1 /* Copyright (C) 2007-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #ifndef __DETECT_H__
25 #define __DETECT_H__
26 
27 #include "suricata-common.h"
28 
29 #include "flow.h"
30 
31 #include "detect-engine-proto.h"
32 #include "detect-reference.h"
33 #include "detect-metadata.h"
34 #include "detect-engine-register.h"
35 #include "packet-queue.h"
36 
37 #include "util-prefilter.h"
38 #include "util-mpm.h"
39 #include "util-spm.h"
40 #include "util-hash.h"
41 #include "util-hashlist.h"
42 #include "util-debug.h"
43 #include "util-error.h"
44 #include "util-radix-tree.h"
45 #include "util-file.h"
46 #include "reputation.h"
47 
48 #include "detect-mark.h"
49 
50 #include "stream.h"
51 
52 #include "util-var-name.h"
53 
54 #include "app-layer-events.h"
55 
/** Upper bound, in bytes, on a single rule (signature) string. Presumably the
 *  size of the buffer rule text is read into — confirm against the rule loader
 *  before treating it as a hard parser limit. */
#define DETECT_MAX_RULE_SIZE 8192

/** Maximum number of transforms that can be attached to one buffer. Sizes the
 *  fixed `transforms[]` arrays in DetectEngineTransforms and SignatureInitData
 *  below, so whatever fills those arrays has to stay below this bound. */
#define DETECT_TRANSFORMS_MAX 16
59 
/* forward declarations for the structures from detect-engine-sigorder.h;
 * presumably only referenced by pointer in this header, so the full
 * definition does not need to be pulled in here */
struct SCSigOrderFunc_;
63 
64 /*
65 
66  The detection engine groups similar signatures/rules together. Internally a
67  tree of different types of data is created on initialization. This is its
68  global layout:
69 
70  For TCP/UDP
71 
72  - Flow direction
73  -- Protocol
74  -=- Src address
75  -==- Dst address
76  -===- Src port
77  -====- Dst port
78 
79  For the other protocols
80 
81  - Flow direction
82  -- Protocol
83  -=- Src address
84  -==- Dst address
85 
86 */
87 
88 /* holds the values for different possible lists in struct Signature.
89  * These codes are access points to particular lists in the array
90  * Signature->sm_lists[DETECT_SM_LIST_MAX]. */
94 
95  /* base64_data keyword uses some hardcoded logic so consider
96  * built-in
97  * TODO convert to inspect engine */
99 
100  /* list for post match actions: flowbit set, flowint increment, etc */
102 
103  DETECT_SM_LIST_TMATCH, /**< post-detection tagging */
104 
105  /* lists for alert thresholding and suppression */
108 
110 
111  /* start of dynamically registered lists */
113 };
114 
/* used for Signature->list, which indicates which list
 * we're adding keywords to in cases of sticky buffers like
 * file_data.
 * INT_MAX is outside the range any real list id takes (the small
 * DETECT_SM_LIST_* enum values and the dynamically registered ids that
 * follow them), and it is an int so SignatureInitData::list can hold it. */
#define DETECT_SM_LIST_NOTSET INT_MAX
119 
120 /*
121  * DETECT ADDRESS
122  */
123 
/* Result of comparing address (range) a with address (range) b:
 * "a is ... than b". In the pictures below 'a' marks a's span and 'b'
 * marks b's. ADDRESS_ER is -1, so the ordered outcomes run 0..6. */
enum {
    ADDRESS_ER = -1, /**< error e.g. compare ipv4 and ipv6 */
    ADDRESS_LT,      /**< smaller [aaa] [bbb] */
    ADDRESS_LE,      /**< smaller with overlap [aa[bab]bb] */
    ADDRESS_EQ,      /**< exactly equal [abababab] */
    ADDRESS_ES,      /**< within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]] */
    ADDRESS_EB,      /**< completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]] */
    ADDRESS_GE,      /**< bigger with overlap [bb[aba]aa] */
    ADDRESS_GT,      /**< bigger [bbb] [aaa] */
};
135 
/* Bits for DetectAddress::flags (a uint8_t). */
#define ADDRESS_FLAG_ANY 0x01 /**< address is "any" */
#define ADDRESS_FLAG_NOT 0x02 /**< address is negated */
138 
139 /** \brief address structure for use in the detection engine.
140  *
141  * Contains the address information and matching information.
142  */
143 typedef struct DetectAddress_ {
144  /** address data for this group */
147 
148  /** flags affecting this address */
149  uint8_t flags;
150 
151  /** ptr to the previous address in the list */
153  /** ptr to the next address in the list */
155 } DetectAddress;
156 
157 /** Signature grouping head. Here 'any', ipv4 and ipv6 are split out */
158 typedef struct DetectAddressHead_ {
163 
164 
165 #include "detect-threshold.h"
166 
167 typedef struct DetectMatchAddressIPv4_ {
168  uint32_t ip; /**< address in host order, start of range */
169  uint32_t ip2; /**< address in host order, end of range */
171 
172 typedef struct DetectMatchAddressIPv6_ {
173  uint32_t ip[4];
174  uint32_t ip2[4];
176 
177 /*
178  * DETECT PORT
179  */
180 
/* Result of comparing port range a with port range b: "a is ... than b".
 * Mirrors the ADDRESS_* enum above, including the -1 error value. */
enum {
    PORT_ER = -1, /* error (the "compare ipv4 and ipv6" wording was inherited
                   * from ADDRESS_ER; what yields PORT_ER for ports is not
                   * shown here — confirm at the compare function) */
    PORT_LT, /* smaller [aaa] [bbb] */
    PORT_LE, /* smaller with overlap [aa[bab]bb] */
    PORT_EQ, /* exactly equal [abababab] */
    PORT_ES, /* within [bb[aaa]bb] and [[abab]bbb] and [bbb[abab]] */
    PORT_EB, /* completely overlaps [aa[bbb]aa] and [[baba]aaa] and [aaa[baba]] */
    PORT_GE, /* bigger with overlap [bb[aba]aa] */
    PORT_GT, /* bigger [bbb] [aaa] */
};
192 
/* Bits for DetectPort::flags (a uint8_t). */
#define PORT_FLAG_ANY 0x01 /**< 'any' special port */
#define PORT_FLAG_NOT 0x02 /**< negated port */
#define PORT_SIGGROUPHEAD_COPY 0x04 /**< sgh is a ptr copy: DetectPort::sh is borrowed and must not be freed together with the port */
196 
/** \brief Port structure for detection engine
 *
 * One node of a doubly linked list of port ranges, each carrying the
 * signature group that applies to it.
 */
typedef struct DetectPort_ {
    uint16_t port;  /**< presumably the first port of the range, by analogy with DetectMatchAddressIPv4::ip */
    uint16_t port2; /**< presumably the last port of the range (see above) */

    uint8_t flags; /**< flags for this port: PORT_FLAG_ANY, PORT_FLAG_NOT, PORT_SIGGROUPHEAD_COPY */

    /* signatures that belong in this group
     *
     * If the PORT_SIGGROUPHEAD_COPY flag is set, we don't own this pointer
     * (memory is freed elsewhere).
     */
    struct SigGroupHead_ *sh;

    struct DetectPort_ *prev; /**< previous node in the list */
    struct DetectPort_ *next; /**< next node in the list */
} DetectPort;
214 
/* Signature flags */
/** \note: additions should be added to the rule analyzer as well */
/* Stored in Signature::flags (uint32_t). Bits 8 and 13-16 are currently
 * unassigned (the "vacancy" markers below); reuse them before widening
 * the field. */

#define SIG_FLAG_SRC_ANY BIT_U32(0) /**< source is any */
#define SIG_FLAG_DST_ANY BIT_U32(1) /**< destination is any */
#define SIG_FLAG_SP_ANY BIT_U32(2) /**< source port is any */
#define SIG_FLAG_DP_ANY BIT_U32(3) /**< destination port is any */

#define SIG_FLAG_NOALERT BIT_U32(4) /**< no alert flag is set */
#define SIG_FLAG_DSIZE BIT_U32(5) /**< signature has a dsize setting */
#define SIG_FLAG_APPLAYER BIT_U32(6) /**< signature applies to app layer instead of packets */
#define SIG_FLAG_IPONLY BIT_U32(7) /**< ip only signature */

// vacancy: bit 8

#define SIG_FLAG_REQUIRE_PACKET BIT_U32(9) /**< signature is requiring packet match */
#define SIG_FLAG_REQUIRE_STREAM BIT_U32(10) /**< signature is requiring stream match */

#define SIG_FLAG_MPM_NEG BIT_U32(11) /**< presumably: the mpm (fast_pattern) content is negated — confirm at the setter */

#define SIG_FLAG_FLUSH BIT_U32(12) /**< detection logic needs stream flush notification */

// vacancies: bits 13-16

#define SIG_FLAG_REQUIRE_FLOWVAR BIT_U32(17) /**< signature can only match if a flowbit, flowvar or flowint is available. */

#define SIG_FLAG_FILESTORE BIT_U32(18) /**< signature has filestore keyword */

#define SIG_FLAG_TOSERVER BIT_U32(19) /**< direction flag; also the value used for the keyword registration `direction` field and SigGroupHeadInitData::direction */
#define SIG_FLAG_TOCLIENT BIT_U32(20) /**< direction flag; see SIG_FLAG_TOSERVER */

#define SIG_FLAG_TLSSTORE BIT_U32(21) /**< presumably set by the tls_store keyword, as SIG_FLAG_FILESTORE is for filestore — confirm */

#define SIG_FLAG_BYPASS BIT_U32(22) /**< presumably set by the bypass keyword — confirm */

#define SIG_FLAG_PREFILTER BIT_U32(23) /**< sig is part of a prefilter engine */

/** Proto detect only signature.
 * Inspected once per direction when protocol detection is done. */
#define SIG_FLAG_PDONLY BIT_U32(24)
/** Info for Source and Target identification */
#define SIG_FLAG_SRC_IS_TARGET BIT_U32(25)
/** Info for Source and Target identification */
#define SIG_FLAG_DEST_IS_TARGET BIT_U32(26)

/** either target flag is set */
#define SIG_FLAG_HAS_TARGET (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET)
261 
/* signature init flags: stored in SignatureInitData::init_flags (uint32_t)
 * and only used while a rule is being parsed and set up. Note these are
 * spelled (1<<n) where the SIG_FLAG_* family above uses BIT_U32(n). */
#define SIG_FLAG_INIT_DEONLY (1<<0) /**< decode event only signature */
#define SIG_FLAG_INIT_PACKET (1<<1) /**< signature has matches against a packet (as opposed to app layer) */
#define SIG_FLAG_INIT_FLOW (1<<2) /**< signature has a flow setting */
#define SIG_FLAG_INIT_BIDIREC (1<<3) /**< signature has bidirectional operator */
#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN (1<<4) /**< signature has seen the first ip_proto keyword */
#define SIG_FLAG_INIT_HAS_TRANSFORM (1<<5) /**< presumably: a transform was added (see SignatureInitData::transforms) — confirm */
#define SIG_FLAG_INIT_STATE_MATCH (1<<6) /**< signature has matches that require stateful inspection */
#define SIG_FLAG_INIT_NEED_FLUSH (1<<7) /**< presumably the init-time origin of SIG_FLAG_FLUSH — confirm */
271 
/* signature mask flags */
/** \note: additions should be added to the rule analyzer as well */
/* Packed into a SignatureMask (uint8_t, below). Bit 6 is the only free bit;
 * a further flag needs either that bit or a wider SignatureMask. */
#define SIG_MASK_REQUIRE_PAYLOAD BIT_U8(0)
#define SIG_MASK_REQUIRE_FLOW BIT_U8(1)
#define SIG_MASK_REQUIRE_FLAGS_INITDEINIT BIT_U8(2) /* SYN, FIN, RST */
#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL BIT_U8(3) /* URG, ECN, CWR */
#define SIG_MASK_REQUIRE_NO_PAYLOAD BIT_U8(4)
#define SIG_MASK_REQUIRE_DCERPC BIT_U8(5) /* require either SMB+DCE or raw DCE */
// vacancy: bit 6
#define SIG_MASK_REQUIRE_ENGINE_EVENT BIT_U8(7)
282 
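/** Bit set of SIG_MASK_REQUIRE_* flags.
 *
 *  For now a uint8_t is enough: the mask flags above occupy bits 0-7 with
 *  only bit 6 free. A typedef replaces the former `#define SignatureMask
 *  uint8_t` so the type is a real identifier (scoped, visible to the
 *  debugger) and has a single place to change if it has to grow. It is the
 *  same underlying type, so existing declarations, casts and sizeof uses
 *  are unaffected.
 */
typedef uint8_t SignatureMask;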
285 
/** Judging by the name, a bit of DetectEngineThreadCtx::flags (uint16_t)
 *  recording that a stream content match occurred for the current packet —
 *  confirm at the setter. */
#define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH 0x0004
287 
/* What a signature needs from a file before it can be evaluated. Presumably
 * the bits of Signature::file_flags (uint8_t) — confirm. All eight bits are
 * in use, so another requirement means widening that field. */
#define FILE_SIG_NEED_FILE 0x01 /**< needs the file itself */
#define FILE_SIG_NEED_FILENAME 0x02 /**< needs the file name */
#define FILE_SIG_NEED_MAGIC 0x04 /**< need the start of the file */
#define FILE_SIG_NEED_FILECONTENT 0x08 /**< needs the file content */
#define FILE_SIG_NEED_MD5 0x10 /**< needs the file's MD5 digest */
#define FILE_SIG_NEED_SHA1 0x20 /**< needs the file's SHA1 digest */
#define FILE_SIG_NEED_SHA256 0x40 /**< needs the file's SHA256 digest */
#define FILE_SIG_NEED_SIZE 0x80 /**< needs the file size */
296 
/* Detection Engine flags: presumably the bits of DetectEngineCtx::flags (uint8_t) */
#define DE_QUIET 0x01 /**< DE is quiet (esp for unittests) */
299 
300 typedef struct IPOnlyCIDRItem_ {
301  /* address data for this item */
302  uint8_t family;
303  /* netmask in CIDR values (ex. /16 /18 /24..) */
304  uint8_t netmask;
305  /* If this host or net is negated for the signum */
306  uint8_t negated;
307 
308  uint32_t ip[4];
309  SigIntId signum; /**< our internal id */
310 
311  /* linked list, the header should be the biggest network */
313 
315 
/** \brief Opaque base type for a SigMatch's keyword-specific context.
 *
 * Each keyword casts SigMatch::ctx to its own struct; a SigMatchCtx should
 * never be dereferenced as-is. The single member presumably exists only
 * because C does not allow an empty struct.
 */
typedef struct SigMatchCtx_ {
    int foo;
} SigMatchCtx;
322 
/** \brief a single match condition for a signature
 *
 * Node of a doubly linked list; the lists themselves are held per
 * DETECT_SM_LIST_* slot in SignatureInitData::smlists.
 */
typedef struct SigMatch_ {
    uint8_t type;     /**< match type; presumably indexes the SigTableElmt keyword table */
    uint16_t idx;     /**< position in the signature, assigned from SignatureInitData::sm_cnt */
    SigMatchCtx *ctx; /**< plugin specific data, cast by the keyword's own code */
    struct SigMatch_ *next;
    struct SigMatch_ *prev;
} SigMatch;
331 
/** \brief Data needed for Match()
 *
 * Compact counterpart of SigMatch without list pointers; the end of a run
 * is marked by is_last instead, so it appears meant for contiguous arrays.
 */
typedef struct SigMatchData_ {
    uint8_t type;     /**< match type */
    uint8_t is_last;  /**< Last element of the list */
    SigMatchCtx *ctx; /**< plugin specific data */
} SigMatchData;
338 
struct DetectEngineThreadCtx_; /* forward declaration; typedef'd as DetectEngineThreadCtx further down */
340 
341 /* inspection buffer is a simple structure that is passed between prefilter,
342  * transformation functions and inspection functions.
343  * Initially set up with 'orig' ptr and len, transformations can then take
344  * them and fill the 'buf'. Multiple transformations can update the buffer,
345  * both growing and shrinking it.
346  * Prefilter and inspection will only deal with 'inspect'. */
347 
348 typedef struct InspectionBuffer {
349  const uint8_t *inspect; /**< active pointer, points either to ::buf or ::orig */
350  uint32_t inspect_len; /**< size of active data. See to ::len or ::orig_len */
351  uint64_t inspect_offset;
352 
353  uint8_t *buf;
354  uint32_t len; /**< how much is in use */
355  uint32_t size; /**< size of the memory allocation */
356 
357  const uint8_t *orig;
358  uint32_t orig_len;
360 
361 /* inspection buffers are kept per tx (in det_ctx), but some protocols
362  * need a bit more. A single TX might have multiple buffers, e.g. files in
363  * SMTP or DNS queries. Since all prefilters+transforms run before the
364  * individual rules need the same buffers, we need a place to store the
365  * transformed data. This array of arrays is that place. */
366 
369  uint32_t size; /**< size in number of elements */
370  uint32_t max:31; /**< max id in use in this run */
371  uint32_t init:1; /**< first time used this run. Used for clean logic */
373 
374 typedef struct DetectEngineTransforms {
375  int transforms[DETECT_TRANSFORMS_MAX];
376  int cnt;
378 
/** callback for getting the buffer we need to prefilter/inspect
 *
 *  \param det_ctx    thread ctx, presumably where the returned buffer lives
 *  \param transforms transforms to apply before handing the data out
 *  \param f          the flow; flow_flags presumably carries the direction
 *  \param txv        app-layer transaction to take the data from
 *  \param list_id    the sticky buffer (sm list) being inspected
 *  \retval buffer, or presumably NULL when there is nothing to inspect — confirm
 */
typedef InspectionBuffer *(*InspectionBufferGetDataPtr)(
        struct DetectEngineThreadCtx_ *det_ctx,
        const DetectEngineTransforms *transforms,
        Flow *f, const uint8_t flow_flags,
        void *txv, const int list_id);
385 
387  struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx,
388  const struct Signature_ *sig, const SigMatchData *smd,
389  Flow *f, uint8_t flags, void *alstate,
390  void *tx, uint64_t tx_id);
391 
393 
/** Inspect engine entry point (v2): runs one app-layer inspection engine for
 *  signature s against transaction txv of flow f. The return value convention
 *  is presumably the \retval list documented in the
 *  DetectEngineAppInspectionEngine struct below (0 no match yet, 1 match,
 *  2 can't match, 3 filestore special) — confirm. */
typedef int (*InspectEngineFuncPtr2)(
        struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx,
        const struct DetectEngineAppInspectionEngine_ *engine,
        const struct Signature_ *s,
        Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
399 
402  uint8_t dir;
403  uint8_t id; /**< per sig id used in state keeping */
404  uint16_t mpm:1;
405  uint16_t stream:1;
406  uint16_t sm_list:14;
407  int16_t progress;
408 
409  /* \retval 0 No match. Don't discontinue matching yet. We need more data.
410  * 1 Match.
411  * 2 Sig can't match.
412  * 3 Special value used by filestore sigs to indicate disabling
413  * filestore for the tx.
414  */
416 
417  struct {
420  /** pointer to the transforms in the 'DetectBuffer entry for this list */
422  } v2;
423 
425 
428 
429 typedef struct DetectBufferType_ {
430  const char *string;
431  const char *description;
432  int id;
434  _Bool mpm;
435  _Bool packet; /**< compat to packet matches */
437  void (*SetupCallback)(const struct DetectEngineCtx_ *, struct Signature_ *);
438  bool (*ValidateCallback)(const struct Signature_ *, const char **sigerror);
441 
#ifdef UNITTESTS
/* Test-build compatibility: the match lists live in SignatureInitData
 * (smlists / smlists_tail), so these macros presumably let unit tests that
 * still write `s->sm_lists` and `s->sm_lists_tail` reach them through
 * init_data. Not defined in production builds. */
#define sm_lists init_data->smlists
#define sm_lists_tail init_data->smlists_tail
#endif
446 
447 typedef struct SignatureInitData_ {
448  /** Number of sigmatches. Used for assigning SigMatch::idx */
449  uint16_t sm_cnt;
450 
451  /** option was prefixed with '!'. Only set for sigmatches that
452  * have the SIGMATCH_HANDLE_NEGATION flag set. */
453  bool negated;
454 
455  /* used to hold flags that are used during init */
456  uint32_t init_flags;
457  /* coccinelle: SignatureInitData:init_flags:SIG_FLAG_INIT_ */
458 
459  /* used at init to determine max dsize */
461 
462  /* the fast pattern added from this signature */
464  /* used to speed up init of prefilter */
466 
467  /* SigMatch list used for adding content and friends. E.g. file_data; */
468  int list;
469  bool list_set;
470 
471  int transforms[DETECT_TRANSFORMS_MAX];
473 
474  /** score to influence rule grouping. A higher value leads to a higher
475  * likelihood of a rulegroup with this sig ending up as a contained
476  * group. */
478 
479  /** address settings for this signature */
481 
483 
485  /* holds all sm lists */
486  struct SigMatch_ **smlists;
487  /* holds all sm lists' tails */
490 
491 /** \brief Signature container */
492 typedef struct Signature_ {
493  uint32_t flags;
494  /* coccinelle: Signature:flags:SIG_FLAG_ */
495 
497 
498  uint16_t dsize_low;
499  uint16_t dsize_high;
500 
502  SigIntId num; /**< signature number, internal id */
503 
504  /** inline -- action */
505  uint8_t action;
506  uint8_t file_flags;
507 
508  /** addresses, ports and proto this sig matches on */
510 
511  /** classification id **/
512  uint8_t class;
513 
514  /** ipv4 match arrays */
521  /** ipv6 match arrays */
524 
525  uint32_t id; /**< sid, set by the 'sid' rule keyword */
526  uint32_t gid; /**< generator id */
527  uint32_t rev;
528  int prio;
529 
530  /** port settings for this signature */
531  DetectPort *sp, *dp;
532 
533 #ifdef PROFILING
534  uint16_t profiling_id;
535 #endif
536 
537  /** netblocks and hosts specified at the sid, in CIDR format */
539 
541 
542  /* Matching structures for the built-ins. The others are in
543  * their inspect engines. */
545 
546  /* memory is still owned by the sm_lists/sm_arrays entry */
548 
549  char *msg;
550 
551  /** classification message */
552  char *class_msg;
553  /** Reference */
555  /** Metadata */
557 
558  char *sig_str;
559 
561 
562  /** ptr to the next sig in the list */
563  struct Signature_ *next;
564 } Signature;
565 
566 /** \brief one time registration of keywords at start up */
568  const char *name;
569  char pname[32]; /**< name used in profiling */
570  int direction; /**< SIG_FLAG_TOSERVER or SIG_FLAG_TOCLIENT */
571  int sm_list;
572 
573  int (*PrefilterRegister)(struct DetectEngineCtx_ *de_ctx,
574  struct SigGroupHead_ *sgh, MpmCtx *mpm_ctx);
575 
576  int priority;
577 
578  struct {
579  int (*PrefilterRegisterWithListId)(struct DetectEngineCtx_ *de_ctx,
580  struct SigGroupHead_ *sgh, MpmCtx *mpm_ctx,
581  const struct DetectMpmAppLayerRegistery_ *mpm_reg, int list_id);
586  } v2;
587 
588  int id; /**< index into this array and result arrays */
589 
592 
593 /** \brief structure for storing per detect engine mpm keyword settings
594  */
597  int32_t sgh_mpm_context; /**< mpm factory id */
599 
600 typedef struct DetectReplaceList_ {
602  uint8_t *found;
605 
/** Values for DetectVarList::type (kind of store candidate).
 *  only execute flowvar storage if rule matched */
#define DETECT_VAR_TYPE_FLOW_POSTMATCH 1 /**< flow var, stored by the post-match function */
#define DETECT_VAR_TYPE_PKT_POSTMATCH 2 /**< pkt var, stored by the post-match function */
609 
610 /** list for flowvar store candidates, to be stored from
611  * post-match function */
612 typedef struct DetectVarList_ {
613  uint32_t idx; /**< flowvar name idx */
614  uint16_t len; /**< data len */
615  uint16_t key_len;
616  int type; /**< type of store candidate POSTMATCH or ALWAYS */
617  uint8_t *key;
618  uint8_t *buffer; /**< alloc'd buffer, may be freed by
619  post-match, post-non-match */
621 } DetectVarList;
622 
624  uint8_t *sig_match_array; /* bit array of sig nums */
625  uint32_t sig_match_size; /* size in bytes of the array */
627 
628 /** \brief IP only rules matching ctx. */
629 typedef struct DetectEngineIPOnlyCtx_ {
630  /* lookup hashes */
631  HashListTable *ht16_src, *ht16_dst;
632  HashListTable *ht24_src, *ht24_dst;
633 
634  /* Lookup trees */
635  SCRadixTree *tree_ipv4src, *tree_ipv4dst;
636  SCRadixTree *tree_ipv6src, *tree_ipv6dst;
637 
638  /* Used to build the radix trees */
640 
641  /* counters */
642  uint32_t a_src_uniq16, a_src_total16;
643  uint32_t a_dst_uniq16, a_dst_total16;
644  uint32_t a_src_uniq24, a_src_total24;
645  uint32_t a_dst_uniq24, a_dst_total24;
646 
647  uint32_t max_idx;
648 
649  uint8_t *sig_init_array; /* bit array of sig nums */
650  uint32_t sig_init_size; /* size in bytes of the array */
651 
652  /* number of sigs in this head */
653  uint32_t sig_cnt;
654  uint32_t *match_array;
656 
657 typedef struct DetectEngineLookupFlow_ {
660  struct SigGroupHead_ *sgh[256];
662 
/* Flow status
 *
 * to server
 * to client
 *
 * i.e. the number of directions a flow has; presumably used to size
 * per-direction arrays. */
#define FLOW_STATES 2
669 
670 /** \brief threshold ctx */
671 typedef struct ThresholdCtx_ {
672  SCMutex threshold_table_lock; /**< Mutex for hash table */
673 
674  /** to support rate_filter "by_rule" option */
676  uint32_t th_size;
677 } ThresholdCtx;
678 
679 typedef struct SigString_ {
680  char *filename;
681  char *sig_str;
682  char *sig_error;
683  int line;
685 } SigString;
686 
687 /** \brief Signature loader statistics */
688 typedef struct SigFileLoaderStat_ {
689  TAILQ_HEAD(, SigString_) failed_sigs;
695 
697  void *(*InitFunc)(void *);
698  void (*FreeFunc)(void *);
699  void *data;
701  int id;
702  const char *name; /* keyword name, for error printing */
704 
706 {
707  DETECT_PREFILTER_MPM = 0, /**< use only mpm / fast_pattern */
708  DETECT_PREFILTER_AUTO = 1, /**< use mpm + keyword prefilters */
709 };
710 
712 {
714  DETECT_ENGINE_TYPE_DD_STUB = 1, /* delayed detect stub: can be reloaded */
715  DETECT_ENGINE_TYPE_MT_STUB = 2, /* multi-tenant stub: cannot be reloaded */
717 };
718 
719 /** \brief main detection engine ctx */
720 typedef struct DetectEngineCtx_ {
721  uint8_t flags;
723 
725 
727  uint32_t sig_cnt;
728 
729  /* version of the srep data */
730  uint32_t srep_version;
731 
732  /* reputation for netblocks */
734 
736  uint32_t sig_array_size; /* size in bytes */
737  uint32_t sig_array_len; /* size in array members */
738 
739  uint32_t signum;
740 
741  /** Maximum value of all our sgh's non_mpm_store_cnt setting,
742  * used to alloc det_ctx::non_mpm_id_array */
744 
745  /* used by the signature ordering module */
747 
748  /* hash table used for holding the classification config info */
750  /* hash table used for holding the reference config info */
752 
753  /* main sigs */
755 
756  uint32_t gh_unique, gh_reuse;
757 
758  /* init phase vars */
760 
762 
763  /* hash table used to cull out duplicate sigs */
765 
768 
769  uint16_t mpm_matcher; /**< mpm matcher this ctx uses */
770  uint16_t spm_matcher; /**< spm matcher this ctx uses */
771 
772  /* spm thread context prototype, built as spm matchers are constructed and
773  * later used to construct thread context for each thread. */
775 
776  /* Config options */
777 
780 
781  /* specify the configuration for mpm context factory */
783 
784  /* max flowbit id that is used */
785  uint32_t max_fb_id;
786 
787  uint32_t max_fp_id;
788 
790 
791  /* maximum recursion depth for content inspection */
793 
794  /* conf parameter that limits the length of the http request body inspected */
796  /* conf parameter that limits the length of the http response body inspected */
798 
799  /* array containing all sgh's in use so we can loop
800  * through it in Stage4. */
802  uint32_t sgh_array_cnt;
803  uint32_t sgh_array_size;
804 
809 
810  /* the max local id used amongst all sigs */
812 
813  /** version of the detect engine */
814  uint32_t version;
815 
816  /** sgh for signatures that match against invalid packets. In those cases
817  * we can't lookup by proto, address, port as we don't have these */
819 
820  /* Maximum size of the buffer for decoded base64 data. */
822 
823  /** Store rule file and line so that parsers can use them in errors. */
824  char *rule_file;
826  const char *sigerror;
827 
828  /** list of keywords that need thread local ctxs */
831 
832  struct {
833  uint32_t content_limit;
836  } filedata_config[ALPROTO_MAX];
838 
839 #ifdef PROFILING
846 #endif
847  uint32_t prefilter_maxid;
848 
849  char config_prefix[64];
850 
852 
853  /** how many de_ctx' are referencing this */
854  uint32_t ref_cnt;
855  /** list in master: either active or freelist */
857 
858  /** id of loader thread 'owning' this de_ctx */
860 
861  /** are we using just mpm or also other prefilters */
863 
865 
868 
869  /** table for storing the string representation with the parsers result */
871 
872  /** table to store metadata keys and values */
874 
877 
878  /* hash table with rule-time buffer registration. Start time registration
879  * is in detect-engine.c::g_buffer_type_hash */
882 
883  /* list with app inspect engines. Both the start-time registered ones and
884  * the rule-time registered ones. */
888 
889  uint32_t prefilter_id;
891 
892  /** table with mpms and their registration function
893  * \todo we only need this at init, so perhaps this
894  * can move to a DetectEngineCtx 'init' struct */
896 
897  /** time of last ruleset reload */
898  struct timeval last_reload;
899 
900  /** signatures stats */
902 
903  /** per keyword flag indicating if a prefilter has been
904  * set for it. If true, the setup function will have to
905  * run. */
906  bool sm_types_prefilter[DETECT_TBLSIZE];
907 
909 
910 /* Engine groups profiles (low, medium, high, custom) */
911 enum {
918 };
919 
920 /* Siggroup mpm context profile */
921 enum {
925 };
926 
927 typedef struct HttpReassembledBody_ {
928  const uint8_t *buffer;
930  uint32_t buffer_size; /**< size of the buffer itself */
931  uint32_t buffer_len; /**< data len in the buffer */
933  uint64_t offset; /**< data offset */
935 
/** Capacity of DetectEngineThreadCtx::filestore[]: the number of (file id,
 *  tx id) pairs the filestore keyword can queue before the post-match
 *  filestore function processes them. DetectEngineThreadCtx::filestore_cnt
 *  counts the entries in use and must never exceed this value. */
#define DETECT_FILESTORE_MAX 15
937 
941  uint8_t alproto;
943 
944 /** array of TX inspect rule candidates */
945 typedef struct RuleMatchCandidateTx {
946  SigIntId id; /**< internal signature id */
947  uint32_t *flags; /**< inspect flags ptr */
948  union {
949  struct {
951  uint8_t stream_result;
952  };
953  uint32_t stream_reset;
954  };
955 
956  const Signature *s; /**< ptr to sig */
958 
959 /**
960  * Detection engine thread data.
961  */
962 typedef struct DetectEngineThreadCtx_ {
963  /** \note multi-tenant hash lookup code from Detect() *depends*
964  * on this being the first member */
965  uint32_t tenant_id;
966 
967  /** ticker that is incremented once per packet. */
968  uint64_t ticker;
969 
970  /* the thread to which this detection engine thread belongs */
972 
974  uint32_t non_pf_id_cnt; // size is cnt * sizeof(uint32_t)
975 
976  uint32_t mt_det_ctxs_cnt;
979 
982 
983  uint32_t (*TenantGetId)(const void *, const Packet *p);
984 
985  /* detection engine variables */
986 
988 
989  /** offset into the payload of the last match by:
990  * content, pcre, etc */
991  uint32_t buffer_offset;
992  /* used by pcre match function alone */
994 
995  /* counter for the filestore array below -- up here for cache reasons. */
996  uint16_t filestore_cnt;
997 
998  /** id for alert counter */
999  uint16_t counter_alerts;
1000 #ifdef PROFILING
1005 #endif
1006 
1007  int inspect_list; /**< list we're currently inspecting, DETECT_SM_LIST_* */
1008 
1009  struct {
1011  uint32_t buffers_size; /**< in number of elements */
1012  uint32_t to_clear_idx;
1013  uint32_t *to_clear_queue;
1014  } inspect;
1015 
1016  struct {
1017  /** inspection buffers for more complex case. As we can inspect multiple
1018  * buffers in parallel, we need this extra wrapper struct */
1020  uint32_t buffers_size; /**< in number of elements */
1021  uint32_t to_clear_idx;
1022  uint32_t *to_clear_queue;
1023  } multi_inspect;
1024 
1025  /* used to discontinue any more matching */
1027  uint16_t flags;
1028 
1029  /* bool: if tx_id is set, this is 1, otherwise 0 */
1030  uint16_t tx_id_set;
1031  /** ID of the transaction currently being inspected. */
1032  uint64_t tx_id;
1034 
1035  SC_ATOMIC_DECLARE(int, so_far_used_by_detect);
1036 
1037  /* holds the current recursion depth on content inspection */
1039 
1040  /** array of signature pointers we're going to inspect in the detection
1041  * loop. */
1043  /** size of the array in items (mem size if * sizeof(Signature *)
1044  * Only used during initialization. */
1046  /** size in use */
1048 
1051 
1054 
1055  /** pointer to the current mpm ctx that is stored
1056  * in a rule group head -- can be either a content
1057  * or uricontent ctx. */
1058  MpmThreadCtx mtc; /**< thread ctx for the mpm */
1059  MpmThreadCtx mtcu; /**< thread ctx for uricontent mpm */
1060  MpmThreadCtx mtcs; /**< thread ctx for stream mpm */
1062 
1063  /** SPM thread context used for scanning. This has been cloned from the
1064  * prototype held by DetectEngineCtx. */
1066 
1067  /** ip only rules ctx */
1069 
1070  /* byte jump values */
1071  uint64_t *bj_values;
1072 
1073  /* string to replace */
1075  /* vars to store in post match function */
1077 
1078  /* Array in which the filestore keyword stores file id and tx id. If the
1079  * full signature matches, these are processed by a post-match filestore
1080  * function to finalize the store. */
1081  struct {
1082  uint32_t file_id;
1083  uint64_t tx_id;
1084  } filestore[DETECT_FILESTORE_MAX];
1085 
1087  /** store for keyword contexts that need a per thread storage. Per de_ctx. */
1090  /** store for keyword contexts that need a per thread storage. Global. */
1093 
1094  uint8_t *base64_decoded;
1097 
1099  uint16_t events;
1100 
1101 #ifdef DEBUG
1102  uint64_t pkt_stream_add_cnt;
1103  uint64_t payload_mpm_cnt;
1104  uint64_t payload_mpm_size;
1105  uint64_t stream_mpm_cnt;
1106  uint64_t stream_mpm_size;
1107  uint64_t payload_persig_cnt;
1108  uint64_t payload_persig_size;
1109  uint64_t stream_persig_cnt;
1110  uint64_t stream_persig_size;
1111 #endif
1112 #ifdef PROFILING
1117  int keyword_perf_list; /**< list we're currently inspecting, DETECT_SM_LIST_* */
1119 
1122 #endif
1124 
/** \brief element in sigmatch type table.
 *
 * One entry per rule keyword: how to parse it, how to match it and how it
 * can take part in prefiltering. SigMatch::type presumably indexes this
 * table (see DETECT_TBLSIZE). Callbacks a keyword does not support are
 * presumably left NULL — confirm at the call sites.
 */
typedef struct SigTableElmt_ {
    /** Packet match function pointer */
    int (*Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *);

    /** AppLayer TX match function pointer */
    int (*AppLayerTxMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *,
            uint8_t flags, void *alstate, void *txv,
            const Signature *, const SigMatchCtx *);

    /** File match function pointer */
    int (*FileMatch)(ThreadVars *, /**< thread local vars */
            DetectEngineThreadCtx *,
            Flow *, /**< *LOCKED* flow */
            uint8_t flags, File *, const Signature *, const SigMatchCtx *);

    /** InspectionBuffer transformation callback. Works on the buffer in
     *  place; per the InspectionBuffer notes it may grow or shrink it. */
    void (*Transform)(InspectionBuffer *);

    /** keyword setup function pointer. The const char * is presumably the
     *  keyword's option string taken from the rule text, so it is input the
     *  callback must validate before use. */
    int (*Setup)(DetectEngineCtx *, Signature *, const char *);

    /** can this keyword act as a prefilter for signature s? Presumably tied
     *  to SIG_FLAG_PREFILTER and DetectEngineCtx::sm_types_prefilter.
     *  NOTE(review): spelled _Bool here while ValidateCallback in
     *  DetectBufferType uses bool — same type, inconsistent spelling. */
    _Bool (*SupportsPrefilter)(const Signature *s);
    /** register the keyword's prefilter engine on a signature group head */
    int (*SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh);

    /** frees the keyword's context, presumably the SigMatchCtx created by Setup */
    void (*Free)(void *);
    /** registers the keyword's unit tests */
    void (*RegisterTests)(void);

    uint16_t flags; /**< SIGMATCH_* bits (NOOPT, IPONLY_COMPAT, DEONLY_COMPAT, ...) */
    /* coccinelle: SigTableElmt:flags:SIGMATCH_ */

    /** better keyword to replace the current one */
    uint16_t alternative;

    const char *name;  /**< keyword name as written in rules */
    const char *alias; /**< name alias */
    const char *desc;  /**< short description */
    const char *url;   /**< documentation url */

} SigTableElmt;
1166 
1167 /* event code */
1168 enum {
1169 #ifdef UNITTESTS
1171 #endif
1186 };
1187 
/* SigGroupHead::flags bits (uint32_t). Only bit 0 and bits 20-24 are defined
 * here. HAVEFILEMAGIC only exists in HAVE_MAGIC builds, so code that tests it
 * has to sit under the same #ifdef. The HAVEFILE* bits presumably mean the
 * group holds at least one sig with the matching FILE_SIG_NEED_* need —
 * confirm where the sgh is built. */
#define SIG_GROUP_HEAD_HAVERAWSTREAM BIT_U32(0)
#ifdef HAVE_MAGIC
#define SIG_GROUP_HEAD_HAVEFILEMAGIC BIT_U32(20)
#endif
#define SIG_GROUP_HEAD_HAVEFILEMD5 BIT_U32(21)
#define SIG_GROUP_HEAD_HAVEFILESIZE BIT_U32(22)
#define SIG_GROUP_HEAD_HAVEFILESHA1 BIT_U32(23)
#define SIG_GROUP_HEAD_HAVEFILESHA256 BIT_U32(24)
1196 
1206 };
1207 
1208 typedef struct MpmStore_ {
1209  uint8_t *sid_array;
1210  uint32_t sid_array_size;
1211 
1213  enum MpmBuiltinBuffers buffer;
1214  int sm_list;
1216 
1218 
1219 } MpmStore;
1220 
1221 typedef struct PrefilterEngineList_ {
1222  uint16_t id;
1223 
1224  /** App Proto this engine applies to: only used with Tx Engines */
1226  /** Minimal Tx progress we need before running the engine. Only used
1227  * with Tx Engine */
1229 
1230  /** Context for matching. Might be MpmCtx for MPM engines, other ctx'
1231  * for other engines. */
1232  void *pectx;
1233 
1234  void (*Prefilter)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx);
1235  void (*PrefilterTx)(DetectEngineThreadCtx *det_ctx, const void *pectx,
1236  Packet *p, Flow *f, void *tx,
1237  const uint64_t idx, const uint8_t flags);
1238 
1240 
1241  /** Free function for pectx data. If NULL the memory is not freed. */
1242  void (*Free)(void *pectx);
1243 
1244  const char *name;
1245  /* global id for this prefilter */
1246  uint32_t gid;
1248 
1249 typedef struct PrefilterEngine_ {
1250  uint16_t local_id;
1251 
1252  /** App Proto this engine applies to: only used with Tx Engines */
1254  /** Minimal Tx progress we need before running the engine. Only used
1255  * with Tx Engine */
1257 
1258  /** Context for matching. Might be MpmCtx for MPM engines, other ctx'
1259  * for other engines. */
1260  void *pectx;
1261 
1262  union {
1263  void (*Prefilter)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx);
1264  void (*PrefilterTx)(DetectEngineThreadCtx *det_ctx, const void *pectx,
1265  Packet *p, Flow *f, void *tx,
1266  const uint64_t idx, const uint8_t flags);
1267  } cb;
1268 
1269  /* global id for this prefilter */
1270  uint32_t gid;
1271  int is_last;
1272 } PrefilterEngine;
1273 
1274 typedef struct SigGroupHeadInitData_ {
1275  MpmStore mpm_store[MPMB_MAX];
1276 
1277  uint8_t *sig_array; /**< bit array of sig nums (internal id's) */
1278  uint32_t sig_size; /**< size in bytes */
1279 
1280  uint8_t protos[256]; /**< proto(s) this sgh is for */
1281  uint32_t direction; /**< set to SIG_FLAG_TOSERVER, SIG_FLAG_TOCLIENT or both */
1282  int whitelist; /**< try to make this group a unique one */
1283 
1285 
1289 
1290  /* port ptr */
1293 
1294 /** \brief Container for matching data for a signature group */
1295 typedef struct SigGroupHead_ {
1296  uint32_t flags;
1297  /* coccinelle: SigGroupHead:flags:SIG_GROUP_HEAD_ */
1298 
1299  /* number of sigs in this head */
1301 
1302  /* non prefilter list excluding SYN rules */
1305  SignatureNonPrefilterStore *non_pf_other_store_array; // size is non_pf_other_store_cnt * sizeof(SignatureNonPrefilterStore)
1306  /* non prefilter list including SYN rules */
1307  SignatureNonPrefilterStore *non_pf_syn_store_array; // size is non_pf_syn_store_cnt * sizeof(SignatureNonPrefilterStore)
1308 
1309  /** the number of signatures in this sgh that have the filestore keyword
1310  * set. */
1311  uint16_t filestore_cnt;
1312 
1313  uint32_t id; /**< unique id used to index sgh_array for stats */
1314 
1318 
1319  /** Array with sig ptrs... size is sig_cnt * sizeof(Signature *) */
1321 
1322  /* ptr to our init data we only use at... init :) */
1324 
1325 } SigGroupHead;
1326 
1327 /** sigmatch has no options, so the parser shouldn't expect any */
1328 #define SIGMATCH_NOOPT BIT_U16(0)
1329 /** sigmatch is compatible with a ip only rule */
1330 #define SIGMATCH_IPONLY_COMPAT BIT_U16(1)
1331 /** sigmatch is compatible with a decode event only rule */
1332 #define SIGMATCH_DEONLY_COMPAT BIT_U16(2)
1333 /** Flag to indicate that the signature is not built-in */
1334 #define SIGMATCH_NOT_BUILT BIT_U16(3)
1335 /** sigmatch may have options, so the parser should be ready to
1336  * deal with both cases */
1337 #define SIGMATCH_OPTIONAL_OPT BIT_U16(4)
1338 /** input may be wrapped in double quotes. They will be stripped before
1339  * input data is passed to keyword parser */
1340 #define SIGMATCH_QUOTES_OPTIONAL BIT_U16(5)
1341 /** input MUST be wrapped in double quotes. They will be stripped before
1342  * input data is passed to keyword parser. Missing double quotes lead to
1343  * error and signature invalidation. */
1344 #define SIGMATCH_QUOTES_MANDATORY BIT_U16(6)
1345 /** negation parsing is handled by the rule parser. Signature::init_data::negated
1346  * will be set to true or false prior to calling the keyword parser. Exclamation
1347  * mark is stripped from the input to the keyword parser. */
1348 #define SIGMATCH_HANDLE_NEGATION BIT_U16(7)
1349 /** keyword is a content modifier */
1350 #define SIGMATCH_INFO_CONTENT_MODIFIER BIT_U16(8)
1351 /** keyword is a sticky buffer */
1352 #define SIGMATCH_INFO_STICKY_BUFFER BIT_U16(9)
1353 
1355 {
1356  TENANT_SELECTOR_UNKNOWN = 0, /**< not set */
1357  TENANT_SELECTOR_DIRECT, /**< method provides direct tenant id */
1358  TENANT_SELECTOR_VLAN, /**< map vlan to tenant id */
1359  TENANT_SELECTOR_LIVEDEV, /**< map livedev to tenant id */
1360 };
1361 
1363  uint32_t tenant_id;
1364 
1365  /* traffic id that maps to the tenant id */
1366  uint32_t traffic_id;
1367 
1370 
1371 typedef struct DetectEngineMasterCtx_ {
1373 
1374  /** enable multi tenant mode */
1376 
1377  /** version, incremented after each 'apply to threads' */
1378  uint32_t version;
1379 
1380  /** list of active detection engines. This list is used to generate the
1381  * threads det_ctx's */
1383 
1384  /** free list, containing detection engines that will be removed but may
1385  * still be referenced by det_ctx's. Freed as soon as all references are
1386  * gone. */
1388 
1389  enum DetectEngineTenantSelectors tenant_selector;
1390 
1391  /** list of tenant mappings. Updated under lock. Used to generate lookup
1392  * structures. */
1394 
1395  /** list of keywords that need thread local ctxs,
1396  * only updated by keyword registration at start up. Not
1397  * covered by the lock. */
1401 
1402 /* Table with all SigMatch registrations */
1404 
1405 /** Remember to add the options in SignatureIsIPOnly() in detect.c, otherwise it won't be part of a signature group */
1406 
1407 /* detection api */
1408 TmEcode Detect(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq);
1409 
1410 SigMatch *SigMatchAlloc(void);
1411 Signature *SigFindSignatureBySidGid(DetectEngineCtx *, uint32_t, uint32_t);
1413  Packet *, SignatureMask,
1414  uint16_t);
1415 void SigMatchFree(SigMatch *sm);
1416 
1417 void SigRegisterTests(void);
1418 void TmModuleDetectRegister (void);
1419 
1421 
1423 char *DetectLoadCompleteSigPath(const DetectEngineCtx *, const char *sig_file);
1424 int SigLoadSignatures (DetectEngineCtx *, char *, int);
1425 void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx,
1426  DetectEngineThreadCtx *det_ctx, Packet *p);
1427 
1428 int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s);
1429 const SigGroupHead *SigMatchSignaturesGetSgh(const DetectEngineCtx *de_ctx, const Packet *p);
1430 
1432 
1433 
1434 int DetectRegisterThreadCtxFuncs(DetectEngineCtx *, const char *name, void *(*InitFunc)(void *), void *data, void (*FreeFunc)(void *), int);
1436 
1437 void DetectSignatureApplyActions(Packet *p, const Signature *s, const uint8_t);
1438 
1439 void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size);
1441 
1443 
1446 
1447 /* events */
1448 void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e);
1450 int DetectEngineGetEventInfo(const char *event_name, int *event_id,
1452 
1453 #include "detect-engine-build.h"
1454 #include "detect-engine-register.h"
1455 
1456 #endif /* __DETECT_H__ */
1457 