1 /* Copyright (C) 2007-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #ifndef __DETECT_H__
25 #define __DETECT_H__
26 
27 #include "suricata-common.h"
28 
29 #include "flow.h"
30 
31 #include "detect-engine-proto.h"
32 #include "detect-reference.h"
33 #include "detect-metadata.h"
34 #include "detect-engine-register.h"
35 #include "packet-queue.h"
36 
37 #include "util-prefilter.h"
38 #include "util-mpm.h"
39 #include "util-spm.h"
40 #include "util-hash.h"
41 #include "util-hashlist.h"
42 #include "util-debug.h"
43 #include "util-error.h"
44 #include "util-radix-tree.h"
45 #include "util-file.h"
46 #include "reputation.h"
47 
48 #include "detect-mark.h"
49 
50 #include "stream.h"
51 
52 #include "util-var-name.h"
53 
54 #include "app-layer-events.h"
55 
/** Upper bound on the length of a single rule line. Presumably the size of
 *  the buffer the rule loader reads into -- confirm in the loader before
 *  relying on it as a hard limit. */
#define DETECT_MAX_RULE_SIZE 8192

/** Capacity of the transform arrays (DetectEngineTransforms::transforms and
 *  SignatureInitData::transforms). Code that appends a transform must
 *  check its count against this bound before indexing. */
#define DETECT_TRANSFORMS_MAX 16

/** default rule priority if not set through priority keyword or via
 * classtype. */
#define DETECT_DEFAULT_PRIO 3
63 
64 /* forward declarations for the structures from detect-engine-sigorder.h */
65 struct SCSigOrderFunc_;
67 
68 /*
69  The detection engine groups similar signatures/rules together. Internally a
71  tree of different types of data is created on initialization. This is its
71  global layout:
72 
73  For TCP/UDP
74 
75  - Flow direction
76  -- Protocol
77  -=- Dst port
78 
79  For the other protocols
80 
81  - Flow direction
82  -- Protocol
83 */
84 
85 /* holds the values for different possible lists in struct Signature.
86  * These codes are access points to particular lists in the array
87  * Signature->sm_lists[DETECT_SM_LIST_MAX]. */
91 
92  /* base64_data keyword uses some hardcoded logic so consider
93  * built-in
94  * TODO convert to inspect engine */
96 
97  /* list for post match actions: flowbit set, flowint increment, etc */
99 
100  DETECT_SM_LIST_TMATCH, /**< post-detection tagging */
101 
102  /* lists for alert thresholding and suppression */
105 
107 
108  /* start of dynamically registered lists */
110 };
111 
112 /* used for Signature->list, which indicates which list
113  * we're adding keywords to in cases of sticky buffers like
114  * file_data */
115 #define DETECT_SM_LIST_NOTSET INT_MAX
116 
117 /*
118  * DETECT ADDRESS
119  */
120 
/** Result of comparing address range a against address range b
 *  ("a is ... than b"). ADDRESS_ER is the only negative value; the other
 *  constants count up from 0 in the order listed, so callers that test
 *  "< 0" for error and compare the rest directly depend on this order. */
enum {
    ADDRESS_ER = -1, /**< error e.g. compare ipv4 and ipv6 */
    ADDRESS_LT,      /**< smaller [aaa] [bbb] */
    ADDRESS_LE,      /**< smaller with overlap [aa[bab]bb] */
    ADDRESS_EQ,      /**< exactly equal [abababab] */
    ADDRESS_ES,      /**< within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]] */
    ADDRESS_EB,      /**< completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]] */
    ADDRESS_GE,      /**< bigger with overlap [bb[aba]aa] */
    ADDRESS_GT,      /**< bigger [bbb] [aaa] */
};
132 
133 #define ADDRESS_FLAG_NOT 0x01 /**< address is negated */
134 
135 /** \brief address structure for use in the detection engine.
136  *
137  * Contains the address information and matching information.
138  */
139 typedef struct DetectAddress_ {
140  /** address data for this group */
143 
144  /** flags affecting this address */
145  uint8_t flags;
146 
147  /** ptr to the previous address in the list */
149  /** ptr to the next address in the list */
151 } DetectAddress;
152 
153 /** Address grouping head. IPv4 and IPv6 are split out */
154 typedef struct DetectAddressHead_ {
158 
159 
160 typedef struct DetectMatchAddressIPv4_ {
161  uint32_t ip; /**< address in host order, start of range */
162  uint32_t ip2; /**< address in host order, end of range */
164 
165 typedef struct DetectMatchAddressIPv6_ {
166  uint32_t ip[4];
167  uint32_t ip2[4];
169 
170 /*
171  * DETECT PORT
172  */
173 
/** Result of comparing port range a against port range b ("a is ... than
 *  b"). Same shape and ordering as the address comparison enum above. */
enum {
    PORT_ER = -1, /**< error. NOTE(review): the original text ("compare ipv4
                   *   and ipv6") was copied from the address enum; the real
                   *   error condition for ports is not visible here -- confirm
                   *   in the port comparison code */
    PORT_LT,      /**< smaller [aaa] [bbb] */
    PORT_LE,      /**< smaller with overlap [aa[bab]bb] */
    PORT_EQ,      /**< exactly equal [abababab] */
    PORT_ES,      /**< within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]] */
    PORT_EB,      /**< completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]] */
    PORT_GE,      /**< bigger with overlap [bb[aba]aa] */
    PORT_GT,      /**< bigger [bbb] [aaa] */
};
185 
186 #define PORT_FLAG_ANY 0x01 /**< 'any' special port */
187 #define PORT_FLAG_NOT 0x02 /**< negated port */
188 #define PORT_SIGGROUPHEAD_COPY 0x04 /**< sgh is a ptr copy */
189 
/** \brief Port structure for detection engine.
 *
 *  One node of a doubly linked list of port ranges. The list links belong
 *  to the list; whether ::sh belongs to this node depends on
 *  PORT_SIGGROUPHEAD_COPY in ::flags.
 */
typedef struct DetectPort_ {
    uint16_t port;  /**< start of the range (presumably inclusive, mirroring
                     *   DetectMatchAddressIPv4::ip -- confirm) */
    uint16_t port2; /**< end of the range */

    uint8_t flags;  /**< PORT_FLAG_ANY, PORT_FLAG_NOT, PORT_SIGGROUPHEAD_COPY */

    /* signatures that belong in this group
     *
     * If the PORT_SIGGROUPHEAD_COPY flag is set, we don't own this pointer
     * (memory is freed elsewhere). Any free path must therefore test the
     * flag before releasing ::sh, or the shared head gets freed by two
     * owners.
     */
    struct SigGroupHead_ *sh;

    struct DetectPort_ *prev; /**< previous node in the list */
    struct DetectPort_ *next; /**< next node in the list */
} DetectPort;
207 
/* Signature flags */
/** \note: additions should be added to the rule analyzer as well */
/** Stored in Signature::flags (uint32_t). Bit 8 and bits 13..16 are
 *  currently vacant; take those before widening the field. */

#define SIG_FLAG_SRC_ANY BIT_U32(0) /**< source is any */
#define SIG_FLAG_DST_ANY BIT_U32(1) /**< destination is any */
#define SIG_FLAG_SP_ANY BIT_U32(2) /**< source port is any */
#define SIG_FLAG_DP_ANY BIT_U32(3) /**< destination port is any */

#define SIG_FLAG_NOALERT BIT_U32(4) /**< signature has the noalert keyword; no alert is generated on match */
#define SIG_FLAG_DSIZE BIT_U32(5) /**< signature has a dsize setting */
#define SIG_FLAG_APPLAYER BIT_U32(6) /**< signature applies to app layer instead of packets */
#define SIG_FLAG_IPONLY BIT_U32(7) /**< ip only signature */

// vacancy: bit 8

#define SIG_FLAG_REQUIRE_PACKET BIT_U32(9) /**< signature is requiring packet match */
#define SIG_FLAG_REQUIRE_STREAM BIT_U32(10) /**< signature is requiring stream match */

#define SIG_FLAG_MPM_NEG BIT_U32(11)

#define SIG_FLAG_FLUSH BIT_U32(12) /**< detection logic needs stream flush notification */

// vacancies: bits 13..16

#define SIG_FLAG_REQUIRE_FLOWVAR BIT_U32(17) /**< signature can only match if a flowbit, flowvar or flowint is available. */

#define SIG_FLAG_FILESTORE BIT_U32(18) /**< signature has filestore keyword */

#define SIG_FLAG_TOSERVER BIT_U32(19) /**< direction: traffic towards the server */
#define SIG_FLAG_TOCLIENT BIT_U32(20) /**< direction: traffic towards the client */

#define SIG_FLAG_TLSSTORE BIT_U32(21)

#define SIG_FLAG_BYPASS BIT_U32(22)

#define SIG_FLAG_PREFILTER BIT_U32(23) /**< sig is part of a prefilter engine */

/** Proto detect only signature.
 * Inspected once per direction when protocol detection is done. */
#define SIG_FLAG_PDONLY BIT_U32(24)
/** Info for Source and Target identification */
#define SIG_FLAG_SRC_IS_TARGET BIT_U32(25)
/** Info for Source and Target identification */
#define SIG_FLAG_DEST_IS_TARGET BIT_U32(26)

/** Either target flag set: the rule carries source/target information. */
#define SIG_FLAG_HAS_TARGET (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET)
254 
/* signature init flags */
/** Stored in SignatureInitData::init_flags (uint32_t). These are only
 *  meaningful while a rule is being parsed and built, not at match time. */
#define SIG_FLAG_INIT_DEONLY BIT_U32(0) /**< decode event only signature */
#define SIG_FLAG_INIT_PACKET BIT_U32(1) /**< signature has matches against a packet (as opposed to app layer) */
#define SIG_FLAG_INIT_FLOW BIT_U32(2) /**< signature has a flow setting */
#define SIG_FLAG_INIT_BIDIREC BIT_U32(3) /**< signature has bidirectional operator */
#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN BIT_U32(4) /**< signature has seen the first ip_proto keyword */
#define SIG_FLAG_INIT_HAS_TRANSFORM BIT_U32(5) /**< signature uses at least one transform */
#define SIG_FLAG_INIT_STATE_MATCH BIT_U32(6) /**< signature has matches that require stateful inspection */
#define SIG_FLAG_INIT_NEED_FLUSH BIT_U32(7)
#define SIG_FLAG_INIT_PRIO_EXPLICT BIT_U32(8) /**< priority is explicitly set by the priority keyword */
265 
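/* signature mask flags */
/** \note: additions should be added to the rule analyzer as well */
/** Bits of a SignatureMask. Only bits 0..7 exist; bit 6 is currently
 *  vacant. Adding a ninth bit requires widening SignatureMask first. */
#define SIG_MASK_REQUIRE_PAYLOAD BIT_U8(0)
#define SIG_MASK_REQUIRE_FLOW BIT_U8(1)
#define SIG_MASK_REQUIRE_FLAGS_INITDEINIT BIT_U8(2) /* SYN, FIN, RST */
#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL BIT_U8(3) /* URG, ECN, CWR */
#define SIG_MASK_REQUIRE_NO_PAYLOAD BIT_U8(4)
#define SIG_MASK_REQUIRE_DCERPC BIT_U8(5) /* require either SMB+DCE or raw DCE */
// vacancy: bit 6
#define SIG_MASK_REQUIRE_ENGINE_EVENT BIT_U8(7)

/** Set of SIG_MASK_* bits a signature requires from a packet.
 *  A real typedef instead of `#define SignatureMask uint8_t` so the name is
 *  type-checked and visible to the debugger; uint8_t is enough for the
 *  eight bits defined above. */
typedef uint8_t SignatureMask;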
279 
/** Bit for DetectEngineThreadCtx::flags (presumably; that field is a
 *  uint16_t and this is the only value for it visible in this header). */
#define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH 0x0004

/** What a signature needs from a file before its file keywords can be
 *  evaluated. Presumably held in Signature::file_flags, a uint8_t: all eight
 *  bits are taken, so a new FILE_SIG_NEED_* value requires widening that
 *  field first. */
#define FILE_SIG_NEED_FILE 0x01
#define FILE_SIG_NEED_FILENAME 0x02
#define FILE_SIG_NEED_MAGIC 0x04 /**< need the start of the file */
#define FILE_SIG_NEED_FILECONTENT 0x08
#define FILE_SIG_NEED_MD5 0x10
#define FILE_SIG_NEED_SHA1 0x20
#define FILE_SIG_NEED_SHA256 0x40
#define FILE_SIG_NEED_SIZE 0x80

/* Detection Engine flags */
#define DE_QUIET 0x01 /**< DE is quiet (esp for unittests) */
293 
294 typedef struct IPOnlyCIDRItem_ {
295  /* address data for this item */
296  uint8_t family;
297  /* netmask in CIDR values (ex. /16 /18 /24..) */
298  uint8_t netmask;
299  /* If this host or net is negated for the signum */
300  uint8_t negated;
301 
302  uint32_t ip[4];
303  SigIntId signum; /**< our internal id */
304 
305  /* linked list, the header should be the biggest network */
307 
309 
/** \brief Used to start a pointer to SigMatch context
 * Should never be dereferenced without casting to something else.
 *
 * Opaque base type: each keyword's own context struct travels through the
 * engine as a SigMatchCtx * and is cast back by that keyword's hooks
 * (see SigTableElmt::Match, which receives it as const SigMatchCtx *).
 * The single member only keeps the struct non-empty; nothing should read it.
 */
typedef struct SigMatchCtx_ {
    int foo; /**< placeholder, never meaningful */
} SigMatchCtx;
316 
/** \brief a single match condition for a signature (init-time form).
 *
 *  Doubly linked list node built while a rule is parsed; the flattened
 *  run-time form is SigMatchData. */
typedef struct SigMatch_ {
    uint8_t type;     /**< match type. Presumably an index into the sigmatch
                       *   table; DETECT_TBLSIZE is not visible here, so
                       *   confirm it fits in 8 bits */
    uint16_t idx;     /**< position in the signature; assigned from
                       *   SignatureInitData::sm_cnt, which is also uint16_t */
    SigMatchCtx *ctx; /**< plugin specific data, presumably released by the
                       *   keyword's SigTableElmt::Free */
    struct SigMatch_ *next;
    struct SigMatch_ *prev;
} SigMatch;
325 
/** \brief Data needed for Match()
 *
 *  Run-time form of SigMatch: entries are laid out consecutively and the
 *  walker stops at the one with ::is_last set rather than following a
 *  pointer, so a list whose final entry lacks is_last would be walked
 *  past its end. */
typedef struct SigMatchData_ {
    uint8_t type;     /**< match type */
    uint8_t is_last;  /**< Last element of the list */
    SigMatchCtx *ctx; /**< plugin specific data */
} SigMatchData;
332 
333 struct DetectEngineThreadCtx_;// DetectEngineThreadCtx;
334 
335 /* inspection buffer is a simple structure that is passed between prefilter,
336  * transformation functions and inspection functions.
337  * Initially set up with 'orig' ptr and len, transformations can then take
338  * them and fill the 'buf'. Multiple transformations can update the buffer,
339  * both growing and shrinking it.
340  * Prefilter and inspection will only deal with 'inspect'. */
341 
342 typedef struct InspectionBuffer {
343  const uint8_t *inspect; /**< active pointer, points either to ::buf or ::orig */
344  uint64_t inspect_offset;
345  uint32_t inspect_len; /**< size of active data. See to ::len or ::orig_len */
346  uint8_t flags; /**< DETECT_CI_FLAGS_* for use with DetectEngineContentInspection */
347 
348  uint32_t len; /**< how much is in use */
349  uint8_t *buf;
350  uint32_t size; /**< size of the memory allocation */
351 
352  uint32_t orig_len;
353  const uint8_t *orig;
355 
356 /* inspection buffers are kept per tx (in det_ctx), but some protocols
357  * need a bit more. A single TX might have multiple buffers, e.g. files in
358  * SMTP or DNS queries. Since all prefilters+transforms run before the
359  * individual rules need the same buffers, we need a place to store the
360  * transformed data. This array of arrays is that place. */
361 
364  uint32_t size; /**< size in number of elements */
365  uint32_t max:31; /**< max id in use in this run */
366  uint32_t init:1; /**< first time used this run. Used for clean logic */
368 
369 typedef struct DetectEngineTransforms {
370  int transforms[DETECT_TRANSFORMS_MAX];
371  int cnt;
373 
/** callback for getting the buffer we need to prefilter/inspect
 *
 *  \param det_ctx    detection thread ctx that holds the per-thread
 *                    InspectionBuffer storage
 *  \param transforms transforms registered for this list (see
 *                    DetectEngineTransforms); whether NULL is allowed is
 *                    not visible here -- confirm against callers
 *  \param f          flow the transaction belongs to
 *  \param flow_flags direction flags for this inspection (assumed)
 *  \param txv        opaque app-layer transaction
 *  \param list_id    sm list id selecting which buffer to produce
 *  \retval buffer with ::inspect / ::inspect_len set for the caller; the
 *          NULL/empty convention is not defined in this header -- confirm
 */
typedef InspectionBuffer *(*InspectionBufferGetDataPtr)(
        struct DetectEngineThreadCtx_ *det_ctx,
        const DetectEngineTransforms *transforms,
        Flow *f, const uint8_t flow_flags,
        void *txv, const int list_id);
380 
382  struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx,
383  const struct Signature_ *sig, const SigMatchData *smd,
384  Flow *f, uint8_t flags, void *alstate,
385  void *tx, uint64_t tx_id);
386 
388 
/** App-layer inspection engine callback, v2 form.
 *
 *  Presumably follows the return convention documented on the engine
 *  struct below (0 no match yet / 1 match / 2 can't match / 3 filestore
 *  special) -- confirm against the implementations before depending on it.
 *  \param engine the DetectEngineAppInspectionEngine that registered this
 *                callback
 *  \param txv    opaque transaction; \p tx_id is its id
 */
typedef int (*InspectEngineFuncPtr2)(
        struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx,
        const struct DetectEngineAppInspectionEngine_ *engine,
        const struct Signature_ *s,
        Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
394 
397  uint8_t dir;
398  uint8_t id; /**< per sig id used in state keeping */
399  uint16_t mpm:1;
400  uint16_t stream:1;
401  uint16_t sm_list:14;
402  int16_t progress;
403 
404  /* \retval 0 No match. Don't discontinue matching yet. We need more data.
405  * 1 Match.
406  * 2 Sig can't match.
407  * 3 Special value used by filestore sigs to indicate disabling
408  * filestore for the tx.
409  */
411 
412  struct {
415  /** pointer to the transforms in the 'DetectBuffer entry for this list */
417  } v2;
418 
420 
423 
424 typedef struct DetectBufferType_ {
425  const char *string;
426  const char *description;
427  int id;
429  _Bool mpm;
430  _Bool packet; /**< compat to packet matches */
432  void (*SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *);
433  bool (*ValidateCallback)(const struct Signature_ *, const char **sigerror);
436 
438 
439 /**
440  * \param alert_flags[out] for setting PACKET_ALERT_FLAG_*
441  */
443  struct DetectEngineThreadCtx_ *,
444  const struct DetectEnginePktInspectionEngine *engine,
445  const struct Signature_ *s,
446  Packet *p, uint8_t *alert_flags);
447 
/** callback for getting the buffer we need to prefilter/inspect
 *
 *  Packet-level counterpart of InspectionBufferGetDataPtr: no flow or
 *  transaction, the data comes from \p p.
 *  \param det_ctx    detection thread ctx holding the InspectionBuffer storage
 *  \param transforms transforms registered for this list
 *  \param p          packet to take the data from
 *  \param list_id    sm list id selecting which buffer to produce
 */
typedef InspectionBuffer *(*InspectionBufferGetPktDataPtr)(
        struct DetectEngineThreadCtx_ *det_ctx,
        const DetectEngineTransforms *transforms,
        Packet *p, const int list_id);
453 
456  uint16_t mpm:1;
457  uint16_t sm_list:15;
458  struct {
461  /** pointer to the transforms in the 'DetectBuffer entry for this list */
463  } v1;
466 
467 #ifdef UNITTESTS
468 #define sm_lists init_data->smlists
469 #define sm_lists_tail init_data->smlists_tail
470 #endif
471 
472 typedef struct SignatureInitData_ {
473  /** Number of sigmatches. Used for assigning SigMatch::idx */
474  uint16_t sm_cnt;
475 
476  /** option was prefixed with '!'. Only set for sigmatches that
477  * have the SIGMATCH_HANDLE_NEGATION flag set. */
478  bool negated;
479 
480  /* track if we saw any negation in the addresses. If so, we
481  * skip it for ip-only */
484 
485  /* used to hold flags that are used during init */
486  uint32_t init_flags;
487  /* coccinelle: SignatureInitData:init_flags:SIG_FLAG_INIT_ */
488 
489  /* used at init to determine max dsize */
491 
492  /* the fast pattern added from this signature */
494  /* used to speed up init of prefilter */
496 
497  /* SigMatch list used for adding content and friends. E.g. file_data; */
498  int list;
499  bool list_set;
500 
501  int transforms[DETECT_TRANSFORMS_MAX];
503 
504  /** score to influence rule grouping. A higher value leads to a higher
505  * likelihood of a rulegroup with this sig ending up as a contained
506  * group. */
508 
509  /** address settings for this signature */
511 
513 
515  /* holds all sm lists */
516  struct SigMatch_ **smlists;
517  /* holds all sm lists' tails */
520 
521 /** \brief Signature container */
522 typedef struct Signature_ {
523  uint32_t flags;
524  /* coccinelle: Signature:flags:SIG_FLAG_ */
525 
527 
528  uint16_t dsize_low;
529  uint16_t dsize_high;
530 
532  SigIntId num; /**< signature number, internal id */
533 
534  /** inline -- action */
535  uint8_t action;
536  uint8_t file_flags;
537 
538  /** addresses, ports and proto this sig matches on */
540 
541  /** classification id **/
542  uint16_t class_id;
543 
544  /** ipv4 match arrays */
551  /** ipv6 match arrays */
554 
555  uint32_t id; /**< sid, set by the 'sid' rule keyword */
556  uint32_t gid; /**< generator id */
557  uint32_t rev;
558  int prio;
559 
560  /** port settings for this signature */
561  DetectPort *sp, *dp;
562 
563 #ifdef PROFILING
564  uint16_t profiling_id;
565 #endif
566 
567  /** netblocks and hosts specified at the sid, in CIDR format */
569 
572 
573  /* Matching structures for the built-ins. The others are in
574  * their inspect engines. */
576 
577  /* memory is still owned by the sm_lists/sm_arrays entry */
579 
580  char *msg;
581 
582  /** classification message */
583  char *class_msg;
584  /** Reference */
586  /** Metadata */
588 
589  char *sig_str;
590 
592 
593  /** ptr to the next sig in the list */
594  struct Signature_ *next;
595 } Signature;
596 
600  /* must be last */
602 };
603 
604 /** \brief one time registration of keywords at start up */
606  const char *name;
607  char pname[32]; /**< name used in profiling */
608  int direction; /**< SIG_FLAG_TOSERVER or SIG_FLAG_TOCLIENT */
609  int sm_list;
610  int priority;
611  int id; /**< index into this array and result arrays */
614 
615  int (*PrefilterRegisterWithListId)(struct DetectEngineCtx_ *de_ctx,
616  struct SigGroupHead_ *sgh, MpmCtx *mpm_ctx,
617  const struct DetectBufferMpmRegistery_ *mpm_reg, int list_id);
619 
620  union {
621  /* app-layer matching: use if type == DETECT_BUFFER_MPM_TYPE_APP */
622  struct {
626  } app_v2;
627 
628  /* pkt matching: use if type == DETECT_BUFFER_MPM_TYPE_PKT */
629  struct {
630  int (*PrefilterRegisterWithListId)(struct DetectEngineCtx_ *de_ctx,
631  struct SigGroupHead_ *sgh, MpmCtx *mpm_ctx,
632  const struct DetectBufferMpmRegistery_ *mpm_reg, int list_id);
634  } pkt_v1;
635  };
636 
639 
640 typedef struct DetectReplaceList_ {
642  uint8_t *found;
645 
646 /** only execute flowvar storage if rule matched */
647 #define DETECT_VAR_TYPE_FLOW_POSTMATCH 1
648 #define DETECT_VAR_TYPE_PKT_POSTMATCH 2
649 
650 /** list for flowvar store candidates, to be stored from
651  * post-match function */
652 typedef struct DetectVarList_ {
653  uint32_t idx; /**< flowvar name idx */
654  uint16_t len; /**< data len */
655  uint16_t key_len;
656  int type; /**< type of store candidate POSTMATCH or ALWAYS */
657  uint8_t *key;
658  uint8_t *buffer; /**< alloc'd buffer, may be freed by
659  post-match, post-non-match */
661 } DetectVarList;
662 
664  uint8_t *sig_match_array; /* bit array of sig nums */
665  uint32_t sig_match_size; /* size in bytes of the array */
667 
668 /** \brief IP only rules matching ctx. */
669 typedef struct DetectEngineIPOnlyCtx_ {
670  /* lookup hashes */
671  HashListTable *ht16_src, *ht16_dst;
672  HashListTable *ht24_src, *ht24_dst;
673 
674  /* Lookup trees */
675  SCRadixTree *tree_ipv4src, *tree_ipv4dst;
676  SCRadixTree *tree_ipv6src, *tree_ipv6dst;
677 
678  /* Used to build the radix trees */
680 
681  /* counters */
682  uint32_t a_src_uniq16, a_src_total16;
683  uint32_t a_dst_uniq16, a_dst_total16;
684  uint32_t a_src_uniq24, a_src_total24;
685  uint32_t a_dst_uniq24, a_dst_total24;
686 
687  uint32_t max_idx;
688 
689  uint8_t *sig_init_array; /* bit array of sig nums */
690  uint32_t sig_init_size; /* size in bytes of the array */
691 
692  /* number of sigs in this head */
693  uint32_t sig_cnt;
694  uint32_t *match_array;
696 
697 typedef struct DetectEngineLookupFlow_ {
700  struct SigGroupHead_ *sgh[256];
702 
703 #include "detect-threshold.h"
704 
705 /** \brief threshold ctx */
706 typedef struct ThresholdCtx_ {
707  SCMutex threshold_table_lock; /**< Mutex for hash table */
708 
709  /** to support rate_filter "by_rule" option */
711  uint32_t th_size;
712 } ThresholdCtx;
713 
714 typedef struct SigString_ {
715  char *filename;
716  char *sig_str;
717  char *sig_error;
718  int line;
720 } SigString;
721 
722 /** \brief Signature loader statistics */
723 typedef struct SigFileLoaderStat_ {
724  TAILQ_HEAD(, SigString_) failed_sigs;
730 
732  void *(*InitFunc)(void *);
733  void (*FreeFunc)(void *);
734  void *data;
736  int id;
737  const char *name; /* keyword name, for error printing */
739 
741 {
742  DETECT_PREFILTER_MPM = 0, /**< use only mpm / fast_pattern */
743  DETECT_PREFILTER_AUTO = 1, /**< use mpm + keyword prefilters */
744 };
745 
747 {
749  DETECT_ENGINE_TYPE_DD_STUB = 1, /* delayed detect stub: can be reloaded */
750  DETECT_ENGINE_TYPE_MT_STUB = 2, /* multi-tenant stub: cannot be reloaded */
752 };
753 
754 /* Flow states:
755  * toserver
756  * toclient
757  */
758 #define FLOW_STATES 2
759 
760 /** \brief main detection engine ctx */
761 typedef struct DetectEngineCtx_ {
762  uint8_t flags;
764 
766 
768  uint32_t sig_cnt;
769 
770  /* version of the srep data */
771  uint32_t srep_version;
772 
773  /* reputation for netblocks */
775 
777  uint32_t sig_array_size; /* size in bytes */
778  uint32_t sig_array_len; /* size in array members */
779 
780  uint32_t signum;
781 
782  /** Maximum value of all our sgh's non_mpm_store_cnt setting,
783  * used to alloc det_ctx::non_mpm_id_array */
785 
786  /* used by the signature ordering module */
788 
789  /* hash table used for holding the classification config info */
791  /* hash table used for holding the reference config info */
793 
794  /* main sigs */
796 
797  uint32_t gh_unique, gh_reuse;
798 
799  /* init phase vars */
801 
803 
804  /* hash table used to cull out duplicate sigs */
806 
809 
810  uint16_t mpm_matcher; /**< mpm matcher this ctx uses */
811  uint16_t spm_matcher; /**< spm matcher this ctx uses */
812 
813  /* spm thread context prototype, built as spm matchers are constructed and
814  * later used to construct thread context for each thread. */
816 
817  /* Config options */
818 
821 
822  /* specify the configuration for mpm context factory */
824 
825  /* max flowbit id that is used */
826  uint32_t max_fb_id;
827 
828  uint32_t max_fp_id;
829 
831 
832  /* maximum recursion depth for content inspection */
834 
835  /* conf parameter that limits the length of the http request body inspected */
837  /* conf parameter that limits the length of the http response body inspected */
839 
840  /* array containing all sgh's in use so we can loop
841  * through it in Stage4. */
843  uint32_t sgh_array_cnt;
844  uint32_t sgh_array_size;
845 
850 
851  /* the max local id used amongst all sigs */
853 
854  /** version of the detect engine */
855  uint32_t version;
856 
857  /** sgh for signatures that match against invalid packets. In those cases
858  * we can't lookup by proto, address, port as we don't have these */
860 
861  /* Maximum size of the buffer for decoded base64 data. */
863 
864  /** Store rule file and line so that parsers can use them in errors. */
865  char *rule_file;
868  const char *sigerror;
869 
870  /** list of keywords that need thread local ctxs */
873 
874  struct {
875  uint32_t content_limit;
878  } filedata_config[ALPROTO_MAX];
880 
881 #ifdef PROFILING
888 #endif
889  uint32_t prefilter_maxid;
890 
891  char config_prefix[64];
892 
894 
895  /** how many de_ctx' are referencing this */
896  uint32_t ref_cnt;
897  /** list in master: either active or freelist */
899 
900  /** id of loader thread 'owning' this de_ctx */
902 
903  /** are we using just mpm or also other prefilters */
905 
907 
910 
911  /** table for storing the string representation with the parsers result */
913 
914  /** table to store metadata keys and values */
916 
919 
920  /* hash table with rule-time buffer registration. Start time registration
921  * is in detect-engine.c::g_buffer_type_hash */
924 
925  /* list with app inspect engines. Both the start-time registered ones and
926  * the rule-time registered ones. */
933 
934  uint32_t prefilter_id;
936 
937  /** time of last ruleset reload */
938  struct timeval last_reload;
939 
940  /** signatures stats */
942 
943  /** per keyword flag indicating if a prefilter has been
944  * set for it. If true, the setup function will have to
945  * run. */
946  bool sm_types_prefilter[DETECT_TBLSIZE];
947  bool sm_types_silent_error[DETECT_TBLSIZE];
948 
950 
951 /* Engine groups profiles (low, medium, high, custom) */
952 enum {
959 };
960 
961 /* Siggroup mpm context profile */
962 enum {
966 };
967 
968 typedef struct HttpReassembledBody_ {
969  const uint8_t *buffer;
971  uint32_t buffer_size; /**< size of the buffer itself */
972  uint32_t buffer_len; /**< data len in the buffer */
974  uint64_t offset; /**< data offset */
976 
/** Capacity of DetectEngineThreadCtx::filestore[]. Whoever appends an entry
 *  must compare DetectEngineThreadCtx::filestore_cnt against this bound
 *  before indexing; the check is not in this header, so it has to live at
 *  the write site. */
#define DETECT_FILESTORE_MAX 15
978 
982  uint8_t alproto;
984 
985 /** array of TX inspect rule candidates */
986 typedef struct RuleMatchCandidateTx {
987  SigIntId id; /**< internal signature id */
988  uint32_t *flags; /**< inspect flags ptr */
989  union {
990  struct {
992  uint8_t stream_result;
993  };
994  uint32_t stream_reset;
995  };
996 
997  const Signature *s; /**< ptr to sig */
999 
1000 /**
1001  * Detection engine thread data.
1002  */
1003 typedef struct DetectEngineThreadCtx_ {
1004  /** \note multi-tenant hash lookup code from Detect() *depends*
1005  * on this being the first member */
1006  uint32_t tenant_id;
1007 
1008  /** ticker that is incremented once per packet. */
1009  uint64_t ticker;
1010 
1011  /* the thread to which this detection engine thread belongs */
1013 
1015  uint32_t non_pf_id_cnt; // size is cnt * sizeof(uint32_t)
1016 
1020 
1023 
1024  uint32_t (*TenantGetId)(const void *, const Packet *p);
1025 
1026  /* detection engine variables */
1027 
1029 
1030  /** offset into the payload of the last match by:
1031  * content, pcre, etc */
1032  uint32_t buffer_offset;
1033  /* used by pcre match function alone */
1035 
1036  /* counter for the filestore array below -- up here for cache reasons. */
1037  uint16_t filestore_cnt;
1038 
1039  /** id for alert counter */
1040  uint16_t counter_alerts;
1041 #ifdef PROFILING
1046 #endif
1047 
1048  int inspect_list; /**< list we're currently inspecting, DETECT_SM_LIST_* */
1049 
1050  struct {
1052  uint32_t buffers_size; /**< in number of elements */
1053  uint32_t to_clear_idx;
1054  uint32_t *to_clear_queue;
1055  } inspect;
1056 
1057  struct {
1058  /** inspection buffers for more complex case. As we can inspect multiple
1059  * buffers in parallel, we need this extra wrapper struct */
1061  uint32_t buffers_size; /**< in number of elements */
1062  uint32_t to_clear_idx;
1063  uint32_t *to_clear_queue;
1064  } multi_inspect;
1065 
1066  /* used to discontinue any more matching */
1068  uint16_t flags;
1069 
1070  /* bool: if tx_id is set, this is 1, otherwise 0 */
1071  uint16_t tx_id_set;
1072  /** ID of the transaction currently being inspected. */
1073  uint64_t tx_id;
1075 
1076  SC_ATOMIC_DECLARE(int, so_far_used_by_detect);
1077 
1078  /* holds the current recursion depth on content inspection */
1080 
1081  /** array of signature pointers we're going to inspect in the detection
1082  * loop. */
1084  /** size of the array in items (mem size if * sizeof(Signature *)
1085  * Only used during initialization. */
1087  /** size in use */
1089 
1092 
1095 
1096  /** pointer to the current mpm ctx that is stored
1097  * in a rule group head -- can be either a content
1098  * or uricontent ctx. */
1099  MpmThreadCtx mtc; /**< thread ctx for the mpm */
1100  MpmThreadCtx mtcu; /**< thread ctx for uricontent mpm */
1101  MpmThreadCtx mtcs; /**< thread ctx for stream mpm */
1103 
1104  /** SPM thread context used for scanning. This has been cloned from the
1105  * prototype held by DetectEngineCtx. */
1107 
1108  /** ip only rules ctx */
1110 
1111  /* byte jump values */
1112  uint64_t *bj_values;
1113 
1114  /* string to replace */
1116  /* vars to store in post match function */
1118 
1119  /* Array in which the filestore keyword stores file id and tx id. If the
1120  * full signature matches, these are processed by a post-match filestore
1121  * function to finalize the store. */
1122  struct {
1123  uint32_t file_id;
1124  uint64_t tx_id;
1125  } filestore[DETECT_FILESTORE_MAX];
1126 
1128  /** store for keyword contexts that need a per thread storage. Per de_ctx. */
1131  /** store for keyword contexts that need a per thread storage. Global. */
1134 
1135  uint8_t *base64_decoded;
1138 
1140  uint16_t events;
1141 
1142 #ifdef DEBUG
1143  uint64_t pkt_stream_add_cnt;
1144  uint64_t payload_mpm_cnt;
1145  uint64_t payload_mpm_size;
1146  uint64_t stream_mpm_cnt;
1147  uint64_t stream_mpm_size;
1148  uint64_t payload_persig_cnt;
1149  uint64_t payload_persig_size;
1150  uint64_t stream_persig_cnt;
1151  uint64_t stream_persig_size;
1152 #endif
1153 #ifdef PROFILING
1158  int keyword_perf_list; /**< list we're currently inspecting, DETECT_SM_LIST_* */
1160 
1163 #endif
1165 
/** \brief element in sigmatch type table.
 *
 *  One entry per rule keyword; the function pointers are the keyword's
 *  hooks into the engine. Which of them may be NULL is not stated in this
 *  header -- confirm per hook in the registration code before calling one
 *  unconditionally.
 */
typedef struct SigTableElmt_ {
    /** Packet match function pointer. The return-value convention is not
     *  defined here (presumably 0 no match / 1 match -- confirm). */
    int (*Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *);

    /** AppLayer TX match function pointer */
    int (*AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *,
            uint8_t flags, void *alstate, void *txv,
            const Signature *, const SigMatchCtx *);

    /** File match function pointer */
    int (*FileMatch)(DetectEngineThreadCtx *,
            Flow *, /**< *LOCKED* flow: the caller holds the lock, so the
                     *   callee must not try to take it again */
            uint8_t flags, File *, const Signature *, const SigMatchCtx *);

    /** InspectionBuffer transformation callback. Works on the buffer it is
     *  handed; transforms may grow or shrink the inspected data (see the
     *  InspectionBuffer description). */
    void (*Transform)(InspectionBuffer *);

    /** keyword setup function pointer. The const char * is presumably the
     *  keyword's option string as read from the rule file; it is operator
     *  input, not engine-generated, so every Setup must validate length
     *  and syntax rather than assume a well-formed value. */
    int (*Setup)(DetectEngineCtx *, Signature *, const char *);

    /* NOTE(review): declared _Bool here while DetectBufferType_ uses bool
     * for the same kind of callback; same type, inconsistent spelling. */
    _Bool (*SupportsPrefilter)(const Signature *s);
    int (*SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh);

    /** Frees the keyword's context (presumably the SigMatchCtx, passed as
     *  void *). */
    void (*Free)(void *);
    void (*RegisterTests)(void);

    uint16_t flags;
    /* coccinelle: SigTableElmt:flags:SIGMATCH_ */

    /** better keyword to replace the current one */
    uint16_t alternative;

    const char *name;  /**< keyword name */
    const char *alias; /**< name alias */
    const char *desc;  /**< short description, for documentation output */
    const char *url;   /**< documentation url */

} SigTableElmt;
1206 
1207 /* event code */
1208 enum {
1209 #ifdef UNITTESTS
1211 #endif
1226 };
1227 
/** SigGroupHead::flags bits (uint32_t). Bits 1..19 are not defined in this
 *  header. SIG_GROUP_HEAD_HAVEFILEMAGIC only exists in builds with
 *  libmagic, so every use of it must sit under #ifdef HAVE_MAGIC as well. */
#define SIG_GROUP_HEAD_HAVERAWSTREAM BIT_U32(0)
#ifdef HAVE_MAGIC
#define SIG_GROUP_HEAD_HAVEFILEMAGIC BIT_U32(20)
#endif
#define SIG_GROUP_HEAD_HAVEFILEMD5 BIT_U32(21)
#define SIG_GROUP_HEAD_HAVEFILESIZE BIT_U32(22)
#define SIG_GROUP_HEAD_HAVEFILESHA1 BIT_U32(23)
#define SIG_GROUP_HEAD_HAVEFILESHA256 BIT_U32(24)
1236 
1246 };
1247 
1248 typedef struct MpmStore_ {
1249  uint8_t *sid_array;
1250  uint32_t sid_array_size;
1251 
1253  enum MpmBuiltinBuffers buffer;
1254  int sm_list;
1256 
1258 
1259 } MpmStore;
1260 
1261 typedef struct PrefilterEngineList_ {
1262  uint16_t id;
1263 
1264  /** App Proto this engine applies to: only used with Tx Engines */
1266  /** Minimal Tx progress we need before running the engine. Only used
1267  * with Tx Engine */
1269 
1270  /** Context for matching. Might be MpmCtx for MPM engines, other ctx'
1271  * for other engines. */
1272  void *pectx;
1273 
1274  void (*Prefilter)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx);
1275  void (*PrefilterTx)(DetectEngineThreadCtx *det_ctx, const void *pectx,
1276  Packet *p, Flow *f, void *tx,
1277  const uint64_t idx, const uint8_t flags);
1278 
1280 
1281  /** Free function for pectx data. If NULL the memory is not freed. */
1282  void (*Free)(void *pectx);
1283 
1284  const char *name;
1285  /* global id for this prefilter */
1286  uint32_t gid;
1288 
typedef struct PrefilterEngine_ {
    /** Id of this engine within the array it is stored in (contrast with
     *  the global gid below). */
    uint16_t local_id;

    /** App Proto this engine applies to: only used with Tx Engines */
    /** Minimal Tx progress we need before running the engine. Only used
     * with Tx Engine */

    /** Context for matching. Might be MpmCtx for MPM engines, other ctx'
     * for other engines. Stored untyped and handed to the callback as
     * const void *, so the callback must cast it to the type the engine
     * that registered it expects; there is no type tag in this struct.
     * No Free callback is stored here either, so ownership of pectx
     * presumably stays with the PrefilterEngineList it was built from —
     * confirm. */
    void *pectx;

    /** Only one member is meaningful per engine: Prefilter for engines
     *  that run per packet, PrefilterTx for engines that run per app-layer
     *  transaction. Nothing in this struct records which one was set, so
     *  the code that builds the engine array has to keep that straight. */
    union {
        void (*Prefilter)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx);
        void (*PrefilterTx)(DetectEngineThreadCtx *det_ctx, const void *pectx,
                Packet *p, Flow *f, void *tx,
                const uint64_t idx, const uint8_t flags);
    } cb;

    /* global id for this prefilter */
    uint32_t gid;
    /** Presumably non-zero on the final entry of an engine array so it can
     *  be walked without a separate length — confirm against the loops
     *  that iterate these arrays. */
    int is_last;
} PrefilterEngine;
1313 
1314 typedef struct SigGroupHeadInitData_ {
1315  MpmStore mpm_store[MPMB_MAX];
1316 
1317  uint8_t *sig_array; /**< bit array of sig nums (internal id's) */
1318  uint32_t sig_size; /**< size in bytes */
1319 
1320  uint8_t protos[256]; /**< proto(s) this sgh is for */
1321  uint32_t direction; /**< set to SIG_FLAG_TOSERVER, SIG_FLAG_TOCLIENT or both */
1322  int whitelist; /**< try to make this group a unique one */
1323 
1326 
1330 
1331  /* port ptr */
1334 
/** \brief Container for matching data for a signature group
 *
 *  A SigGroupHead is what the detection engine selects for a packet (see
 *  SigMatchSignaturesGetSgh) and then walks to find candidate signatures.
 *  The array members below carry their lengths in separate count fields;
 *  readers must use those counts and never infer a length from the
 *  pointer itself. */
typedef struct SigGroupHead_ {
    uint32_t flags;
    /* coccinelle: SigGroupHead:flags:SIG_GROUP_HEAD_ */

    /* number of sigs in this head */

    /* non prefilter list excluding SYN rules */
    SignatureNonPrefilterStore *non_pf_other_store_array; // length is the non-prefilter 'other' store count (the name non_mpm_store_cnt used to be given here; the field is listed as non_pf_other_store_cnt) * sizeof(SignatureNonPrefilterStore)
    /* non mpm list including SYN rules */
    SignatureNonPrefilterStore *non_pf_syn_store_array; // length is the non-prefilter SYN store count (listed as non_pf_syn_store_cnt) * sizeof(SignatureNonPrefilterStore)

    /** the number of signatures in this sgh that have the filestore keyword
     * set. Note this is a 16-bit counter while sig counts elsewhere are
     * 32-bit; fine as long as the builder never exceeds it — confirm. */
    uint16_t filestore_cnt;

    uint32_t id; /**< unique id used to index sgh_array for stats */

    /** Array with sig ptrs... size is sig_cnt * sizeof(Signature *) */

    /* ptr to our init data we only use at... init :) */

} SigGroupHead;
1367 
1368 /** sigmatch has no options, so the parser shouldn't expect any */
1369 #define SIGMATCH_NOOPT BIT_U16(0)
1370 /** sigmatch is compatible with an IP-only rule */
1371 #define SIGMATCH_IPONLY_COMPAT BIT_U16(1)
1372 /** sigmatch is compatible with a decode event only rule */
1373 #define SIGMATCH_DEONLY_COMPAT BIT_U16(2)
1374 /** Flag to indicate that the signature is not built-in */
1375 #define SIGMATCH_NOT_BUILT BIT_U16(3)
1376 /** sigmatch may have options, so the parser should be ready to
1377  * deal with both cases */
1378 #define SIGMATCH_OPTIONAL_OPT BIT_U16(4)
1379 /** input may be wrapped in double quotes. They will be stripped before
1380  * input data is passed to keyword parser */
1381 #define SIGMATCH_QUOTES_OPTIONAL BIT_U16(5)
1382 /** input MUST be wrapped in double quotes. They will be stripped before
1383  * input data is passed to keyword parser. Missing double quotes lead to
1384  * error and signature invalidation. */
1385 #define SIGMATCH_QUOTES_MANDATORY BIT_U16(6)
1386 /** negation parsing is handled by the rule parser. Signature::init_data::negated
1387  * will be set to true or false prior to calling the keyword parser. Exclamation
1388  * mark is stripped from the input to the keyword parser. */
1389 #define SIGMATCH_HANDLE_NEGATION BIT_U16(7)
1390 /** keyword is a content modifier */
1391 #define SIGMATCH_INFO_CONTENT_MODIFIER BIT_U16(8)
1392 /** keyword is a sticky buffer */
1393 #define SIGMATCH_INFO_STICKY_BUFFER BIT_U16(9)
1394 /** keyword is deprecated: used to suggest an alternative */
1395 #define SIGMATCH_INFO_DEPRECATED BIT_U16(10)
1396 /** strict parsing is enabled */
1397 #define SIGMATCH_STRICT_PARSING BIT_U16(11)
1398 
1400 {
1401  TENANT_SELECTOR_UNKNOWN = 0, /**< not set */
1402  TENANT_SELECTOR_DIRECT, /**< method provides direct tenant id */
1403  TENANT_SELECTOR_VLAN, /**< map vlan to tenant id */
1404  TENANT_SELECTOR_LIVEDEV, /**< map livedev to tenant id */
1405 };
1406 
1408  uint32_t tenant_id;
1409 
1410  /* traffic id that maps to the tenant id */
1411  uint32_t traffic_id;
1412 
1415 
1416 typedef struct DetectEngineMasterCtx_ {
1418 
1419  /** enable multi tenant mode */
1421 
1422  /** version, incremented after each 'apply to threads' */
1423  uint32_t version;
1424 
1425  /** list of active detection engines. This list is used to generate the
1426  * threads det_ctx's */
1428 
1429  /** free list, containing detection engines that will be removed but may
1430  * still be referenced by det_ctx's. Freed as soon as all references are
1431  * gone. */
1433 
1434  enum DetectEngineTenantSelectors tenant_selector;
1435 
1436  /** list of tenant mappings. Updated under lock. Used to generate lookup
1437  * structures. */
1439 
1440  /** list of keywords that need thread local ctxs,
1441  * only updated by keyword registration at start up. Not
1442  * covered by the lock. */
1446 
1447 /* Table with all SigMatch registrations */
1449 
1450 /** Remember to add the options in SignatureIsIPOnly() in detect.c, otherwise they won't be part of a signature group */
1451 
/* detection api */
/** \brief Detection engine thread wrapper: the per-packet entry point of the
 *  detect thread module. Defined in detect.c. */
TmEcode Detect(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq);

/** \brief Allocate an empty SigMatch; release it with SigMatchFree(). */
SigMatch *SigMatchAlloc(void);
/** \brief Find a specific signature by sid and gid. Returns NULL when no
 *  signature matches — presumably; confirm against detect.c. */
Signature *SigFindSignatureBySidGid(DetectEngineCtx *, uint32_t, uint32_t);
/* The two lines below are the tail of the declaration of
 * SigMatchSignaturesBuildMatchArray(DetectEngineThreadCtx *, Packet *,
 * SignatureMask, uint16_t); its first line is not shown in this rendering. */
 Packet *, SignatureMask,
 uint16_t);
/** \brief Free a SigMatch allocated with SigMatchAlloc(). Defined in
 *  detect-parse.c. */
void SigMatchFree(SigMatch *sm);

void SigRegisterTests(void);
void TmModuleDetectRegister (void);


/** \brief Create the full path of a rule file, prepending the configured
 *  default-rule-path if one was specified. The returned string is a fresh
 *  char * rather than the input pointer, so it appears to be allocated;
 *  confirm who is responsible for freeing it. */
char *DetectLoadCompleteSigPath(const DetectEngineCtx *, const char *sig_file);
/** \brief Load signatures. The second argument is a non-const char *
 *  (a path or file name, going by the callee name) and the third an int
 *  flag whose meaning is not visible here — confirm against the
 *  definition before calling. */
int SigLoadSignatures (DetectEngineCtx *, char *, int);
/** \brief Wrapper for old tests. */
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx,
 DetectEngineThreadCtx *det_ctx, Packet *p);

/** \brief Test whether an initialized signature is IP only. Keywords that
 *  are compatible with IP-only rules must be listed inside this function
 *  (see the note above). */
int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s);
/** \brief Get the SigGroupHead for a packet. Read-only lookup: both the
 *  engine context and the packet are taken const and the result is const. */
const SigGroupHead *SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx, const Packet *p);


/** \brief Register thread-local keyword context init/free functions.
 *  InitFunc receives `data` and returns the per-thread ctx; FreeFunc is
 *  presumably called on that ctx at thread teardown — confirm. The meaning
 *  of the trailing int is not visible here. */
int DetectRegisterThreadCtxFuncs(DetectEngineCtx *, const char *name, void *(*InitFunc)(void *), void *data, void (*FreeFunc)(void *), int);

/** \brief Apply the signature's action(s) to the packet and set the 'drop'
 *  sig info, if applicable. The third parameter (flags) is unnamed in the
 *  prototype. */
void DetectSignatureApplyActions(Packet *p, const Signature *s, const uint8_t);

/** \brief Allocate the per-thread tx candidate array with `size` entries. */
void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size);



/* events */
/** \brief Record detection engine event `e` on the thread context. */
void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e);
/** \brief Look up a detection engine event by name, returning its id and
 *  type through the out parameters. The declaration continues with an
 *  AppLayerEventType *event_type parameter that this rendering does not
 *  show. */
int DetectEngineGetEventInfo(const char *event_name, int *event_id,
1497 
1498 #include "detect-engine-build.h"
1499 #include "detect-engine-register.h"
1500 
1501 #endif /* __DETECT_H__ */
1502 