT BIT_U32(8) /**< priority is explicitly set by the priority keyword (identifier spelling is historical) */
#define SIG_FLAG_INIT_FILEDATA BIT_U32(9) /**< signature has filedata keyword */
#define SIG_FLAG_INIT_DCERPC BIT_U32(10) /**< signature has DCERPC keyword */
267 
/* signature mask flags.
 * Stored in a SignatureMask, which is a uint8_t (see below), so only bits
 * 0-7 are available; bit 6 is currently vacant. */
/** \note: additions should be added to the rule analyzer as well */
#define SIG_MASK_REQUIRE_PAYLOAD BIT_U8(0)
#define SIG_MASK_REQUIRE_FLOW BIT_U8(1)
#define SIG_MASK_REQUIRE_FLAGS_INITDEINIT BIT_U8(2) /* SYN, FIN, RST */
#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL BIT_U8(3) /* URG, ECN, CWR */
#define SIG_MASK_REQUIRE_NO_PAYLOAD BIT_U8(4)
#define SIG_MASK_REQUIRE_DCERPC BIT_U8(5) /* require either SMB+DCE or raw DCE */
// vacancy (bit 6)
#define SIG_MASK_REQUIRE_ENGINE_EVENT BIT_U8(7)

/* for now a uint8_t is enough. Note this is a macro, not a typedef, so
 * widening it means re-checking every BIT_U8() use above. */
#define SignatureMask uint8_t
281 
/* Values for DetectEngineThreadCtx::flags (a uint16_t). 0x0002 is unused. */
#define DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET 0x0001 /**< NOTE(review): presumably marks DetectEngineThreadCtx::frame_id as valid -- confirm */
#define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH 0x0004 /**< NOTE(review): presumably a content match occurred on stream data -- confirm */
284 
/* File inspection requirement bits: which file properties a signature
 * needs before it can be evaluated. Values 0x01..0x80 fill exactly one
 * 8-bit field (NOTE(review): presumably Signature::file_flags -- confirm). */
#define FILE_SIG_NEED_FILE 0x01
#define FILE_SIG_NEED_FILENAME 0x02
#define FILE_SIG_NEED_MAGIC 0x04 /**< need the start of the file */
#define FILE_SIG_NEED_FILECONTENT 0x08
#define FILE_SIG_NEED_MD5 0x10
#define FILE_SIG_NEED_SHA1 0x20
#define FILE_SIG_NEED_SHA256 0x40
#define FILE_SIG_NEED_SIZE 0x80
293 
294 /* Detection Engine flags */
295 #define DE_QUIET 0x01 /**< DE is quiet (esp for unittests) */
296 
297 typedef struct IPOnlyCIDRItem_ {
298  /* address data for this item */
299  uint8_t family;
300  /* netmask in CIDR values (ex. /16 /18 /24..) */
301  uint8_t netmask;
302  /* If this host or net is negated for the signum */
303  uint8_t negated;
304 
305  uint32_t ip[4];
306  SigIntId signum; /**< our internal id */
307 
308  /* linked list, the header should be the biggest network */
310 
312 
313 /** \brief Used to start a pointer to SigMatch context
314  * Should never be dereferenced without casting to something else.
315  */
316 typedef struct SigMatchCtx_ {
317  int foo;
319 
320 /** \brief a single match condition for a signature */
321 typedef struct SigMatch_ {
322  uint16_t type; /**< match type */
323  uint16_t idx; /**< position in the signature */
324  SigMatchCtx *ctx; /**< plugin specific data */
325  struct SigMatch_ *next;
326  struct SigMatch_ *prev;
328 
329 /** \brief Data needed for Match() */
330 typedef struct SigMatchData_ {
331  uint16_t type; /**< match type */
332  uint8_t is_last; /**< Last element of the list */
333  SigMatchCtx *ctx; /**< plugin specific data */
335 
336 struct DetectEngineThreadCtx_;// DetectEngineThreadCtx;
337 
338 /* inspection buffer is a simple structure that is passed between prefilter,
339  * transformation functions and inspection functions.
 * Initially set up with the 'orig' ptr and len; transformations can then take
 * them and fill 'buf'. Multiple transformations can update the buffer,
342  * both growing and shrinking it.
343  * Prefilter and inspection will only deal with 'inspect'. */
344 
345 typedef struct InspectionBuffer {
346  const uint8_t *inspect; /**< active pointer, points either to ::buf or ::orig */
347  uint64_t inspect_offset;
348  uint32_t inspect_len; /**< size of active data. See to ::len or ::orig_len */
349  uint8_t flags; /**< DETECT_CI_FLAGS_* for use with DetectEngineContentInspection */
350 #ifdef DEBUG_VALIDATION
351  bool multi;
352 #endif
353  uint32_t len; /**< how much is in use */
354  uint8_t *buf;
355  uint32_t size; /**< size of the memory allocation */
356 
357  uint32_t orig_len;
358  const uint8_t *orig;
360 
361 /* inspection buffers are kept per tx (in det_ctx), but some protocols
362  * need a bit more. A single TX might have multiple buffers, e.g. files in
363  * SMTP or DNS queries. Since all prefilters+transforms run before the
 * individual rules that need the same buffers, we need a place to store the
365  * transformed data. This array of arrays is that place. */
366 
369  uint32_t size; /**< size in number of elements */
370  uint32_t max:31; /**< max id in use in this run */
371  uint32_t init:1; /**< first time used this run. Used for clean logic */
373 
374 typedef struct TransformData_ {
376  void *options;
378 
379 typedef struct DetectEngineTransforms {
381  int cnt;
383 
384 /** callback for getting the buffer we need to prefilter/inspect */
385 typedef InspectionBuffer *(*InspectionBufferGetDataPtr)(
386  struct DetectEngineThreadCtx_ *det_ctx,
387  const DetectEngineTransforms *transforms,
388  Flow *f, const uint8_t flow_flags,
389  void *txv, const int list_id);
391 
392 typedef int (*InspectEngineFuncPtr2)(
393  struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx,
394  const struct DetectEngineAppInspectionEngine_ *engine,
395  const struct Signature_ *s,
396  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
397 
400  uint8_t dir;
401  uint8_t id; /**< per sig id used in state keeping */
402  bool mpm;
403  bool stream;
404  uint16_t sm_list;
405  uint16_t sm_list_base; /**< base buffer being transformed */
406  int16_t progress;
407 
408  struct {
/** pointer to the transforms in the 'DetectBuffer' entry for this list */
413  } v2;
414 
416 
419 
420 typedef struct DetectBufferType_ {
421  char name[32];
422  char description[128];
423  int id;
425  bool mpm;
426  bool packet; /**< compat to packet matches */
427  bool frame; /**< is about Frame inspection */
429  void (*SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *);
430  bool (*ValidateCallback)(const struct Signature_ *, const char **sigerror);
433 
435 
436 /**
 * \param[out] alert_flags for setting PACKET_ALERT_FLAG_*
438  */
440  struct DetectEngineThreadCtx_ *,
441  const struct DetectEnginePktInspectionEngine *engine,
442  const struct Signature_ *s,
443  Packet *p, uint8_t *alert_flags);
444 
445 /** callback for getting the buffer we need to prefilter/inspect */
446 typedef InspectionBuffer *(*InspectionBufferGetPktDataPtr)(
447  struct DetectEngineThreadCtx_ *det_ctx,
448  const DetectEngineTransforms *transforms,
449  Packet *p, const int list_id);
450 
453  bool mpm;
454  uint16_t sm_list;
455  uint16_t sm_list_base;
456  struct {
/** pointer to the transforms in the 'DetectBuffer' entry for this list */
461  } v1;
464 
/* forward declarations: frames are defined elsewhere and only referenced
 * through pointers in this header */
struct Frame;
struct Frames;
468 
469 /**
 * \param[out] alert_flags for setting PACKET_ALERT_FLAG_*
471  */
473  const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s,
474  Packet *p, const struct Frames *frames, const struct Frame *frame, const uint32_t idx);
475 
478  uint8_t dir;
479  uint8_t type;
480  bool mpm;
481  uint16_t sm_list;
482  uint16_t sm_list_base;
483  struct {
/** pointer to the transforms in the 'DetectBuffer' entry for this list */
487  } v1;
491 
#ifdef UNITTESTS
/* Unit-test shorthands: let tests write s->sm_lists / s->sm_lists_tail for
 * the lists that actually live in SignatureInitData::smlists and
 * smlists_tail. These are plain identifier macros, so in a UNITTESTS build
 * every other use of the identifiers sm_lists / sm_lists_tail is rewritten
 * as well -- do not reuse those names for anything else. */
#define sm_lists init_data->smlists
#define sm_lists_tail init_data->smlists_tail
#endif
496 
497 typedef struct SignatureInitData_ {
498  /** Number of sigmatches. Used for assigning SigMatch::idx */
499  uint16_t sm_cnt;
500 
501  /** option was prefixed with '!'. Only set for sigmatches that
502  * have the SIGMATCH_HANDLE_NEGATION flag set. */
503  bool negated;
504 
505  /* track if we saw any negation in the addresses. If so, we
506  * skip it for ip-only */
509 
510  /* used to hold flags that are used during init */
511  uint32_t init_flags;
512  /* coccinelle: SignatureInitData:init_flags:SIG_FLAG_INIT_ */
513 
514  /* used at init to determine max dsize */
516 
517  /* the fast pattern added from this signature */
519  /* used to speed up init of prefilter */
521 
522  /* SigMatch list used for adding content and friends. E.g. file_data; */
523  int list;
524  bool list_set;
525 
527 
528  /** score to influence rule grouping. A higher value leads to a higher
529  * likelihood of a rulegroup with this sig ending up as a contained
530  * group. */
532 
533  /** address settings for this signature */
535 
537 
539  /* holds all sm lists */
540  struct SigMatch_ **smlists;
541  /* holds all sm lists' tails */
544 
545 /** \brief Signature container */
546 typedef struct Signature_ {
547  uint32_t flags;
548  /* coccinelle: Signature:flags:SIG_FLAG_ */
549 
551 
552  uint16_t dsize_low;
553  uint16_t dsize_high;
554  uint8_t dsize_mode;
555 
557  SigIntId num; /**< signature number, internal id */
558 
559  /** inline -- action */
560  uint8_t action;
561  uint8_t file_flags;
562 
563  /** addresses, ports and proto this sig matches on */
565 
566  /** classification id **/
567  uint16_t class_id;
568 
569  /** ipv4 match arrays */
576  /** ipv6 match arrays */
579 
580  uint32_t id; /**< sid, set by the 'sid' rule keyword */
581  uint32_t gid; /**< generator id */
582  uint32_t rev;
583  int prio;
584 
585  /** port settings for this signature */
587 
588 #ifdef PROFILING
589  uint16_t profiling_id;
590 #endif
591 
592  /** netblocks and hosts specified at the sid, in CIDR format */
594 
598 
599  /* Matching structures for the built-ins. The others are in
600  * their inspect engines. */
602 
603  /* memory is still owned by the sm_lists/sm_arrays entry */
605 
606  char *msg;
607 
608  /** classification message */
609  char *class_msg;
610  /** Reference */
612  /** Metadata */
614 
615  char *sig_str;
616 
618 
619  /** ptr to the next sig in the list */
620  struct Signature_ *next;
622 
627  /* must be last */
629 };
630 
631 /** \brief one time registration of keywords at start up */
633  const char *name;
634  char pname[32]; /**< name used in profiling */
635  int direction; /**< SIG_FLAG_TOSERVER or SIG_FLAG_TOCLIENT */
636  int16_t sm_list;
637  int16_t sm_list_base;
638  int priority;
639  int id; /**< index into this array and result arrays */
642 
644  struct SigGroupHead_ *sgh, MpmCtx *mpm_ctx,
645  const struct DetectBufferMpmRegistery_ *mpm_reg, int list_id);
647 
648  union {
649  /* app-layer matching: use if type == DETECT_BUFFER_MPM_TYPE_APP */
650  struct {
655 
656  /* pkt matching: use if type == DETECT_BUFFER_MPM_TYPE_PKT */
657  struct {
659  struct SigGroupHead_ *sgh, MpmCtx *mpm_ctx,
660  const struct DetectBufferMpmRegistery_ *mpm_reg, int list_id);
663 
664  /* frame matching: use if type == DETECT_BUFFER_MPM_TYPE_FRAME */
665  struct {
667  uint8_t type;
669  };
670 
673 
674 typedef struct DetectReplaceList_ {
676  uint8_t *found;
679 
/** only execute flowvar storage if rule matched */
#define DETECT_VAR_TYPE_FLOW_POSTMATCH 1
/** same, for packet-scoped vars. NOTE(review): DetectVarList::type is
 *  documented as "POSTMATCH or ALWAYS", but no *_ALWAYS value is defined
 *  in this header -- confirm where the other type values come from. */
#define DETECT_VAR_TYPE_PKT_POSTMATCH 2
683 
684 /** list for flowvar store candidates, to be stored from
685  * post-match function */
686 typedef struct DetectVarList_ {
687  uint32_t idx; /**< flowvar name idx */
688  uint16_t len; /**< data len */
689  uint16_t key_len;
690  int type; /**< type of store candidate POSTMATCH or ALWAYS */
691  uint8_t *key;
692  uint8_t *buffer; /**< alloc'd buffer, may be freed by
693  post-match, post-non-match */
696 
697 typedef struct SCFPSupportSMList_ {
698  int list_id;
699  int priority;
702 
704  uint8_t *sig_match_array; /* bit array of sig nums */
705  uint32_t sig_match_size; /* size in bytes of the array */
707 
708 /** \brief IP only rules matching ctx. */
709 typedef struct DetectEngineIPOnlyCtx_ {
710  /* lookup hashes */
713 
714  /* Lookup trees */
717 
718  /* Used to build the radix trees */
720 
721  /* counters */
726 
727  uint32_t max_idx;
728 
729  uint8_t *sig_init_array; /* bit array of sig nums */
730  uint32_t sig_init_size; /* size in bytes of the array */
731 
732  /* number of sigs in this head */
733  uint32_t sig_cnt;
734  uint32_t *match_array;
736 
737 typedef struct DetectEngineLookupFlow_ {
740  struct SigGroupHead_ *sgh[256];
742 
743 #include "detect-threshold.h"
744 
745 /** \brief threshold ctx */
746 typedef struct ThresholdCtx_ {
747  SCMutex threshold_table_lock; /**< Mutex for hash table */
748 
749  /** to support rate_filter "by_rule" option */
751  uint32_t th_size;
753 
754 typedef struct SigString_ {
755  char *filename;
756  char *sig_str;
757  char *sig_error;
758  int line;
761 
762 /** \brief Signature loader statistics */
763 typedef struct SigFileLoaderStat_ {
764  TAILQ_HEAD(, SigString_) failed_sigs;
770 
772  void *(*InitFunc)(void *);
773  void (*FreeFunc)(void *);
774  void *data;
776  int id;
777  const char *name; /* keyword name, for error printing */
779 
781 {
782  DETECT_PREFILTER_MPM = 0, /**< use only mpm / fast_pattern */
783  DETECT_PREFILTER_AUTO = 1, /**< use mpm + keyword prefilters */
784 };
785 
787 {
789  DETECT_ENGINE_TYPE_DD_STUB = 1, /* delayed detect stub: can be reloaded */
790  DETECT_ENGINE_TYPE_MT_STUB = 2, /* multi-tenant stub: cannot be reloaded */
792 };
793 
794 /* Flow states:
795  * toserver
796  * toclient
797  */
798 #define FLOW_STATES 2
799 
800 /** \brief main detection engine ctx */
801 typedef struct DetectEngineCtx_ {
802  uint8_t flags;
804 
806 
808  uint32_t sig_cnt;
809 
810  /* version of the srep data */
811  uint32_t srep_version;
812 
813  /* reputation for netblocks */
815 
817  uint32_t sig_array_size; /* size in bytes */
818  uint32_t sig_array_len; /* size in array members */
819 
820  uint32_t signum;
821 
822  /** Maximum value of all our sgh's non_mpm_store_cnt setting,
823  * used to alloc det_ctx::non_mpm_id_array */
825 
826  /* used by the signature ordering module */
828 
829  /* hash table used for holding the classification config info */
831  /* hash table used for holding the reference config info */
833 
834  /* main sigs */
836 
837  uint32_t gh_unique, gh_reuse;
838 
839  /* init phase vars */
841 
844 
845  /* hash table used to cull out duplicate sigs */
847 
850 
851  uint16_t mpm_matcher; /**< mpm matcher this ctx uses */
852  uint16_t spm_matcher; /**< spm matcher this ctx uses */
853 
854  /* spm thread context prototype, built as spm matchers are constructed and
855  * later used to construct thread context for each thread. */
857 
858  /* Config options */
859 
862 
863  /* specify the configuration for mpm context factory */
865 
866  /* max flowbit id that is used */
867  uint32_t max_fb_id;
868 
869  uint32_t max_fp_id;
870 
872 
873  /* maximum recursion depth for content inspection */
875 
876  /* conf parameter that limits the length of the http request body inspected */
878  /* conf parameter that limits the length of the http response body inspected */
880 
881  /* array containing all sgh's in use so we can loop
882  * through it in Stage4. */
884  uint32_t sgh_array_cnt;
885  uint32_t sgh_array_size;
886 
891 
892  /* the max local id used amongst all sigs */
894 
895  /** version of the detect engine. The version is incremented on reloads */
896  uint32_t version;
897 
898  /** sgh for signatures that match against invalid packets. In those cases
899  * we can't lookup by proto, address, port as we don't have these */
901 
902  /* Maximum size of the buffer for decoded base64 data. */
904 
905  /** Store rule file and line so that parsers can use them in errors. */
906  char *rule_file;
910  const char *sigerror;
911 
912  /** list of keywords that need thread local ctxs */
915 
916  struct {
917  uint32_t content_limit;
922 
923 #ifdef PROFILING
930 #endif
931  uint32_t prefilter_maxid;
932 
933  char config_prefix[64];
934 
935  enum DetectEngineType type;
936 
937  /** how many de_ctx' are referencing this */
938  uint32_t ref_cnt;
939  /** list in master: either active or freelist */
941 
942  /** id of loader thread 'owning' this de_ctx */
944 
945  /** are we using just mpm or also other prefilters */
947 
949 
952 
953  /** table for storing the string representation with the parsers result */
955 
956  /** table to store metadata keys and values */
958 
959  /* hash tables with rule-time buffer registration. Start time registration
960  * is in detect-engine.c::g_buffer_type_hash */
963  uint32_t buffer_type_id;
964 
965  /* list with app inspect engines. Both the start-time registered ones and
966  * the rule-time registered ones. */
976 
977  uint32_t prefilter_id;
979 
980  /** time of last ruleset reload */
981  struct timeval last_reload;
982 
983  /** signatures stats */
985 
986  /** per keyword flag indicating if a prefilter has been
987  * set for it. If true, the setup function will have to
988  * run. */
991 
992  /* list of Fast Pattern registrations. Initially filled using a copy of
993  * `g_fp_support_smlist_list`, then extended at rule loading time if needed */
996 
997 /* Engine groups profiles (low, medium, high, custom) */
998 enum {
1005 };
1006 
1007 /* Siggroup mpm context profile */
1008 enum {
1012 #define ENGINE_SGH_MPM_FACTORY_CONTEXT_START_ID_RANGE (ENGINE_SGH_MPM_FACTORY_CONTEXT_AUTO + 1)
1013 };
1014 
1015 typedef struct HttpReassembledBody_ {
1016  const uint8_t *buffer;
1018  uint32_t buffer_size; /**< size of the buffer itself */
1019  uint32_t buffer_len; /**< data len in the buffer */
1021  uint64_t offset; /**< data offset */
1023 
1024 #define DETECT_FILESTORE_MAX 15
1029  uint8_t alproto;
1031 
1032 /** array of TX inspect rule candidates */
1033 typedef struct RuleMatchCandidateTx {
1034  SigIntId id; /**< internal signature id */
1035  uint32_t *flags; /**< inspect flags ptr */
1036  union {
1037  struct {
1039  uint8_t stream_result;
1040  };
1041  uint32_t stream_reset;
1042  };
1043 
1044  const Signature *s; /**< ptr to sig */
1046 
1047 /**
1048  * Detection engine thread data.
1049  */
1050 typedef struct DetectEngineThreadCtx_ {
1051  /** \note multi-tenant hash lookup code from Detect() *depends*
1052  * on this being the first member */
1053  uint32_t tenant_id;
1054 
1055  /* the thread to which this detection engine thread belongs */
1057 
1058  /** Array of non-prefiltered sigs that need to be evaluated. Updated
1059  * per packet based on the rule group and traffic properties. */
1061  uint32_t non_pf_id_cnt; // size is cnt * sizeof(uint32_t)
1062 
1066 
1069 
1070  uint32_t (*TenantGetId)(const void *, const Packet *p);
1071 
1072  /* detection engine variables */
1073 
1075 
1076  /** offset into the payload of the last match by:
1077  * content, pcre, etc */
1078  uint32_t buffer_offset;
1079  /* used by pcre match function alone */
1081 
1082  /* counter for the filestore array below -- up here for cache reasons. */
1083  uint16_t filestore_cnt;
1084 
1085  /** id for alert counter */
1086  uint16_t counter_alerts;
1087 #ifdef PROFILING
1092 #endif
1093 
1094  int inspect_list; /**< list we're currently inspecting, DETECT_SM_LIST_* */
1095 
1096  struct {
1098  uint32_t buffers_size; /**< in number of elements */
1099  uint32_t to_clear_idx;
1100  uint32_t *to_clear_queue;
1102 
1103  struct {
1104  /** inspection buffers for more complex case. As we can inspect multiple
1105  * buffers in parallel, we need this extra wrapper struct */
1107  uint32_t buffers_size; /**< in number of elements */
1108  uint32_t to_clear_idx;
1109  uint32_t *to_clear_queue;
1111 
1112  /* used to discontinue any more matching */
1114  uint16_t flags; /**< DETECT_ENGINE_THREAD_CTX_* flags */
1115 
1116  /* true if tx_id is set */
1118  /** ID of the transaction currently being inspected. */
1119  uint64_t tx_id;
1120  int64_t frame_id;
1122 
1123  SC_ATOMIC_DECLARE(int, so_far_used_by_detect);
1124 
1125  /* holds the current recursion depth on content inspection */
1127 
1128  /** array of signature pointers we're going to inspect in the detection
1129  * loop. */
/** size of the array in items (mem size is items * sizeof(Signature *)).
1132  * Only used during initialization. */
1134  /** size in use */
1136 
1139 
1142 
1143  /** pointer to the current mpm ctx that is stored
1144  * in a rule group head -- can be either a content
1145  * or uricontent ctx. */
1146  MpmThreadCtx mtc; /**< thread ctx for the mpm */
1147  MpmThreadCtx mtcu; /**< thread ctx for uricontent mpm */
1148  MpmThreadCtx mtcs; /**< thread ctx for stream mpm */
1150 
1151  /** SPM thread context used for scanning. This has been cloned from the
1152  * prototype held by DetectEngineCtx. */
1154 
1155  /** ip only rules ctx */
1157 
1158  /* byte_* values */
1159  uint64_t *byte_values;
1160 
1161  /* string to replace */
1163  /* vars to store in post match function */
1165 
1166  /* Array in which the filestore keyword stores file id and tx id. If the
1167  * full signature matches, these are processed by a post-match filestore
1168  * function to finalize the store. */
1169  struct {
1170  uint32_t file_id;
1171  uint64_t tx_id;
1173 
1175  /** store for keyword contexts that need a per thread storage. Per de_ctx. */
1178  /** store for keyword contexts that need a per thread storage. Global. */
1181 
1182  uint8_t *base64_decoded;
1185 
1187  uint16_t events;
1188 
1189 #ifdef DEBUG
1190  uint64_t pkt_stream_add_cnt;
1191  uint64_t payload_mpm_cnt;
1192  uint64_t payload_mpm_size;
1193  uint64_t stream_mpm_cnt;
1194  uint64_t stream_mpm_size;
1195  uint64_t payload_persig_cnt;
1196  uint64_t payload_persig_size;
1197  uint64_t stream_persig_cnt;
1198  uint64_t stream_persig_size;
1199 #endif
1200 #ifdef PROFILING
1205  int keyword_perf_list; /**< list we're currently inspecting, DETECT_SM_LIST_* */
1207 
1210 #endif
1212 
1213 /** \brief element in sigmatch type table.
1214  */
1215 typedef struct SigTableElmt_ {
1216  /** Packet match function pointer */
1217  int (*Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *);
1218 
1219  /** AppLayer TX match function pointer */
1221  uint8_t flags, void *alstate, void *txv,
1222  const Signature *, const SigMatchCtx *);
1223 
1224  /** File match function pointer */
1226  Flow *, /**< *LOCKED* flow */
1227  uint8_t flags, File *, const Signature *, const SigMatchCtx *);
1228 
1229  /** InspectionBuffer transformation callback */
1230  void (*Transform)(InspectionBuffer *, void *context);
1231  bool (*TransformValidate)(const uint8_t *content, uint16_t content_len, void *context);
1232 
1233  /** keyword setup function pointer */
1234  int (*Setup)(DetectEngineCtx *, Signature *, const char *);
1235 
1236  bool (*SupportsPrefilter)(const Signature *s);
1238 
1239  void (*Free)(DetectEngineCtx *, void *);
1240 #ifdef UNITTESTS
1241  void (*RegisterTests)(void);
1242 #endif
1243  uint16_t flags;
1244  /* coccinelle: SigTableElmt:flags:SIGMATCH_ */
1245 
1246  /** better keyword to replace the current one */
1247  uint16_t alternative;
1248 
1249  const char *name; /**< keyword name alias */
1250  const char *alias; /**< name alias */
1251  const char *desc;
1252  const char *url;
1253 
1255 
1256 /* event code */
1257 enum {
1258 #ifdef UNITTESTS
1260 #endif
1275 
1277 };
1278 
/* SigGroupHead flag bits (BIT_U32, i.e. a 32-bit field). Only bit 0 and
 * bits 20-24 are defined here; bits 1-19 are not assigned in this header.
 * SIG_GROUP_HEAD_HAVEFILEMAGIC only exists when HAVE_MAGIC is defined, so
 * any user must be guarded the same way. */
#define SIG_GROUP_HEAD_HAVERAWSTREAM BIT_U32(0)
#ifdef HAVE_MAGIC
#define SIG_GROUP_HEAD_HAVEFILEMAGIC BIT_U32(20)
#endif
#define SIG_GROUP_HEAD_HAVEFILEMD5 BIT_U32(21)
#define SIG_GROUP_HEAD_HAVEFILESIZE BIT_U32(22)
#define SIG_GROUP_HEAD_HAVEFILESHA1 BIT_U32(23)
#define SIG_GROUP_HEAD_HAVEFILESHA256 BIT_U32(24)
1297 };
1298 
1299 typedef struct MpmStore_ {
1300  uint8_t *sid_array;
1301  uint32_t sid_array_size;
1302 
1305  int sm_list;
1307 
1309 
1311 
1312 typedef void (*PrefilterFrameFn)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
1313  const struct Frames *frames, const struct Frame *frame, const uint32_t idx);
1314 
/** Registration-time form of a prefilter engine (a linked list; the symbol index
 * places `alproto` at line 1319 and `next` at 1336, both omitted here, as are
 * lines 1322, 1334 and the closing typedef name).
 * Ownership: pectx is released through Free; with Free == NULL it is deliberately
 * not freed here, so the registering keyword presumably keeps ownership — confirm. */
1315 typedef struct PrefilterEngineList_ {
1316  uint16_t id;
1317 
1318  /** App Proto this engine applies to: only used with Tx Engines */
1320  /** Minimal Tx progress we need before running the engine. Only used
1321  * with Tx Engine */
1323 
1324  uint8_t frame_type;
1325 
1326  /** Context for matching. Might be MpmCtx for MPM engines, other ctx'
1327  * for other engines. */
1328  void *pectx;
1329 
1330  void (*Prefilter)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx);
1331  void (*PrefilterTx)(DetectEngineThreadCtx *det_ctx, const void *pectx,
1332  Packet *p, Flow *f, void *tx,
1333  const uint64_t idx, const uint8_t flags);
1335 
1337 
1338  /** Free function for pectx data. If NULL the memory is not freed. */
1339  void (*Free)(void *pectx);
1340 
 /* NOTE(review): name is a borrowed pointer — nothing here frees it, so it is
  * presumably a string literal supplied by the registering keyword; confirm. */
1341  const char *name;
1342  /* global id for this prefilter */
1343  uint32_t gid;
1345 
/** Compiled (array) form of a prefilter engine, built from PrefilterEngineList_.
 * Lines 1350, 1355 (`tx_min_progress` per the symbol index), 1368, 1374
 * (`is_last_for_progress`) and the closing typedef name are omitted here.
 * This struct has no Free member: pectx ownership presumably stays with the
 * PrefilterEngineList_ entry it was copied from — confirm before freeing. */
1346 typedef struct PrefilterEngine_ {
1347  uint16_t local_id;
1348 
1349  /** App Proto this engine applies to: only used with Tx Engines */
1351 
 /* NOTE(review): which member of ctx and cb is live depends on the engine kind
  * (packet / tx / frame); nothing in this struct records it, so callers must
  * derive it from how the engine array was built. Reading the wrong member is
  * a type confusion, not a detectable error. */
1352  union {
1353  /** Minimal Tx progress we need before running the engine. Only used
1354  * with Tx Engine */
1356  uint8_t frame_type;
1357  } ctx;
1358 
1359  /** Context for matching. Might be MpmCtx for MPM engines, other ctx'
1360  * for other engines. */
1361  void *pectx;
1362 
1363  union {
1364  void (*Prefilter)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx);
1365  void (*PrefilterTx)(DetectEngineThreadCtx *det_ctx, const void *pectx,
1366  Packet *p, Flow *f, void *tx,
1367  const uint64_t idx, const uint8_t flags);
1369  } cb;
1370 
1371  /* global id for this prefilter */
1372  uint32_t gid;
 /** presumably marks the last entry of the engine array (loop terminator) — confirm */
1373  bool is_last;
1376 
/** Build-time data of a signature group (SigGroupHead_::init_data is described
 * below as "only use at init"). Lines 1378 (`mpm_store[MPMB_MAX]`), 1387-1394,
 * 1397 (`sig_cnt`), 1400, 1403 (`port`) and the closing typedef name are omitted
 * from this listing.
 * NOTE(review): sig_array is a bit array and sig_size is in bytes, so a signature
 * number must satisfy num < sig_size * 8 before being tested or set. */
1377 typedef struct SigGroupHeadInitData_ {
1379 
1380  uint8_t *sig_array; /**< bit array of sig nums (internal id's) */
1381  uint32_t sig_size; /**< size in bytes */
1382 
 /* one slot per 8-bit IP protocol number — name-derived; confirm the indexing */
1383  uint8_t protos[256]; /**< proto(s) this sgh is for */
1384  uint32_t direction; /**< set to SIG_FLAG_TOSERVER, SIG_FLAG_TOCLIENT or both */
1385  int whitelist; /**< try to make this group a unique one */
1386 
1390 
1395 
1396  /** number of sigs in this group */
1398 
1399  /** Array with sig ptrs... size is sig_cnt * sizeof(Signature *) */
1401 
1402  /* port ptr */
1405 
1406 /** \brief Container for matching data for a signature group */
/* Lines 1412-1413 (the *_store_cnt counters; the symbol index lists
 * non_pf_syn_store_cnt at 1413), 1424-1427 (engine arrays), 1430 (init_data)
 * and the closing typedef name are omitted from this listing. */
1407 typedef struct SigGroupHead_ {
1408  uint32_t flags;
1409  /* coccinelle: SigGroupHead:flags:SIG_GROUP_HEAD_ */
1410 
1411  /* non prefilter list excluding SYN rules */
 /* NOTE(review): the array lengths live in the counters omitted above; every
  * iteration over these arrays must be bounded by the matching *_store_cnt. */
1414  SignatureNonPrefilterStore *non_pf_other_store_array; // size is non_mpm_store_cnt * sizeof(SignatureNonPrefilterStore)
1415  /* non mpm list including SYN rules */
1416  SignatureNonPrefilterStore *non_pf_syn_store_array; // size is non_mpm_syn_store_cnt * sizeof(SignatureNonPrefilterStore)
1417 
1418  /** the number of signatures in this sgh that have the filestore keyword
1419  * set. */
 /* 16-bit counter: presumably bounded by the group-build code — confirm */
1420  uint16_t filestore_cnt;
1421 
1422  uint32_t id; /**< unique id used to index sgh_array for stats */
1423 
1428 
1429  /* ptr to our init data we only use at... init :) */
1431 
/** Bits of SigTableElmt::flags (a uint16_t; coccinelle marker
 * SigTableElmt:flags:SIGMATCH_). Bits 0-11 are assigned here, leaving four
 * free bits in the field. */
1434 /** sigmatch has no options, so the parser shouldn't expect any */
1435 #define SIGMATCH_NOOPT BIT_U16(0)
1436 /** sigmatch is compatible with a ip only rule */
1437 #define SIGMATCH_IPONLY_COMPAT BIT_U16(1)
1438 /** sigmatch is compatible with a decode event only rule */
1439 #define SIGMATCH_DEONLY_COMPAT BIT_U16(2)
1440 /** Flag to indicate that the signature is not built-in */
1441 #define SIGMATCH_NOT_BUILT BIT_U16(3)
1442 /** sigmatch may have options, so the parser should be ready to
1443  * deal with both cases */
1444 #define SIGMATCH_OPTIONAL_OPT BIT_U16(4)
1445 /** input may be wrapped in double quotes. They will be stripped before
1446  * input data is passed to keyword parser */
1447 #define SIGMATCH_QUOTES_OPTIONAL BIT_U16(5)
1448 /** input MUST be wrapped in double quotes. They will be stripped before
1449  * input data is passed to keyword parser. Missing double quotes lead to
1450  * error and signature invalidation. */
1451 #define SIGMATCH_QUOTES_MANDATORY BIT_U16(6)
1452 /** negation parsing is handled by the rule parser. Signature::init_data::negated
1453  * will be set to true or false prior to calling the keyword parser. Exclamation
1454  * mark is stripped from the input to the keyword parser. */
1455 #define SIGMATCH_HANDLE_NEGATION BIT_U16(7)
1456 /** keyword is a content modifier */
1457 #define SIGMATCH_INFO_CONTENT_MODIFIER BIT_U16(8)
1458 /** keyword is a sticky buffer */
1459 #define SIGMATCH_INFO_STICKY_BUFFER BIT_U16(9)
1460 /** keyword is deprecated: used to suggest an alternative (SigTableElmt::alternative) */
1461 #define SIGMATCH_INFO_DEPRECATED BIT_U16(10)
1462 /** strict parsing is enabled */
1463 #define SIGMATCH_STRICT_PARSING BIT_U16(11)
1466 {
1467  TENANT_SELECTOR_UNKNOWN = 0, /**< not set */
1468  TENANT_SELECTOR_DIRECT, /**< method provides direct tenant id */
1469  TENANT_SELECTOR_VLAN, /**< map vlan to tenant id */
1470  TENANT_SELECTOR_LIVEDEV, /**< map livedev to tenant id */
1471 };
1472 
1474  uint32_t tenant_id;
1475 
1476  /* traffic id that maps to the tenant id */
1477  uint32_t traffic_id;
1478 
1481 
/** Process-wide owner of the detection engines. The lock the member comments
 * refer to, the multi-tenant flag, `list` (line 1493 per the symbol index),
 * the free list, `tenant_mapping_list` (1504), the keyword-ctx list and the
 * closing typedef name are all in lines omitted from this listing. */
1482 typedef struct DetectEngineMasterCtx_ {
1484 
1485  /** enable multi tenant mode */
1487 
1488  /** version, incremented after each 'apply to threads' */
1489  uint32_t version;
1490 
1491  /** list of active detection engines. This list is used to generate the
1492  * threads det_ctx's */
1494 
1495  /** free list, containing detection engines that will be removed but may
1496  * still be referenced by det_ctx's. Freed as soon as all references are
1497  * gone. */
 /* NOTE(review): "all references are gone" presumably means
  * DetectEngineCtx_::ref_cnt (symbol index) reaching zero; a det_ctx that keeps
  * using an engine without holding a reference would be a use-after-free
  * once the free list is reaped — confirm in detect-engine.c. */
1499 
1501 
1502  /** list of tenant mappings. Updated under lock. Used to generate lookup
1503  * structures. */
1505 
1506  /** list of keywords that need thread local ctxs,
1507  * only updated by keyword registration at start up. Not
1508  * covered by the lock. */
1512 
1513 /* Table with all SigMatch registrations */
1515 
1516 /** Remember to add the options in SignatureIsIPOnly() at detect.c otherwise it wont be part of a signature group */
1517 
1518 /* detection api */
/* Several prototypes in this run are partially or wholly omitted from the
 * listing (lines 1523, 1526, 1529-1533, 1536, 1539-1543, 1547, 1550-1555,
 * 1559, 1563); the fragments are left as they appear. */
/** Detection engine thread wrapper (defined in detect.c:1707 per the symbol index). */
1519 TmEcode Detect(ThreadVars *tv, Packet *p, void *data);
1520 
/** Allocate an empty SigMatch (detect-parse.c:235); released with SigMatchFree(). */
1521 SigMatch *SigMatchAlloc(void);
/** Find a specific signature by sid and gid (detect-engine-build.c:65). */
1522 Signature *SigFindSignatureBySidGid(DetectEngineCtx *, uint32_t, uint32_t);
1524  Packet *, SignatureMask,
1525  uint16_t);
1527 
1528 void SigRegisterTests(void);
1530 
1532 
/** Returns a char * path for sig_file — presumably heap allocated and owned by
 * the caller; confirm against detect-engine-loader.c before adding callers. */
1534 char *DetectLoadCompleteSigPath(const DetectEngineCtx *, const char *sig_file);
/** Load signatures (detect-engine-loader.c:276).
 * NOTE(review): the second parameter is a non-const char *, so the prototype
 * does not promise the callee leaves it untouched; pass a writable buffer. */
1535 int SigLoadSignatures (DetectEngineCtx *, char *, int);
1537  DetectEngineThreadCtx *det_ctx, Packet *p);
1538 
1541 
1543 
1544 
/** Remove Thread keyword context registration (detect-engine.c:3442). */
1545 int DetectUnregisterThreadCtxFuncs(DetectEngineCtx *, DetectEngineThreadCtx *,void *data, const char *name);
/** Register per-thread keyword context hooks: InitFunc builds the thread ctx
 * from data, FreeFunc tears it down. The trailing int is unnamed here; its
 * meaning is not visible in this listing — confirm in detect-engine.c. */
1546 int DetectRegisterThreadCtxFuncs(DetectEngineCtx *, const char *name, void *(*InitFunc)(void *), void *data, void (*FreeFunc)(void *), int);
1548 
1549 void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size);
1551 
1553 
1556 
1557 /* events */
/** Record event e on det_ctx (detect-engine.c:4616); e is a uint8_t, so it
 * presumably carries one of the det_ctx event enum values above — confirm. */
1558 void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e);
/** Resolve an event name to its id and type (detect-engine.c:4627); the int
 * return presumably signals an unknown name — callers must check it before
 * using *event_id. */
1560 int DetectEngineGetEventInfo(const char *event_name, int *event_id,
1561  AppLayerEventType *event_type);
1562 
1564 
1565 #include "detect-engine-build.h"
1566 #include "detect-engine-register.h"
1567 
1568 #endif /* __DETECT_H__ */
1569 
Definition: detect.h:1299
SigGroupHeadInitData_::tx_engines
PrefilterEngineList * tx_engines
Definition: detect.h:1393
SCProfileKeywordDetectCtx_
Definition: util-profiling-keywords.c:57
SignatureInitData_::mpm_sm
SigMatch * mpm_sm
Definition: detect.h:518
DetectEngineCtx_::srepCIDR_ctx
SRepCIDRTree * srepCIDR_ctx
Definition: detect.h:814
DetectBufferMpmRegistery_::PrefilterRegisterWithListId
int(* PrefilterRegisterWithListId)(struct DetectEngineCtx_ *de_ctx, struct SigGroupHead_ *sgh, MpmCtx *mpm_ctx, const struct DetectBufferMpmRegistery_ *mpm_reg, int list_id)
Definition: detect.h:643
SignatureInitData_::src
const DetectAddressHead * src
Definition: detect.h:534
DetectEngineThreadCtx_::tx_candidates_size
uint32_t tx_candidates_size
Definition: detect.h:1138
DETECT_SM_LIST_BASE64_DATA
@ DETECT_SM_LIST_BASE64_DATA
Definition: detect.h:95
DetectEngineThreadKeywordCtxItem_::id
int id
Definition: detect.h:776
DetectEngineThreadCtx_::buffers
InspectionBuffer * buffers
Definition: detect.h:1097
SigAddressPrepareBidirectionals
void SigAddressPrepareBidirectionals(DetectEngineCtx *)
DetectEngineMasterCtx_::keyword_list
DetectEngineThreadKeywordCtxItem * keyword_list
Definition: detect.h:1509
PrefilterEngineList_::PrefilterFrame
PrefilterFrameFn PrefilterFrame
Definition: detect.h:1334
DetectEngineIPOnlyThreadCtx_::sig_match_array
uint8_t * sig_match_array
Definition: detect.h:704
HttpReassembledBody
struct HttpReassembledBody_ HttpReassembledBody
DetectEngineMasterCtx_::tenant_selector
enum DetectEngineTenantSelectors tenant_selector
Definition: detect.h:1500
PrefilterEngineList_::pectx
void * pectx
Definition: detect.h:1328
DetectEngineCtx_::last_reload
struct timeval last_reload
Definition: detect.h:981
SignatureInitData_::list
int list
Definition: detect.h:523
Signature_::pkt_inspect
DetectEnginePktInspectionEngine * pkt_inspect
Definition: detect.h:596
SCProfileSghData_
Definition: util-profiling-rulegroups.c:45
DetectReplaceList_::next
struct DetectReplaceList_ * next
Definition: detect.h:677
DetectEngineLookupFlow_::sgh
struct SigGroupHead_ * sgh[256]
Definition: detect.h:740
Signature_::references
DetectReference * references
Definition: detect.h:611
PrefilterFrameFn
void(* PrefilterFrameFn)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, const struct Frames *frames, const struct Frame *frame, const uint32_t idx)
Definition: detect.h:1312
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineIPOnlyCtx_::ht24_src
HashListTable * ht24_src
Definition: detect.h:712
DetectEngineIPOnlyCtx_::sig_cnt
uint32_t sig_cnt
Definition: detect.h:733
PrefilterEngineList_::gid
uint32_t gid
Definition: detect.h:1343
DetectEngineFrameInspectionEngine::sm_list
uint16_t sm_list
Definition: detect.h:481
DetectMetadataHead
Definition: detect-metadata.h:39
SCSigSignatureWrapper_
Signature wrapper used by signature ordering module while ordering signatures.
Definition: detect-engine-sigorder.h:45
SigTableElmt
struct SigTableElmt_ SigTableElmt
element in sigmatch type table.
SigMatch
struct SigMatch_ SigMatch
a single match condition for a signature
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:325
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:347
DetectEngineCtx_::frame_inspect_engines
DetectEngineFrameInspectionEngine * frame_inspect_engines
Definition: detect.h:973
PrefilterEngineList
struct PrefilterEngineList_ PrefilterEngineList
DetectEngineMasterCtx_::free_list
DetectEngineCtx * free_list
Definition: detect.h:1498
DetectBufferMpmRegistery_::alproto
AppProto alproto
Definition: detect.h:652
DetectEngineThreadKeywordCtxItem_::next
struct DetectEngineThreadKeywordCtxItem_ * next
Definition: detect.h:775
DetectAddress_::ip2
Address ip2
Definition: detect.h:142
DetectEngineThreadCtx_::non_pf_id_cnt
uint32_t non_pf_id_cnt
Definition: detect.h:1061
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
DetectPort_
Port structure for detection engine.
Definition: detect.h:191
SigGroupHead_::init
SigGroupHeadInitData * init
Definition: detect.h:1430
DetectEngineCtx_::ths_ctx
ThresholdCtx ths_ctx
Definition: detect.h:849
DetectEngineCtx_::sig_cnt
uint32_t sig_cnt
Definition: detect.h:808
InspectionBuffer::buf
uint8_t * buf
Definition: detect.h:354
SigTableElmt_::alternative
uint16_t alternative
Definition: detect.h:1247
Signature_::app_inspect
DetectEngineAppInspectionEngine * app_inspect
Definition: detect.h:595
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:324
DetectReference_
Signature reference list.
Definition: detect-reference.h:34
DetectBufferType_::ValidateCallback
bool(* ValidateCallback)(const struct Signature_ *, const char **sigerror)
Definition: detect.h:430
PORT_GE
@ PORT_GE
Definition: detect.h:182
SigFileLoaderStat_::bad_sigs_total
int bad_sigs_total
Definition: detect.h:768
SigGroupHeadInitData_::direction
uint32_t direction
Definition: detect.h:1384
DetectLoadCompleteSigPath
char * DetectLoadCompleteSigPath(const DetectEngineCtx *, const char *sig_file)
Create the path if default-rule-path was specified.
Definition: detect-engine-loader.c:60
MpmStore_::direction
int direction
Definition: detect.h:1303
DetectEngineThreadCtx_::base64_decoded_len
int base64_decoded_len
Definition: detect.h:1183
DetectVarList_::next
struct DetectVarList_ * next
Definition: detect.h:694
RuleMatchCandidateTx::stream_result
uint8_t stream_result
Definition: detect.h:1039
Signature_::action
uint8_t action
Definition: detect.h:560
DetectBufferMpmRegistery_::name
const char * name
Definition: detect.h:633
ADDRESS_ES
@ ADDRESS_ES
Definition: detect.h:127
DetectEngineLookupFlow_::udp
DetectPort * udp
Definition: detect.h:739
DetectEngineThreadCtx_::raw_stream_progress
uint64_t raw_stream_progress
Definition: detect.h:1074
DetectEngineCtx_::profile_ctx
struct SCProfileDetectCtx_ * profile_ctx
Definition: detect.h:924
PrefilterEngine_::alproto
AppProto alproto
Definition: detect.h:1350
Signature_::flags
uint32_t flags
Definition: detect.h:547
FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR
@ FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR
Definition: detect.h:1274
ThresholdCtx_::th_entry
DetectThresholdEntry ** th_entry
Definition: detect.h:750
stream.h
DetectEngineFrameInspectionEngine::v1
struct DetectEngineFrameInspectionEngine::@86 v1
IPOnlyCIDRItem_::next
struct IPOnlyCIDRItem_ * next
Definition: detect.h:309
DetectEngineCtx_::max_fb_id
uint32_t max_fb_id
Definition: detect.h:867
HttpReassembledBody_
Definition: detect.h:1015
Packet_
Definition: decode.h:420
DetectEngineFrameInspectionEngine::alproto
AppProto alproto
Definition: detect.h:477
DetectEngineCtx_::sgh_mpm_context_stream
int32_t sgh_mpm_context_stream
Definition: detect.h:890
detect-engine-build.h
SignatureNonPrefilterStore
struct SignatureNonPrefilterStore_ SignatureNonPrefilterStore
DetectEngineThreadCtx_::rule_perf_data_size
int rule_perf_data_size
Definition: detect.h:1202
DetectEngineThreadCtx_::frame_id
int64_t frame_id
Definition: detect.h:1120
HttpReassembledBody_::buffer_size
uint32_t buffer_size
Definition: detect.h:1018
DetectEngineAppInspectionEngine_::Callback
InspectEngineFuncPtr2 Callback
Definition: detect.h:410
TransformData
struct TransformData_ TransformData
DetectEngineCtx_::sgh_mpm_ctx_cnf
uint8_t sgh_mpm_ctx_cnf
Definition: detect.h:864
DetectBufferType_::packet
bool packet
Definition: detect.h:426
Signature_::CidrDst
IPOnlyCIDRItem * CidrDst
Definition: detect.h:593
SCSigOrderFunc_
Structure holding the signature ordering function used by the signature ordering module.
Definition: detect-engine-sigorder.h:69
PrefilterEngine
struct PrefilterEngine_ PrefilterEngine
DetectEngineMasterCtx_::multi_tenant_enabled
int multi_tenant_enabled
Definition: detect.h:1486
DetectRegisterThreadCtxFuncs
int DetectRegisterThreadCtxFuncs(DetectEngineCtx *, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int)
Register Thread keyword context Funcs.
Definition: detect-engine.c:3396
PrefilterEngine_::cb
union PrefilterEngine_::@101 cb
DetectEngineThreadCtx_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1083
DetectEngineFrameInspectionEngine
Definition: detect.h:476
SigFileLoaderStat
struct SigFileLoaderStat_ SigFileLoaderStat
Signature loader statistics.
DetectEngineCtx_::hcbd_buffer_limit
int hcbd_buffer_limit
Definition: detect.h:877
DetectEngineCtx_::max_uniq_toserver_groups
uint16_t max_uniq_toserver_groups
Definition: detect.h:861
DETECT_BUFFER_MPM_TYPE_PKT
@ DETECT_BUFFER_MPM_TYPE_PKT
Definition: detect.h:624
util-radix-tree.h
SCProfileData_
Definition: util-profiling-rules.c:44
TmEcode
TmEcode
Definition: tm-threads-common.h:81
DetectEngineIPOnlyCtx_::ht16_src
HashListTable * ht16_src
Definition: detect.h:711
DetectEnginePktInspectionEngine::Callback
InspectionBufferPktInspectFunc Callback
Definition: detect.h:458
DetectEngineCtx_::gh_unique
uint32_t gh_unique
Definition: detect.h:837
PrefilterEngine_::PrefilterFrame
PrefilterFrameFn PrefilterFrame
Definition: detect.h:1368
PrefilterEngine_::frame_type
uint8_t frame_type
Definition: detect.h:1356
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:617
ENGINE_PROFILE_MAX
@ ENGINE_PROFILE_MAX
Definition: detect.h:1004
ADDRESS_ER
@ ADDRESS_ER
Definition: detect.h:123
DetectEngineCtx_::profile_keyword_ctx
struct SCProfileKeywordDetectCtx_ * profile_keyword_ctx
Definition: detect.h:925
DetectEngineCtx_::sgh_array_cnt
uint32_t sgh_array_cnt
Definition: detect.h:884
SignatureInitData_::negated
bool negated
Definition: detect.h:503
DetectEngineCtx_::sgh_array
struct SigGroupHead_ ** sgh_array
Definition: detect.h:883
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1217
reputation.h
MpmStore
struct MpmStore_ MpmStore
ADDRESS_GE
@ ADDRESS_GE
Definition: detect.h:129
SignatureInitData_
Definition: detect.h:497
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:540
SCFPSupportSMList_::priority
int priority
Definition: detect.h:699
HashListTable_
Definition: util-hashlist.h:37
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:893
SignatureInitData_::dst_contains_negation
bool dst_contains_negation
Definition: detect.h:508
DetectEnginePktInspectionEngine::sm_list_base
uint16_t sm_list_base
Definition: detect.h:455
DetectEngineTransforms::transforms
TransformData transforms[DETECT_TRANSFORMS_MAX]
Definition: detect.h:380
DetectEngineCtx_::hsbd_buffer_limit
int hsbd_buffer_limit
Definition: detect.h:879
Signature_::addr_dst_match6_cnt
uint16_t addr_dst_match6_cnt
Definition: detect.h:572
DetectEngineThreadCtx_::rule_perf_data
struct SCProfileData_ * rule_perf_data
Definition: detect.h:1201
DetectEngineThreadCtx
struct DetectEngineThreadCtx_ DetectEngineThreadCtx
SigGroupHead_::frame_engines
PrefilterEngine * frame_engines
Definition: detect.h:1427
SigGroupHeadInitData_::app_mpms
MpmCtx ** app_mpms
Definition: detect.h:1387
HttpReassembledBody_::decompressed_buffer
uint8_t * decompressed_buffer
Definition: detect.h:1017
DetectEngineFrameInspectionEngine::dir
uint8_t dir
Definition: detect.h:478
DetectEngineTransforms
struct DetectEngineTransforms DetectEngineTransforms
Signature_::sp
DetectPort * sp
Definition: detect.h:586
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition: detect.h:1146
SigString_::filename
char * filename
Definition: detect.h:755
DETECT_ENGINE_TYPE_TENANT
@ DETECT_ENGINE_TYPE_TENANT
Definition: detect.h:791
HttpReassembledBody_::decompressed_buffer_len
uint32_t decompressed_buffer_len
Definition: detect.h:1020
RuleMatchCandidateTx::flags
uint32_t * flags
Definition: detect.h:1035
DetectEngineCtx_::dup_sig_hash_table
HashListTable * dup_sig_hash_table
Definition: detect.h:846
DetectEngineCtx_::config_prefix
char config_prefix[64]
Definition: detect.h:933
DetectVarList_::type
int type
Definition: detect.h:690
DetectEngineAppInspectionEngine_::alproto
AppProto alproto
Definition: detect.h:399
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:316
Signature_::class_msg
char * class_msg
Definition: detect.h:609
DetectEngineThreadCtx_::discontinue_matching
uint16_t discontinue_matching
Definition: detect.h:1113
DetectEngineCtx_::sig_array_size
uint32_t sig_array_size
Definition: detect.h:817
ThresholdCtx_
threshold ctx
Definition: detect.h:746
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:415
SigGroupHeadInitData_::pkt_engines
PrefilterEngineList * pkt_engines
Definition: detect.h:1391
DetectBufferType_::id
int id
Definition: detect.h:423
DetectGetTagSignature
Signature * DetectGetTagSignature(void)
DetectEnginePktInspectionEngine::GetData
InspectionBufferGetPktDataPtr GetData
Definition: detect.h:457
ENGINE_PROFILE_CUSTOM
@ ENGINE_PROFILE_CUSTOM
Definition: detect.h:1003
DETECT_ENGINE_TYPE_NORMAL
@ DETECT_ENGINE_TYPE_NORMAL
Definition: detect.h:788
DetectEngineIPOnlyCtx_::ip_dst
IPOnlyCIDRItem * ip_dst
Definition: detect.h:719
MpmStore_::mpm_ctx
MpmCtx * mpm_ctx
Definition: detect.h:1308
util-file.h
DetectAddressHead_::ipv6_head
DetectAddress * ipv6_head
Definition: detect.h:156
DetectMetadataHashFree
void DetectMetadataHashFree(DetectEngineCtx *de_ctx)
Definition: detect-metadata.c:80
util-prefilter.h
SignatureInitData_::dsize_sm
SigMatch * dsize_sm
Definition: detect.h:515
DetectBufferType_::frame
bool frame
Definition: detect.h:427
FILE_DECODER_EVENT_LZMA_OPTIONS_ERROR
@ FILE_DECODER_EVENT_LZMA_OPTIONS_ERROR
Definition: detect.h:1270
DetectBufferMpmRegistery_::priority
int priority
Definition: detect.h:638
File_
Definition: util-file.h:75
DetectEngineIPOnlyCtx
struct DetectEngineIPOnlyCtx_ DetectEngineIPOnlyCtx
IP only rules matching ctx.
MPMB_TCP_PKT_TC
@ MPMB_TCP_PKT_TC
Definition: detect.h:1290
ADDRESS_LE
@ ADDRESS_LE
Definition: detect.h:125
DetectEngineCtx_::sig_stat
SigFileLoaderStat sig_stat
Definition: detect.h:984
DetectEngineCtx_::address_table
HashListTable * address_table
Definition: detect.h:954
DetectEngineThreadCtx_::to_clear_queue
uint32_t * to_clear_queue
Definition: detect.h:1100
DetectEngineThreadCtx_::inspect_list
int inspect_list
Definition: detect.h:1094
DetectEngineCtx_::profile_prefilter_ctx
struct SCProfilePrefilterDetectCtx_ * profile_prefilter_ctx
Definition: detect.h:926
TENANT_SELECTOR_DIRECT
@ TENANT_SELECTOR_DIRECT
Definition: detect.h:1468
InspectionBufferMultipleForList
struct InspectionBufferMultipleForList InspectionBufferMultipleForList
util-mpm.h
DetectBufferMpmRegistery_::pname
char pname[32]
Definition: detect.h:634
flags
uint8_t flags
Definition: decode-gre.h:0
Signature_::proto
DetectProto proto
Definition: detect.h:564
SigTableElmt_::alias
const char * alias
Definition: detect.h:1250
SigMatchCtx
struct SigMatchCtx_ SigMatchCtx
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
SigGroupHead_::non_pf_other_store_array
SignatureNonPrefilterStore * non_pf_other_store_array
Definition: detect.h:1414
DetectEngineMasterCtx_::keyword_id
int keyword_id
Definition: detect.h:1510
DetectBufferMpmRegistery_::type
uint8_t type
Definition: detect.h:667
SigMatchData_::is_last
uint8_t is_last
Definition: detect.h:332
suricata-common.h
SigMatch_::idx
uint16_t idx
Definition: detect.h:323
DetectEnginePktInspectionEngine::v1
struct DetectEnginePktInspectionEngine::@85 v1
SigString_::line
int line
Definition: detect.h:758
SigGroupHeadInitData_::frame_engines
PrefilterEngineList * frame_engines
Definition: detect.h:1394
SigMatch_::type
uint16_t type
Definition: detect.h:322
DETECT_BUFFER_MPM_TYPE_APP
@ DETECT_BUFFER_MPM_TYPE_APP
Definition: detect.h:625
SigGroupHeadInitData_::payload_engines
PrefilterEngineList * payload_engines
Definition: detect.h:1392
PORT_ES
@ PORT_ES
Definition: detect.h:180
DetectEngineThreadCtx_::tenant_id
uint32_t tenant_id
Definition: detect.h:1053
FILE_DECODER_EVENT_Z_DATA_ERROR
@ FILE_DECODER_EVENT_Z_DATA_ERROR
Definition: detect.h:1264
SigGroupHeadInitData_::match_array
Signature ** match_array
Definition: detect.h:1400
DetectEngineCtx_::buffer_type_hash_name
HashListTable * buffer_type_hash_name
Definition: detect.h:961
DetectEngineCtx_::next
struct DetectEngineCtx_ * next
Definition: detect.h:940
Signature_::dsize_high
uint16_t dsize_high
Definition: detect.h:553
SigGroupHead_::non_pf_other_store_cnt
uint32_t non_pf_other_store_cnt
Definition: detect.h:1412
Signature_::file_flags
uint8_t file_flags
Definition: detect.h:561
DetectBufferMpmRegistery_::tx_min_progress
int tx_min_progress
Definition: detect.h:653
detect-metadata.h
DETECT_ENGINE_TYPE_DD_STUB
@ DETECT_ENGINE_TYPE_DD_STUB
Definition: detect.h:789
TENANT_SELECTOR_VLAN
@ TENANT_SELECTOR_VLAN
Definition: detect.h:1469
DetectEngineIPOnlyCtx_::a_src_total24
uint32_t a_src_total24
Definition: detect.h:724
DetectEngineFrameInspectionEngine::next
struct DetectEngineFrameInspectionEngine * next
Definition: detect.h:489
SigTableElmt_::Transform
void(* Transform)(InspectionBuffer *, void *context)
Definition: detect.h:1230
DetectEngineThreadCtx_::inspection_recursion_counter
int inspection_recursion_counter
Definition: detect.h:1126
DetectEngineThreadCtx_::prefilter_perf_data
struct SCProfilePrefilterData_ * prefilter_perf_data
Definition: detect.h:1208
DetectEnginePrefilterSetting
DetectEnginePrefilterSetting
Definition: detect.h:781
DetectPort_::prev
struct DetectPort_ * prev
Definition: detect.h:204
util-spm.h
DetectEnginePktInspectionEngine::next
struct DetectEnginePktInspectionEngine * next
Definition: detect.h:462
SigGroupHeadInitData_::sig_size
uint32_t sig_size
Definition: detect.h:1381
PrefilterEngineList_
Definition: detect.h:1315
SigFileLoaderStat_::total_files
int total_files
Definition: detect.h:766
DetectEngineIPOnlyCtx_::tree_ipv4dst
SCRadixTree * tree_ipv4dst
Definition: detect.h:715
DetectMatchAddressIPv4_::ip2
uint32_t ip2
Definition: detect.h:162
DetectEngineCtx_::profile_match_logging_threshold
uint32_t profile_match_logging_threshold
Definition: detect.h:929
IPOnlyCIDRItem_::ip
uint32_t ip[4]
Definition: detect.h:305
PrefilterEngine_::gid
uint32_t gid
Definition: detect.h:1372
Signature_::rev
uint32_t rev
Definition: detect.h:582
SignatureInitData_::sm_cnt
uint16_t sm_cnt
Definition: detect.h:499
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:807
PrefilterEngineList_::PrefilterTx
void(* PrefilterTx)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t idx, const uint8_t flags)
Definition: detect.h:1331
DETECT_SM_LIST_TMATCH
@ DETECT_SM_LIST_TMATCH
Definition: detect.h:100
DetectEngineCtx_::profile_keyword_ctx_per_list
struct SCProfileKeywordDetectCtx_ ** profile_keyword_ctx_per_list
Definition: detect.h:927
RuleMatchCandidateTx
struct RuleMatchCandidateTx RuleMatchCandidateTx
DetectEngineCtx_::tcp_whitelist
DetectPort * tcp_whitelist
Definition: detect.h:950
DetectEngineCtx_::loader_id
int loader_id
Definition: detect.h:943
TransformData_::transform
int transform
Definition: detect.h:375
DetectEngineCtx_::pkt_inspect_engines
DetectEnginePktInspectionEngine * pkt_inspect_engines
Definition: detect.h:970
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
Signature_::prio
int prio
Definition: detect.h:583
DetectEngineThreadCtx_::non_pf_id_array
SigIntId * non_pf_id_array
Definition: detect.h:1060
DetectEngineAppInspectionEngine_::progress
int16_t progress
Definition: detect.h:406
DetectEngineThreadKeywordCtxItem_::FreeFunc
void(* FreeFunc)(void *)
Definition: detect.h:773
FILE_DECODER_EVENT_LZMA_BUF_ERROR
@ FILE_DECODER_EVENT_LZMA_BUF_ERROR
Definition: detect.h:1273
FILE_DECODER_EVENT_LZMA_DATA_ERROR
@ FILE_DECODER_EVENT_LZMA_DATA_ERROR
Definition: detect.h:1272
DetectMatchAddressIPv6_::ip
uint32_t ip[4]
Definition: detect.h:166
app-layer-events.h
DetectEngineIPOnlyCtx_::ht24_dst
HashListTable * ht24_dst
Definition: detect.h:712
SigGroupHeadInitData
struct SigGroupHeadInitData_ SigGroupHeadInitData
DetectAddress
struct DetectAddress_ DetectAddress
address structure for use in the detection engine.
SpmGlobalThreadCtx_
Definition: util-spm.h:49
DetectEngineCtx_::app_mpms_list_cnt
uint32_t app_mpms_list_cnt
Definition: detect.h:969
Signature_::addr_src_match6_cnt
uint16_t addr_src_match6_cnt
Definition: detect.h:573
InspectionBufferFrameInspectFunc
int(* InspectionBufferFrameInspectFunc)(struct DetectEngineThreadCtx_ *, const struct DetectEngineFrameInspectionEngine *engine, const struct Signature_ *s, Packet *p, const struct Frames *frames, const struct Frame *frame, const uint32_t idx)
Definition: detect.h:472
DetectProto_
Definition: detect-engine-proto.h:36
DetectFilestoreData_
Definition: detect-filestore.h:36
SigGroupHeadInitData_
Definition: detect.h:1377
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:348
DetectEngineCtx_::app_inspect_engines
DetectEngineAppInspectionEngine * app_inspect_engines
Definition: detect.h:967
SignatureInitData_::dst
const DetectAddressHead * dst
Definition: detect.h:534
PrefilterEngine_::pectx
void * pectx
Definition: detect.h:1361
DetectEngineThreadCtx_::pcre_match_start_offset
uint32_t pcre_match_start_offset
Definition: detect.h:1080
DetectEngineCtx_::keyword_list
DetectEngineThreadKeywordCtxItem * keyword_list
Definition: detect.h:913
DetectEngineThreadCtx_::global_keyword_ctxs_size
int global_keyword_ctxs_size
Definition: detect.h:1179
Signature_::dp
DetectPort * dp
Definition: detect.h:586
DetectEngineCtx_::sm_types_prefilter
bool sm_types_prefilter[DETECT_TBLSIZE]
Definition: detect.h:989
DetectEngineCtx_::mpm_hash_table
HashListTable * mpm_hash_table
Definition: detect.h:842
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:346
DumpPatterns
void DumpPatterns(DetectEngineCtx *de_ctx)
Definition: detect-engine-analyzer.c:1070
Signature_::metadata
DetectMetadataHead * metadata
Definition: detect.h:613
DetectEngineThreadCtx_::tv
ThreadVars * tv
Definition: detect.h:1056
MPMB_UDP_TC
@ MPMB_UDP_TC
Definition: detect.h:1294
DetectEngineThreadCtx_::non_pf_store_cnt
uint32_t non_pf_store_cnt
Definition: detect.h:1141
DetectEngineThreadCtx_::counter_alerts
uint16_t counter_alerts
Definition: detect.h:1086
InspectionBuffer::len
uint32_t len
Definition: detect.h:353
SigGroupHead_::flags
uint32_t flags
Definition: detect.h:1408
DetectVarList_::key
uint8_t * key
Definition: detect.h:691
DetectEngineThreadCtx_::keyword_ctxs_array
void ** keyword_ctxs_array
Definition: detect.h:1176
SigFileLoaderStat_::good_sigs_total
int good_sigs_total
Definition: detect.h:767
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1236
DetectEngineGetEvents
AppLayerDecoderEvents * DetectEngineGetEvents(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine.c:4622
Signature_::addr_dst_match6
DetectMatchAddressIPv6 * addr_dst_match6
Definition: detect.h:577
DetectEngineMasterCtx_
Definition: detect.h:1482
DetectEngineIPOnlyCtx_::a_src_total16
uint32_t a_src_total16
Definition: detect.h:722
Signature_::id
uint32_t id
Definition: detect.h:580
DetectEngineThreadKeywordCtxItem_::name
const char * name
Definition: detect.h:777
DetectEngineThreadCtx_::base64_decoded_len_max
int base64_decoded_len_max
Definition: detect.h:1184
DetectEngineLookupFlow
struct DetectEngineLookupFlow_ DetectEngineLookupFlow
RuleMatchCandidateTx::stream_reset
uint32_t stream_reset
Definition: detect.h:1041
PORT_GT
@ PORT_GT
Definition: detect.h:183
DisableDetectFlowFileFlags
void DisableDetectFlowFileFlags(Flow *f)
disable file features we don't need Called if we have no detection engine.
Definition: detect.c:1765
DetectBufferType_::transforms
DetectEngineTransforms transforms
Definition: detect.h:431
DetectEngineCtx_::content_limit
uint32_t content_limit
Definition: detect.h:917
DetectEngineType
DetectEngineType
Definition: detect.h:787
HttpReassembledBody_::offset
uint64_t offset
Definition: detect.h:1021
Signature_
Signature container.
Definition: detect.h:546
SCProfileDetectCtx_
Definition: util-profiling-rules.c:55
SigMatch_
a single match condition for a signature
Definition: detect.h:321
SCProfilePrefilterData_
Definition: util-profiling-prefilter.c:43
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:412
DETECT_SM_LIST_MAX
@ DETECT_SM_LIST_MAX
Definition: detect.h:106
detect-threshold.h
SigMatchCtx_::foo
int foo
Definition: detect.h:317
DetectBufferType_::parent_id
int parent_id
Definition: detect.h:424
DETECT_PREFILTER_MPM
@ DETECT_PREFILTER_MPM
Definition: detect.h:782
SignatureMask
#define SignatureMask
Definition: detect.h:280
DetectAddress_::next
struct DetectAddress_ * next
Definition: detect.h:150
DetectEngineTenantMapping_::traffic_id
uint32_t traffic_id
Definition: detect.h:1477
DetectBufferMpmRegistery_::pkt_v1
struct DetectBufferMpmRegistery_::@87::@90 pkt_v1
SigGroupHeadInitData_::protos
uint8_t protos[256]
Definition: detect.h:1383
DetectMatchAddressIPv6_
Definition: detect.h:165
MPMB_TCP_PKT_TS
@ MPMB_TCP_PKT_TS
Definition: detect.h:1289
DetectMatchAddressIPv4_
Definition: detect.h:160
DetectEngineCtx_::spm_matcher
uint16_t spm_matcher
Definition: detect.h:852
DetectEngineThreadCtx_::tx_id_set
bool tx_id_set
Definition: detect.h:1117
FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR
@ FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR
Definition: detect.h:1269
DetectEnginePktInspectionEngine
struct DetectEnginePktInspectionEngine DetectEnginePktInspectionEngine
DetectEngineThreadCtx_::base64_decoded
uint8_t * base64_decoded
Definition: detect.h:1182
Signature_::dsize_mode
uint8_t dsize_mode
Definition: detect.h:554
DetectEngineLookupFlow_
Definition: detect.h:737
DetectEngineCtx_::filedata_config_initialized
bool filedata_config_initialized
Definition: detect.h:921
DetectEngineCtx_::pkt_mpms_list
DetectBufferMpmRegistery * pkt_mpms_list
Definition: detect.h:971
PrefilterEngine_::ctx
union PrefilterEngine_::@100 ctx
DetectEngineCtx_::content_inspect_min_size
uint32_t content_inspect_min_size
Definition: detect.h:918
DetectEngineTransforms::cnt
int cnt
Definition: detect.h:381
PrefilterEngine_::is_last
bool is_last
Definition: detect.h:1373
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1174
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:816
SigGroupHead_::non_pf_syn_store_array
SignatureNonPrefilterStore * non_pf_syn_store_array
Definition: detect.h:1416
PrefilterEngineList_::tx_min_progress
uint8_t tx_min_progress
Definition: detect.h:1322
DetectEngineAppInspectionEngine_::dir
uint8_t dir
Definition: detect.h:400
DETECT_BUFFER_MPM_TYPE_SIZE
@ DETECT_BUFFER_MPM_TYPE_SIZE
Definition: detect.h:628
DETECT_ENGINE_TYPE_MT_STUB
@ DETECT_ENGINE_TYPE_MT_STUB
Definition: detect.h:790
SignatureNonPrefilterStore_::mask
SignatureMask mask
Definition: detect.h:1028
DetectEngineCtx_::buffer_type_id
uint32_t buffer_type_id
Definition: detect.h:963
Signature
struct Signature_ Signature
Signature container.
DetectEngineIPOnlyCtx_
IP only rules matching ctx.
Definition: detect.h:709
DetectEngineCtx_::sigerror
const char * sigerror
Definition: detect.h:910
DetectBufferType_::SetupCallback
void(* SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *)
Definition: detect.h:429
DetectEngineThreadCtx_::mt_det_ctxs_cnt
uint32_t mt_det_ctxs_cnt
Definition: detect.h:1063
PORT_LT
@ PORT_LT
Definition: detect.h:177
DetectMetadataHashInit
int DetectMetadataHashInit(DetectEngineCtx *de_ctx)
Definition: detect-metadata.c:69
DetectEngineIPOnlyThreadCtx
struct DetectEngineIPOnlyThreadCtx_ DetectEngineIPOnlyThreadCtx
DetectEngineMasterCtx_::lock
SCMutex lock
Definition: detect.h:1483
DetectEnginePktInspectionEngine::mpm
bool mpm
Definition: detect.h:453
DetectEngineCtx_::spm_global_thread_ctx
SpmGlobalThreadCtx * spm_global_thread_ctx
Definition: detect.h:856
DetectFlowbitsAnalyze
int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
Definition: detect-flowbits.c:407
SigGroupHead_::pkt_engines
PrefilterEngine * pkt_engines
Definition: detect.h:1424
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:802
ENGINE_PROFILE_HIGH
@ ENGINE_PROFILE_HIGH
Definition: detect.h:1002
SigGroupHeadInitData_::whitelist
int whitelist
Definition: detect.h:1385
DetectEngineThreadCtx_::replist
DetectReplaceList * replist
Definition: detect.h:1162
SignatureInitData_::transforms
DetectEngineTransforms transforms
Definition: detect.h:526
SigString_::sig_str
char * sig_str
Definition: detect.h:756
DetectEngineCtx_::io_ctx
DetectEngineIPOnlyCtx io_ctx
Definition: detect.h:848
DetectEngineThreadCtx_::multi_inspect
struct DetectEngineThreadCtx_::@98 multi_inspect
DetectMatchAddressIPv4
struct DetectMatchAddressIPv4_ DetectMatchAddressIPv4
DetectEngineCtx_::rule_line
int rule_line
Definition: detect.h:907
MpmCtx_
Definition: util-mpm.h:88
DetectBufferMpmRegistery
struct DetectBufferMpmRegistery_ DetectBufferMpmRegistery
one time registration of keywords at start up
Signature_::addr_dst_match4
DetectMatchAddressIPv4 * addr_dst_match4
Definition: detect.h:574
DetectEngineThreadCtx_::inspect
struct DetectEngineThreadCtx_::@97 inspect
Signature_::msg
char * msg
Definition: detect.h:606
flow.h
DetectReplaceList_::cd
struct DetectContentData_ * cd
Definition: detect.h:675
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
Signature_::addr_src_match4_cnt
uint16_t addr_src_match4_cnt
Definition: detect.h:571
SigIntId
#define SigIntId
Definition: suricata-common.h:296
DetectEngineIPOnlyCtx_::a_dst_uniq24
uint32_t a_dst_uniq24
Definition: detect.h:725
DetectEngineAppInspectionEngine
struct DetectEngineAppInspectionEngine_ DetectEngineAppInspectionEngine
DETECT_EVENT_TOO_MANY_BUFFERS
@ DETECT_EVENT_TOO_MANY_BUFFERS
Definition: detect.h:1276
TENANT_SELECTOR_LIVEDEV
@ TENANT_SELECTOR_LIVEDEV
Definition: detect.h:1470
Signature_::addr_dst_match4_cnt
uint16_t addr_dst_match4_cnt
Definition: detect.h:570
DetectEngineFrameInspectionEngine::type
uint8_t type
Definition: detect.h:479
DetectSigmatchListEnum
DetectSigmatchListEnum
Definition: detect.h:88
FILE_DECODER_EVENT_Z_STREAM_ERROR
@ FILE_DECODER_EVENT_Z_STREAM_ERROR
Definition: detect.h:1265
DetectEngineMasterCtx_::version
uint32_t version
Definition: detect.h:1489
DetectEngineIPOnlyCtx_::sig_init_size
uint32_t sig_init_size
Definition: detect.h:730
DetectEngineCtx_::sig_array_len
uint32_t sig_array_len
Definition: detect.h:818
DetectBufferMpmRegistery_::sm_list
int16_t sm_list
Definition: detect.h:636
DetectEngineCtx_::metadata_table
HashTable * metadata_table
Definition: detect.h:957
SignatureNonPrefilterStore_::alproto
uint8_t alproto
Definition: detect.h:1029
DetectEngineIPOnlyCtx_::tree_ipv6src
SCRadixTree * tree_ipv6src
Definition: detect.h:716
DetectEngineCtx_::signum
uint32_t signum
Definition: detect.h:820
SigGroupHead_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1420
IPOnlyCIDRItem_::signum
SigIntId signum
Definition: detect.h:306
SigFileLoaderStat_
Signature loader statistics.
Definition: detect.h:763
DetectAddress_::flags
uint8_t flags
Definition: detect.h:145
DetectEngineCtx_::buffer_type_hash_id
HashListTable * buffer_type_hash_id
Definition: detect.h:962
DetectEngineCtx_::base64_decode_max_len
uint32_t base64_decode_max_len
Definition: detect.h:903
DetectEngineLookupFlow_::tcp
DetectPort * tcp
Definition: detect.h:738
ThresholdCtx
struct ThresholdCtx_ ThresholdCtx
threshold ctx
DETECT_SM_LIST_SUPPRESS
@ DETECT_SM_LIST_SUPPRESS
Definition: detect.h:103
SCMutex
#define SCMutex
Definition: threads-debug.h:114
DetectEngineCtx_::fp_support_smlist_list
SCFPSupportSMList * fp_support_smlist_list
Definition: detect.h:994
InspectionBufferMultipleForList::inspection_buffers
InspectionBuffer * inspection_buffers
Definition: detect.h:368
MpmStore_::sgh_mpm_context
int32_t sgh_mpm_context
Definition: detect.h:1306
InspectionBufferMultipleForList::max
uint32_t max
Definition: detect.h:370
DetectAddressHead_::ipv4_head
DetectAddress * ipv4_head
Definition: detect.h:155
DetectEngineIPOnlyCtx_::match_array
uint32_t * match_array
Definition: detect.h:734
PORT_EQ
@ PORT_EQ
Definition: detect.h:179
SigGroupHead_::id
uint32_t id
Definition: detect.h:1422
ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL
@ ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL
Definition: detect.h:1009
IPOnlyCIDRItem_::family
uint8_t family
Definition: detect.h:299
DetectEngineThreadCtx_::counter_mpm_list
uint16_t counter_mpm_list
Definition: detect.h:1088
DetectEngineFrameInspectionEngine
struct DetectEngineFrameInspectionEngine DetectEngineFrameInspectionEngine
SigMatchData
struct SigMatchData_ SigMatchData
Data needed for Match()
DetectEngineCtx_::failure_fatal
int failure_fatal
Definition: detect.h:803
MpmStore_::buffer
enum MpmBuiltinBuffers buffer
Definition: detect.h:1304
DetectEngineThreadCtx_::tenant_array_size
uint32_t tenant_array_size
Definition: detect.h:1068
DetectEngineThreadCtx_::tenant_array
struct DetectEngineTenantMapping_ * tenant_array
Definition: detect.h:1067
DetectEngineCtx_::sc_sig_order_funcs
struct SCSigOrderFunc_ * sc_sig_order_funcs
Definition: detect.h:827
MpmCtxFactoryContainer_
Definition: util-mpm.h:124
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1241
FILE_DECODER_EVENT_LZMA_DECODER_ERROR
@ FILE_DECODER_EVENT_LZMA_DECODER_ERROR
Definition: detect.h:1268
DetectEngineThreadCtx_::file_id
uint32_t file_id
Definition: detect.h:1170
DetectEngineThreadCtx_::io_ctx
DetectEngineIPOnlyThreadCtx io_ctx
Definition: detect.h:1156
DetectEngineThreadCtx_::mt_det_ctxs
struct DetectEngineThreadCtx_ ** mt_det_ctxs
Definition: detect.h:1064
Signature_::mask
SignatureMask mask
Definition: detect.h:556
DetectBufferMpmRegistery_::next
struct DetectBufferMpmRegistery_ * next
Definition: detect.h:671
RuleMatchCandidateTx
Definition: detect.h:1033
SignatureInitData_::smlists_array_size
uint32_t smlists_array_size
Definition: detect.h:538
DetectEngineThreadCtx_::TenantGetId
uint32_t(* TenantGetId)(const void *, const Packet *p)
Definition: detect.h:1070
InspectEngineFuncPtr2
int(* InspectEngineFuncPtr2)(struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Definition: detect.h:392
DetectBufferType_::description
char description[128]
Definition: detect.h:422
DetectBufferMpmRegistery_::sm_list_base
int16_t sm_list_base
Definition: detect.h:637
DetectEngineIPOnlyCtx_::max_idx
uint32_t max_idx
Definition: detect.h:727
SigGroupHeadInitData_::frame_mpms
MpmCtx ** frame_mpms
Definition: detect.h:1389
SpmThreadCtx_
Definition: util-spm.h:56
DetectEngineFrameInspectionEngine::smd
SigMatchData * smd
Definition: detect.h:488
DetectEngineIPOnlyThreadCtx_::sig_match_size
uint32_t sig_match_size
Definition: detect.h:705
DetectEngineThreadCtx_::match_array
Signature ** match_array
Definition: detect.h:1130
DetectEngineIPOnlyThreadCtx_
Definition: detect.h:703