suricata
detect-file-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Giuseppe Longo <giuseppelng@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  */
25 
26 #ifdef UNITTESTS
27 
28 #include "../stream-tcp.h"
29 #include "../detect.h"
30 #include "../detect-isdataat.h"
31 
32 static int DetectEngineSMTPFiledataTest01(void)
33 {
34  uint8_t mimemsg[] = {0x4D, 0x49, 0x4D, 0x45, 0x2D, 0x56, 0x65, 0x72,
35  0x73, 0x69, 0x6F, 0x6E, 0x3A, 0x20, 0x31, 0x2E,
36  0x30, 0x0D, 0x0A, 0x43, 0x6F, 0x6E, 0x74, 0x65,
37  0x6E, 0x74, 0x2D, 0x54, 0x79, 0x70, 0x65, 0x3A,
38  0x20, 0x74, 0x65, 0x78, 0x74, 0x2F, 0x70, 0x6C,
39  0x61, 0x69, 0x6E, 0x3B, 0x20, 0x63, 0x68, 0x61,
40  0x72, 0x73, 0x65, 0x74, 0x3D, 0x55, 0x54, 0x46,
41  0x2D, 0x38, 0x3B, 0x0D, 0x0A, 0x43, 0x6F, 0x6E,
42  0x74, 0x65, 0x6E, 0x74, 0x2D, 0x54, 0x72, 0x61,
43  0x6E, 0x73, 0x66, 0x65, 0x72, 0x2D, 0x45, 0x6E,
44  0x63, 0x6F, 0x64, 0x69, 0x6E, 0x67, 0x3A, 0x20,
45  0x37, 0x62, 0x69, 0x74, 0x0D, 0x0A, 0x43, 0x6F,
46  0x6E, 0x74, 0x65, 0x6E, 0x74, 0x2D, 0x44, 0x69,
47  0x73, 0x70, 0x6F, 0x73, 0x69, 0x74, 0x69, 0x6F,
48  0x6E, 0x3A, 0x20, 0x61, 0x74, 0x74, 0x61, 0x63,
49  0x68, 0x6D, 0x65, 0x6E, 0x74, 0x3B, 0x20, 0x66,
50  0x69, 0x6C, 0x65, 0x6E, 0x61, 0x6D, 0x65, 0x3D,
51  0x22, 0x74, 0x65, 0x73, 0x74, 0x2E, 0x74, 0x78,
52  0x74, 0x22, 0x0D, 0x0A, 0x0D, 0x0A, 0x6d, 0x65,
53  0x73, 0x73, 0x61, 0x67, 0x65,};
54  uint32_t mimemsg_len = sizeof(mimemsg) - 1;
55  TcpSession ssn;
56  Packet *p;
57  ThreadVars th_v;
58  DetectEngineCtx *de_ctx = NULL;
59  DetectEngineThreadCtx *det_ctx = NULL;
60  SMTPState *smtp_state = NULL;
61  Flow f;
62  int result = 0;
63 
65 
66  memset(&th_v, 0, sizeof(th_v));
67  memset(&f, 0, sizeof(f));
68  memset(&ssn, 0, sizeof(ssn));
69 
70  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
71 
72  FLOW_INITIALIZE(&f);
73  f.protoctx = (void *)&ssn;
74  f.proto = IPPROTO_TCP;
75  f.flags |= FLOW_IPV4;
76  f.alstate = SMTPStateAlloc();
77 
78  MimeDecParseState *state = MimeDecInitParser(&f, NULL);
79  ((MimeDecEntity *)state->stack->top->data)->ctnt_flags = CTNT_IS_ATTACHMENT;
80  state->body_begin = 1;
81 
82  if (SMTPProcessDataChunk((uint8_t *)mimemsg, sizeof(mimemsg), state) != 0)
83  goto end;
84 
85  p->flow = &f;
90 
92 
93  de_ctx = DetectEngineCtxInit();
94  if (de_ctx == NULL)
95  goto end;
96 
97  de_ctx->flags |= DE_QUIET;
98 
99  de_ctx->sig_list = SigInit(de_ctx, "alert smtp any any -> any any "
100  "(msg:\"file_data smtp test\"; "
101  "file_data; content:\"message\"; sid:1;)");
102  if (de_ctx->sig_list == NULL) {
103  goto end;
104  }
105 
106  SigGroupBuild(de_ctx);
107  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
108 
109  FLOWLOCK_WRLOCK(&f);
110  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SMTP,
112  mimemsg,
113  mimemsg_len);
114  if (r != 0) {
115  printf("AppLayerParse for smtp failed. Returned %d", r);
116  FLOWLOCK_UNLOCK(&f);
117  goto end;
118  }
119  FLOWLOCK_UNLOCK(&f);
120 
121  smtp_state = f.alstate;
122  if (smtp_state == NULL) {
123  printf("no smtp state: ");
124  goto end;
125  }
126 
127  /* do detect */
128  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
129 
130  if (!(PacketAlertCheck(p, 1))) {
131  printf("sid 1 didn't match but should have\n");
132  goto end;
133  }
134 
135  result = 1;
136 
137 end:
138  if (alp_tctx != NULL)
139  AppLayerParserThreadCtxFree(alp_tctx);
140  if (de_ctx != NULL)
141  SigGroupCleanup(de_ctx);
142  if (de_ctx != NULL)
143  SigCleanSignatures(de_ctx);
144 
146  FLOW_DESTROY(&f);
147  UTHFreePackets(&p, 1);
148  return result;
149 }
150 
151 static int DetectEngineSMTPFiledataTest02(void)
152 {
153  Signature *s = NULL;
154  DetectEngineCtx *de_ctx = NULL;
155  int result = 0;
156 
157  de_ctx = DetectEngineCtxInit();
158  if (de_ctx == NULL)
159  goto end;
160 
161  de_ctx->flags |= DE_QUIET;
162 
163  s = DetectEngineAppendSig(de_ctx, "alert smtp any any -> any any "
164  "(msg:\"file_data smtp test\"; "
165  "file_data; content:\"message\"; sid:1;)");
166  if (s == NULL)
167  goto end;
168 
169  if (s->flags & SIG_FLAG_TOSERVER)
170  result = 1;
171  else if (s->flags & SIG_FLAG_TOCLIENT)
172  printf("s->flags & SIG_FLAG_TOCLIENT");
173 
174 end:
175  SigCleanSignatures(de_ctx);
176  DetectEngineCtxFree(de_ctx);
177  return result;
178 
179 }
180 
181 static int DetectEngineSMTPFiledataTest03(void)
182 {
183  uint8_t mimemsg1[] = {0x65, 0x76,};
184  uint8_t mimemsg2[] = {0x69, 0x6C,};
185  uint32_t mimemsg1_len = sizeof(mimemsg1) - 1;
186  uint32_t mimemsg2_len = sizeof(mimemsg2) - 1;
187  TcpSession ssn;
188  Packet *p;
189  ThreadVars th_v;
190  DetectEngineCtx *de_ctx = NULL;
191  DetectEngineThreadCtx *det_ctx = NULL;
192  SMTPState *smtp_state = NULL;
193  Flow f;
194  int result = 1;
195 
197 
198  memset(&th_v, 0, sizeof(th_v));
199  memset(&f, 0, sizeof(f));
200  memset(&ssn, 0, sizeof(ssn));
201 
202  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
203 
204  FLOW_INITIALIZE(&f);
205  f.protoctx = (void *)&ssn;
206  f.proto = IPPROTO_TCP;
207  f.flags |= FLOW_IPV4;
208  f.alstate = SMTPStateAlloc();
209 
210  MimeDecParseState *state = MimeDecInitParser(&f, NULL);
211  ((MimeDecEntity *)state->stack->top->data)->ctnt_flags = CTNT_IS_ATTACHMENT;
212  state->body_begin = 1;
213 
214  if (SMTPProcessDataChunk((uint8_t *)mimemsg1, sizeof(mimemsg1), state) != 0)
215  goto end;
216 
217  if (SMTPProcessDataChunk((uint8_t *)mimemsg2, sizeof(mimemsg2), state) != 0)
218  goto end;
219 
220  p->flow = &f;
224  f.alproto = ALPROTO_SMTP;
225 
227 
228  de_ctx = DetectEngineCtxInit();
229  if (de_ctx == NULL)
230  goto end;
231 
232  de_ctx->flags |= DE_QUIET;
233 
234  de_ctx->sig_list = SigInit(de_ctx, "alert smtp any any -> any any "
235  "(msg:\"file_data smtp test\"; "
236  "file_data; content:\"evil\"; sid:1;)");
237  if (de_ctx->sig_list == NULL) {
238  goto end;
239  }
240 
241  SigGroupBuild(de_ctx);
242  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
243 
244  FLOWLOCK_WRLOCK(&f);
245  int r = 0;
246  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SMTP,
247  STREAM_TOSERVER, mimemsg1, mimemsg1_len);
248  if (r != 0) {
249  printf("AppLayerParse for smtp failed. Returned %d", r);
250  FLOWLOCK_UNLOCK(&f);
251  goto end;
252  }
253  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SMTP,
254  STREAM_TOSERVER, mimemsg2, mimemsg2_len);
255  if (r != 0) {
256  printf("AppLayerParse for smtp failed. Returned %d", r);
257  FLOWLOCK_UNLOCK(&f);
258  goto end;
259  }
260  FLOWLOCK_UNLOCK(&f);
261 
262  smtp_state = f.alstate;
263  if (smtp_state == NULL) {
264  printf("no smtp state: ");
265  goto end;
266  }
267 
268  /* do detect */
269  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
270 
271  if (PacketAlertCheck(p, 1)) {
272  printf("sid 1 matched but shouldn't have\n");
273  goto end;
274  }
275 
276  result = 0;
277 
278 end:
279  if (alp_tctx != NULL)
280  AppLayerParserThreadCtxFree(alp_tctx);
281  if (de_ctx != NULL)
282  SigGroupCleanup(de_ctx);
283  if (de_ctx != NULL)
284  SigCleanSignatures(de_ctx);
285 
287  FLOW_DESTROY(&f);
288  UTHFreePackets(&p, 1);
289  return result == 0;
290 }
291 
292 static int DetectFiledataParseTest01(void)
293 {
294  DetectEngineCtx *de_ctx = NULL;
295  int result = 0;
296 
297  de_ctx = DetectEngineCtxInit();
298  if (de_ctx == NULL)
299  goto end;
300 
301  de_ctx->flags |= DE_QUIET;
302  de_ctx->sig_list = SigInit(de_ctx,
303  "alert smtp any any -> any any "
304  "(msg:\"test\"; file_data; content:\"abc\"; sid:1;)");
305  if (de_ctx->sig_list == NULL) {
306  printf("sig parse failed: ");
307  goto end;
308  }
309 
310  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
311  printf("content is still in FILEDATA list: ");
312  goto end;
313  }
314 
315  if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
316  printf("content not in FILEDATA list: ");
317  goto end;
318  }
319 
320  result = 1;
321 end:
322  SigGroupCleanup(de_ctx);
323  SigCleanSignatures(de_ctx);
324  DetectEngineCtxFree(de_ctx);
325 
326  return result;
327 }
328 
329 static int DetectFiledataParseTest02(void)
330 {
331  DetectEngineCtx *de_ctx = NULL;
332  int result = 0;
333 
334  de_ctx = DetectEngineCtxInit();
335  if (de_ctx == NULL)
336  goto end;
337 
338  de_ctx->flags |= DE_QUIET;
339  de_ctx->sig_list = SigInit(de_ctx,
340  "alert tcp any any -> any any "
341  "(msg:\"test\"; file_data; content:\"abc\"; sid:1;)");
342  if (de_ctx->sig_list == NULL) {
343  printf("sig parse failed: ");
344  goto end;
345  }
346 
347  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
348  printf("content is still in PMATCH list: ");
349  goto end;
350  }
351 
352  if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
353  printf("content not in FILEDATA list: ");
354  goto end;
355  }
356 
357  result = 1;
358 end:
359  SigGroupCleanup(de_ctx);
360  SigCleanSignatures(de_ctx);
361  DetectEngineCtxFree(de_ctx);
362 
363  return result;
364 }
365 
366 static int DetectFiledataParseTest03(void)
367 {
368  DetectEngineCtx *de_ctx = NULL;
369  int result = 0;
370 
371  de_ctx = DetectEngineCtxInit();
372  if (de_ctx == NULL)
373  goto end;
374 
375  de_ctx->flags |= DE_QUIET;
376  de_ctx->sig_list = SigInit(de_ctx,
377  "alert tcp any any -> any 25 "
378  "(msg:\"test\"; flow:to_server,established; file_data; content:\"abc\"; sid:1;)");
379  if (de_ctx->sig_list == NULL) {
380  printf("sig parse failed: ");
381  goto end;
382  }
383 
384  if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
385  printf("content is still in PMATCH list: ");
386  goto end;
387  }
388 
389  if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
390  printf("content not in FILEDATA list: ");
391  goto end;
392  }
393 
394  result = 1;
395 end:
396  SigGroupCleanup(de_ctx);
397  SigCleanSignatures(de_ctx);
398  DetectEngineCtxFree(de_ctx);
399 
400  return result;
401 }
402 
403 /**
404  * \test Test the file_data fails with flow:to_server.
405  */
406 static int DetectFiledataParseTest04(void)
407 {
408  DetectEngineCtx *de_ctx = NULL;
409  int result = 0;
410 
411  de_ctx = DetectEngineCtxInit();
412  if (de_ctx == NULL)
413  goto end;
414 
415  de_ctx->flags |= DE_QUIET;
416  de_ctx->sig_list = SigInit(de_ctx,
417  "alert smtp any any -> any any "
418  "(msg:\"test\"; flow:to_client,established; file_data; content:\"abc\"; sid:1;)");
419  if (de_ctx->sig_list == NULL) {
420  result = 1;
421  }
422 
423 end:
424  SigGroupCleanup(de_ctx);
425  SigCleanSignatures(de_ctx);
426  DetectEngineCtxFree(de_ctx);
427 
428  return result;
429 }
430 
431 /**
432  * \test Test the file_data fails with flow:to_server.
433  */
434 static int DetectFiledataParseTest05(void)
435 {
436  DetectEngineCtx *de_ctx = NULL;
437  int result = 0;
438 
439  de_ctx = DetectEngineCtxInit();
440  if (de_ctx == NULL)
441  goto end;
442 
443  de_ctx->flags |= DE_QUIET;
444  de_ctx->sig_list = SigInit(de_ctx,
445  "alert http any any -> any any "
446  "(msg:\"test\"; flow:to_server,established; file_data; content:\"abc\"; sid:1;)");
447  if (de_ctx->sig_list == NULL) {
448  result = 1;
449  }
450 
451 end:
452  SigGroupCleanup(de_ctx);
453  SigCleanSignatures(de_ctx);
454  DetectEngineCtxFree(de_ctx);
455 
456  return result;
457 }
458 
459 static int DetectFiledataIsdataatParseTest1(void)
460 {
462  FAIL_IF_NULL(de_ctx);
463  de_ctx->flags |= DE_QUIET;
464 
465  Signature *s = DetectEngineAppendSig(de_ctx,
466  "alert tcp any any -> any any ("
467  "file_data; content:\"one\"; "
468  "isdataat:!4,relative; sid:1;)");
469  FAIL_IF_NULL(s);
470 
471  SigMatch *sm = s->init_data->smlists[g_file_data_buffer_id];
472  FAIL_IF_NULL(sm);
474  sm = sm->next;
475  FAIL_IF_NULL(sm);
477 
482 
483  DetectEngineCtxFree(de_ctx);
484  PASS;
485 }
486 
487 static int DetectFiledataIsdataatParseTest2(void)
488 {
490  FAIL_IF_NULL(de_ctx);
491  de_ctx->flags |= DE_QUIET;
492 
493  Signature *s = DetectEngineAppendSig(de_ctx,
494  "alert tcp any any -> any any ("
495  "file_data; "
496  "isdataat:!4,relative; sid:1;)");
497  FAIL_IF_NULL(s);
498 
499  SigMatch *sm = s->init_data->smlists_tail[g_file_data_buffer_id];
500  FAIL_IF_NULL(sm);
502 
507 
508  DetectEngineCtxFree(de_ctx);
509  PASS;
510 }
511 
513 {
514  UtRegisterTest("DetectEngineSMTPFiledataTest01",
515  DetectEngineSMTPFiledataTest01);
516  UtRegisterTest("DetectEngineSMTPFiledataTest02",
517  DetectEngineSMTPFiledataTest02);
518  UtRegisterTest("DetectEngineSMTPFiledataTest03",
519  DetectEngineSMTPFiledataTest03);
520 
521  UtRegisterTest("DetectFiledataParseTest01", DetectFiledataParseTest01);
522  UtRegisterTest("DetectFiledataParseTest02", DetectFiledataParseTest02);
523  UtRegisterTest("DetectFiledataParseTest03", DetectFiledataParseTest03);
524  UtRegisterTest("DetectFiledataParseTest04", DetectFiledataParseTest04);
525  UtRegisterTest("DetectFiledataParseTest05", DetectFiledataParseTest05);
526 
527  UtRegisterTest("DetectFiledataIsdataatParseTest1",
528  DetectFiledataIsdataatParseTest1);
529  UtRegisterTest("DetectFiledataIsdataatParseTest2",
530  DetectFiledataIsdataatParseTest2);
531 }
532 
533 #endif
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
SignatureInitData * init_data
Definition: detect.h:586
struct Flow_ * flow
Definition: decode.h:445
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint32_t flags
Definition: detect.h:518
uint8_t proto
Definition: flow.h:344
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:243
#define PASS
Pass the test.
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Signature * sig_list
Definition: detect.h:762
MimeDecStack * stack
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:203
void SigCleanSignatures(DetectEngineCtx *de_ctx)
#define ISDATAAT_RELATIVE
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:240
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
#define ISDATAAT_RAWBYTES
Signature container.
Definition: detect.h:517
#define TRUE
void * protoctx
Definition: flow.h:400
struct SigMatch_ * next
Definition: detect.h:317
main detection engine ctx
Definition: detect.h:756
void * alstate
Definition: flow.h:438
#define DE_QUIET
Definition: detect.h:287
This represents the MIME Entity (or also top level message) in a child-sibling tree.
#define SIG_FLAG_TOCLIENT
Definition: detect.h:233
uint8_t flags
Definition: detect.h:757
#define ISDATAAT_NEGATED
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
int SMTPProcessDataChunk(const uint8_t *chunk, uint32_t len, MimeDecParseState *state)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
#define STREAM_EOF
Definition: stream.h:30
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1670
#define SIG_FLAG_TOSERVER
Definition: detect.h:232
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
uint8_t flowflags
Definition: decode.h:439
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
struct SigMatch_ ** smlists_tail
Definition: detect.h:513
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
int SigGroupCleanup(DetectEngineCtx *de_ctx)
#define CTNT_IS_ATTACHMENT
uint8_t type
Definition: detect.h:314
struct SigMatch_ ** smlists
Definition: detect.h:511
SigMatchCtx * ctx
Definition: detect.h:316
void DetectFiledataRegisterTests(void)
MimeDecStackNode * top
#define PKT_STREAM_EOF
Definition: decode.h:1089
void * SMTPStateAlloc(void)
MimeDecParseState * MimeDecInitParser(void *data, int(*DataChunkProcessorFunc)(const uint8_t *chunk, uint32_t len, MimeDecParseState *state))
Init the parser by allocating memory for the state and top-level entity.
#define STREAM_START
Definition: stream.h:29
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
#define STREAM_TOSERVER
Definition: stream.h:31
#define PKT_HAS_FLOW
Definition: decode.h:1090
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
Structure contains the current state of the MIME parser.
Per thread variable structure.
Definition: threadvars.h:57
AppProto alproto
application level protocol
Definition: flow.h:409
uint32_t flags
Definition: decode.h:443
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Flow data structure.
Definition: flow.h:325
#define FLOW_IPV4
Definition: flow.h:94
uint32_t flags
Definition: flow.h:379
#define PKT_STREAM_EST
Definition: decode.h:1088
a single match condition for a signature
Definition: detect.h:313
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
DetectEngineCtx * DetectEngineCtxInit(void)
MimeDecEntity * data