• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

OISF / suricata / 22670973087

04 Mar 2026 01:15PM UTC coverage: 73.661% (+31.4%) from 42.258%
22670973087

Pull #14939

github

web-flow
Merge c9ac53dc3 into 8df4e1001
Pull Request #14939: Stack 8001 v14

38294 of 77534 branches covered (49.39%)

Branch coverage included in aggregate %.

11 of 13 new or added lines in 5 files covered. (84.62%)

14 existing lines in 6 files now uncovered.

265663 of 335110 relevant lines covered (79.28%)

5049209.51 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

70.46
/src/detect-engine.c
1
/* Copyright (C) 2007-2022 Open Information Security Foundation
2
 *
3
 * You can copy, redistribute or modify this Program under the terms of
4
 * the GNU General Public License version 2 as published by the Free
5
 * Software Foundation.
6
 *
7
 * This program is distributed in the hope that it will be useful,
8
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
10
 * GNU General Public License for more details.
11
 *
12
 * You should have received a copy of the GNU General Public License
13
 * version 2 along with this program; if not, write to the Free Software
14
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15
 * 02110-1301, USA.
16
 */
17

18
/**
19
 * \file
20
 *
21
 * \author Victor Julien <victor@inliniac.net>
22
 */
23

24
#include "suricata-common.h"
25
#include "suricata.h"
26
#include "detect.h"
27
#include "flow.h"
28
#include "flow-private.h"
29
#include "flow-util.h"
30
#include "flow-worker.h"
31
#include "conf.h"
32
#include "conf-yaml-loader.h"
33
#include "datasets.h"
34

35
#include "app-layer-parser.h"
36
#include "app-layer-events.h"
37
#include "app-layer-htp.h"
38

39
#include "detect-parse.h"
40
#include "detect-engine-sigorder.h"
41

42
#include "detect-engine-build.h"
43
#include "detect-engine-siggroup.h"
44
#include "detect-engine-address.h"
45
#include "detect-engine-port.h"
46
#include "detect-engine-prefilter.h"
47
#include "detect-engine-mpm.h"
48
#include "detect-engine-iponly.h"
49
#include "detect-engine-tag.h"
50
#include "detect-engine-frame.h"
51

52
#include "detect-engine-file.h"
53

54
#include "detect-engine.h"
55
#include "detect-engine-state.h"
56
#include "detect-engine-payload.h"
57
#include "detect-fast-pattern.h"
58
#include "detect-byte-extract.h"
59
#include "detect-content.h"
60
#include "detect-uricontent.h"
61
#include "detect-tcphdr.h"
62
#include "detect-engine-threshold.h"
63
#include "detect-engine-content-inspection.h"
64

65
#include "detect-engine-loader.h"
66

67
#include "detect-engine-alert.h"
68

69
#include "util-classification-config.h"
70
#include "util-reference-config.h"
71
#include "util-threshold-config.h"
72
#include "util-error.h"
73
#include "util-hash.h"
74
#include "util-byte.h"
75
#include "util-debug.h"
76
#include "util-unittest.h"
77
#include "util-action.h"
78
#include "util-magic.h"
79
#include "util-signal.h"
80
#include "util-spm.h"
81
#include "util-device-private.h"
82
#include "util-var-name.h"
83
#include "util-path.h"
84
#include "util-profiling.h"
85
#include "util-validate.h"
86
#include "util-hash-string.h"
87
#include "util-enum.h"
88
#include "util-conf.h"
89

90
#include "tm-threads.h"
91
#include "runmodes.h"
92

93
#include "reputation.h"
94

95
#define DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT 3000
38,854✔
96

97
static int DetectEngineCtxLoadConf(DetectEngineCtx *);
98

99
static DetectEngineMasterCtx g_master_de_ctx = { SCMUTEX_INITIALIZER,
100
    0, 99, NULL, NULL, TENANT_SELECTOR_UNKNOWN, NULL, NULL, 0};
101

102
static uint32_t TenantIdHash(HashTable *h, void *data, uint16_t data_len);
103
static char TenantIdCompare(void *d1, uint16_t d1_len, void *d2, uint16_t d2_len);
104
static void TenantIdFree(void *d);
105
static uint32_t DetectEngineTenantGetIdFromLivedev(const void *ctx, const Packet *p);
106
static uint32_t DetectEngineTenantGetIdFromVlanId(const void *ctx, const Packet *p);
107
static uint32_t DetectEngineTenantGetIdFromPcap(const void *ctx, const Packet *p);
108

109
static bool DetectEngineMultiTenantEnabledWithLock(void);
110
static DetectEngineAppInspectionEngine *g_app_inspect_engines = NULL;
111
static DetectEnginePktInspectionEngine *g_pkt_inspect_engines = NULL;
112
static DetectEngineFrameInspectionEngine *g_frame_inspect_engines = NULL;
113

114
// clang-format off
115
// rule types documentation tag start: SignatureProperties
116
const struct SignatureProperties signature_properties[SIG_TYPE_MAX] = {
117
    /* SIG_TYPE_NOT_SET */      { SIG_PROP_FLOW_ACTION_PACKET, },
118
    /* SIG_TYPE_IPONLY */       { SIG_PROP_FLOW_ACTION_FLOW, },
119
    /* SIG_TYPE_LIKE_IPONLY */  { SIG_PROP_FLOW_ACTION_FLOW, },
120
    /* SIG_TYPE_PDONLY */       { SIG_PROP_FLOW_ACTION_FLOW, },
121
    /* SIG_TYPE_DEONLY */       { SIG_PROP_FLOW_ACTION_PACKET, },
122
    /* SIG_TYPE_PKT */          { SIG_PROP_FLOW_ACTION_PACKET, },
123
    /* SIG_TYPE_PKT_STREAM */   { SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL, },
124
    /* SIG_TYPE_STREAM */       { SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL, },
125
    /* SIG_TYPE_APPLAYER */     { SIG_PROP_FLOW_ACTION_FLOW, },
126
    /* SIG_TYPE_APP_TX */       { SIG_PROP_FLOW_ACTION_FLOW, },
127
};
128
// rule types documentation tag end: SignatureProperties
129
// clang-format on
130

131
const char *DetectTableToString(enum DetectTable table)
132
{
×
133
    switch (table) {
×
134
        case DETECT_TABLE_NOT_SET:
×
135
            return "not_set";
×
136
        case DETECT_TABLE_PACKET_PRE_FLOW:
×
137
            return "pre_flow";
×
138
        case DETECT_TABLE_PACKET_PRE_STREAM:
×
139
            return "pre_stream";
×
140
        case DETECT_TABLE_PACKET_FILTER:
×
141
            return "packet_filter";
×
142
        case DETECT_TABLE_PACKET_TD:
×
143
            return "packet_td";
×
144
        case DETECT_TABLE_APP_FILTER:
×
145
            return "app_filter";
×
146
        case DETECT_TABLE_APP_TD:
×
147
            return "app_td";
×
148
        default:
×
149
            return "unknown";
×
150
    }
×
151
}
×
152

153
/** \brief register inspect engine at start up time
154
 *
155
 *  \note errors are fatal */
156
void DetectPktInspectEngineRegister(const char *name,
157
        InspectionBufferGetPktDataPtr GetPktData,
158
        InspectionBufferPktInspectFunc Callback)
159
{
19,737✔
160
    DetectBufferTypeRegister(name);
19,737✔
161
    const int sm_list = DetectBufferTypeGetByName(name);
19,737✔
162
    if (sm_list == -1) {
19,737!
163
        FatalError("failed to register inspect engine %s", name);
×
164
    }
×
165

166
    if ((sm_list < DETECT_SM_LIST_MATCH) || (sm_list >= SHRT_MAX) ||
19,737!
167
        (Callback == NULL))
19,737!
168
    {
×
169
        SCLogError("Invalid arguments");
×
170
        BUG_ON(1);
×
171
    }
×
172

173
    DetectEnginePktInspectionEngine *new_engine = SCCalloc(1, sizeof(*new_engine));
19,737✔
174
    if (unlikely(new_engine == NULL)) {
19,737!
175
        FatalError("failed to register inspect engine %s: %s", name, strerror(errno));
×
176
    }
×
177
    new_engine->sm_list = (uint16_t)sm_list;
19,737✔
178
    new_engine->sm_list_base = (uint16_t)sm_list;
19,737✔
179
    new_engine->v1.Callback = Callback;
19,737✔
180
    new_engine->v1.GetData = GetPktData;
19,737✔
181

182
    if (g_pkt_inspect_engines == NULL) {
19,737✔
183
        g_pkt_inspect_engines = new_engine;
2,193✔
184
    } else {
17,544✔
185
        DetectEnginePktInspectionEngine *t = g_pkt_inspect_engines;
17,544✔
186
        while (t->next != NULL) {
78,948✔
187
            t = t->next;
61,404✔
188
        }
61,404✔
189

190
        t->next = new_engine;
17,544✔
191
    }
17,544✔
192
}
19,737✔
193

194
/** \brief register inspect engine at start up time
195
 *
196
 *  \note errors are fatal */
197
static void AppLayerInspectEngineRegisterInternal(const char *name, AppProto alproto, uint32_t dir,
198
        int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData,
199
        InspectionSingleBufferGetDataPtr GetDataSingle,
200
        InspectionMultiBufferGetDataPtr GetMultiData)
201
{
1,504,358✔
202
    BUG_ON(progress >= 48);
1,504,358!
203

204
    DetectBufferTypeRegister(name);
1,504,358✔
205
    const int sm_list = DetectBufferTypeGetByName(name);
1,504,358✔
206
    if (sm_list == -1) {
1,504,358!
207
        FatalError("failed to register inspect engine %s", name);
×
208
    }
×
209
    SCLogDebug("name %s id %d", name, sm_list);
1,504,358!
210

211
    if ((alproto == ALPROTO_FAILED) || (!(dir == SIG_FLAG_TOSERVER || dir == SIG_FLAG_TOCLIENT)) ||
1,504,358!
212
            (sm_list < DETECT_SM_LIST_MATCH) || (sm_list >= SHRT_MAX) ||
1,504,358!
213
            (progress < 0 || progress >= SHRT_MAX) || (Callback == NULL)) {
1,504,358!
214
        SCLogError("Invalid arguments");
×
215
        BUG_ON(1);
×
216
    } else if (Callback == DetectEngineInspectBufferGeneric && GetData == NULL) {
1,504,358!
217
        SCLogError("Invalid arguments: must register "
×
218
                   "GetData with DetectEngineInspectBufferGeneric");
×
219
        BUG_ON(1);
×
220
    } else if (Callback == DetectEngineInspectBufferSingle && GetDataSingle == NULL) {
1,504,358!
221
        SCLogError("Invalid arguments: must register "
×
222
                   "GetData with DetectEngineInspectBufferGeneric");
×
223
        BUG_ON(1);
×
224
    } else if (Callback == DetectEngineInspectMultiBufferGeneric && GetMultiData == NULL) {
1,504,358!
225
        SCLogError("Invalid arguments: must register "
×
226
                   "GetData with DetectEngineInspectMultiBufferGeneric");
×
227
        BUG_ON(1);
×
228
    }
×
229

230
    uint8_t direction;
1,504,358✔
231
    if (dir == SIG_FLAG_TOSERVER) {
1,504,358✔
232
        direction = 0;
811,374✔
233
    } else {
811,374✔
234
        direction = 1;
692,984✔
235
    }
692,984✔
236
    // every DNS or HTTP2 can be accessed from DOH2
237
    if (alproto == ALPROTO_HTTP2 || alproto == ALPROTO_DNS) {
1,504,358✔
238
        AppLayerInspectEngineRegisterInternal(
168,861✔
239
                name, ALPROTO_DOH2, dir, progress, Callback, GetData, GetDataSingle, GetMultiData);
168,861✔
240
    }
168,861✔
241

242
    DetectEngineAppInspectionEngine *new_engine =
1,504,358✔
243
            SCCalloc(1, sizeof(DetectEngineAppInspectionEngine));
1,504,358✔
244
    if (unlikely(new_engine == NULL)) {
1,504,358!
245
        exit(EXIT_FAILURE);
×
246
    }
×
247
    new_engine->alproto = alproto;
1,504,358✔
248
    new_engine->dir = direction;
1,504,358✔
249
    new_engine->sm_list = (uint16_t)sm_list;
1,504,358✔
250
    new_engine->sm_list_base = (uint16_t)sm_list;
1,504,358✔
251
    new_engine->progress = (int16_t)progress;
1,504,358✔
252
    new_engine->v2.Callback = Callback;
1,504,358✔
253
    if (Callback == DetectEngineInspectBufferGeneric) {
1,504,358✔
254
        new_engine->v2.GetData = GetData;
289,476✔
255
    } else if (Callback == DetectEngineInspectBufferSingle) {
1,214,882✔
256
        new_engine->v2.GetDataSingle = GetDataSingle;
175,408✔
257
    } else if (Callback == DetectEngineInspectMultiBufferGeneric) {
1,039,474✔
258
        new_engine->v2.GetMultiData = GetMultiData;
203,949✔
259
    }
203,949✔
260

261
    if (g_app_inspect_engines == NULL) {
1,504,358✔
262
        g_app_inspect_engines = new_engine;
2,193✔
263
    } else {
1,502,165✔
264
        DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
1,502,165✔
265
        while (t->next != NULL) {
515,228,987✔
266
            t = t->next;
513,726,822✔
267
        }
513,726,822✔
268

269
        t->next = new_engine;
1,502,165✔
270
    }
1,502,165✔
271
}
1,504,358✔
272

273
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir,
274
        int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
275
{
993,421✔
276
    /* before adding, check that we don't add a duplicate entry, which will
277
     * propagate all the way into the packet runtime if allowed. */
278
    DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
993,421✔
279
    while (t != NULL) {
279,740,808✔
280
        const uint32_t t_direction = t->dir == 0 ? SIG_FLAG_TOSERVER : SIG_FLAG_TOCLIENT;
278,747,387✔
281
        const int sm_list = DetectBufferTypeGetByName(name);
278,747,387✔
282

283
        if (t->sm_list == sm_list && t->alproto == alproto && t_direction == dir &&
278,747,387!
284
                t->progress == progress && t->v2.Callback == Callback && t->v2.GetData == GetData) {
278,747,387!
285
            DEBUG_VALIDATE_BUG_ON(1);
×
286
            return;
×
287
        }
×
288
        t = t->next;
278,747,387✔
289
    }
278,747,387✔
290

291
    AppLayerInspectEngineRegisterInternal(
993,421✔
292
            name, alproto, dir, progress, Callback, GetData, NULL, NULL);
993,421✔
293
}
993,421✔
294

295
void DetectAppLayerInspectEngineRegisterSingle(const char *name, AppProto alproto, uint32_t dir,
296
        int progress, InspectEngineFuncPtr Callback, InspectionSingleBufferGetDataPtr GetData)
297
{
175,408✔
298
    /* before adding, check that we don't add a duplicate entry, which will
299
     * propagate all the way into the packet runtime if allowed. */
300
    DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
175,408✔
301
    while (t != NULL) {
102,813,791✔
302
        const uint32_t t_direction = t->dir == 0 ? SIG_FLAG_TOSERVER : SIG_FLAG_TOCLIENT;
102,638,383✔
303
        const int sm_list = DetectBufferTypeGetByName(name);
102,638,383✔
304

305
        if (t->sm_list == sm_list && t->alproto == alproto && t_direction == dir &&
102,638,383!
306
                t->progress == progress && t->v2.Callback == Callback &&
102,638,383!
307
                t->v2.GetDataSingle == GetData) {
102,638,383!
308
            DEBUG_VALIDATE_BUG_ON(1);
×
309
            return;
×
310
        }
×
311
        t = t->next;
102,638,383✔
312
    }
102,638,383✔
313

314
    AppLayerInspectEngineRegisterInternal(
175,408✔
315
            name, alproto, dir, progress, Callback, NULL, GetData, NULL);
175,408✔
316
}
175,408✔
317

318
/* copy an inspect engine with transforms to a new list id. */
319
static void DetectAppLayerInspectEngineCopy(
320
        DetectEngineCtx *de_ctx,
321
        int sm_list, int new_list,
322
        const DetectEngineTransforms *transforms)
323
{
63,649✔
324
    const DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
63,649✔
325
    while (t) {
43,850,867✔
326
        if (t->sm_list == sm_list) {
43,787,218✔
327
            DetectEngineAppInspectionEngine *new_engine = SCCalloc(1, sizeof(DetectEngineAppInspectionEngine));
532,214✔
328
            if (unlikely(new_engine == NULL)) {
532,214!
329
                exit(EXIT_FAILURE);
×
330
            }
×
331
            new_engine->alproto = t->alproto;
532,214✔
332
            new_engine->dir = t->dir;
532,214✔
333
            DEBUG_VALIDATE_BUG_ON(new_list < 0 || new_list > UINT16_MAX);
532,214✔
334
            new_engine->sm_list = (uint16_t)new_list; /* use new list id */
532,214✔
335
            DEBUG_VALIDATE_BUG_ON(sm_list < 0 || sm_list > UINT16_MAX);
532,214✔
336
            new_engine->sm_list_base = (uint16_t)sm_list;
532,214✔
337
            new_engine->progress = t->progress;
532,214✔
338
            new_engine->v2 = t->v2;
532,214✔
339
            new_engine->v2.transforms = transforms; /* assign transforms */
532,214✔
340

341
            if (de_ctx->app_inspect_engines == NULL) {
532,214!
342
                de_ctx->app_inspect_engines = new_engine;
×
343
            } else {
532,214✔
344
                DetectEngineAppInspectionEngine *list = de_ctx->app_inspect_engines;
532,214✔
345
                while (list->next != NULL) {
1,047,170,538✔
346
                    list = list->next;
1,046,638,324✔
347
                }
1,046,638,324✔
348

349
                list->next = new_engine;
532,214✔
350
            }
532,214✔
351
        }
532,214✔
352
        t = t->next;
43,787,218✔
353
    }
43,787,218✔
354
}
63,649✔
355

356
/* copy inspect engines from global registrations to de_ctx list */
357
static void DetectAppLayerInspectEngineCopyListToDetectCtx(DetectEngineCtx *de_ctx)
358
{
38,854✔
359
    const DetectEngineAppInspectionEngine *t = g_app_inspect_engines;
38,854✔
360
    DetectEngineAppInspectionEngine *list = de_ctx->app_inspect_engines;
38,854✔
361
    while (t) {
26,763,599✔
362
        DetectEngineAppInspectionEngine *new_engine = SCCalloc(1, sizeof(DetectEngineAppInspectionEngine));
26,724,745✔
363
        if (unlikely(new_engine == NULL)) {
26,724,745!
364
            exit(EXIT_FAILURE);
×
365
        }
×
366
        new_engine->alproto = t->alproto;
26,724,745✔
367
        new_engine->dir = t->dir;
26,724,745✔
368
        new_engine->sm_list = t->sm_list;
26,724,745✔
369
        new_engine->sm_list_base = t->sm_list;
26,724,745✔
370
        new_engine->progress = t->progress;
26,724,745✔
371
        new_engine->v2 = t->v2;
26,724,745✔
372

373
        if (list == NULL) {
26,724,745✔
374
            de_ctx->app_inspect_engines = new_engine;
38,854✔
375
        } else {
26,685,891✔
376
            list->next = new_engine;
26,685,891✔
377
        }
26,685,891✔
378
        list = new_engine;
26,724,745✔
379

380
        t = t->next;
26,724,745✔
381
    }
26,724,745✔
382
}
38,854✔
383

384
/* copy an inspect engine with transforms to a new list id. */
385
static void DetectPktInspectEngineCopy(
386
        DetectEngineCtx *de_ctx,
387
        int sm_list, int new_list,
388
        const DetectEngineTransforms *transforms)
389
{
1,522✔
390
    const DetectEnginePktInspectionEngine *t = g_pkt_inspect_engines;
1,522✔
391
    while (t) {
15,220✔
392
        if (t->sm_list == sm_list) {
13,698✔
393
            DetectEnginePktInspectionEngine *new_engine = SCCalloc(1, sizeof(DetectEnginePktInspectionEngine));
1,522✔
394
            if (unlikely(new_engine == NULL)) {
1,522!
395
                exit(EXIT_FAILURE);
×
396
            }
×
397
            DEBUG_VALIDATE_BUG_ON(new_list < 0 || new_list > UINT16_MAX);
1,522✔
398
            new_engine->sm_list = (uint16_t)new_list; /* use new list id */
1,522✔
399
            DEBUG_VALIDATE_BUG_ON(sm_list < 0 || sm_list > UINT16_MAX);
1,522✔
400
            new_engine->sm_list_base = (uint16_t)sm_list;
1,522✔
401
            new_engine->v1 = t->v1;
1,522✔
402
            new_engine->v1.transforms = transforms; /* assign transforms */
1,522✔
403

404
            if (de_ctx->pkt_inspect_engines == NULL) {
1,522!
405
                de_ctx->pkt_inspect_engines = new_engine;
×
406
            } else {
1,522✔
407
                DetectEnginePktInspectionEngine *list = de_ctx->pkt_inspect_engines;
1,522✔
408
                while (list->next != NULL) {
84,205✔
409
                    list = list->next;
82,683✔
410
                }
82,683✔
411

412
                list->next = new_engine;
1,522✔
413
            }
1,522✔
414
        }
1,522✔
415
        t = t->next;
13,698✔
416
    }
13,698✔
417
}
1,522✔
418

419
/* copy inspect engines from global registrations to de_ctx list */
420
static void DetectPktInspectEngineCopyListToDetectCtx(DetectEngineCtx *de_ctx)
421
{
38,854✔
422
    const DetectEnginePktInspectionEngine *t = g_pkt_inspect_engines;
38,854✔
423
    while (t) {
388,540✔
424
        SCLogDebug("engine %p", t);
349,686!
425
        DetectEnginePktInspectionEngine *new_engine = SCCalloc(1, sizeof(DetectEnginePktInspectionEngine));
349,686✔
426
        if (unlikely(new_engine == NULL)) {
349,686!
427
            exit(EXIT_FAILURE);
×
428
        }
×
429
        new_engine->sm_list = t->sm_list;
349,686✔
430
        new_engine->sm_list_base = t->sm_list;
349,686✔
431
        new_engine->v1 = t->v1;
349,686✔
432

433
        if (de_ctx->pkt_inspect_engines == NULL) {
349,686✔
434
            de_ctx->pkt_inspect_engines = new_engine;
38,854✔
435
        } else {
310,832✔
436
            DetectEnginePktInspectionEngine *list = de_ctx->pkt_inspect_engines;
310,832✔
437
            while (list->next != NULL) {
1,398,744✔
438
                list = list->next;
1,087,912✔
439
            }
1,087,912✔
440

441
            list->next = new_engine;
310,832✔
442
        }
310,832✔
443

444
        t = t->next;
349,686✔
445
    }
349,686✔
446
}
38,854✔
447

448
/** \brief register inspect engine at start up time
449
 *
450
 *  \note errors are fatal */
451
void DetectEngineFrameInspectEngineRegister(DetectEngineCtx *de_ctx, const char *name, int dir,
452
        InspectionBufferFrameInspectFunc Callback, AppProto alproto, uint8_t type)
453
{
7,098✔
454
    const int sm_list = DetectEngineBufferTypeRegister(de_ctx, name);
7,098✔
455
    if (sm_list < 0) {
7,098!
456
        FatalError("failed to register inspect engine %s", name);
×
457
    }
×
458

459
    if ((sm_list < DETECT_SM_LIST_MATCH) || (sm_list >= SHRT_MAX) || (Callback == NULL)) {
7,098!
460
        SCLogError("Invalid arguments");
×
461
        BUG_ON(1);
×
462
    }
×
463

464
    uint8_t direction;
7,098✔
465
    if (dir == SIG_FLAG_TOSERVER) {
7,098✔
466
        direction = 0;
3,549✔
467
    } else {
3,549✔
468
        direction = 1;
3,549✔
469
    }
3,549✔
470

471
    DetectEngineFrameInspectionEngine *new_engine = SCCalloc(1, sizeof(*new_engine));
7,098✔
472
    if (unlikely(new_engine == NULL)) {
7,098!
473
        FatalError("failed to register inspect engine %s: %s", name, strerror(errno));
×
474
    }
×
475
    new_engine->sm_list = (uint16_t)sm_list;
7,098✔
476
    new_engine->sm_list_base = (uint16_t)sm_list;
7,098✔
477
    new_engine->dir = direction;
7,098✔
478
    new_engine->v1.Callback = Callback;
7,098✔
479
    new_engine->alproto = alproto;
7,098✔
480
    new_engine->type = type;
7,098✔
481

482
    if (de_ctx->frame_inspect_engines == NULL) {
7,098✔
483
        de_ctx->frame_inspect_engines = new_engine;
1,750✔
484
    } else {
5,348✔
485
        DetectEngineFrameInspectionEngine *list = de_ctx->frame_inspect_engines;
5,348✔
486
        while (list->next != NULL) {
16,565✔
487
            list = list->next;
11,217✔
488
        }
11,217✔
489

490
        list->next = new_engine;
5,348✔
491
    }
5,348✔
492
}
7,098✔
493

494
/* copy an inspect engine with transforms to a new list id. */
495
static void DetectFrameInspectEngineCopy(DetectEngineCtx *de_ctx, int sm_list, int new_list,
496
        const DetectEngineTransforms *transforms)
497
{
391✔
498
    /* take the list from the detect engine as the buffers can be registered
499
     * dynamically. */
500
    DetectEngineFrameInspectionEngine *t = de_ctx->frame_inspect_engines;
391✔
501
    while (t) {
7,283✔
502
        if (t->sm_list == sm_list) {
6,892✔
503
            DetectEngineFrameInspectionEngine *new_engine =
782✔
504
                    SCCalloc(1, sizeof(DetectEngineFrameInspectionEngine));
782✔
505
            if (unlikely(new_engine == NULL)) {
782!
506
                exit(EXIT_FAILURE);
×
507
            }
×
508
            DEBUG_VALIDATE_BUG_ON(new_list < 0 || new_list > UINT16_MAX);
782✔
509
            new_engine->sm_list = (uint16_t)new_list; /* use new list id */
782✔
510
            DEBUG_VALIDATE_BUG_ON(sm_list < 0 || sm_list > UINT16_MAX);
782✔
511
            new_engine->sm_list_base = (uint16_t)sm_list;
782✔
512
            new_engine->dir = t->dir;
782✔
513
            new_engine->alproto = t->alproto;
782✔
514
            new_engine->type = t->type;
782✔
515
            new_engine->v1 = t->v1;
782✔
516
            new_engine->v1.transforms = transforms; /* assign transforms */
782✔
517

518
            /* append to the list */
519
            DetectEngineFrameInspectionEngine *list = t;
782✔
520
            while (list->next != NULL) {
9,868✔
521
                list = list->next;
9,086✔
522
            }
9,086✔
523

524
            list->next = new_engine;
782✔
525
        }
782✔
526
        t = t->next;
6,892✔
527
    }
6,892✔
528
}
391✔
529

530
/* copy inspect engines from global registrations to de_ctx list */
531
static void DetectFrameInspectEngineCopyListToDetectCtx(DetectEngineCtx *de_ctx)
532
{
38,854✔
533
    const DetectEngineFrameInspectionEngine *t = g_frame_inspect_engines;
38,854✔
534
    while (t) {
38,854!
535
        SCLogDebug("engine %p", t);
×
536
        DetectEngineFrameInspectionEngine *new_engine =
×
537
                SCCalloc(1, sizeof(DetectEngineFrameInspectionEngine));
×
538
        if (unlikely(new_engine == NULL)) {
×
539
            exit(EXIT_FAILURE);
×
540
        }
×
541
        new_engine->sm_list = t->sm_list;
×
542
        new_engine->sm_list_base = t->sm_list;
×
543
        new_engine->dir = t->dir;
×
544
        new_engine->alproto = t->alproto;
×
545
        new_engine->type = t->type;
×
546
        new_engine->v1 = t->v1;
×
547

548
        if (de_ctx->frame_inspect_engines == NULL) {
×
549
            de_ctx->frame_inspect_engines = new_engine;
×
550
        } else {
×
551
            DetectEngineFrameInspectionEngine *list = de_ctx->frame_inspect_engines;
×
552
            while (list->next != NULL) {
×
553
                list = list->next;
×
554
            }
×
555

556
            list->next = new_engine;
×
557
        }
×
558

559
        t = t->next;
×
560
    }
×
561
}
38,854✔
562

563
/** \internal
564
 *  \brief append the stream inspection
565
 *
566
 *  If stream inspection is MPM, then prepend it.
567
 */
568
static void AppendStreamInspectEngine(
569
        Signature *s, SigMatchData *stream, uint8_t direction, uint8_t id)
570
{
5,326✔
571
    bool prepend = false;
5,326✔
572

573
    DetectEngineAppInspectionEngine *new_engine = SCCalloc(1, sizeof(DetectEngineAppInspectionEngine));
5,326✔
574
    if (unlikely(new_engine == NULL)) {
5,326!
575
        exit(EXIT_FAILURE);
×
576
    }
×
577
    if (s->init_data->mpm_sm_list == DETECT_SM_LIST_PMATCH) {
5,326✔
578
        SCLogDebug("stream is mpm");
1,358!
579
        prepend = true;
1,358✔
580
        new_engine->mpm = true;
1,358✔
581
    }
1,358✔
582
    new_engine->alproto = ALPROTO_UNKNOWN; /* all */
5,326✔
583
    new_engine->dir = direction;
5,326✔
584
    new_engine->stream = true;
5,326✔
585
    new_engine->sm_list = DETECT_SM_LIST_PMATCH;
5,326✔
586
    new_engine->sm_list_base = DETECT_SM_LIST_PMATCH;
5,326✔
587
    new_engine->smd = stream;
5,326✔
588
    new_engine->v2.Callback = DetectEngineInspectStream;
5,326✔
589
    new_engine->progress = 0;
5,326✔
590

591
    /* append */
592
    if (s->app_inspect == NULL) {
5,326✔
593
        s->app_inspect = new_engine;
41✔
594
        new_engine->id = DE_STATE_FLAG_BASE; /* id is used as flag in stateful detect */
41✔
595
    } else if (prepend) {
5,285✔
596
        new_engine->next = s->app_inspect;
1,317✔
597
        s->app_inspect = new_engine;
1,317✔
598
        new_engine->id = id;
1,317✔
599

600
    } else {
3,968✔
601
        DetectEngineAppInspectionEngine *a = s->app_inspect;
3,968✔
602
        while (a->next != NULL) {
74,214✔
603
            a = a->next;
70,246✔
604
        }
70,246✔
605

606
        a->next = new_engine;
3,968✔
607
        new_engine->id = id;
3,968✔
608
    }
3,968✔
609
    SCLogDebug("sid %u: engine %p/%u added", s->id, new_engine, new_engine->id);
5,326!
610
}
5,326✔
611

612
static void AppendFrameInspectEngine(DetectEngineCtx *de_ctx,
613
        const DetectEngineFrameInspectionEngine *u, Signature *s, SigMatchData *smd,
614
        const int mpm_list)
615
{
6,720✔
616
    bool prepend = false;
6,720✔
617

618
    if (u->alproto == ALPROTO_UNKNOWN) {
6,720!
619
        /* special case, inspect engine applies to all protocols */
620
    } else if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, u->alproto))
6,720!
621
        return;
×
622

623
    if (s->flags & SIG_FLAG_TOSERVER && !(s->flags & SIG_FLAG_TOCLIENT)) {
6,720✔
624
        if (u->dir == 1)
2,716✔
625
            return;
1,358✔
626
    } else if (s->flags & SIG_FLAG_TOCLIENT && !(s->flags & SIG_FLAG_TOSERVER)) {
4,004!
627
        if (u->dir == 0)
1,546✔
628
            return;
773✔
629
    }
1,546✔
630

631
    DetectEngineFrameInspectionEngine *new_engine =
4,589✔
632
            SCCalloc(1, sizeof(DetectEngineFrameInspectionEngine));
4,589✔
633
    if (unlikely(new_engine == NULL)) {
4,589!
634
        exit(EXIT_FAILURE);
×
635
    }
×
636
    if (mpm_list == u->sm_list) {
4,589✔
637
        SCLogDebug("%s is mpm", DetectEngineBufferTypeGetNameById(de_ctx, u->sm_list));
4,472!
638
        prepend = true;
4,472✔
639
        new_engine->mpm = true;
4,472✔
640
    }
4,472✔
641

642
    new_engine->type = u->type;
4,589✔
643
    new_engine->sm_list = u->sm_list;
4,589✔
644
    new_engine->sm_list_base = u->sm_list_base;
4,589✔
645
    new_engine->smd = smd;
4,589✔
646
    new_engine->v1 = u->v1;
4,589✔
647
    SCLogDebug("sm_list %d new_engine->v1 %p/%p", new_engine->sm_list, new_engine->v1.Callback,
4,589!
648
            new_engine->v1.transforms);
4,589✔
649

650
    if (s->frame_inspect == NULL) {
4,589✔
651
        s->frame_inspect = new_engine;
3,360✔
652
    } else if (prepend) {
3,360✔
653
        new_engine->next = s->frame_inspect;
1,172✔
654
        s->frame_inspect = new_engine;
1,172✔
655
    } else {
1,172✔
656
        DetectEngineFrameInspectionEngine *a = s->frame_inspect;
57✔
657
        while (a->next != NULL) {
57!
658
            a = a->next;
×
659
        }
×
660
        new_engine->next = a->next;
57✔
661
        a->next = new_engine;
57✔
662
    }
57✔
663
}
4,589✔
664

665
static void AppendPacketInspectEngine(DetectEngineCtx *de_ctx,
666
        const DetectEnginePktInspectionEngine *e, Signature *s, SigMatchData *smd,
667
        const int mpm_list)
668
{
963✔
669
    bool prepend = false;
963✔
670

671
    DetectEnginePktInspectionEngine *new_engine =
963✔
672
            SCCalloc(1, sizeof(DetectEnginePktInspectionEngine));
963✔
673
    if (unlikely(new_engine == NULL)) {
963!
674
        exit(EXIT_FAILURE);
×
675
    }
×
676
    if (mpm_list == e->sm_list) {
963✔
677
        SCLogDebug("%s is mpm", DetectEngineBufferTypeGetNameById(de_ctx, e->sm_list));
393!
678
        prepend = true;
393✔
679
        new_engine->mpm = true;
393✔
680
    }
393✔
681

682
    new_engine->sm_list = e->sm_list;
963✔
683
    new_engine->sm_list_base = e->sm_list_base;
963✔
684
    new_engine->smd = smd;
963✔
685
    new_engine->v1 = e->v1;
963✔
686
    SCLogDebug("sm_list %d new_engine->v1 %p/%p/%p", new_engine->sm_list, new_engine->v1.Callback,
963!
687
            new_engine->v1.GetData, new_engine->v1.transforms);
963✔
688

689
    if (s->pkt_inspect == NULL) {
963✔
690
        s->pkt_inspect = new_engine;
881✔
691
    } else if (prepend) {
881!
692
        new_engine->next = s->pkt_inspect;
13✔
693
        s->pkt_inspect = new_engine;
13✔
694
    } else {
69✔
695
        DetectEnginePktInspectionEngine *a = s->pkt_inspect;
69✔
696
        while (a->next != NULL) {
333!
697
            a = a->next;
264✔
698
        }
264✔
699
        new_engine->next = a->next;
69✔
700
        a->next = new_engine;
69✔
701
    }
69✔
702
}
963✔
703

704
static void AppendAppInspectEngine(DetectEngineCtx *de_ctx,
705
        const DetectEngineAppInspectionEngine *t, Signature *s, SigMatchData *smd,
706
        const int mpm_list, const int files_id, uint8_t *last_id, bool *head_is_mpm)
707
{
650,981✔
708
    if (t->alproto == ALPROTO_UNKNOWN) {
650,981✔
709
        /* special case, inspect engine applies to all protocols */
710
    } else if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, t->alproto))
610,949✔
711
        return;
232,467✔
712

713
    if (s->flags & SIG_FLAG_TOSERVER && !(s->flags & SIG_FLAG_TOCLIENT)) {
418,514✔
714
        if (t->dir == 1)
240,419✔
715
            return;
29,989✔
716
    } else if (s->flags & SIG_FLAG_TOCLIENT && !(s->flags & SIG_FLAG_TOSERVER)) {
319,208!
717
        if (t->dir == 0)
55,548✔
718
            return;
22,573✔
719
    }
55,548✔
720
    SCLogDebug("app engine: t %p t->id %u => alproto:%s files:%s", t, t->id,
365,952!
721
            AppProtoToString(t->alproto), BOOL2STR(t->sm_list == files_id));
365,952✔
722

723
    DetectEngineAppInspectionEngine *new_engine =
365,952✔
724
            SCCalloc(1, sizeof(DetectEngineAppInspectionEngine));
365,952✔
725
    if (unlikely(new_engine == NULL)) {
365,952!
726
        exit(EXIT_FAILURE);
×
727
    }
×
728
    bool prepend = false;
365,952✔
729
    if (mpm_list == t->sm_list) {
365,952✔
730
        SCLogDebug("%s is mpm", DetectEngineBufferTypeGetNameById(de_ctx, t->sm_list));
202,738!
731
        prepend = true;
202,738✔
732
        *head_is_mpm = true;
202,738✔
733
        new_engine->mpm = true;
202,738✔
734
    }
202,738✔
735

736
    new_engine->alproto = t->alproto;
365,952✔
737
    new_engine->dir = t->dir;
365,952✔
738
    new_engine->sm_list = t->sm_list;
365,952✔
739
    new_engine->sm_list_base = t->sm_list_base;
365,952✔
740
    new_engine->smd = smd;
365,952✔
741
    new_engine->match_on_null = smd ? DetectContentInspectionMatchOnAbsentBuffer(smd) : false;
365,952✔
742
    new_engine->progress = t->progress;
365,952✔
743
    new_engine->v2 = t->v2;
365,952✔
744
    SCLogDebug("sm_list %d new_engine->v2 %p/%p/%p", new_engine->sm_list, new_engine->v2.Callback,
365,952!
745
            new_engine->v2.GetData, new_engine->v2.transforms);
365,952✔
746

747
    if (s->app_inspect == NULL) {
365,952✔
748
        s->app_inspect = new_engine;
127,734✔
749
        if (new_engine->sm_list == files_id) {
127,734✔
750
            new_engine->id = DE_STATE_ID_FILE_INSPECT;
667✔
751
            SCLogDebug("sid %u: engine %p/%u is FILE ENGINE", s->id, new_engine, new_engine->id);
667!
752
        } else {
127,067✔
753
            new_engine->id = DE_STATE_FLAG_BASE; /* id is used as flag in stateful detect */
127,067✔
754
            SCLogDebug("sid %u: engine %p/%u %s", s->id, new_engine, new_engine->id,
127,067!
755
                    DetectEngineBufferTypeGetNameById(de_ctx, new_engine->sm_list));
127,067✔
756
        }
127,067✔
757

758
        /* prepend engine if forced or if our engine has a lower progress. */
759
    } else if (prepend || (!(*head_is_mpm) && s->app_inspect->progress > new_engine->progress)) {
238,264✔
760
        new_engine->next = s->app_inspect;
135,784✔
761
        s->app_inspect = new_engine;
135,784✔
762
        if (new_engine->sm_list == files_id) {
135,784!
763
            new_engine->id = DE_STATE_ID_FILE_INSPECT;
2✔
764
            SCLogDebug("sid %u: engine %p/%u is FILE ENGINE", s->id, new_engine, new_engine->id);
2!
765
        } else {
135,782✔
766
            new_engine->id = ++(*last_id);
135,782✔
767
            SCLogDebug("sid %u: engine %p/%u %s", s->id, new_engine, new_engine->id,
135,782!
768
                    DetectEngineBufferTypeGetNameById(de_ctx, new_engine->sm_list));
135,782✔
769
        }
135,782✔
770

771
    } else {
135,784✔
772
        DetectEngineAppInspectionEngine *a = s->app_inspect;
102,434✔
773
        while (a->next != NULL) {
405,951✔
774
            if (a->next && a->next->progress > new_engine->progress) {
335,523!
775
                break;
32,006✔
776
            }
32,006✔
777
            a = a->next;
303,517✔
778
        }
303,517✔
779

780
        new_engine->next = a->next;
102,434✔
781
        a->next = new_engine;
102,434✔
782
        if (new_engine->sm_list == files_id) {
102,434✔
783
            new_engine->id = DE_STATE_ID_FILE_INSPECT;
24,600✔
784
            SCLogDebug("sid %u: engine %p/%u is FILE ENGINE", s->id, new_engine, new_engine->id);
24,600!
785
        } else {
81,394✔
786
            new_engine->id = ++(*last_id);
77,834✔
787
            SCLogDebug("sid %u: engine %p/%u %s", s->id, new_engine, new_engine->id,
77,834!
788
                    DetectEngineBufferTypeGetNameById(de_ctx, new_engine->sm_list));
77,834✔
789
        }
77,834✔
790
    }
102,434✔
791

792
    SCLogDebug("sid %u: engine %p/%u added", s->id, new_engine, new_engine->id);
365,952!
793

794
    s->init_data->init_flags |= SIG_FLAG_INIT_STATE_MATCH;
365,952✔
795
}
365,952✔
796

797
/**
798
 *  \note for the file inspect engine, the id DE_STATE_ID_FILE_INSPECT
799
 *        is assigned.
800
 */
801
int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature *s)
802
{
266,029✔
803
    const int mpm_list = s->init_data->mpm_sm ? s->init_data->mpm_sm_list : -1;
266,029✔
804
    const int files_id = DetectBufferTypeGetByName("files");
266,029✔
805
    bool head_is_mpm = false;
266,029✔
806
    uint8_t last_id = DE_STATE_FLAG_BASE;
266,029✔
807
    SCLogDebug("%u: setup app inspect engines. %u buffers", s->id, s->init_data->buffer_index);
266,029!
808

809
    for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
440,140✔
810
        SigMatchData *smd = SigMatchList2DataArray(s->init_data->buffers[x].head);
174,111✔
811
        SCLogDebug("smd %p, id %u", smd, s->init_data->buffers[x].id);
174,111!
812

813
        const DetectBufferType *b =
174,111✔
814
                DetectEngineBufferTypeGetById(de_ctx, s->init_data->buffers[x].id);
174,111✔
815
        if (b == NULL)
174,111!
816
            FatalError("unknown buffer");
×
817

818
        if (b->frame) {
174,111✔
819
            for (const DetectEngineFrameInspectionEngine *u = de_ctx->frame_inspect_engines;
3,360✔
820
                    u != NULL; u = u->next) {
25,754✔
821
                if (u->sm_list == s->init_data->buffers[x].id) {
22,394✔
822
                    AppendFrameInspectEngine(de_ctx, u, s, smd, mpm_list);
6,720✔
823
                }
6,720✔
824
            }
22,394✔
825
        } else if (b->packet) {
170,751✔
826
            /* set up pkt inspect engines */
827
            for (const DetectEnginePktInspectionEngine *e = de_ctx->pkt_inspect_engines; e != NULL;
9,935✔
828
                    e = e->next) {
8,972✔
829
                SCLogDebug("e %p sm_list %u", e, e->sm_list);
8,972!
830
                if (e->sm_list == s->init_data->buffers[x].id) {
8,972✔
831
                    AppendPacketInspectEngine(de_ctx, e, s, smd, mpm_list);
963✔
832
                }
963✔
833
            }
8,972✔
834
        } else {
169,818✔
835
            SCLogDebug("app %s id %u parent %u rule %u xforms %u", b->name, b->id, b->parent_id,
169,788!
836
                    s->init_data->buffers[x].id, b->transforms.cnt);
169,788✔
837
            for (const DetectEngineAppInspectionEngine *t = de_ctx->app_inspect_engines; t != NULL;
121,373,912✔
838
                    t = t->next) {
121,204,124✔
839
                if (t->sm_list == s->init_data->buffers[x].id) {
121,204,124✔
840
                    if (s->flags & SIG_FLAG_TXBOTHDIR) {
651,341✔
841
                        // ambiguous keywords have app engines in both directions
842
                        // so we skip the wrong direction for this buffer
843
                        if (s->init_data->buffers[x].only_tc && t->dir == 0) {
1,907✔
844
                            continue;
391✔
845
                        } else if (s->init_data->buffers[x].only_ts && t->dir == 1) {
1,516✔
846
                            continue;
102✔
847
                        }
102✔
848
                    }
1,907✔
849
                    AppendAppInspectEngine(
650,848✔
850
                            de_ctx, t, s, smd, mpm_list, files_id, &last_id, &head_is_mpm);
650,848✔
851
                }
650,848✔
852
            }
121,204,124✔
853
        }
169,788✔
854
    }
174,111✔
855

856
    /* handle rules that have an app-layer hook w/o bringing their own app inspect engine,
857
     * e.g. `alert dns:request_complete ... (sid:1;)`
858
     *
859
     * Here we use a minimal stub inspect engine in which we set:
860
     * - alproto
861
     * - progress
862
     * - sm_list/sm_list_base to get the mapping to the hook name
863
     * - dir based on sig direction
864
     *
865
     * The inspect engine has no callback and is thus considered a straight match.
866
     */
867
    if (s->init_data->buffer_index == 0 && s->init_data->hook.type == SIGNATURE_HOOK_TYPE_APP) {
266,029✔
868
        uint8_t dir = 0;
133✔
869
        BUG_ON((s->flags & (SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT)) ==
133!
870
                (SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT));
133✔
871
        BUG_ON((s->flags & (SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT)) == 0);
133!
872
        if (s->flags & SIG_FLAG_TOSERVER)
133✔
873
            dir = 0;
72✔
874
        else if (s->flags & SIG_FLAG_TOCLIENT)
61!
875
            dir = 1;
61✔
876

877
        DetectEngineAppInspectionEngine t = {
133✔
878
            .alproto = s->init_data->hook.t.app.alproto,
133✔
879
            .progress = (uint16_t)s->init_data->hook.t.app.app_progress,
133✔
880
            .sm_list = (uint16_t)s->init_data->hook.sm_list,
133✔
881
            .sm_list_base = (uint16_t)s->init_data->hook.sm_list,
133✔
882
            .dir = dir,
133✔
883
        };
133✔
884
        AppendAppInspectEngine(de_ctx, &t, s, NULL, mpm_list, files_id, &last_id, &head_is_mpm);
133✔
885
    }
133✔
886

887
    if ((s->init_data->init_flags & SIG_FLAG_INIT_STATE_MATCH) &&
266,029✔
888
            s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL)
266,029✔
889
    {
3,554✔
890
        /* if engine is added multiple times, we pass it the same list */
891
        SigMatchData *stream = SigMatchList2DataArray(s->init_data->smlists[DETECT_SM_LIST_PMATCH]);
3,554✔
892
        BUG_ON(stream == NULL);
3,554!
893
        if (s->flags & SIG_FLAG_TOSERVER && !(s->flags & SIG_FLAG_TOCLIENT)) {
3,554✔
894
            AppendStreamInspectEngine(s, stream, 0, last_id + 1);
1,686✔
895
        } else if (s->flags & SIG_FLAG_TOCLIENT && !(s->flags & SIG_FLAG_TOSERVER)) {
2,629!
896
            AppendStreamInspectEngine(s, stream, 1, last_id + 1);
96✔
897
        } else {
1,834✔
898
            AppendStreamInspectEngine(s, stream, 0, last_id + 1);
1,772✔
899
            AppendStreamInspectEngine(s, stream, 1, last_id + 1);
1,772✔
900
        }
1,772✔
901

902
        if (s->init_data->init_flags & SIG_FLAG_INIT_NEED_FLUSH) {
3,554✔
903
            SCLogDebug("set SIG_FLAG_FLUSH on %u", s->id);
468!
904
            s->flags |= SIG_FLAG_FLUSH;
468✔
905
        }
468✔
906
    }
3,554✔
907

908
#ifdef DEBUG
909
    const DetectEngineAppInspectionEngine *iter = s->app_inspect;
910
    while (iter) {
911
        SCLogDebug("%u: engine %s id %u progress %d %s", s->id,
912
                DetectEngineBufferTypeGetNameById(de_ctx, iter->sm_list), iter->id, iter->progress,
913
                iter->sm_list == mpm_list ? "MPM" : "");
914
        iter = iter->next;
915
    }
916
#endif
917
    return 0;
266,029✔
918
}
266,029✔
919

920
/** \brief free app inspect engines for a signature
921
 *
922
 *  For lists that are registered multiple times, like http_header and
923
 *  http_cookie, making the engines owner of the lists is complicated.
924
 *  Multiple engines in a sig may be pointing to the same list. To
925
 *  address this the 'free' code needs to be extra careful about not
926
 *  double freeing, so it takes an approach to first fill an array
927
 *  of the to-free pointers before freeing them.
928
 */
929
void DetectEngineAppInspectionEngineSignatureFree(DetectEngineCtx *de_ctx, Signature *s)
930
{
5,310,727✔
931
    int engines = 0;
5,310,727✔
932

933
    DetectEngineAppInspectionEngine *ie = s->app_inspect;
5,310,727✔
934
    while (ie) {
5,682,001✔
935
        ie = ie->next;
371,274✔
936
        engines++;
371,274✔
937
    }
371,274✔
938
    DetectEnginePktInspectionEngine *e = s->pkt_inspect;
5,310,727✔
939
    while (e) {
5,441,512✔
940
        e = e->next;
130,785✔
941
        engines++;
130,785✔
942
    }
130,785✔
943
    DetectEngineFrameInspectionEngine *u = s->frame_inspect;
5,310,727✔
944
    while (u) {
5,315,316✔
945
        u = u->next;
4,589✔
946
        engines++;
4,589✔
947
    }
4,589✔
948
    if (engines == 0) {
5,310,727✔
949
        BUG_ON(s->pkt_inspect);
5,122,412!
950
        BUG_ON(s->frame_inspect);
5,122,412!
951
        return;
5,122,412✔
952
    }
5,122,412✔
953

954
    SigMatchData *bufs[engines];
188,315✔
955
    memset(&bufs, 0, (engines * sizeof(SigMatchData *)));
188,315✔
956
    int arrays = 0;
188,315✔
957

958
    /* free engines and put smd in the array */
959
    ie = s->app_inspect;
188,315✔
960
    while (ie) {
559,589✔
961
        DetectEngineAppInspectionEngine *next = ie->next;
371,274✔
962

963
        bool skip = false;
371,274✔
964
        for (int i = 0; i < arrays; i++) {
541,959✔
965
            if (bufs[i] == ie->smd) {
368,486✔
966
                skip = true;
197,801✔
967
                break;
197,801✔
968
            }
197,801✔
969
        }
368,486✔
970
        if (!skip) {
371,274✔
971
            bufs[arrays++] = ie->smd;
173,473✔
972
        }
173,473✔
973
        SCFree(ie);
371,274✔
974
        ie = next;
371,274✔
975
    }
371,274✔
976
    e = s->pkt_inspect;
188,315✔
977
    while (e) {
319,100✔
978
        DetectEnginePktInspectionEngine *next = e->next;
130,785✔
979

980
        bool skip = false;
130,785✔
981
        for (int i = 0; i < arrays; i++) {
231,301✔
982
            if (bufs[i] == e->smd) {
112,163✔
983
                skip = true;
11,647✔
984
                break;
11,647✔
985
            }
11,647✔
986
        }
112,163✔
987
        if (!skip) {
130,785✔
988
            bufs[arrays++] = e->smd;
119,138✔
989
        }
119,138✔
990
        SCFree(e);
130,785✔
991
        e = next;
130,785✔
992
    }
130,785✔
993
    u = s->frame_inspect;
188,315✔
994
    while (u) {
192,904✔
995
        DetectEngineFrameInspectionEngine *next = u->next;
4,589✔
996

997
        bool skip = false;
4,589✔
998
        for (int i = 0; i < arrays; i++) {
4,742✔
999
            if (bufs[i] == u->smd) {
1,382✔
1000
                skip = true;
1,229✔
1001
                break;
1,229✔
1002
            }
1,229✔
1003
        }
1,382✔
1004
        if (!skip) {
4,589✔
1005
            bufs[arrays++] = u->smd;
3,360✔
1006
        }
3,360✔
1007
        SCFree(u);
4,589✔
1008
        u = next;
4,589✔
1009
    }
4,589✔
1010

1011
    for (int i = 0; i < engines; i++) {
694,963✔
1012
        if (bufs[i] == NULL)
506,648✔
1013
            continue;
328,985✔
1014
        SigMatchData *smd = bufs[i];
177,663✔
1015
        while (1) {
272,669!
1016
            if (sigmatch_table[smd->type].Free != NULL) {
272,669✔
1017
                sigmatch_table[smd->type].Free(de_ctx, smd->ctx);
272,663✔
1018
            }
272,663✔
1019
            if (smd->is_last)
272,669✔
1020
                break;
177,663✔
1021
            smd++;
95,006✔
1022
        }
95,006✔
1023
        SCFree(bufs[i]);
177,663✔
1024
    }
177,663✔
1025
}
188,315✔
1026

1027
/* code for registering buffers */
1028

1029
#include "util-hash-lookup3.h"
1030

1031
static HashListTable *g_buffer_type_hash = NULL;
1032
static int g_buffer_type_id = DETECT_SM_LIST_DYNAMIC_START;
1033
static int g_buffer_type_reg_closed = 0;
1034

1035
int DetectBufferTypeMaxId(void)
1036
{
×
1037
    return g_buffer_type_id;
×
1038
}
×
1039

1040
static void DetectBufferAddTransformData(DetectBufferType *map)
1041
{
103,445✔
1042
    for (int i = 0; i < map->transforms.cnt; i++) {
237,682✔
1043
        const TransformData *t = &map->transforms.transforms[i];
134,237✔
1044
        if (sigmatch_table[t->transform].TransformId) {
134,237✔
1045
            sigmatch_table[t->transform].TransformId(
62,794✔
1046
                    &map->xform_id[i].id_data, &map->xform_id[i].id_data_len, t->options);
62,794✔
1047
            SCLogDebug("transform identity data: [%p] \"%s\" [%d]", map->xform_id[i].id_data,
62,794!
1048
                    (char *)map->xform_id[i].id_data, map->xform_id[i].id_data_len);
62,794✔
1049
        }
62,794✔
1050
    }
134,237✔
1051
}
103,445✔
1052

1053
static uint32_t DetectBufferTypeHashNameFunc(HashListTable *ht, void *data, uint16_t datalen)
1054
{
407,760,071✔
1055
    const DetectBufferType *map = (DetectBufferType *)data;
407,760,071✔
1056
    uint32_t hash = hashlittle_safe(map->name, strlen(map->name), 0);
407,760,071✔
1057

1058
    // Add the transform data
1059
    // - Collect transform id and position
1060
    // - Collect identity data, if any
1061
    hash += hashlittle_safe((uint8_t *)&map->transforms.cnt, sizeof(map->transforms.cnt), 0);
407,760,071✔
1062
    for (int i = 0; i < map->transforms.cnt; i++) {
407,989,531✔
1063
        const TransformData *t = &map->transforms.transforms[i];
229,460✔
1064
        int tval = t->transform;
229,460✔
1065
        hash += hashlittle_safe((uint8_t *)&tval, sizeof(tval), 0);
229,460✔
1066
        if (map->xform_id[i].id_data) {
229,460✔
1067
            hash += hashlittle_safe(
62,794✔
1068
                    &map->xform_id[i].id_data_len, sizeof(map->xform_id[i].id_data_len), 0);
62,794✔
1069
            hash += hashlittle_safe(map->xform_id[i].id_data, map->xform_id[i].id_data_len, 0);
62,794✔
1070
        }
62,794✔
1071
    }
229,460✔
1072
    hash %= ht->array_size;
407,760,071✔
1073
    SCLogDebug("map->name %s, hash %d", map->name, hash);
407,760,071!
1074
    return hash;
407,760,071✔
1075
}
407,760,071✔
1076

1077
static uint32_t DetectBufferTypeHashIdFunc(HashListTable *ht, void *data, uint16_t datalen)
1078
{
23,147,383✔
1079
    const DetectBufferType *map = (DetectBufferType *)data;
23,147,383✔
1080
    uint32_t hash = map->id;
23,147,383✔
1081
    hash %= ht->array_size;
23,147,383✔
1082
    return hash;
23,147,383✔
1083
}
23,147,383✔
1084

1085
static char DetectBufferTypeCompareNameFunc(void *data1, uint16_t len1, void *data2, uint16_t len2)
1086
{
418,702,719✔
1087
    DetectBufferType *map1 = (DetectBufferType *)data1;
418,702,719✔
1088
    DetectBufferType *map2 = (DetectBufferType *)data2;
418,702,719✔
1089

1090
    char r = (strcmp(map1->name, map2->name) == 0);
418,702,719✔
1091

1092
    // Compare the transforms
1093
    // the transform supports identity, that data will also be added.
1094
    r &= map1->transforms.cnt == map2->transforms.cnt;
418,702,719✔
1095
    if (r && map1->transforms.cnt) {
418,702,719✔
1096
        for (int i = 0; i < map1->transforms.cnt; i++) {
77,043✔
1097
            if (map1->transforms.transforms[i].transform !=
39,160!
1098
                    map2->transforms.transforms[i].transform) {
39,160✔
1099
                r = 0;
×
1100
                break;
×
1101
            }
×
1102

1103
            SCLogDebug("%s: transform ids match; checking specialized data", map1->name);
39,160!
1104
            // Checks
1105
            // - Both NULL: --> ok, continue
1106
            // - One NULL: --> no match, break?
1107
            // - identity data lengths match: --> ok, continue
1108
            // - identity data matches: ok
1109

1110
            // Stop if only one is NULL
1111
            if ((map1->xform_id[i].id_data == NULL) ^ (map2->xform_id[i].id_data == NULL)) {
39,160!
1112
                SCLogDebug("identity data: only one is null");
89!
1113
                r = 0;
89✔
1114
                break;
89✔
1115
            } else if (map1->xform_id[i].id_data == NULL) { /* continue when both are null */
39,071!
1116
                SCLogDebug("identity data: both null");
39,071!
1117
                r = 1;
39,071✔
1118
                continue;
39,071✔
1119
            } else if (map1->xform_id[i].id_data_len != map2->xform_id[i].id_data_len) {
39,071!
1120
                // Stop when id data lengths aren't equal
1121
                SCLogDebug("id data: unequal lengths");
×
1122
                r = 0;
×
1123
                break;
×
1124
            }
×
1125

1126
            // stop if the identity data is different
1127
            r &= memcmp(map1->xform_id[i].id_data, map2->xform_id[i].id_data,
×
1128
                         map1->xform_id[i].id_data_len) == 0;
×
1129
            if (r == 0)
×
1130
                break;
×
1131
            SCLogDebug("identity data: data matches");
×
1132
        }
×
1133
    }
37,972✔
1134
    return r;
418,702,719✔
1135
}
418,702,719✔
1136

1137
static char DetectBufferTypeCompareIdFunc(void *data1, uint16_t len1, void *data2, uint16_t len2)
1138
{
7,511,475✔
1139
    DetectBufferType *map1 = (DetectBufferType *)data1;
7,511,475✔
1140
    DetectBufferType *map2 = (DetectBufferType *)data2;
7,511,475✔
1141
    return map1->id == map2->id;
7,511,475✔
1142
}
7,511,475✔
1143

1144
static void DetectBufferTypeFreeFunc(void *data)
1145
{
16,010,514✔
1146
    DetectBufferType *map = (DetectBufferType *)data;
16,010,514✔
1147

1148
    if (map == NULL) {
16,010,514!
1149
        return;
×
1150
    }
×
1151

1152
    /* Release transformation option memory, if any */
1153
    for (int i = 0; i < map->transforms.cnt; i++) {
16,105,721✔
1154
        if (map->transforms.transforms[i].options == NULL)
95,207✔
1155
            continue;
32,413✔
1156

1157
        if (sigmatch_table[map->transforms.transforms[i].transform].Free == NULL) {
62,794!
1158
            SCLogError("%s allocates transform option memory but has no free routine",
×
1159
                    sigmatch_table[map->transforms.transforms[i].transform].name);
×
1160
            continue;
×
1161
        }
×
1162
        sigmatch_table[map->transforms.transforms[i].transform].Free(NULL, map->transforms.transforms[i].options);
62,794✔
1163
    }
62,794✔
1164

1165
    SCFree(map);
16,010,514✔
1166
}
16,010,514✔
1167

1168
static int DetectBufferTypeInit(void)
1169
{
2,193✔
1170
    BUG_ON(g_buffer_type_hash);
2,193!
1171
    g_buffer_type_hash = HashListTableInit(256, DetectBufferTypeHashNameFunc,
2,193✔
1172
            DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc);
2,193✔
1173
    if (g_buffer_type_hash == NULL)
2,193!
1174
        return -1;
×
1175

1176
    return 0;
2,193✔
1177
}
2,193✔
1178
#if 0
1179
static void DetectBufferTypeFree(void)
1180
{
1181
    if (g_buffer_type_hash == NULL)
1182
        return;
1183

1184
    HashListTableFree(g_buffer_type_hash);
1185
    g_buffer_type_hash = NULL;
1186
}
1187
#endif
1188
static int DetectBufferTypeAdd(const char *string)
1189
{
899,092✔
1190
    BUG_ON(string == NULL || strlen(string) >= 64);
899,092!
1191

1192
    DetectBufferType *map = SCCalloc(1, sizeof(*map));
899,092✔
1193
    if (map == NULL)
899,092!
1194
        return -1;
×
1195

1196
    strlcpy(map->name, string, sizeof(map->name));
899,092✔
1197
    map->id = g_buffer_type_id++;
899,092✔
1198

1199
    BUG_ON(HashListTableAdd(g_buffer_type_hash, (void *)map, 0) != 0);
899,092!
1200
    SCLogDebug("buffer %s registered with id %d", map->name, map->id);
899,092!
1201
    return map->id;
899,092✔
1202
}
899,092✔
1203

1204
static DetectBufferType *DetectBufferTypeLookupByName(const char *string)
1205
{
390,650,786✔
1206
    DetectBufferType map;
390,650,786✔
1207
    memset(&map, 0, sizeof(map));
390,650,786✔
1208
    strlcpy(map.name, string, sizeof(map.name));
390,650,786✔
1209

1210
    DetectBufferType *res = HashListTableLookup(g_buffer_type_hash, &map, 0);
390,650,786✔
1211
    return res;
390,650,786✔
1212
}
390,650,786✔
1213

1214
int DetectBufferTypeRegister(const char *name)
1215
{
3,565,680✔
1216
    BUG_ON(g_buffer_type_reg_closed);
3,565,680!
1217
    if (g_buffer_type_hash == NULL)
3,565,680✔
1218
        DetectBufferTypeInit();
2,193✔
1219

1220
    DetectBufferType *exists = DetectBufferTypeLookupByName(name);
3,565,680✔
1221
    if (!exists) {
3,565,680✔
1222
        return DetectBufferTypeAdd(name);
899,092✔
1223
    } else {
2,666,588✔
1224
        return exists->id;
2,666,588✔
1225
    }
2,666,588✔
1226
}
3,565,680✔
1227

1228
void DetectBufferTypeSupportsMultiInstance(const char *name)
1229
{
109,650✔
1230
    BUG_ON(g_buffer_type_reg_closed);
109,650!
1231
    DetectBufferTypeRegister(name);
109,650✔
1232
    DetectBufferType *exists = DetectBufferTypeLookupByName(name);
109,650✔
1233
    BUG_ON(!exists);
109,650!
1234
    exists->multi_instance = true;
109,650✔
1235
    SCLogDebug("%p %s -- %d supports multi instance", exists, name, exists->id);
109,650!
1236
}
109,650✔
1237

1238
void DetectBufferTypeSupportsFrames(const char *name)
1239
{
×
1240
    BUG_ON(g_buffer_type_reg_closed);
×
1241
    DetectBufferTypeRegister(name);
×
1242
    DetectBufferType *exists = DetectBufferTypeLookupByName(name);
×
1243
    BUG_ON(!exists);
×
1244
    exists->frame = true;
×
1245
    SCLogDebug("%p %s -- %d supports frame inspection", exists, name, exists->id);
×
1246
}
×
1247

1248
void DetectBufferTypeSupportsPacket(const char *name)
1249
{
19,737✔
1250
    BUG_ON(g_buffer_type_reg_closed);
19,737!
1251
    DetectBufferTypeRegister(name);
19,737✔
1252
    DetectBufferType *exists = DetectBufferTypeLookupByName(name);
19,737✔
1253
    BUG_ON(!exists);
19,737!
1254
    exists->packet = true;
19,737✔
1255
    SCLogDebug("%p %s -- %d supports packet inspection", exists, name, exists->id);
19,737!
1256
}
19,737✔
1257

1258
void DetectBufferTypeSupportsMpm(const char *name)
1259
{
833,308✔
1260
    BUG_ON(g_buffer_type_reg_closed);
833,308!
1261
    DetectBufferTypeRegister(name);
833,308✔
1262
    DetectBufferType *exists = DetectBufferTypeLookupByName(name);
833,308✔
1263
    BUG_ON(!exists);
833,308!
1264
    exists->mpm = true;
833,308✔
1265
    SCLogDebug("%p %s -- %d supports mpm", exists, name, exists->id);
833,308!
1266
}
833,308✔
1267

1268
void DetectBufferTypeSupportsTransformations(const char *name)
1269
{
833,308✔
1270
    BUG_ON(g_buffer_type_reg_closed);
833,308!
1271
    DetectBufferTypeRegister(name);
833,308✔
1272
    DetectBufferType *exists = DetectBufferTypeLookupByName(name);
833,308✔
1273
    BUG_ON(!exists);
833,308!
1274
    exists->supports_transforms = true;
833,308✔
1275
    SCLogDebug("%p %s -- %d supports transformations", exists, name, exists->id);
833,308!
1276
}
833,308✔
1277

1278
int DetectBufferTypeGetByName(const char *name)
1279
{
384,885,655✔
1280
    DetectBufferType *exists = DetectBufferTypeLookupByName(name);
384,885,655✔
1281
    if (!exists) {
384,885,655✔
1282
        return -1;
201,484,876✔
1283
    }
201,484,876✔
1284
    return exists->id;
183,400,779✔
1285
}
384,885,655✔
1286

1287
static DetectBufferType *DetectEngineBufferTypeLookupByName(
1288
        const DetectEngineCtx *de_ctx, const char *string)
1289
{
72,082✔
1290
    DetectBufferType map;
72,082✔
1291
    memset(&map, 0, sizeof(map));
72,082✔
1292
    strlcpy(map.name, string, sizeof(map.name));
72,082✔
1293

1294
    DetectBufferType *res = HashListTableLookup(de_ctx->buffer_type_hash_name, &map, 0);
72,082✔
1295
    return res;
72,082✔
1296
}
72,082✔
1297

1298
const DetectBufferType *DetectEngineBufferTypeGetById(const DetectEngineCtx *de_ctx, const int id)
1299
{
7,112,693✔
1300
    DetectBufferType lookup;
7,112,693✔
1301
    memset(&lookup, 0, sizeof(lookup));
7,112,693✔
1302
    lookup.id = id;
7,112,693✔
1303
    const DetectBufferType *res =
7,112,693✔
1304
            HashListTableLookup(de_ctx->buffer_type_hash_id, (void *)&lookup, 0);
7,112,693✔
1305
    return res;
7,112,693✔
1306
}
7,112,693✔
1307

1308
const char *DetectEngineBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
1309
{
31,016✔
1310
    const DetectBufferType *res = DetectEngineBufferTypeGetById(de_ctx, id);
31,016✔
1311
    return res ? res->name : NULL;
31,016✔
1312
}
31,016✔
1313

1314
static int DetectEngineBufferTypeAdd(DetectEngineCtx *de_ctx, const char *string)
1315
{
3,549✔
1316
    BUG_ON(string == NULL || strlen(string) >= 32);
3,549!
1317

1318
    DetectBufferType *map = SCCalloc(1, sizeof(*map));
3,549✔
1319
    if (map == NULL)
3,549!
1320
        return -1;
×
1321

1322
    strlcpy(map->name, string, sizeof(map->name));
3,549✔
1323
    map->id = de_ctx->buffer_type_id++;
3,549✔
1324

1325
    BUG_ON(HashListTableAdd(de_ctx->buffer_type_hash_name, (void *)map, 0) != 0);
3,549!
1326
    BUG_ON(HashListTableAdd(de_ctx->buffer_type_hash_id, (void *)map, 0) != 0);
3,549!
1327
    SCLogDebug("buffer %s registered with id %d", map->name, map->id);
3,549!
1328
    return map->id;
3,549✔
1329
}
3,549✔
1330

1331
int DetectEngineBufferTypeRegisterWithFrameEngines(DetectEngineCtx *de_ctx, const char *name,
1332
        const int direction, const AppProto alproto, const uint8_t frame_type)
1333
{
36,592✔
1334
    DetectBufferType *exists = DetectEngineBufferTypeLookupByName(de_ctx, name);
36,592✔
1335
    if (exists) {
36,592✔
1336
        return exists->id;
33,043✔
1337
    }
33,043✔
1338

1339
    const int buffer_id = DetectEngineBufferTypeAdd(de_ctx, name);
3,549✔
1340
    if (buffer_id < 0) {
3,549!
1341
        return -1;
×
1342
    }
×
1343

1344
    /* TODO hack we need the map to get the name. Should we return the map at reg? */
1345
    const DetectBufferType *map = DetectEngineBufferTypeGetById(de_ctx, buffer_id);
3,549✔
1346
    BUG_ON(!map);
3,549!
1347

1348
    /* register MPM/inspect engines */
1349
    if (direction & SIG_FLAG_TOSERVER) {
3,549!
1350
        DetectEngineFrameMpmRegister(de_ctx, map->name, SIG_FLAG_TOSERVER, 2,
3,549✔
1351
                PrefilterGenericMpmFrameRegister, alproto, frame_type);
3,549✔
1352
        DetectEngineFrameInspectEngineRegister(de_ctx, map->name, SIG_FLAG_TOSERVER,
3,549✔
1353
                DetectEngineInspectFrameBufferGeneric, alproto, frame_type);
3,549✔
1354
    }
3,549✔
1355
    if (direction & SIG_FLAG_TOCLIENT) {
3,549!
1356
        DetectEngineFrameMpmRegister(de_ctx, map->name, SIG_FLAG_TOCLIENT, 2,
3,549✔
1357
                PrefilterGenericMpmFrameRegister, alproto, frame_type);
3,549✔
1358
        DetectEngineFrameInspectEngineRegister(de_ctx, map->name, SIG_FLAG_TOCLIENT,
3,549✔
1359
                DetectEngineInspectFrameBufferGeneric, alproto, frame_type);
3,549✔
1360
    }
3,549✔
1361

1362
    return buffer_id;
3,549✔
1363
}
3,549✔
1364

1365
int DetectEngineBufferTypeRegister(DetectEngineCtx *de_ctx, const char *name)
1366
{
14,196✔
1367
    DetectBufferType *exists = DetectEngineBufferTypeLookupByName(de_ctx, name);
14,196✔
1368
    if (!exists) {
14,196!
1369
        return DetectEngineBufferTypeAdd(de_ctx, name);
×
1370
    } else {
14,196✔
1371
        return exists->id;
14,196✔
1372
    }
14,196✔
1373
}
14,196✔
1374

1375
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
1376
{
342,076✔
1377
    BUG_ON(desc == NULL || strlen(desc) >= 128);
342,076!
1378

1379
    DetectBufferType *exists = DetectBufferTypeLookupByName(name);
342,076✔
1380
    if (!exists) {
342,076✔
1381
        return;
4,386✔
1382
    }
4,386✔
1383
    strlcpy(exists->description, desc, sizeof(exists->description));
337,690✔
1384
}
337,690✔
1385

1386
const char *DetectEngineBufferTypeGetDescriptionById(const DetectEngineCtx *de_ctx, const int id)
1387
{
985✔
1388
    const DetectBufferType *exists = DetectEngineBufferTypeGetById(de_ctx, id);
985✔
1389
    if (!exists) {
985!
1390
        return NULL;
×
1391
    }
×
1392
    return exists->description;
985✔
1393
}
985✔
1394

1395
void DetectEngineBufferTypeSupportsFrames(DetectEngineCtx *de_ctx, const char *name)
1396
{
7,098✔
1397
    DetectBufferType *exists = DetectEngineBufferTypeLookupByName(de_ctx, name);
7,098✔
1398
    BUG_ON(!exists);
7,098!
1399
    exists->frame = true;
7,098✔
1400
    SCLogDebug("%p %s -- %d supports frame inspection", exists, name, exists->id);
7,098!
1401
}
7,098✔
1402

1403
void DetectEngineBufferTypeSupportsPacket(DetectEngineCtx *de_ctx, const char *name)
1404
{
×
1405
    DetectBufferType *exists = DetectEngineBufferTypeLookupByName(de_ctx, name);
×
1406
    BUG_ON(!exists);
×
1407
    exists->packet = true;
×
1408
    SCLogDebug("%p %s -- %d supports packet inspection", exists, name, exists->id);
×
1409
}
×
1410

1411
void DetectEngineBufferTypeSupportsMpm(DetectEngineCtx *de_ctx, const char *name)
1412
{
7,098✔
1413
    DetectBufferType *exists = DetectEngineBufferTypeLookupByName(de_ctx, name);
7,098✔
1414
    BUG_ON(!exists);
7,098!
1415
    exists->mpm = true;
7,098✔
1416
    SCLogDebug("%p %s -- %d supports mpm", exists, name, exists->id);
7,098!
1417
}
7,098✔
1418

1419
void DetectEngineBufferTypeSupportsTransformations(DetectEngineCtx *de_ctx, const char *name)
1420
{
7,098✔
1421
    DetectBufferType *exists = DetectEngineBufferTypeLookupByName(de_ctx, name);
7,098✔
1422
    BUG_ON(!exists);
7,098!
1423
    exists->supports_transforms = true;
7,098✔
1424
    SCLogDebug("%p %s -- %d supports transformations", exists, name, exists->id);
7,098!
1425
}
7,098✔
1426

1427
bool DetectEngineBufferTypeSupportsMultiInstanceGetById(const DetectEngineCtx *de_ctx, const int id)
1428
{
655,065✔
1429
    const DetectBufferType *map = DetectEngineBufferTypeGetById(de_ctx, id);
655,065✔
1430
    if (map == NULL)
655,065!
1431
        return false;
×
1432
    SCLogDebug("map %p id %d multi_instance? %s", map, id, BOOL2STR(map->multi_instance));
655,065!
1433
    return map->multi_instance;
655,065✔
1434
}
655,065✔
1435

1436
bool DetectEngineBufferTypeSupportsPacketGetById(const DetectEngineCtx *de_ctx, const int id)
1437
{
683,418✔
1438
    const DetectBufferType *map = DetectEngineBufferTypeGetById(de_ctx, id);
683,418✔
1439
    if (map == NULL)
683,418!
1440
        return false;
×
1441
    SCLogDebug("map %p id %d packet? %d", map, id, map->packet);
683,418!
1442
    return map->packet;
683,418✔
1443
}
683,418✔
1444

1445
bool DetectEngineBufferTypeSupportsMpmGetById(const DetectEngineCtx *de_ctx, const int id)
1446
{
1,248,946✔
1447
    const DetectBufferType *map = DetectEngineBufferTypeGetById(de_ctx, id);
1,248,946✔
1448
    if (map == NULL)
1,248,946✔
1449
        return false;
460,033✔
1450
    SCLogDebug("map %p id %d mpm? %d", map, id, map->mpm);
788,913!
1451
    return map->mpm;
788,913✔
1452
}
1,248,946✔
1453

1454
bool DetectEngineBufferTypeSupportsFramesGetById(const DetectEngineCtx *de_ctx, const int id)
1455
{
673,387✔
1456
    const DetectBufferType *map = DetectEngineBufferTypeGetById(de_ctx, id);
673,387✔
1457
    if (map == NULL)
673,387!
1458
        return false;
×
1459
    SCLogDebug("map %p id %d frame? %d", map, id, map->frame);
673,387!
1460
    return map->frame;
673,387✔
1461
}
673,387✔
1462

1463
void DetectBufferTypeRegisterSetupCallback(const char *name,
1464
        void (*SetupCallback)(const DetectEngineCtx *, Signature *, const DetectBufferType *))
1465
{
26,316✔
1466
    BUG_ON(g_buffer_type_reg_closed);
26,316!
1467
    DetectBufferTypeRegister(name);
26,316✔
1468
    DetectBufferType *exists = DetectBufferTypeLookupByName(name);
26,316✔
1469
    BUG_ON(!exists);
26,316!
1470
    exists->SetupCallback = SetupCallback;
26,316✔
1471
}
26,316✔
1472

1473
void DetectEngineBufferRunSetupCallback(const DetectEngineCtx *de_ctx, const int id, Signature *s)
1474
{
1,565,415✔
1475
    const DetectBufferType *map = DetectEngineBufferTypeGetById(de_ctx, id);
1,565,415✔
1476
    if (map && map->SetupCallback) {
1,565,415✔
1477
        map->SetupCallback(de_ctx, s, map);
194,207✔
1478
    }
194,207✔
1479
}
1,565,415✔
1480

1481
void DetectBufferTypeRegisterValidateCallback(
1482
        const char *name, bool (*ValidateCallback)(const Signature *, const char **sigerror,
1483
                                  const DetectBufferType *))
1484
{
35,056✔
1485
    BUG_ON(g_buffer_type_reg_closed);
35,056!
1486
    DetectBufferTypeRegister(name);
35,056✔
1487
    DetectBufferType *exists = DetectBufferTypeLookupByName(name);
35,056✔
1488
    BUG_ON(!exists);
35,056!
1489
    exists->ValidateCallback = ValidateCallback;
35,056✔
1490
}
35,056✔
1491

1492
bool DetectEngineBufferRunValidateCallback(
1493
        const DetectEngineCtx *de_ctx, const int id, const Signature *s, const char **sigerror)
1494
{
708,972✔
1495
    const DetectBufferType *map = DetectEngineBufferTypeGetById(de_ctx, id);
708,972✔
1496
    // only run validation if the buffer is not transformed
1497
    if (map && map->ValidateCallback && map->transforms.cnt == 0) {
708,972!
1498
        return map->ValidateCallback(s, sigerror, map);
213,572✔
1499
    }
213,572✔
1500
    return true;
495,400✔
1501
}
708,972✔
1502

1503
bool DetectBufferIsPresent(const Signature *s, const uint32_t buf_id)
1504
{
3✔
1505
    for (uint32_t i = 0; i < s->init_data->buffer_index; i++) {
3!
1506
        if (buf_id == s->init_data->buffers[i].id) {
×
1507
            return true;
×
1508
        }
×
1509
    }
×
1510
    return false;
3✔
1511
}
3✔
1512

1513
/** \brief Check content byte array compatibility with transforms
1514
 *
1515
 *  The "content" array is presented to the transforms so that each
1516
 *  transform may validate that it's compatible with the transform.
1517
 *
1518
 *  When a transform indicates the byte array is incompatible, none of the
1519
 *  subsequent transforms, if any, are invoked. This means the first validation
1520
 *  failure terminates the loop.
1521
 *
1522
 *  \param de_ctx Detection engine context.
1523
 *  \param sm_list The SM list id.
1524
 *  \param content The byte array being validated
1525
 *  \param namestr returns the name of the transform that is incompatible with
1526
 *  content.
1527
 *
1528
 *  \retval true (false) If any of the transforms indicate the byte array is
1529
 *  (is not) compatible.
1530
 **/
1531
bool DetectEngineBufferTypeValidateTransform(DetectEngineCtx *de_ctx, int sm_list,
1532
        const uint8_t *content, uint16_t content_len, const char **namestr)
1533
{
453,017✔
1534
    const DetectBufferType *dbt = DetectEngineBufferTypeGetById(de_ctx, sm_list);
453,017✔
1535
    BUG_ON(dbt == NULL);
453,017!
1536

1537
    for (int i = 0; i < dbt->transforms.cnt; i++) {
580,537✔
1538
        const TransformData *t = &dbt->transforms.transforms[i];
133,020✔
1539
        if (!sigmatch_table[t->transform].TransformValidate)
133,020✔
1540
            continue;
95,213✔
1541

1542
        if (sigmatch_table[t->transform].TransformValidate(content, content_len, t->options)) {
37,807✔
1543
            continue;
32,307✔
1544
        }
32,307✔
1545

1546
        if (namestr) {
5,500!
1547
            *namestr = sigmatch_table[t->transform].name;
5,500✔
1548
        }
5,500✔
1549

1550
        return false;
5,500✔
1551
    }
37,807✔
1552

1553
    return true;
447,517✔
1554
}
453,017✔
1555

1556
static void DetectBufferTypeSetupDetectEngine(DetectEngineCtx *de_ctx)
1557
{
38,854✔
1558
    const int size = g_buffer_type_id;
38,854✔
1559
    BUG_ON(!(size > 0));
38,854!
1560

1561
    de_ctx->buffer_type_hash_name = HashListTableInit(256, DetectBufferTypeHashNameFunc,
38,854✔
1562
            DetectBufferTypeCompareNameFunc, DetectBufferTypeFreeFunc);
38,854✔
1563
    BUG_ON(de_ctx->buffer_type_hash_name == NULL);
38,854!
1564
    de_ctx->buffer_type_hash_id =
38,854✔
1565
            HashListTableInit(256, DetectBufferTypeHashIdFunc, DetectBufferTypeCompareIdFunc,
38,854✔
1566
                    NULL); // entries owned by buffer_type_hash_name
38,854✔
1567
    BUG_ON(de_ctx->buffer_type_hash_id == NULL);
38,854!
1568
    de_ctx->buffer_type_id = g_buffer_type_id;
38,854✔
1569

1570
    SCLogDebug("DETECT_SM_LIST_DYNAMIC_START %u", DETECT_SM_LIST_DYNAMIC_START);
38,854!
1571
    HashListTableBucket *b = HashListTableGetListHead(g_buffer_type_hash);
38,854✔
1572
    while (b) {
16,004,436✔
1573
        DetectBufferType *map = HashListTableGetListData(b);
15,965,592✔
1574

1575
        DetectBufferType *copy = SCCalloc(1, sizeof(*copy));
15,965,592✔
1576
        BUG_ON(!copy);
15,965,592!
1577
        memcpy(copy, map, sizeof(*copy));
15,965,562✔
1578
        int r = HashListTableAdd(de_ctx->buffer_type_hash_name, (void *)copy, 0);
15,965,562✔
1579
        BUG_ON(r != 0);
15,965,562!
1580
        r = HashListTableAdd(de_ctx->buffer_type_hash_id, (void *)copy, 0);
15,965,583✔
1581
        BUG_ON(r != 0);
15,965,583!
1582

1583
        SCLogDebug("name %s id %d mpm %s packet %s -- %s. "
15,965,582!
1584
                   "Callbacks: Setup %p Validate %p",
15,965,582✔
1585
                map->name, map->id, map->mpm ? "true" : "false", map->packet ? "true" : "false",
15,965,582✔
1586
                map->description, map->SetupCallback, map->ValidateCallback);
15,965,582✔
1587
        b = HashListTableGetListNext(b);
15,965,582✔
1588
    }
15,965,582✔
1589

1590
    PrefilterInit(de_ctx);
38,844✔
1591
    DetectMpmInitializeAppMpms(de_ctx);
38,844✔
1592
    DetectAppLayerInspectEngineCopyListToDetectCtx(de_ctx);
38,844✔
1593
    DetectMpmInitializeFrameMpms(de_ctx);
38,844✔
1594
    DetectFrameInspectEngineCopyListToDetectCtx(de_ctx);
38,844✔
1595
    DetectMpmInitializePktMpms(de_ctx);
38,844✔
1596
    DetectPktInspectEngineCopyListToDetectCtx(de_ctx);
38,844✔
1597
}
38,844✔
1598

1599
static void DetectBufferTypeFreeDetectEngine(DetectEngineCtx *de_ctx)
1600
{
38,798✔
1601
    if (de_ctx) {
38,798!
1602
        if (de_ctx->buffer_type_hash_name)
38,798✔
1603
            HashListTableFree(de_ctx->buffer_type_hash_name);
38,795✔
1604
        if (de_ctx->buffer_type_hash_id)
38,798✔
1605
            HashListTableFree(de_ctx->buffer_type_hash_id);
38,795✔
1606

1607
        DetectEngineAppInspectionEngine *ilist = de_ctx->app_inspect_engines;
38,798✔
1608
        while (ilist) {
27,255,247✔
1609
            DetectEngineAppInspectionEngine *next = ilist->next;
27,216,449✔
1610
            SCFree(ilist);
27,216,449✔
1611
            ilist = next;
27,216,449✔
1612
        }
27,216,449✔
1613
        DetectBufferMpmRegistry *mlist = de_ctx->app_mpms_list;
38,798✔
1614
        while (mlist) {
15,034,822✔
1615
            DetectBufferMpmRegistry *next = mlist->next;
14,996,024✔
1616
            SCFree(mlist);
14,996,024✔
1617
            mlist = next;
14,996,024✔
1618
        }
14,996,024✔
1619
        DetectEnginePktInspectionEngine *plist = de_ctx->pkt_inspect_engines;
38,798✔
1620
        while (plist) {
389,474✔
1621
            DetectEnginePktInspectionEngine *next = plist->next;
350,676✔
1622
            SCFree(plist);
350,676✔
1623
            plist = next;
350,676✔
1624
        }
350,676✔
1625
        DetectBufferMpmRegistry *pmlist = de_ctx->pkt_mpms_list;
38,798✔
1626
        while (pmlist) {
389,474✔
1627
            DetectBufferMpmRegistry *next = pmlist->next;
350,676✔
1628
            SCFree(pmlist);
350,676✔
1629
            pmlist = next;
350,676✔
1630
        }
350,676✔
1631
        DetectEngineFrameInspectionEngine *framelist = de_ctx->frame_inspect_engines;
38,798✔
1632
        while (framelist) {
46,678✔
1633
            DetectEngineFrameInspectionEngine *next = framelist->next;
7,880✔
1634
            SCFree(framelist);
7,880✔
1635
            framelist = next;
7,880✔
1636
        }
7,880✔
1637
        DetectBufferMpmRegistry *framemlist = de_ctx->frame_mpms_list;
38,798✔
1638
        while (framemlist) {
46,678✔
1639
            DetectBufferMpmRegistry *next = framemlist->next;
7,880✔
1640
            SCFree(framemlist);
7,880✔
1641
            framemlist = next;
7,880✔
1642
        }
7,880✔
1643
        PrefilterDeinit(de_ctx);
38,798✔
1644
    }
38,798✔
1645
}
38,798✔
1646

1647
void DetectBufferTypeCloseRegistration(void)
1648
{
2,193✔
1649
    BUG_ON(g_buffer_type_hash == NULL);
2,193!
1650

1651
    g_buffer_type_reg_closed = 1;
2,193✔
1652
}
2,193✔
1653

1654
int DetectEngineBufferTypeGetByIdTransforms(
1655
        DetectEngineCtx *de_ctx, const int id, TransformData *transforms, int transform_cnt)
1656
{
103,445✔
1657
    const DetectBufferType *base_map = DetectEngineBufferTypeGetById(de_ctx, id);
103,445✔
1658
    if (!base_map) {
103,445!
1659
        return -1;
×
1660
    }
×
1661
    if (!base_map->supports_transforms) {
103,445!
1662
        SCLogError("buffer '%s' does not support transformations", base_map->name);
×
1663
        return -1;
×
1664
    }
×
1665

1666
    SCLogDebug("base_map %s", base_map->name);
103,445!
1667

1668
    DetectEngineTransforms t;
103,445✔
1669
    memset(&t, 0, sizeof(t));
103,445✔
1670
    for (int i = 0; i < transform_cnt; i++) {
237,682✔
1671
        t.transforms[i] = transforms[i];
134,237✔
1672
    }
134,237✔
1673
    t.cnt = transform_cnt;
103,445✔
1674

1675
    DetectBufferType lookup_map;
103,445✔
1676
    memset(&lookup_map, 0, sizeof(lookup_map));
103,445✔
1677
    strlcpy(lookup_map.name, base_map->name, sizeof(lookup_map.name));
103,445✔
1678
    lookup_map.transforms = t;
103,445✔
1679

1680
    /* Add transform identity data from transforms */
1681
    if (t.cnt) {
103,445!
1682
        DetectBufferAddTransformData(&lookup_map);
103,445✔
1683
    }
103,445✔
1684
    DetectBufferType *res = HashListTableLookup(de_ctx->buffer_type_hash_name, &lookup_map, 0);
103,445✔
1685

1686
    SCLogDebug("res %p", res);
103,445!
1687
    if (res != NULL) {
103,445✔
1688
        return res->id;
37,883✔
1689
    }
37,883✔
1690

1691
    DetectBufferType *map = SCCalloc(1, sizeof(*map));
65,562✔
1692
    if (map == NULL)
65,562!
1693
        return -1;
×
1694

1695
    strlcpy(map->name, base_map->name, sizeof(map->name));
65,562✔
1696
    map->id = de_ctx->buffer_type_id++;
65,562✔
1697
    map->parent_id = base_map->id;
65,562✔
1698
    map->transforms = t;
65,562✔
1699
    map->mpm = base_map->mpm;
65,562✔
1700
    map->packet = base_map->packet;
65,562✔
1701
    map->frame = base_map->frame;
65,562✔
1702
    map->SetupCallback = base_map->SetupCallback;
65,562✔
1703
    map->ValidateCallback = base_map->ValidateCallback;
65,562✔
1704
    if (map->frame) {
65,562✔
1705
        DetectFrameMpmRegisterByParentId(de_ctx, map->id, map->parent_id, &map->transforms);
391✔
1706
    } else if (map->packet) {
65,171✔
1707
        DetectPktMpmRegisterByParentId(de_ctx,
1,522✔
1708
                map->id, map->parent_id, &map->transforms);
1,522✔
1709
    } else {
63,649✔
1710
        DetectAppLayerMpmRegisterByParentId(de_ctx,
63,649✔
1711
                map->id, map->parent_id, &map->transforms);
63,649✔
1712
    }
63,649✔
1713

1714
    BUG_ON(HashListTableAdd(de_ctx->buffer_type_hash_name, (void *)map, 0) != 0);
65,562!
1715
    BUG_ON(HashListTableAdd(de_ctx->buffer_type_hash_id, (void *)map, 0) != 0);
65,562!
1716
    SCLogDebug("buffer %s registered with id %d, parent %d", map->name, map->id, map->parent_id);
65,562!
1717

1718
    if (map->frame) {
65,562✔
1719
        DetectFrameInspectEngineCopy(de_ctx, map->parent_id, map->id, &map->transforms);
391✔
1720
    } else if (map->packet) {
65,171✔
1721
        DetectPktInspectEngineCopy(de_ctx, map->parent_id, map->id, &map->transforms);
1,522✔
1722
    } else {
63,649✔
1723
        DetectAppLayerInspectEngineCopy(de_ctx, map->parent_id, map->id, &map->transforms);
63,649✔
1724
    }
63,649✔
1725
    return map->id;
65,562✔
1726
}
65,562✔
1727

1728
/* returns false if no match, true if match */
1729
static int DetectEngineInspectRulePacketMatches(
1730
    DetectEngineThreadCtx *det_ctx,
1731
    const DetectEnginePktInspectionEngine *engine,
1732
    const Signature *s,
1733
    Packet *p, uint8_t *_alert_flags)
1734
{
1,423,432✔
1735
    SCEnter();
1,423,432✔
1736

1737
    /* run the packet match functions */
1738
    KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_MATCH);
1,423,432✔
1739
    const SigMatchData *smd = s->sm_arrays[DETECT_SM_LIST_MATCH];
1,423,432✔
1740

1741
    SCLogDebug("running match functions, sm %p", smd);
1,423,432!
1742
    while (1) {
1,442,445!
1743
        KEYWORD_PROFILING_START;
1,442,429✔
1744
        if (sigmatch_table[smd->type].Match(det_ctx, p, s, smd->ctx) <= 0) {
1,442,429✔
1745
            KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
305,429✔
1746
            SCLogDebug("no match");
305,429!
1747
            return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
305,429✔
1748
        }
305,429✔
1749
        KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
1,137,000✔
1750
        if (smd->is_last) {
1,137,000✔
1751
            SCLogDebug("match and is_last");
1,117,987!
1752
            break;
1,117,987✔
1753
        }
1,117,987✔
1754
        smd++;
19,013✔
1755
    }
19,013✔
1756
    return DETECT_ENGINE_INSPECT_SIG_MATCH;
1,118,003✔
1757
}
1,423,432✔
1758

1759
static int DetectEngineInspectRulePayloadMatches(
1760
     DetectEngineThreadCtx *det_ctx,
1761
     const DetectEnginePktInspectionEngine *engine,
1762
     const Signature *s, Packet *p, uint8_t *alert_flags)
1763
{
62,543✔
1764
    SCEnter();
62,543✔
1765

1766
    DetectEngineCtx *de_ctx = det_ctx->de_ctx;
62,543✔
1767

1768
    KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_PMATCH);
62,543✔
1769
    /* if we have stream msgs, inspect against those first,
1770
     * but not for a "dsize" signature */
1771
    if (s->flags & SIG_FLAG_REQUIRE_STREAM) {
62,543✔
1772
        int pmatch = 0;
36,410✔
1773
        if (p->flags & PKT_DETECT_HAS_STREAMDATA) {
36,410✔
1774
            pmatch = DetectEngineInspectStreamPayload(de_ctx, det_ctx, s, p->flow, p);
9,923✔
1775
            if (pmatch) {
9,923✔
1776
                *alert_flags |= PACKET_ALERT_FLAG_STREAM_MATCH;
1,198✔
1777
            }
1,198✔
1778
        }
9,923✔
1779
        /* no match? then inspect packet payload */
1780
        if (pmatch == 0) {
36,410✔
1781
            SCLogDebug("no match in stream, fall back to packet payload");
35,212!
1782

1783
            /* skip if we don't have to inspect the packet and segment was
1784
             * added to stream */
1785
            if (!(s->flags & SIG_FLAG_REQUIRE_PACKET) && (p->flags & PKT_STREAM_ADD)) {
35,212✔
1786
                return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
22,179✔
1787
            }
22,179✔
1788
            if (s->flags & SIG_FLAG_REQUIRE_STREAM_ONLY) {
13,033✔
1789
                SCLogDebug("SIG_FLAG_REQUIRE_STREAM_ONLY, so no match");
4!
1790
                return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
4✔
1791
            }
4✔
1792
            if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, p) != 1) {
13,029✔
1793
                return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
10,974✔
1794
            }
10,974✔
1795
        }
13,029✔
1796
    } else {
44,158✔
1797
        if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, p) != 1) {
26,133✔
1798
            return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
21,316✔
1799
        }
21,316✔
1800
    }
26,133✔
1801
    return DETECT_ENGINE_INSPECT_SIG_MATCH;
8,070✔
1802
}
62,543✔
1803

1804
bool DetectEnginePktInspectionRun(ThreadVars *tv,
1805
        DetectEngineThreadCtx *det_ctx, const Signature *s,
1806
        Flow *f, Packet *p,
1807
        uint8_t *alert_flags)
1808
{
2,319,856✔
1809
    SCEnter();
2,319,856✔
1810

1811
    for (DetectEnginePktInspectionEngine *e = s->pkt_inspect; e != NULL; e = e->next) {
3,449,955✔
1812
        if (e->v1.Callback(det_ctx, e, s, p, alert_flags) != DETECT_ENGINE_INSPECT_SIG_MATCH) {
1,493,742✔
1813
            SCLogDebug("sid %u: e %p Callback returned no match", s->id, e);
363,643!
1814
            return false;
363,643✔
1815
        }
363,643✔
1816
        SCLogDebug("sid %u: e %p Callback returned true", s->id, e);
1,130,099!
1817
    }
1,130,099✔
1818

1819
    SCLogDebug("sid %u: returning true", s->id);
1,956,213!
1820
    return true;
1,956,213✔
1821
}
2,319,856✔
1822

1823
/**
1824
 * \param data pointer to SigMatchData. Allowed to be NULL.
1825
 */
1826
static int DetectEnginePktInspectionAppend(Signature *s, InspectionBufferPktInspectFunc Callback,
1827
        SigMatchData *data, const int list_id)
1828
{
129,822✔
1829
    DetectEnginePktInspectionEngine *e = SCCalloc(1, sizeof(*e));
129,822✔
1830
    if (e == NULL)
129,822!
1831
        return -1;
×
1832

1833
    e->mpm = s->init_data->mpm_sm_list == list_id;
129,822✔
1834
    DEBUG_VALIDATE_BUG_ON(list_id < 0 || list_id > UINT16_MAX);
129,822✔
1835
    e->sm_list = (uint16_t)list_id;
129,822✔
1836
    e->sm_list_base = (uint16_t)list_id;
129,822✔
1837
    e->v1.Callback = Callback;
129,822✔
1838
    e->smd = data;
129,822✔
1839

1840
    if (s->pkt_inspect == NULL) {
129,822✔
1841
        s->pkt_inspect = e;
117,763✔
1842
    } else {
117,772✔
1843
        DetectEnginePktInspectionEngine *a = s->pkt_inspect;
12,059✔
1844
        while (a->next != NULL) {
12,199!
1845
            a = a->next;
140✔
1846
        }
140✔
1847
        a->next = e;
12,059✔
1848
    }
12,059✔
1849
    return 0;
129,822✔
1850
}
129,822✔
1851

1852
int DetectEnginePktInspectionSetup(Signature *s)
1853
{
266,029✔
1854
    /* only handle PMATCH here if we're not an app inspect rule */
1855
    if (s->sm_arrays[DETECT_SM_LIST_PMATCH] && (s->init_data->init_flags & SIG_FLAG_INIT_STATE_MATCH) == 0) {
266,029!
1856
        if (DetectEnginePktInspectionAppend(
25,519!
1857
                    s, DetectEngineInspectRulePayloadMatches, NULL, DETECT_SM_LIST_PMATCH) < 0)
25,519✔
1858
            return -1;
×
1859
        SCLogDebug("sid %u: DetectEngineInspectRulePayloadMatches appended", s->id);
25,519!
1860
    }
25,519✔
1861

1862
    if (s->sm_arrays[DETECT_SM_LIST_MATCH]) {
266,029✔
1863
        if (DetectEnginePktInspectionAppend(
104,303!
1864
                    s, DetectEngineInspectRulePacketMatches, NULL, DETECT_SM_LIST_MATCH) < 0)
104,303✔
1865
            return -1;
×
1866
        SCLogDebug("sid %u: DetectEngineInspectRulePacketMatches appended", s->id);
104,303!
1867
    }
104,303✔
1868

1869
    return 0;
266,029✔
1870
}
266,029✔
1871

1872
/* code to control the main thread to do a reload */
1873

1874
enum DetectEngineSyncState {
1875
    IDLE,   /**< ready to start a reload */
1876
    RELOAD, /**< command main thread to do the reload */
1877
};
1878

1879

1880
typedef struct DetectEngineSyncer_ {
1881
    SCMutex m;
1882
    enum DetectEngineSyncState state;
1883
} DetectEngineSyncer;
1884

1885
static DetectEngineSyncer detect_sync = { SCMUTEX_INITIALIZER, IDLE };
1886

1887
/* tell main to start reloading */
1888
int DetectEngineReloadStart(void)
1889
{
8✔
1890
    int r = 0;
8✔
1891
    SCMutexLock(&detect_sync.m);
8✔
1892
    if (detect_sync.state == IDLE) {
8!
1893
        detect_sync.state = RELOAD;
8✔
1894
    } else {
8✔
1895
        r = -1;
×
1896
    }
×
1897
    SCMutexUnlock(&detect_sync.m);
8✔
1898
    return r;
8✔
1899
}
8✔
1900

1901
/* main thread checks this to see if it should start */
1902
int DetectEngineReloadIsStart(void)
1903
{
94,095✔
1904
    int r = 0;
94,095✔
1905
    SCMutexLock(&detect_sync.m);
94,095✔
1906
    if (detect_sync.state == RELOAD) {
94,095!
1907
        r = 1;
8✔
1908
    }
8✔
1909
    SCMutexUnlock(&detect_sync.m);
94,095✔
1910
    return r;
94,095✔
1911
}
94,095✔
1912

1913
/* main thread sets done when it's done */
1914
void DetectEngineReloadSetIdle(void)
1915
{
8✔
1916
    SCMutexLock(&detect_sync.m);
8✔
1917
    detect_sync.state = IDLE;
8✔
1918
    SCMutexUnlock(&detect_sync.m);
8✔
1919
}
8✔
1920

1921
/* caller loops this until it returns 1 */
1922
int DetectEngineReloadIsIdle(void)
1923
{
5,466✔
1924
    int r = 0;
5,466✔
1925
    SCMutexLock(&detect_sync.m);
5,466✔
1926
    if (detect_sync.state == IDLE) {
5,466!
1927
        r = 1;
8✔
1928
    }
8✔
1929
    SCMutexUnlock(&detect_sync.m);
5,466✔
1930
    return r;
5,466✔
1931
}
5,466✔
1932

1933
/** \brief Do the content inspection & validation for a signature
1934
 *
1935
 *  \param de_ctx Detection engine context
1936
 *  \param det_ctx Detection engine thread context
1937
 *  \param s Signature to inspect
1938
 *  \param sm SigMatch to inspect
1939
 *  \param f Flow
1940
 *  \param flags app layer flags
1941
 *  \param state App layer state
1942
 *
1943
 *  \retval 0 no match
1944
 *  \retval 1 match
1945
 */
1946
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
1947
        const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
1948
        uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
1949
{
98,069✔
1950
    SigMatchData *smd = engine->smd;
98,069✔
1951
    SCLogDebug("running match functions, sm %p", smd);
98,069!
1952
    if (smd != NULL) {
98,070✔
1953
        while (1) {
98,882!
1954
            int match = 0;
98,881✔
1955
            KEYWORD_PROFILING_START;
98,881✔
1956
            match = sigmatch_table[smd->type].
98,881✔
1957
                AppLayerTxMatch(det_ctx, f, flags, alstate, txv, s, smd->ctx);
98,881✔
1958
            KEYWORD_PROFILING_END(det_ctx, smd->type, (match == 1));
98,881✔
1959
            if (match == 0)
98,881✔
1960
                return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
72,933✔
1961
            if (match == 2) {
25,948!
1962
                return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
×
1963
            }
×
1964

1965
            if (smd->is_last)
25,948✔
1966
                break;
25,136✔
1967
            smd++;
812✔
1968
        }
812✔
1969
    }
98,070✔
1970

1971
    return DETECT_ENGINE_INSPECT_SIG_MATCH;
25,136✔
1972
}
98,069✔
1973

1974
/**
1975
 * \brief Do the content inspection & validation for a signature
1976
 *
1977
 * \param de_ctx Detection engine context
1978
 * \param det_ctx Detection engine thread context
1979
 * \param s Signature to inspect
1980
 * \param f Flow
1981
 * \param flags app layer flags
1982
 * \param state App layer state
1983
 *
1984
 * \retval 0 no match.
1985
 * \retval 1 match.
1986
 * \retval 2 Sig can't match.
1987
 */
1988
uint8_t DetectEngineInspectBufferSingle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
1989
        const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
1990
        void *alstate, void *txv, uint64_t tx_id)
1991
{
1,692✔
1992
    const int list_id = engine->sm_list;
1,692✔
1993
    SCLogDebug("running inspect on %d", list_id);
1,692!
1994

1995
    const bool eof =
1,692✔
1996
            (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) > engine->progress);
1,692✔
1997

1998
    SCLogDebug("list %d mpm? %s transforms %p", engine->sm_list, engine->mpm ? "true" : "false",
1,692!
1999
            engine->v2.transforms);
1,692✔
2000

2001
    /* if prefilter didn't already run, we need to consider transformations */
2002
    const DetectEngineTransforms *transforms = NULL;
1,692✔
2003
    if (!engine->mpm) {
1,692✔
2004
        transforms = engine->v2.transforms;
201✔
2005
    }
201✔
2006

2007
    const InspectionBuffer *buffer = DetectGetSingleData(
1,692✔
2008
            det_ctx, transforms, f, flags, txv, list_id, engine->v2.GetDataSingle);
1,692✔
2009
    if (unlikely(buffer == NULL)) {
1,692✔
2010
        if (eof && engine->match_on_null) {
100!
2011
            return DETECT_ENGINE_INSPECT_SIG_MATCH;
×
2012
        }
×
2013
        return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH : DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
100!
2014
    }
100✔
2015

2016
    const uint32_t data_len = buffer->inspect_len;
1,592✔
2017
    const uint8_t *data = buffer->inspect;
1,592✔
2018
    const uint64_t offset = buffer->inspect_offset;
1,592✔
2019

2020
    uint8_t ci_flags = eof ? DETECT_CI_FLAGS_END : 0;
1,592✔
2021
    ci_flags |= (offset == 0 ? DETECT_CI_FLAGS_START : 0);
1,592!
2022
    ci_flags |= buffer->flags;
1,592✔
2023

2024
    /* Inspect all the uricontents fetched on each
2025
     * transaction at the app layer */
2026
    const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, data,
1,592✔
2027
            data_len, offset, ci_flags, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
1,592✔
2028
    if (match) {
1,592✔
2029
        return DETECT_ENGINE_INSPECT_SIG_MATCH;
1,583✔
2030
    } else {
1,583✔
2031
        return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH : DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
9✔
2032
    }
9✔
2033
}
1,592✔
2034

2035
/**
2036
 * \brief Do the content inspection & validation for a signature
2037
 *
2038
 * \param de_ctx Detection engine context
2039
 * \param det_ctx Detection engine thread context
2040
 * \param s Signature to inspect
2041
 * \param f Flow
2042
 * \param flags app layer flags
2043
 * \param state App layer state
2044
 *
2045
 * \retval 0 no match.
2046
 * \retval 1 match.
2047
 * \retval 2 Sig can't match.
2048
 */
2049
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
2050
        const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
2051
        void *alstate, void *txv, uint64_t tx_id)
2052
{
23,388✔
2053
    const int list_id = engine->sm_list;
23,388✔
2054
    SCLogDebug("running inspect on %d", list_id);
23,388!
2055

2056
    const bool eof = (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) > engine->progress);
23,388✔
2057

2058
    SCLogDebug("list %d mpm? %s transforms %p",
23,388!
2059
            engine->sm_list, engine->mpm ? "true" : "false", engine->v2.transforms);
23,388✔
2060

2061
    /* if prefilter didn't already run, we need to consider transformations */
2062
    const DetectEngineTransforms *transforms = NULL;
23,388✔
2063
    if (!engine->mpm) {
23,388✔
2064
        transforms = engine->v2.transforms;
7,956✔
2065
    }
7,956✔
2066

2067
    const InspectionBuffer *buffer = engine->v2.GetData(det_ctx, transforms,
23,388✔
2068
            f, flags, txv, list_id);
23,388✔
2069
    if (unlikely(buffer == NULL)) {
23,388✔
2070
        if (eof && engine->match_on_null) {
491✔
2071
            return DETECT_ENGINE_INSPECT_SIG_MATCH;
5✔
2072
        }
5✔
2073
        return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH :
486✔
2074
                     DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
486✔
2075
    }
491✔
2076

2077
    const uint32_t data_len = buffer->inspect_len;
22,897✔
2078
    const uint8_t *data = buffer->inspect;
22,897✔
2079
    const uint64_t offset = buffer->inspect_offset;
22,897✔
2080

2081
    uint8_t ci_flags = eof ? DETECT_CI_FLAGS_END : 0;
22,897✔
2082
    ci_flags |= (offset == 0 ? DETECT_CI_FLAGS_START : 0);
2,147,489,590!
2083
    ci_flags |= buffer->flags;
22,897✔
2084

2085
    /* Inspect all the uricontents fetched on each
2086
     * transaction at the app layer */
2087
    const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, data,
22,897✔
2088
            data_len, offset, ci_flags, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
22,897✔
2089
    if (match) {
22,897✔
2090
        return DETECT_ENGINE_INSPECT_SIG_MATCH;
11,527✔
2091
    } else {
15,641✔
2092
        return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH :
11,370✔
2093
                     DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
11,370✔
2094
    }
11,370✔
2095
}
22,897✔
2096

2097
// wrapper for both DetectAppLayerInspectEngineRegister and DetectAppLayerMpmRegister
2098
// with cast of callback function
2099
void DetectAppLayerMultiRegister(const char *name, AppProto alproto, uint32_t dir, int progress,
2100
        InspectionMultiBufferGetDataPtr GetData, int priority)
2101
{
166,668✔
2102
    AppLayerInspectEngineRegisterInternal(name, alproto, dir, progress,
166,668✔
2103
            DetectEngineInspectMultiBufferGeneric, NULL, NULL, GetData);
166,668✔
2104
    DetectAppLayerMpmMultiRegister(
166,668✔
2105
            name, dir, priority, PrefilterMultiGenericMpmRegister, GetData, alproto, progress);
166,668✔
2106
}
166,668✔
2107

2108
InspectionBuffer *DetectGetSingleData(struct DetectEngineThreadCtx_ *det_ctx,
2109
        const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
2110
        const int list_id, InspectionSingleBufferGetDataPtr GetBuf)
2111
{
8,040✔
2112
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
8,040✔
2113
    if (buffer->inspect == NULL) {
8,040✔
2114
        const uint8_t *b = NULL;
6,543✔
2115
        uint32_t b_len = 0;
6,543✔
2116

2117
        if (!GetBuf(txv, flow_flags, &b, &b_len))
6,543✔
2118
            return NULL;
3,831✔
2119

2120
        InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
2,712✔
2121
    }
2,712✔
2122
    return buffer;
4,209✔
2123
}
8,040✔
2124

2125
InspectionBuffer *DetectGetMultiData(struct DetectEngineThreadCtx_ *det_ctx,
2126
        const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
2127
        const int list_id, uint32_t index, InspectionMultiBufferGetDataPtr GetBuf)
2128
{
26,203✔
2129
    InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, index);
26,203✔
2130
    if (buffer == NULL) {
26,203!
2131
        return NULL;
×
2132
    }
×
2133
    if (buffer->initialized) {
26,203✔
2134
        return buffer;
3,055✔
2135
    }
3,055✔
2136

2137
    const uint8_t *data = NULL;
23,148✔
2138
    uint32_t data_len = 0;
23,148✔
2139

2140
    if (!GetBuf(det_ctx, txv, flow_flags, index, &data, &data_len)) {
23,148✔
2141
        InspectionBufferSetupMultiEmpty(buffer);
8,654✔
2142
        return NULL;
8,654✔
2143
    }
8,654✔
2144
    InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len);
14,494✔
2145
    buffer->flags = DETECT_CI_FLAGS_SINGLE;
14,494✔
2146
    return buffer;
14,494✔
2147
}
23,148✔
2148

2149
uint8_t DetectEngineInspectMultiBufferGeneric(DetectEngineCtx *de_ctx,
2150
        DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine,
2151
        const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
2152
{
3,191✔
2153
    uint32_t local_id = 0;
3,191✔
2154
    const DetectEngineTransforms *transforms = NULL;
3,191✔
2155
    if (!engine->mpm) {
3,191✔
2156
        transforms = engine->v2.transforms;
1,695✔
2157
    }
1,695✔
2158

2159
    do {
4,838✔
2160
        InspectionBuffer *buffer = DetectGetMultiData(det_ctx, transforms, f, flags, txv,
4,838✔
2161
                engine->sm_list, local_id, engine->v2.GetMultiData);
4,838✔
2162

2163
        if (buffer == NULL || buffer->inspect == NULL)
4,838✔
2164
            break;
569✔
2165

2166
        // The GetData functions set buffer->flags to DETECT_CI_FLAGS_SINGLE
2167
        // This is not meant for streaming buffers
2168
        const bool match = DetectEngineContentInspectionBuffer(de_ctx, det_ctx, s, engine->smd,
4,269✔
2169
                NULL, f, buffer, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
4,269✔
2170
        if (match) {
4,269✔
2171
            return DETECT_ENGINE_INSPECT_SIG_MATCH;
2,622✔
2172
        }
2,622✔
2173
        local_id++;
1,647✔
2174
    } while (1);
1,647!
2175
    if (local_id == 0) {
569✔
2176
        // That means we did not get even one buffer value from the multi-buffer
2177
        const bool eof = (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) >
61✔
2178
                          engine->progress);
61✔
2179
        if (eof && engine->match_on_null) {
61!
2180
            return DETECT_ENGINE_INSPECT_SIG_MATCH;
22✔
2181
        }
22✔
2182
    }
61✔
2183
    return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
547✔
2184
}
569✔
2185

2186
/**
2187
 * \brief Do the content inspection & validation for a signature
2188
 *
2189
 * \param de_ctx Detection engine context
2190
 * \param det_ctx Detection engine thread context
2191
 * \param s Signature to inspect
2192
 * \param p Packet
2193
 *
2194
 * \retval 0 no match.
2195
 * \retval 1 match.
2196
 */
2197
int DetectEngineInspectPktBufferGeneric(
2198
        DetectEngineThreadCtx *det_ctx,
2199
        const DetectEnginePktInspectionEngine *engine,
2200
        const Signature *s, Packet *p, uint8_t *_alert_flags)
2201
{
7,769✔
2202
    const int list_id = engine->sm_list;
7,769✔
2203
    SCLogDebug("running inspect on %d", list_id);
7,769!
2204

2205
    SCLogDebug("list %d transforms %p",
7,769!
2206
            engine->sm_list, engine->v1.transforms);
7,769✔
2207

2208
    /* if prefilter didn't already run, we need to consider transformations */
2209
    const DetectEngineTransforms *transforms = NULL;
7,769✔
2210
    if (!engine->mpm) {
7,769✔
2211
        transforms = engine->v1.transforms;
5,698✔
2212
    }
5,698✔
2213

2214
    const InspectionBuffer *buffer = engine->v1.GetData(det_ctx, transforms, p,
7,769✔
2215
            list_id);
7,769✔
2216
    if (unlikely(buffer == NULL)) {
7,769!
2217
        return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
1✔
2218
    }
1✔
2219

2220
    uint8_t ci_flags = DETECT_CI_FLAGS_START|DETECT_CI_FLAGS_END;
7,768✔
2221
    ci_flags |= buffer->flags;
7,768✔
2222

2223
    /* Inspect all the uricontents fetched on each
2224
     * transaction at the app layer */
2225
    const bool match = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx, s, engine->smd, p,
7,768✔
2226
            p->flow, buffer->inspect, buffer->inspect_len, 0, ci_flags,
7,768✔
2227
            DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER);
7,768✔
2228
    if (match) {
7,768✔
2229
        return DETECT_ENGINE_INSPECT_SIG_MATCH;
4,028✔
2230
    } else {
4,428✔
2231
        return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
3,740✔
2232
    }
3,740✔
2233
}
7,768✔
2234

2235
/** \internal
2236
 *  \brief inject a pseudo packet into each detect thread
2237
 *         if the thread should flush its output logs.
2238
 */
2239
void InjectPacketsForFlush(ThreadVars **detect_tvs, int no_of_detect_tvs)
2240
{
×
2241
    /* inject a fake packet if the detect thread that needs it. This function
2242
     * is called when a heartbeat log-flush request has been made
2243
     * and it should process a pseudo packet and flush its output logs
2244
     * to speed the process. */
2245
#if DEBUG
2246
    int count = 0;
2247
#endif
2248
    for (int i = 0; i < no_of_detect_tvs; i++) {
×
2249
        if (detect_tvs[i]) { // && detect_tvs[i]->inq != NULL) {
×
2250
            Packet *p = PacketGetFromAlloc();
×
2251
            if (p != NULL) {
×
2252
                SCLogDebug("Injecting pkt for tv %s[i=%d] %d", detect_tvs[i]->name, i, count++);
×
2253
                p->flags |= PKT_PSEUDO_STREAM_END;
×
2254
                p->flags |= PKT_PSEUDO_LOG_FLUSH;
×
2255
                PKT_SET_SRC(p, PKT_SRC_DETECT_RELOAD_FLUSH);
×
2256
                PacketQueue *q = detect_tvs[i]->stream_pq;
×
2257
                SCMutexLock(&q->mutex_q);
×
2258
                PacketEnqueue(q, p);
×
2259
                SCCondSignal(&q->cond_q);
×
2260
                SCMutexUnlock(&q->mutex_q);
×
2261
            }
×
2262
        }
×
2263
    }
×
2264
    SCLogDebug("leaving: thread notification count = %d", count);
×
2265
}
×
2266

2267
/** \internal
2268
 *  \brief inject a pseudo packet into each detect thread
2269
 *      -that doesn't use the new det_ctx yet
2270
 *      -*or*, if the thread should flush its output logs.
2271
 */
2272
static void InjectPackets(
2273
        ThreadVars **detect_tvs, DetectEngineThreadCtx **new_det_ctx, int no_of_detect_tvs)
2274
{
15✔
2275
    /* inject a fake packet if the detect thread that needs it. This function
2276
     * is called if
2277
     *  - A thread isn't using a DE ctx and should
2278
     *  - Or, it should process a pseudo packet and flush its output logs.
2279
     * to speed the process. */
2280
    for (int i = 0; i < no_of_detect_tvs; i++) {
69!
2281
        if (SC_ATOMIC_GET(new_det_ctx[i]->so_far_used_by_detect) != 1) {
54!
2282
            if (detect_tvs[i]->inq != NULL) {
54!
2283
                Packet *p = PacketGetFromAlloc();
40✔
2284
                if (p != NULL) {
40!
2285
                    p->flags |= PKT_PSEUDO_STREAM_END;
40✔
2286
                    PKT_SET_SRC(p, PKT_SRC_DETECT_RELOAD_FLUSH);
40✔
2287
                    PacketQueue *q = detect_tvs[i]->inq->pq;
40✔
2288
                    SCMutexLock(&q->mutex_q);
40✔
2289
                    PacketEnqueue(q, p);
40✔
2290
                    SCCondSignal(&q->cond_q);
40✔
2291
                    SCMutexUnlock(&q->mutex_q);
40✔
2292
                }
40✔
2293
            }
40✔
2294
        }
54✔
2295
    }
54✔
2296
}
15✔
2297

2298
/** \internal
2299
 *  \brief Update detect threads with new detect engine
2300
 *
2301
 *  Atomically update each detect thread with a new thread context
2302
 *  that is associated to the new detection engine(s).
2303
 *
2304
 *  If called in unix socket mode, it's possible that we don't have
2305
 *  detect threads yet.
2306
 *  NOTE: master MUST be locked before calling this
2307
 *
2308
 *  \retval -1 error
2309
 *  \retval 0 no detection threads
2310
 *  \retval 1 successful reload
2311
 */
2312
static int DetectEngineReloadThreads(DetectEngineCtx *new_de_ctx)
2313
{
35,500✔
2314
    SCEnter();
35,500✔
2315
    uint32_t i = 0;
35,500✔
2316

2317
    /* count detect threads in use */
2318
    uint32_t no_of_detect_tvs = TmThreadCountThreadsByTmmFlags(TM_FLAG_FLOWWORKER_TM);
35,500✔
2319
    /* can be zero in unix socket mode */
2320
    if (no_of_detect_tvs == 0) {
35,500!
2321
        return 0;
35,485✔
2322
    }
35,485✔
2323

2324
    /* prepare swap structures */
2325
    DetectEngineThreadCtx *old_det_ctx[no_of_detect_tvs];
15✔
2326
    DetectEngineThreadCtx *new_det_ctx[no_of_detect_tvs];
15✔
2327
    ThreadVars *detect_tvs[no_of_detect_tvs];
15✔
2328
    memset(old_det_ctx, 0x00, (no_of_detect_tvs * sizeof(DetectEngineThreadCtx *)));
15✔
2329
    memset(new_det_ctx, 0x00, (no_of_detect_tvs * sizeof(DetectEngineThreadCtx *)));
15✔
2330
    memset(detect_tvs, 0x00, (no_of_detect_tvs * sizeof(ThreadVars *)));
15✔
2331

2332
    /* start the process of swapping detect threads ctxs */
2333

2334
    /* get reference to tv's and setup new_det_ctx array */
2335
    SCMutexLock(&tv_root_lock);
15✔
2336
    for (ThreadVars *tv = tv_root[TVT_PPT]; tv != NULL; tv = tv->next) {
85!
2337
        if ((tv->tmm_flags & TM_FLAG_FLOWWORKER_TM) == 0) {
70!
2338
            continue;
16✔
2339
        }
16✔
2340
        for (TmSlot *s = tv->tm_slots; s != NULL; s = s->slot_next) {
82!
2341
            TmModule *tm = TmModuleGetById(s->tm_id);
82✔
2342
            if (!(tm->flags & TM_FLAG_FLOWWORKER_TM)) {
82!
2343
                continue;
28✔
2344
            }
28✔
2345

2346
            if (suricata_ctl_flags != 0) {
54!
2347
                SCMutexUnlock(&tv_root_lock);
×
2348
                goto error;
×
2349
            }
×
2350

2351
            old_det_ctx[i] = FlowWorkerGetDetectCtxPtr(SC_ATOMIC_GET(s->slot_data));
54✔
2352
            detect_tvs[i] = tv;
54✔
2353

2354
            new_det_ctx[i] = DetectEngineThreadCtxInitForReload(tv, new_de_ctx, 1);
54✔
2355
            if (new_det_ctx[i] == NULL) {
54!
2356
                SCLogError("Detect engine thread init "
×
2357
                           "failure in live rule swap.  Let's get out of here");
×
2358
                SCMutexUnlock(&tv_root_lock);
×
2359
                goto error;
×
2360
            }
×
2361
            SCLogDebug("live rule swap created new det_ctx - %p and de_ctx "
54!
2362
                       "- %p\n", new_det_ctx[i], new_de_ctx);
54✔
2363
            i++;
54✔
2364
            break;
54✔
2365
        }
54✔
2366
    }
54✔
2367
    BUG_ON(i != no_of_detect_tvs);
15!
2368

2369
    /* atomically replace the det_ctx data */
2370
    i = 0;
15✔
2371
    for (ThreadVars *tv = tv_root[TVT_PPT]; tv != NULL; tv = tv->next) {
85!
2372
        if ((tv->tmm_flags & TM_FLAG_FLOWWORKER_TM) == 0) {
70!
2373
            continue;
16✔
2374
        }
16✔
2375
        for (TmSlot *s = tv->tm_slots; s != NULL; s = s->slot_next) {
82!
2376
            TmModule *tm = TmModuleGetById(s->tm_id);
82✔
2377
            if (!(tm->flags & TM_FLAG_FLOWWORKER_TM)) {
82!
2378
                continue;
28✔
2379
            }
28✔
2380
            SCLogDebug("swapping new det_ctx - %p with older one - %p",
54!
2381
                       new_det_ctx[i], SC_ATOMIC_GET(s->slot_data));
54✔
2382
            FlowWorkerReplaceDetectCtx(SC_ATOMIC_GET(s->slot_data), new_det_ctx[i++]);
54✔
2383
            break;
54✔
2384
        }
82✔
2385
    }
54✔
2386
    SCMutexUnlock(&tv_root_lock);
15✔
2387

2388
    /* threads now all have new data, however they may not have started using
2389
     * it and may still use the old data */
2390

2391
    SCLogDebug("Live rule swap has swapped %d old det_ctx's with new ones, "
15!
2392
               "along with the new de_ctx", no_of_detect_tvs);
15✔
2393

2394
    InjectPackets(detect_tvs, new_det_ctx, no_of_detect_tvs);
15✔
2395

2396
    /* loop waiting for detect threads to switch to the new det_ctx. Try to
2397
     * wake up capture if needed (break loop). */
2398
    uint32_t threads_done = 0;
15✔
2399
retry:
18✔
2400
    for (i = 0; i < no_of_detect_tvs; i++) {
81!
2401
        if (suricata_ctl_flags != 0) {
63!
2402
            threads_done = no_of_detect_tvs;
×
2403
            break;
×
2404
        }
×
2405
        SleepMsec(1);
63✔
2406
        if (SC_ATOMIC_GET(new_det_ctx[i]->so_far_used_by_detect) == 1) {
63!
2407
            SCLogDebug("new_det_ctx - %p used by detect engine", new_det_ctx[i]);
54!
2408
            threads_done++;
54✔
2409
        } else {
54✔
2410
            TmThreadsCaptureBreakLoop(detect_tvs[i]);
9✔
2411
        }
9✔
2412
    }
63✔
2413
    if (threads_done < no_of_detect_tvs) {
18!
2414
        threads_done = 0;
3✔
2415
        SleepMsec(250);
3✔
2416
        goto retry;
3✔
2417
    }
3✔
2418

2419
    /* this is to make sure that if someone initiated shutdown during a live
2420
     * rule swap, the live rule swap won't clean up the old det_ctx and
2421
     * de_ctx, till all detect threads have stopped working and sitting
2422
     * silently after setting RUNNING_DONE flag and while waiting for
2423
     * THV_DEINIT flag */
2424
    if (i != no_of_detect_tvs) { // not all threads we swapped
15!
2425
        for (ThreadVars *tv = tv_root[TVT_PPT]; tv != NULL; tv = tv->next) {
×
2426
            if ((tv->tmm_flags & TM_FLAG_FLOWWORKER_TM) == 0) {
×
2427
                continue;
×
2428
            }
×
2429

2430
            while (!TmThreadsCheckFlag(tv, THV_RUNNING_DONE)) {
×
2431
                SleepUsec(100);
×
2432
            }
×
2433
        }
×
2434
    }
×
2435

2436
    /* free all the ctxs */
2437
    for (i = 0; i < no_of_detect_tvs; i++) {
69!
2438
        SCLogDebug("Freeing old_det_ctx - %p used by detect",
54!
2439
                   old_det_ctx[i]);
54✔
2440
        DetectEngineThreadCtxDeinit(NULL, old_det_ctx[i]);
54✔
2441
    }
54✔
2442

2443
    SRepReloadComplete();
15✔
2444

2445
    return 1;
15✔
2446

2447
 error:
×
2448
    for (i = 0; i < no_of_detect_tvs; i++) {
×
2449
        if (new_det_ctx[i] != NULL)
×
2450
            DetectEngineThreadCtxDeinit(NULL, new_det_ctx[i]);
×
2451
    }
×
2452
    return -1;
×
2453
}
18✔
2454

2455
bool DetectEngineMpmCachingEnabled(void)
2456
{
1,511✔
2457
    int sgh_mpm_caching = 0;
1,511✔
2458
    if (SCConfGetBool("detect.sgh-mpm-caching", &sgh_mpm_caching) != 1) {
1,511!
2459
        return false;
1,509✔
2460
    }
1,509✔
2461
    return (bool)sgh_mpm_caching;
2✔
2462
}
1,511✔
2463

2464
const char *DetectEngineMpmCachingGetPath(void)
2465
{
1✔
2466
    if (DetectEngineMpmCachingEnabled() == false) {
1!
2467
        return NULL;
×
2468
    }
×
2469

2470
    char yamlpath[] = "detect.sgh-mpm-caching-path";
1✔
2471
    const char *strval = NULL;
1✔
2472
    if (SCConfGet(yamlpath, &strval) == 1 && strval != NULL) {
1!
2473
        return strval;
1✔
2474
    }
1✔
2475

2476
    static bool notified = false;
×
2477
    if (!notified) {
×
2478
        SCLogInfo("%s has no path specified, using %s", yamlpath, SGH_CACHE_DIR);
×
2479
        notified = true;
×
2480
    }
×
2481
    return SGH_CACHE_DIR;
×
2482
}
1✔
2483

2484
void DetectEngineMpmCacheService(uint32_t op_flags)
2485
{
37,247✔
2486
    DetectEngineCtx *de_ctx = DetectEngineGetCurrent();
37,247✔
2487
    if (!de_ctx) {
37,247!
2488
        return;
×
2489
    }
×
2490

2491
    if (!de_ctx->mpm_cfg || !de_ctx->mpm_cfg->cache_dir_path) {
37,247!
2492
        goto error;
37,246✔
2493
    }
37,246✔
2494

2495
    if (mpm_table[de_ctx->mpm_matcher].CacheStatsInit != NULL) {
1!
2496
        de_ctx->mpm_cfg->cache_stats = mpm_table[de_ctx->mpm_matcher].CacheStatsInit();
1✔
2497
        if (de_ctx->mpm_cfg->cache_stats == NULL) {
1!
2498
            goto error;
×
2499
        }
×
2500
    }
1✔
2501

2502
    if (op_flags & DETECT_ENGINE_MPM_CACHE_OP_SAVE) {
1!
2503
        if (mpm_table[de_ctx->mpm_matcher].CacheRuleset != NULL) {
1!
2504
            mpm_table[de_ctx->mpm_matcher].CacheRuleset(de_ctx->mpm_cfg);
1✔
2505
        }
1✔
2506
    }
1✔
2507

2508
    if (op_flags & DETECT_ENGINE_MPM_CACHE_OP_PRUNE) {
1!
2509
        if (mpm_table[de_ctx->mpm_matcher].CachePrune != NULL) {
1!
2510
            mpm_table[de_ctx->mpm_matcher].CachePrune(de_ctx->mpm_cfg);
1✔
2511
        }
1✔
2512
    }
1✔
2513

2514
    if (mpm_table[de_ctx->mpm_matcher].CacheStatsPrint != NULL) {
1!
2515
        mpm_table[de_ctx->mpm_matcher].CacheStatsPrint(de_ctx->mpm_cfg->cache_stats);
1✔
2516
    }
1✔
2517

2518
    if (mpm_table[de_ctx->mpm_matcher].CacheStatsDeinit != NULL) {
1!
2519
        mpm_table[de_ctx->mpm_matcher].CacheStatsDeinit(de_ctx->mpm_cfg->cache_stats);
1✔
2520
        de_ctx->mpm_cfg->cache_stats = NULL;
1✔
2521
    }
1✔
2522

2523
error:
37,247✔
2524
    DetectEngineDeReference(&de_ctx);
37,247✔
2525
}
37,247✔
2526

2527
static DetectEngineCtx *DetectEngineCtxInitReal(
2528
        enum DetectEngineType type, const char *prefix, uint32_t tenant_id)
2529
{
38,857✔
2530
    DetectEngineCtx *de_ctx = SCCalloc(1, sizeof(DetectEngineCtx));
38,857✔
2531
    if (unlikely(de_ctx == NULL))
38,857!
2532
        goto error;
×
2533

2534
    memset(&de_ctx->sig_stat, 0, sizeof(SigFileLoaderStat));
38,857✔
2535
    TAILQ_INIT(&de_ctx->sig_stat.failed_sigs);
38,857!
2536
    de_ctx->sigerror = NULL;
38,857✔
2537
    de_ctx->type = type;
38,857✔
2538
    de_ctx->filemagic_thread_ctx_id = -1;
38,857✔
2539
    de_ctx->tenant_id = tenant_id;
38,857✔
2540

2541
    de_ctx->mpm_matcher = PatternMatchDefaultMatcher();
38,857✔
2542
    de_ctx->spm_matcher = SinglePatternMatchDefaultMatcher();
38,857✔
2543

2544
    if (mpm_table[de_ctx->mpm_matcher].ConfigInit) {
38,857!
2545
        de_ctx->mpm_cfg = mpm_table[de_ctx->mpm_matcher].ConfigInit();
1,510✔
2546
        if (de_ctx->mpm_cfg == NULL) {
1,510!
2547
            goto error;
×
2548
        }
×
2549

2550
        if (DetectEngineMpmCachingEnabled() && mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet) {
1,510!
2551
            mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet(
1✔
2552
                    de_ctx->mpm_cfg, DetectEngineMpmCachingGetPath());
1✔
2553

2554
            if (mpm_table[de_ctx->mpm_matcher].CachePrune) {
1!
2555
                if (SCConfGetTime("detect.sgh-mpm-caching-max-age",
1!
2556
                            &de_ctx->mpm_cfg->cache_max_age_seconds) != 1) {
1✔
2557
                    de_ctx->mpm_cfg->cache_max_age_seconds = 7ULL * 24ULL * 60ULL * 60ULL;
1✔
2558
                }
1✔
2559
            }
1✔
2560
        }
1✔
2561
    }
1,510✔
2562

2563
    if (type == DETECT_ENGINE_TYPE_DD_STUB || type == DETECT_ENGINE_TYPE_MT_STUB) {
38,857!
2564
        de_ctx->version = DetectEngineGetVersion();
3✔
2565
        SCLogDebug("stub %u with version %u", type, de_ctx->version);
3!
2566
        return de_ctx;
3✔
2567
    }
3✔
2568

2569
    if (prefix != NULL) {
38,854✔
2570
        strlcpy(de_ctx->config_prefix, prefix, sizeof(de_ctx->config_prefix));
29✔
2571
    }
29✔
2572

2573
    int failure_fatal = 0;
38,854✔
2574
    if (SCConfGetBool("engine.init-failure-fatal", (int *)&failure_fatal) != 1) {
38,854✔
2575
        SCLogDebug("ConfGetBool could not load the value.");
37,132!
2576
    }
37,132✔
2577
    de_ctx->failure_fatal = (failure_fatal == 1);
38,854✔
2578

2579
    SCLogConfig("pattern matchers: MPM: %s, SPM: %s", mpm_table[de_ctx->mpm_matcher].name,
38,854✔
2580
            spm_table[de_ctx->spm_matcher].name);
38,854✔
2581
    de_ctx->spm_global_thread_ctx = SpmInitGlobalThreadCtx(de_ctx->spm_matcher);
38,854✔
2582
    if (de_ctx->spm_global_thread_ctx == NULL) {
38,854!
2583
        SCLogDebug("Unable to alloc SpmGlobalThreadCtx.");
×
2584
        goto error;
×
2585
    }
×
2586

2587
    de_ctx->sm_types_prefilter = SCCalloc(DETECT_TBLSIZE, sizeof(bool));
38,854✔
2588
    if (de_ctx->sm_types_prefilter == NULL) {
38,854!
2589
        goto error;
×
2590
    }
×
2591
    de_ctx->sm_types_silent_error = SCCalloc(DETECT_TBLSIZE, sizeof(bool));
38,854✔
2592
    if (de_ctx->sm_types_silent_error == NULL) {
38,854!
2593
        goto error;
×
2594
    }
×
2595
    if (DetectEngineCtxLoadConf(de_ctx) == -1) {
38,854!
2596
        goto error;
×
2597
    }
×
2598

2599
    SigGroupHeadHashInit(de_ctx);
38,854✔
2600
    MpmStoreInit(de_ctx);
38,854✔
2601
    DetectParseDupSigHashInit(de_ctx);
38,854✔
2602
    DetectAddressMapInit(de_ctx);
38,854✔
2603
    DetectMetadataHashInit(de_ctx);
38,854✔
2604
    DetectBufferTypeSetupDetectEngine(de_ctx);
38,854✔
2605
    DetectEngineInitializeFastPatternList(de_ctx);
38,854✔
2606

2607
    /* init iprep... ignore errors for now */
2608
    (void)SRepInit(de_ctx);
38,854✔
2609

2610
    SCClassSCConfInit(de_ctx);
38,854✔
2611
    if (!SCClassConfLoadClassificationConfigFile(de_ctx, NULL)) {
38,854✔
2612
        if (SCRunmodeGet() == RUNMODE_CONF_TEST)
37,125✔
2613
            goto error;
1✔
2614
    }
37,125✔
2615

2616
    if (ActionInitConfig() < 0) {
38,853!
2617
        goto error;
×
2618
    }
×
2619
    SCReferenceSCConfInit(de_ctx);
38,853✔
2620
    if (SCRConfLoadReferenceConfigFile(de_ctx, NULL) < 0) {
38,853✔
2621
        if (SCRunmodeGet() == RUNMODE_CONF_TEST)
37,124✔
2622
            goto error;
1✔
2623
    }
37,124✔
2624

2625
    de_ctx->version = DetectEngineGetVersion();
38,852✔
2626
    SCLogDebug("dectx with version %u", de_ctx->version);
38,852!
2627
    return de_ctx;
38,852✔
2628
error:
2✔
2629
    if (de_ctx != NULL) {
2!
2630
        DetectEngineCtxFree(de_ctx);
2✔
2631
    }
2✔
2632
    return NULL;
2✔
2633
}
38,853✔
2634

2635
DetectEngineCtx *DetectEngineCtxInitStubForMT(void)
2636
{
3✔
2637
    return DetectEngineCtxInitReal(DETECT_ENGINE_TYPE_MT_STUB, NULL, 0);
3✔
2638
}
3✔
2639

2640
DetectEngineCtx *DetectEngineCtxInitStubForDD(void)
2641
{
×
2642
    return DetectEngineCtxInitReal(DETECT_ENGINE_TYPE_DD_STUB, NULL, 0);
×
2643
}
×
2644

2645
DetectEngineCtx *DetectEngineCtxInit(void)
2646
{
38,825✔
2647
    return DetectEngineCtxInitReal(DETECT_ENGINE_TYPE_NORMAL, NULL, 0);
38,825✔
2648
}
38,825✔
2649

2650
DetectEngineCtx *DetectEngineCtxInitWithPrefix(const char *prefix, uint32_t tenant_id)
2651
{
35,514✔
2652
    if (prefix == NULL || strlen(prefix) == 0)
35,514!
2653
        return DetectEngineCtxInit();
35,485✔
2654
    else
29✔
2655
        return DetectEngineCtxInitReal(DETECT_ENGINE_TYPE_NORMAL, prefix, tenant_id);
29✔
2656
}
35,514✔
2657

2658
static void DetectEngineCtxFreeThreadKeywordData(DetectEngineCtx *de_ctx)
2659
{
38,798✔
2660
    HashListTableFree(de_ctx->keyword_hash);
38,798✔
2661
}
38,798✔
2662

2663
static void DetectEngineCtxFreeFailedSigs(DetectEngineCtx *de_ctx)
2664
{
38,798✔
2665
    SigString *item = NULL;
38,798✔
2666
    SigString *sitem;
38,798✔
2667

2668
    TAILQ_FOREACH_SAFE(item, &de_ctx->sig_stat.failed_sigs, next, sitem) {
4,840,992✔
2669
        SCFree(item->filename);
4,837,741✔
2670
        SCFree(item->sig_str);
4,837,741✔
2671
        if (item->sig_error) {
4,837,741✔
2672
            SCFree(item->sig_error);
12,248✔
2673
        }
12,248✔
2674
        TAILQ_REMOVE(&de_ctx->sig_stat.failed_sigs, item, next);
4,837,741✔
2675
        SCFree(item);
4,837,741✔
2676
    }
4,837,741✔
2677
}
38,798✔
2678

2679
/**
2680
 * \brief Free a DetectEngineCtx::
2681
 *
2682
 * \param de_ctx DetectEngineCtx:: to be freed
2683
 */
2684
void DetectEngineCtxFree(DetectEngineCtx *de_ctx)
2685
{
38,798✔
2686

2687
    if (de_ctx == NULL)
38,798!
2688
        return;
×
2689

2690
#ifdef PROFILE_RULES
2691
    if (de_ctx->profile_ctx != NULL) {
2692
        SCProfilingRuleDestroyCtx(de_ctx->profile_ctx);
2693
        de_ctx->profile_ctx = NULL;
2694
    }
2695
#endif
2696
#ifdef PROFILING
2697
    if (de_ctx->profile_keyword_ctx != NULL) {
2698
        SCProfilingKeywordDestroyCtx(de_ctx);//->profile_keyword_ctx);
2699
//        de_ctx->profile_keyword_ctx = NULL;
2700
    }
2701
    if (de_ctx->profile_sgh_ctx != NULL) {
2702
        SCProfilingSghDestroyCtx(de_ctx);
2703
    }
2704
    SCProfilingPrefilterDestroyCtx(de_ctx);
2705
#endif
2706

2707
    if (mpm_table[de_ctx->mpm_matcher].ConfigDeinit) {
38,798!
2708
        mpm_table[de_ctx->mpm_matcher].ConfigDeinit(&de_ctx->mpm_cfg);
1,510✔
2709
    }
1,510✔
2710
    /* Normally the hashes are freed elsewhere, but
2711
     * to be sure look at them again here.
2712
     */
2713
    SigGroupHeadHashFree(de_ctx);
38,798✔
2714
    MpmStoreFree(de_ctx);
38,798✔
2715
    DetectParseDupSigHashFree(de_ctx);
38,798✔
2716
    SCSigSignatureOrderingModuleCleanup(de_ctx);
38,798✔
2717
    SigCleanSignatures(de_ctx);
38,798✔
2718
    if (de_ctx->sig_array)
38,798✔
2719
        SCFree(de_ctx->sig_array);
38,139✔
2720

2721
    if (de_ctx->filedata_config)
38,798✔
2722
        SCFree(de_ctx->filedata_config);
3,419✔
2723

2724
    DetectEngineFreeFastPatternList(de_ctx);
38,798✔
2725
    SCClassConfDeInitContext(de_ctx);
38,798✔
2726
    SCRConfDeInitContext(de_ctx);
38,798✔
2727

2728
    SigGroupCleanup(de_ctx);
38,798✔
2729

2730
    SpmDestroyGlobalThreadCtx(de_ctx->spm_global_thread_ctx);
38,798✔
2731
    SCFree(de_ctx->sm_types_prefilter);
38,798✔
2732
    SCFree(de_ctx->sm_types_silent_error);
38,798✔
2733

2734
    MpmFactoryDeRegisterAllMpmCtxProfiles(de_ctx);
38,798✔
2735

2736
    DetectEngineCtxFreeThreadKeywordData(de_ctx);
38,798✔
2737
    SRepDestroy(de_ctx);
38,798✔
2738
    DetectEngineCtxFreeFailedSigs(de_ctx);
38,798✔
2739

2740
    DetectAddressMapFree(de_ctx);
38,798✔
2741
    DetectMetadataHashFree(de_ctx);
38,798✔
2742

2743
    /* if we have a config prefix, remove the config from the tree */
2744
    if (strlen(de_ctx->config_prefix) > 0) {
38,798✔
2745
        /* remove config */
2746
        SCConfNode *node = SCConfGetNode(de_ctx->config_prefix);
30✔
2747
        if (node != NULL) {
30!
2748
            SCConfNodeRemove(node); /* frees node */
26✔
2749
        }
26✔
2750
#if 0
2751
        SCConfDump();
2752
#endif
2753
    }
30✔
2754

2755
    DetectPortCleanupList(de_ctx, de_ctx->tcp_priorityports);
38,798✔
2756
    DetectPortCleanupList(de_ctx, de_ctx->udp_priorityports);
38,798✔
2757

2758
    DetectBufferTypeFreeDetectEngine(de_ctx);
38,798✔
2759
    SCClassConfDeinit(de_ctx);
38,798✔
2760
    SCReferenceConfDeinit(de_ctx);
38,798✔
2761

2762
    if (de_ctx->tenant_path) {
38,798✔
2763
        SCFree(de_ctx->tenant_path);
21✔
2764
    }
21✔
2765

2766
    if (de_ctx->requirements) {
38,798✔
2767
        SCDetectRequiresStatusFree(de_ctx->requirements);
738✔
2768
    }
738✔
2769

2770
    if (de_ctx->non_pf_engine_names) {
38,798✔
2771
        HashTableFree(de_ctx->non_pf_engine_names);
22,258✔
2772
    }
22,258✔
2773
    SCFree(de_ctx);
38,798✔
2774
    //DetectAddressGroupPrintMemory();
2775
    //DetectSigGroupPrintMemory();
2776
    //DetectPortPrintMemory();
2777
}
38,798✔
2778

2779
/** \brief  Function that load DetectEngineCtx config for grouping sigs
2780
 *          used by the engine
2781
 *  \retval 0 if no config provided, 1 if config was provided
2782
 *          and loaded successfully
2783
 */
2784
static int DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
2785
{
38,854✔
2786
    uint8_t profile = ENGINE_PROFILE_MEDIUM;
38,854✔
2787
    const char *max_uniq_toclient_groups_str = NULL;
38,854✔
2788
    const char *max_uniq_toserver_groups_str = NULL;
38,854✔
2789
    const char *sgh_mpm_context = NULL;
38,854✔
2790
    const char *de_ctx_profile = NULL;
38,854✔
2791

2792
    (void)SCConfGet("detect.profile", &de_ctx_profile);
38,854✔
2793
    (void)SCConfGet("detect.sgh-mpm-context", &sgh_mpm_context);
38,854✔
2794

2795
    SCConfNode *de_ctx_custom = SCConfGetNode("detect-engine");
38,854✔
2796
    SCConfNode *opt = NULL;
38,854✔
2797

2798
    if (de_ctx_custom != NULL) {
38,854!
2799
        TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
16!
2800
            if (de_ctx_profile == NULL) {
16!
2801
                if (opt->val && strcmp(opt->val, "profile") == 0) {
6!
2802
                    de_ctx_profile = opt->head.tqh_first->val;
6✔
2803
                }
6✔
2804
            }
6✔
2805

2806
            if (sgh_mpm_context == NULL) {
16!
2807
                if (opt->val && strcmp(opt->val, "sgh-mpm-context") == 0) {
16!
2808
                    sgh_mpm_context = opt->head.tqh_first->val;
×
2809
                }
×
2810
            }
16✔
2811
        }
16✔
2812
    }
6✔
2813

2814
    if (de_ctx_profile != NULL) {
38,854✔
2815
        if (strcmp(de_ctx_profile, "low") == 0 ||
1,334!
2816
            strcmp(de_ctx_profile, "lowest") == 0) {        // legacy
1,334!
2817
            profile = ENGINE_PROFILE_LOW;
×
2818
        } else if (strcmp(de_ctx_profile, "medium") == 0) {
1,334✔
2819
            profile = ENGINE_PROFILE_MEDIUM;
1,331✔
2820
        } else if (strcmp(de_ctx_profile, "high") == 0 ||
1,331!
2821
                   strcmp(de_ctx_profile, "highest") == 0) { // legacy
3!
2822
            profile = ENGINE_PROFILE_HIGH;
×
2823
        } else if (strcmp(de_ctx_profile, "custom") == 0) {
3!
2824
            profile = ENGINE_PROFILE_CUSTOM;
3✔
2825
        } else {
3✔
2826
            SCLogError("invalid value for detect.profile: '%s'. "
×
2827
                       "Valid options: low, medium, high and custom.",
×
2828
                    de_ctx_profile);
×
2829
            return -1;
×
2830
        }
×
2831

2832
        SCLogDebug("Profile for detection engine groups is \"%s\"", de_ctx_profile);
1,334!
2833
    } else {
38,357✔
2834
        SCLogDebug("Profile for detection engine groups not provided "
37,520!
2835
                   "at suricata.yaml. Using default (\"medium\").");
37,520✔
2836
    }
37,520✔
2837

2838
    /* detect-engine.sgh-mpm-context option parsing */
2839
    if (sgh_mpm_context == NULL || strcmp(sgh_mpm_context, "auto") == 0) {
38,854!
2840
        /* for now, since we still haven't implemented any intelligence into
2841
         * understanding the patterns and distributing mpm_ctx across sgh */
2842
        if (de_ctx->mpm_matcher == MPM_AC || de_ctx->mpm_matcher == MPM_AC_KS ||
38,854!
2843
                de_ctx->mpm_matcher == MPM_HS) {
38,854!
2844
            de_ctx->sgh_mpm_ctx_cnf = ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE;
38,854✔
2845
        } else {
38,854✔
2846
            de_ctx->sgh_mpm_ctx_cnf = ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL;
×
2847
        }
×
2848
    } else {
38,854✔
2849
        if (strcmp(sgh_mpm_context, "single") == 0) {
×
2850
            de_ctx->sgh_mpm_ctx_cnf = ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE;
×
2851
        } else if (strcmp(sgh_mpm_context, "full") == 0) {
×
2852
            de_ctx->sgh_mpm_ctx_cnf = ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL;
×
2853
        } else {
×
2854
            SCLogError("You have supplied an "
×
2855
                       "invalid conf value for detect-engine.sgh-mpm-context-"
×
2856
                       "%s",
×
2857
                    sgh_mpm_context);
×
2858
            exit(EXIT_FAILURE);
×
2859
        }
×
2860
    }
×
2861

2862
    if (RunmodeIsUnittests()) {
38,854!
2863
        de_ctx->sgh_mpm_ctx_cnf = ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL;
1,481✔
2864
    }
1,481✔
2865

2866
    /* parse profile custom-values */
2867
    opt = NULL;
38,854✔
2868
    switch (profile) {
38,854✔
2869
        case ENGINE_PROFILE_LOW:
×
2870
            de_ctx->max_uniq_toclient_groups = 15;
×
2871
            de_ctx->max_uniq_toserver_groups = 25;
×
2872
            break;
×
2873

2874
        case ENGINE_PROFILE_HIGH:
×
2875
            de_ctx->max_uniq_toclient_groups = 75;
×
2876
            de_ctx->max_uniq_toserver_groups = 75;
×
2877
            break;
×
2878

2879
        case ENGINE_PROFILE_CUSTOM:
3✔
2880
            (void)SCConfGet("detect.custom-values.toclient-groups", &max_uniq_toclient_groups_str);
3✔
2881
            (void)SCConfGet("detect.custom-values.toserver-groups", &max_uniq_toserver_groups_str);
3✔
2882

2883
            if (de_ctx_custom != NULL) {
3!
2884
                TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
5!
2885
                    if (opt->val && strcmp(opt->val, "custom-values") == 0) {
5!
2886
                        if (max_uniq_toclient_groups_str == NULL) {
2!
2887
                            max_uniq_toclient_groups_str = (char *)SCConfNodeLookupChildValue(
2✔
2888
                                    opt->head.tqh_first, "toclient-sp-groups");
2✔
2889
                        }
2✔
2890
                        if (max_uniq_toclient_groups_str == NULL) {
2!
2891
                            max_uniq_toclient_groups_str = (char *)SCConfNodeLookupChildValue(
2✔
2892
                                    opt->head.tqh_first, "toclient-groups");
2✔
2893
                        }
2✔
2894
                        if (max_uniq_toserver_groups_str == NULL) {
2!
2895
                            max_uniq_toserver_groups_str = (char *)SCConfNodeLookupChildValue(
2✔
2896
                                    opt->head.tqh_first, "toserver-dp-groups");
2✔
2897
                        }
2✔
2898
                        if (max_uniq_toserver_groups_str == NULL) {
2!
2899
                            max_uniq_toserver_groups_str = (char *)SCConfNodeLookupChildValue(
2✔
2900
                                    opt->head.tqh_first, "toserver-groups");
2✔
2901
                        }
2✔
2902
                    }
2✔
2903
                }
5✔
2904
            }
2✔
2905
            if (max_uniq_toclient_groups_str != NULL) {
3!
2906
                if (StringParseUint16(&de_ctx->max_uniq_toclient_groups, 10,
2!
2907
                            (uint16_t)strlen(max_uniq_toclient_groups_str),
2✔
2908
                            (const char *)max_uniq_toclient_groups_str) <= 0) {
2✔
2909
                    de_ctx->max_uniq_toclient_groups = 20;
1✔
2910

2911
                    SCLogWarning("parsing '%s' for "
1✔
2912
                                 "toclient-groups failed, using %u",
1✔
2913
                            max_uniq_toclient_groups_str, de_ctx->max_uniq_toclient_groups);
1✔
2914
                }
1✔
2915
            } else {
3✔
2916
                de_ctx->max_uniq_toclient_groups = 20;
1✔
2917
            }
1✔
2918
            SCLogConfig("toclient-groups %u", de_ctx->max_uniq_toclient_groups);
3✔
2919

2920
            if (max_uniq_toserver_groups_str != NULL) {
3!
2921
                if (StringParseUint16(&de_ctx->max_uniq_toserver_groups, 10,
3!
2922
                            (uint16_t)strlen(max_uniq_toserver_groups_str),
3✔
2923
                            (const char *)max_uniq_toserver_groups_str) <= 0) {
3✔
2924
                    de_ctx->max_uniq_toserver_groups = 40;
1✔
2925

2926
                    SCLogWarning("parsing '%s' for "
1✔
2927
                                 "toserver-groups failed, using %u",
1✔
2928
                            max_uniq_toserver_groups_str, de_ctx->max_uniq_toserver_groups);
1✔
2929
                }
1✔
2930
            } else {
3✔
2931
                de_ctx->max_uniq_toserver_groups = 40;
×
2932
            }
×
2933
            SCLogConfig("toserver-groups %u", de_ctx->max_uniq_toserver_groups);
3✔
2934
            break;
3✔
2935

2936
        /* Default (or no config provided) is profile medium */
2937
        case ENGINE_PROFILE_MEDIUM:
38,851✔
2938
        case ENGINE_PROFILE_UNKNOWN:
38,851!
2939
        default:
38,851!
2940
            de_ctx->max_uniq_toclient_groups = 20;
38,851✔
2941
            de_ctx->max_uniq_toserver_groups = 40;
38,851✔
2942
            break;
38,851✔
2943
    }
38,854✔
2944

2945
    intmax_t value = 0;
38,854✔
2946
    de_ctx->inspection_recursion_limit = DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT;
38,854✔
2947
    if (SCConfGetInt("detect.inspection-recursion-limit", &value) == 1) {
38,854✔
2948
        if (value >= 0 && value <= INT_MAX) {
35,508!
2949
            de_ctx->inspection_recursion_limit = (int)value;
35,508✔
2950
        }
35,508✔
2951

2952
    /* fall back to old config parsing */
2953
    } else {
38,802✔
2954
        SCConfNode *insp_recursion_limit_node = NULL;
3,346✔
2955
        char *insp_recursion_limit = NULL;
3,346✔
2956

2957
        if (de_ctx_custom != NULL) {
3,346!
2958
            opt = NULL;
6✔
2959
            TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
16!
2960
                if (opt->val && strcmp(opt->val, "inspection-recursion-limit") != 0)
16!
2961
                    continue;
12✔
2962

2963
                insp_recursion_limit_node = SCConfNodeLookupChild(opt, opt->val);
4✔
2964
                if (insp_recursion_limit_node == NULL) {
4!
2965
                    SCLogError("Error retrieving conf "
×
2966
                               "entry for detect-engine:inspection-recursion-limit");
×
2967
                    break;
×
2968
                }
×
2969
                insp_recursion_limit = insp_recursion_limit_node->val;
4✔
2970
                SCLogDebug("Found detect-engine.inspection-recursion-limit - %s:%s",
4!
2971
                        insp_recursion_limit_node->name, insp_recursion_limit_node->val);
4✔
2972
                break;
4✔
2973
            }
4✔
2974

2975
            if (insp_recursion_limit != NULL) {
6!
2976
                if (StringParseInt32(&de_ctx->inspection_recursion_limit, 10,
3!
2977
                                     0, (const char *)insp_recursion_limit) < 0) {
3✔
2978
                    SCLogWarning("Invalid value for "
×
2979
                                 "detect-engine.inspection-recursion-limit: %s "
×
2980
                                 "resetting to %d",
×
2981
                            insp_recursion_limit, DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT);
×
2982
                    de_ctx->inspection_recursion_limit =
×
2983
                        DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT;
×
2984
                }
×
2985
            }
3✔
2986
        }
6✔
2987
    }
3,346✔
2988

2989
    if (de_ctx->inspection_recursion_limit == 0)
38,854!
2990
        de_ctx->inspection_recursion_limit = -1;
35,487✔
2991

2992
    SCLogDebug("de_ctx->inspection_recursion_limit: %d",
38,854!
2993
               de_ctx->inspection_recursion_limit);
38,854✔
2994

2995
    // default value is 4
2996
    de_ctx->guess_applayer_log_limit = 4;
38,854✔
2997
    if (SCConfGetInt("detect.stream-tx-log-limit", &value) == 1) {
38,854✔
2998
        if (value >= 0 && value <= UINT8_MAX) {
1!
2999
            de_ctx->guess_applayer_log_limit = (uint8_t)value;
1✔
3000
        } else {
1✔
3001
            SCLogWarning("Invalid value for detect-engine.stream-tx-log-limit: must be between 0 "
×
3002
                         "and 255, will default to 4");
×
3003
        }
×
3004
    }
1✔
3005
    int guess_applayer = 0;
38,854✔
3006
    if ((SCConfGetBool("detect.guess-applayer-tx", &guess_applayer)) == 1) {
38,854✔
3007
        if (guess_applayer == 1) {
9!
3008
            de_ctx->guess_applayer = true;
9✔
3009
        }
9✔
3010
    }
9✔
3011

3012
    /* parse port grouping priority settings */
3013

3014
    const char *ports = NULL;
38,854✔
3015
    (void)SCConfGet("detect.grouping.tcp-priority-ports", &ports);
38,854✔
3016
    if (ports) {
38,854!
3017
        SCLogConfig("grouping: tcp-priority-ports %s", ports);
×
3018
    } else {
38,854✔
3019
        (void)SCConfGet("detect.grouping.tcp-whitelist", &ports);
38,854✔
3020
        if (ports) {
38,854!
3021
            SCLogConfig(
×
3022
                    "grouping: tcp-priority-ports from legacy 'tcp-whitelist' setting: %s", ports);
×
3023
        } else {
38,854✔
3024
            ports = "53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080";
38,854✔
3025
            SCLogConfig("grouping: tcp-priority-ports (default) %s", ports);
38,854✔
3026
        }
38,854✔
3027
    }
38,854✔
3028
    if (DetectPortParse(de_ctx, &de_ctx->tcp_priorityports, ports) != 0) {
38,854!
3029
        SCLogWarning("'%s' is not a valid value "
×
3030
                     "for detect.grouping.tcp-priority-ports",
×
3031
                ports);
×
3032
    }
×
3033
    DetectPort *x = de_ctx->tcp_priorityports;
38,854✔
3034
    for ( ; x != NULL;  x = x->next) {
466,248✔
3035
        if (x->port != x->port2) {
427,394!
3036
            SCLogWarning("'%s' is not a valid value "
×
3037
                         "for detect.grouping.tcp-priority-ports: only single ports allowed",
×
3038
                    ports);
×
3039
            DetectPortCleanupList(de_ctx, de_ctx->tcp_priorityports);
×
3040
            de_ctx->tcp_priorityports = NULL;
×
3041
            break;
×
3042
        }
×
3043
    }
427,394✔
3044

3045
    ports = NULL;
38,854✔
3046
    (void)SCConfGet("detect.grouping.udp-priority-ports", &ports);
38,854✔
3047
    if (ports) {
38,854!
3048
        SCLogConfig("grouping: udp-priority-ports %s", ports);
×
3049
    } else {
38,854✔
3050
        (void)SCConfGet("detect.grouping.udp-whitelist", &ports);
38,854✔
3051
        if (ports) {
38,854!
3052
            SCLogConfig(
×
3053
                    "grouping: udp-priority-ports from legacy 'udp-whitelist' setting: %s", ports);
×
3054
        } else {
38,854✔
3055
            ports = "53, 135, 5060";
38,854✔
3056
            SCLogConfig("grouping: udp-priority-ports (default) %s", ports);
38,854✔
3057
        }
38,854✔
3058
    }
38,854✔
3059
    if (DetectPortParse(de_ctx, &de_ctx->udp_priorityports, ports) != 0) {
38,854!
3060
        SCLogWarning("'%s' is not a valid value "
×
3061
                     "for detect.grouping.udp-priority-ports",
×
3062
                ports);
×
3063
    }
×
3064
    for (x = de_ctx->udp_priorityports; x != NULL; x = x->next) {
155,416✔
3065
        if (x->port != x->port2) {
116,562!
3066
            SCLogWarning("'%s' is not a valid value "
×
3067
                         "for detect.grouping.udp-priority-ports: only single ports allowed",
×
3068
                    ports);
×
3069
            DetectPortCleanupList(de_ctx, de_ctx->udp_priorityports);
×
3070
            de_ctx->udp_priorityports = NULL;
×
3071
            break;
×
3072
        }
×
3073
    }
116,562✔
3074

3075
    de_ctx->prefilter_setting = DETECT_PREFILTER_MPM;
38,854✔
3076
    const char *pf_setting = NULL;
38,854✔
3077
    if (SCConfGet("detect.prefilter.default", &pf_setting) == 1 && pf_setting) {
38,854!
3078
        if (strcasecmp(pf_setting, "mpm") == 0) {
1,318✔
3079
            de_ctx->prefilter_setting = DETECT_PREFILTER_MPM;
1,314✔
3080
        } else if (strcasecmp(pf_setting, "auto") == 0) {
1,314!
3081
            de_ctx->prefilter_setting = DETECT_PREFILTER_AUTO;
4✔
3082
        }
4✔
3083
    }
1,318✔
3084
    switch (de_ctx->prefilter_setting) {
38,854!
3085
        case DETECT_PREFILTER_MPM:
38,850✔
3086
            SCLogConfig("prefilter engines: MPM");
38,850✔
3087
            break;
38,850✔
3088
        case DETECT_PREFILTER_AUTO:
4✔
3089
            SCLogConfig("prefilter engines: MPM and keywords");
4✔
3090
            break;
4✔
3091
    }
38,854✔
3092

3093
    return 0;
38,854✔
3094
}
38,854✔
3095

3096
void DetectEngineResetMaxSigId(DetectEngineCtx *de_ctx)
3097
{
38,849✔
3098
    de_ctx->signum = 0;
38,849✔
3099
}
38,849✔
3100

3101
static int DetectEngineThreadCtxInitGlobalKeywords(DetectEngineThreadCtx *det_ctx)
3102
{
48,437✔
3103
    const DetectEngineMasterCtx *master = &g_master_de_ctx;
48,437✔
3104

3105
    if (master->keyword_id > 0) {
48,437!
3106
        // coverity[suspicious_sizeof : FALSE]
3107
        det_ctx->global_keyword_ctxs_array = (void **)SCCalloc(master->keyword_id, sizeof(void *));
48,437✔
3108
        if (det_ctx->global_keyword_ctxs_array == NULL) {
48,437!
3109
            SCLogError("setting up thread local detect ctx");
×
3110
            return TM_ECODE_FAILED;
×
3111
        }
×
3112
        det_ctx->global_keyword_ctxs_size = master->keyword_id;
48,437✔
3113

3114
        const DetectEngineThreadKeywordCtxItem *item = master->keyword_list;
48,437✔
3115
        while (item) {
290,622✔
3116
            det_ctx->global_keyword_ctxs_array[item->id] = item->InitFunc(item->data);
242,185✔
3117
            if (det_ctx->global_keyword_ctxs_array[item->id] == NULL) {
242,185!
3118
                SCLogError("setting up thread local detect ctx "
×
3119
                           "for keyword \"%s\" failed",
×
3120
                        item->name);
×
3121
                return TM_ECODE_FAILED;
×
3122
            }
×
3123
            item = item->next;
242,185✔
3124
        }
242,185✔
3125
    }
48,437✔
3126
    return TM_ECODE_OK;
48,437✔
3127
}
48,437✔
3128

3129
static void DetectEngineThreadCtxDeinitGlobalKeywords(DetectEngineThreadCtx *det_ctx)
3130
{
48,472✔
3131
    if (det_ctx->global_keyword_ctxs_array == NULL ||
48,472✔
3132
        det_ctx->global_keyword_ctxs_size == 0) {
48,472!
3133
        return;
36✔
3134
    }
36✔
3135

3136
    const DetectEngineMasterCtx *master = &g_master_de_ctx;
48,436✔
3137
    if (master->keyword_id > 0) {
48,436!
3138
        const DetectEngineThreadKeywordCtxItem *item = master->keyword_list;
48,436✔
3139
        while (item) {
290,616✔
3140
            if (det_ctx->global_keyword_ctxs_array[item->id] != NULL)
242,180!
3141
                item->FreeFunc(det_ctx->global_keyword_ctxs_array[item->id]);
242,180✔
3142

3143
            item = item->next;
242,180✔
3144
        }
242,180✔
3145
        det_ctx->global_keyword_ctxs_size = 0;
48,436✔
3146
        SCFree(det_ctx->global_keyword_ctxs_array);
48,436✔
3147
        det_ctx->global_keyword_ctxs_array = NULL;
48,436✔
3148
    }
48,436✔
3149
}
48,436✔
3150

3151
static int DetectEngineThreadCtxInitKeywords(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx)
3152
{
48,437✔
3153
    if (de_ctx->keyword_id > 0) {
48,437✔
3154
        // coverity[suspicious_sizeof : FALSE]
3155
        det_ctx->keyword_ctxs_array = SCCalloc(de_ctx->keyword_id, sizeof(void *));
12,778✔
3156
        if (det_ctx->keyword_ctxs_array == NULL) {
12,778!
3157
            SCLogError("setting up thread local detect ctx");
×
3158
            return TM_ECODE_FAILED;
×
3159
        }
×
3160

3161
        det_ctx->keyword_ctxs_size = de_ctx->keyword_id;
12,778✔
3162

3163
        HashListTableBucket *hb = HashListTableGetListHead(de_ctx->keyword_hash);
12,778✔
3164
        for (; hb != NULL; hb = HashListTableGetListNext(hb)) {
37,956,295✔
3165
            DetectEngineThreadKeywordCtxItem *item = HashListTableGetListData(hb);
37,943,517✔
3166

3167
            det_ctx->keyword_ctxs_array[item->id] = item->InitFunc(item->data);
37,943,517✔
3168
            if (det_ctx->keyword_ctxs_array[item->id] == NULL) {
37,943,517!
3169
                SCLogError("setting up thread local detect ctx "
×
3170
                           "for keyword \"%s\" failed",
×
3171
                        item->name);
×
3172
                return TM_ECODE_FAILED;
×
3173
            }
×
3174
        }
37,943,517✔
3175
    }
12,778✔
3176
    return TM_ECODE_OK;
48,437✔
3177
}
48,437✔
3178

3179
static void DetectEngineThreadCtxDeinitKeywords(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx)
3180
{
48,472✔
3181
    if (de_ctx->keyword_id > 0) {
48,472✔
3182
        HashListTableBucket *hb = HashListTableGetListHead(de_ctx->keyword_hash);
12,778✔
3183
        for (; hb != NULL; hb = HashListTableGetListNext(hb)) {
37,956,295✔
3184
            DetectEngineThreadKeywordCtxItem *item = HashListTableGetListData(hb);
37,943,517✔
3185

3186
            if (det_ctx->keyword_ctxs_array[item->id] != NULL)
37,943,517!
3187
                item->FreeFunc(det_ctx->keyword_ctxs_array[item->id]);
37,943,517✔
3188
        }
37,943,517✔
3189
        det_ctx->keyword_ctxs_size = 0;
12,778✔
3190
        SCFree(det_ctx->keyword_ctxs_array);
12,778✔
3191
        det_ctx->keyword_ctxs_array = NULL;
12,778✔
3192
    }
12,778✔
3193
}
48,472✔
3194

3195
/** NOTE: master MUST be locked before calling this */
3196
static TmEcode DetectEngineThreadCtxInitForMT(ThreadVars *tv, DetectEngineThreadCtx *det_ctx)
3197
{
36✔
3198
    DetectEngineMasterCtx *master = &g_master_de_ctx;
36✔
3199

3200
    DetectEngineTenantMapping *map_array = NULL;
36✔
3201
    uint32_t map_array_size = 0;
36✔
3202
    uint32_t map_cnt = 0;
36✔
3203
    uint32_t max_tenant_id = 0;
36✔
3204
    DetectEngineCtx *list = master->list;
36✔
3205

3206
    DEBUG_VALIDATE_BUG_ON(!SCMutexIsLocked(&master->lock));
36✔
3207

3208
    /* coverity[missing_lock] */
3209
    if (master->tenant_selector == TENANT_SELECTOR_UNKNOWN) {
36!
3210
        SCLogError("no tenant selector set: "
×
3211
                   "set using multi-detect.selector");
×
3212
        return TM_ECODE_FAILED;
×
3213
    }
×
3214

3215
    uint32_t tcnt = 0;
36✔
3216
    while (list) {
148✔
3217
        if (list->tenant_id > max_tenant_id)
112✔
3218
            max_tenant_id = list->tenant_id;
48✔
3219

3220
        list = list->next;
112✔
3221
        tcnt++;
112✔
3222
    }
112✔
3223

3224
    HashTable *mt_det_ctxs_hash =
36✔
3225
            HashTableInit(tcnt * 2, TenantIdHash, TenantIdCompare, TenantIdFree);
36✔
3226
    if (mt_det_ctxs_hash == NULL) {
36!
3227
        goto error;
×
3228
    }
×
3229

3230
    if (tcnt == 0) {
36!
3231
        SCLogInfo("no tenants left, or none registered yet");
×
3232
    } else {
36✔
3233
        max_tenant_id++;
36✔
3234

3235
        DetectEngineTenantMapping *map = master->tenant_mapping_list;
36✔
3236
        while (map) {
84✔
3237
            map_cnt++;
48✔
3238
            map = map->next;
48✔
3239
        }
48✔
3240

3241
        if (map_cnt > 0) {
36!
3242
            map_array_size = map_cnt + 1;
36✔
3243

3244
            map_array = SCCalloc(map_array_size, sizeof(*map_array));
36✔
3245
            if (map_array == NULL)
36!
3246
                goto error;
×
3247

3248
            /* fill the array */
3249
            map_cnt = 0;
36✔
3250
            map = master->tenant_mapping_list;
36✔
3251
            while (map) {
84✔
3252
                if (map_cnt >= map_array_size) {
48!
3253
                    goto error;
×
3254
                }
×
3255
                map_array[map_cnt].traffic_id = map->traffic_id;
48✔
3256
                map_array[map_cnt].tenant_id = map->tenant_id;
48✔
3257
                map_cnt++;
48✔
3258
                map = map->next;
48✔
3259
            }
48✔
3260

3261
        }
36✔
3262

3263
        /* set up hash for tenant lookup */
3264
        list = master->list;
36✔
3265
        while (list) {
148✔
3266
            SCLogDebug("tenant-id %u", list->tenant_id);
112!
3267
            if (list->tenant_id != 0) {
112✔
3268
                DetectEngineThreadCtx *mt_det_ctx = DetectEngineThreadCtxInitForReload(tv, list, 0);
76✔
3269
                if (mt_det_ctx == NULL)
76!
3270
                    goto error;
×
3271
                if (HashTableAdd(mt_det_ctxs_hash, mt_det_ctx, 0) != 0) {
76!
3272
                    goto error;
×
3273
                }
×
3274
            }
76✔
3275
            list = list->next;
112✔
3276
        }
112✔
3277
    }
36✔
3278

3279
    det_ctx->mt_det_ctxs_hash = mt_det_ctxs_hash;
36✔
3280
    mt_det_ctxs_hash = NULL;
36✔
3281

3282
    det_ctx->mt_det_ctxs_cnt = max_tenant_id;
36✔
3283

3284
    det_ctx->tenant_array = map_array;
36✔
3285
    det_ctx->tenant_array_size = map_array_size;
36✔
3286

3287
    switch (master->tenant_selector) {
36!
3288
        case TENANT_SELECTOR_UNKNOWN:
×
3289
            SCLogDebug("TENANT_SELECTOR_UNKNOWN");
×
3290
            break;
×
3291
        case TENANT_SELECTOR_VLAN:
36!
3292
            det_ctx->TenantGetId = DetectEngineTenantGetIdFromVlanId;
36✔
3293
            SCLogDebug("TENANT_SELECTOR_VLAN");
36!
3294
            break;
36✔
3295
        case TENANT_SELECTOR_LIVEDEV:
×
3296
            det_ctx->TenantGetId = DetectEngineTenantGetIdFromLivedev;
×
3297
            SCLogDebug("TENANT_SELECTOR_LIVEDEV");
×
3298
            break;
×
3299
        case TENANT_SELECTOR_DIRECT:
×
3300
            det_ctx->TenantGetId = DetectEngineTenantGetIdFromPcap;
×
3301
            SCLogDebug("TENANT_SELECTOR_DIRECT");
×
3302
            break;
×
3303
    }
36✔
3304

3305
    return TM_ECODE_OK;
36✔
3306
error:
×
3307
    if (map_array != NULL)
×
3308
        SCFree(map_array);
×
3309
    if (mt_det_ctxs_hash != NULL)
×
3310
        HashTableFree(mt_det_ctxs_hash);
×
3311

3312
    return TM_ECODE_FAILED;
×
3313
}
36✔
3314

3315
/** \internal
3316
 *  \brief Helper for DetectThread setup functions
3317
 */
3318
static TmEcode ThreadCtxDoInit (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx)
3319
{
48,437✔
3320
    PatternMatchThreadPrepare(&det_ctx->mtc, de_ctx->mpm_matcher);
48,437✔
3321

3322
    PmqSetup(&det_ctx->pmq);
48,437✔
3323

3324
    det_ctx->spm_thread_ctx = SpmMakeThreadCtx(de_ctx->spm_global_thread_ctx);
48,437✔
3325
    if (det_ctx->spm_thread_ctx == NULL) {
48,437!
3326
        return TM_ECODE_FAILED;
×
3327
    }
×
3328

3329
    /* DeState */
3330
    if (de_ctx->sig_array_len > 0) {
48,437✔
3331
        det_ctx->match_array_len = de_ctx->sig_array_len;
33,329✔
3332
        det_ctx->match_array = SCCalloc(det_ctx->match_array_len, sizeof(Signature *));
33,329✔
3333
        if (det_ctx->match_array == NULL) {
33,329!
3334
            return TM_ECODE_FAILED;
×
3335
        }
×
3336
        det_ctx->replace = SCCalloc(de_ctx->sig_array_len, sizeof(Signature *));
33,329✔
3337
        if (det_ctx->replace == NULL) {
33,329!
NEW
3338
            return TM_ECODE_FAILED;
×
NEW
3339
        }
×
3340

3341
        RuleMatchCandidateTxArrayInit(det_ctx, de_ctx->sig_array_len);
33,329✔
3342
    }
33,329✔
3343

3344
    /* Alert processing queue */
3345
    AlertQueueInit(det_ctx);
48,437✔
3346

3347
    /* byte_extract storage */
3348
    det_ctx->byte_values = SCMalloc(sizeof(*det_ctx->byte_values) *
48,437✔
3349
                                  (de_ctx->byte_extract_max_local_id + 1));
48,437✔
3350
    if (det_ctx->byte_values == NULL) {
48,437!
3351
        return TM_ECODE_FAILED;
×
3352
    }
×
3353

3354
    /* Allocate space for base64 decoded data. */
3355
    if (de_ctx->base64_decode_max_len) {
48,437✔
3356
        det_ctx->base64_decoded = SCMalloc(de_ctx->base64_decode_max_len);
6,043✔
3357
        if (det_ctx->base64_decoded == NULL) {
6,043!
3358
            return TM_ECODE_FAILED;
×
3359
        }
×
3360
        det_ctx->base64_decoded_len = 0;
6,043✔
3361
    }
6,043✔
3362

3363
    det_ctx->inspect.buffers_size = de_ctx->buffer_type_id;
48,437✔
3364
    det_ctx->inspect.buffers = SCCalloc(det_ctx->inspect.buffers_size, sizeof(InspectionBuffer));
48,437✔
3365
    if (det_ctx->inspect.buffers == NULL) {
48,437!
3366
        return TM_ECODE_FAILED;
×
3367
    }
×
3368
    det_ctx->inspect.to_clear_queue = SCCalloc(det_ctx->inspect.buffers_size, sizeof(uint32_t));
48,437✔
3369
    if (det_ctx->inspect.to_clear_queue == NULL) {
48,437!
3370
        return TM_ECODE_FAILED;
×
3371
    }
×
3372
    det_ctx->inspect.to_clear_idx = 0;
48,437✔
3373

3374
    det_ctx->multi_inspect.buffers_size = de_ctx->buffer_type_id;
48,437✔
3375
    det_ctx->multi_inspect.buffers = SCCalloc(det_ctx->multi_inspect.buffers_size, sizeof(InspectionBufferMultipleForList));
48,437✔
3376
    if (det_ctx->multi_inspect.buffers == NULL) {
48,437!
3377
        return TM_ECODE_FAILED;
×
3378
    }
×
3379
    det_ctx->multi_inspect.to_clear_queue = SCCalloc(det_ctx->multi_inspect.buffers_size, sizeof(uint32_t));
48,437✔
3380
    if (det_ctx->multi_inspect.to_clear_queue == NULL) {
48,437!
3381
        return TM_ECODE_FAILED;
×
3382
    }
×
3383
    det_ctx->multi_inspect.to_clear_idx = 0;
48,437✔
3384

3385

3386
    DetectEngineThreadCtxInitKeywords(de_ctx, det_ctx);
48,437✔
3387
    DetectEngineThreadCtxInitGlobalKeywords(det_ctx);
48,437✔
3388
#ifdef PROFILE_RULES
3389
    SCProfilingRuleThreadSetup(de_ctx->profile_ctx, det_ctx);
3390
#endif
3391
#ifdef PROFILING
3392
    SCProfilingKeywordThreadSetup(de_ctx->profile_keyword_ctx, det_ctx);
3393
    SCProfilingPrefilterThreadSetup(de_ctx->profile_prefilter_ctx, det_ctx);
3394
    SCProfilingSghThreadSetup(de_ctx->profile_sgh_ctx, det_ctx);
3395
#endif
3396
    SC_ATOMIC_INIT(det_ctx->so_far_used_by_detect);
48,437✔
3397

3398
    return TM_ECODE_OK;
48,437✔
3399
}
48,437✔
3400

3401
/** \brief initialize thread specific detection engine context
3402
 *
3403
 *  \note there is a special case when using delayed detect. In this case the
3404
 *        function is called twice per thread. The first time the rules are not
3405
 *        yet loaded. de_ctx->delayed_detect_initialized will be 0. The 2nd
3406
 *        time they will be loaded. de_ctx->delayed_detect_initialized will be 1.
3407
 *        This is needed to do the per thread counter registration before the
3408
 *        packet runtime starts. In delayed detect mode, the first call will
3409
 *        return a NULL ptr through the data ptr.
3410
 *
3411
 *  \param tv ThreadVars for this thread
3412
 *  \param initdata pointer to de_ctx
3413
 *  \param data[out] pointer to store our thread detection ctx
3414
 *
3415
 *  \retval TM_ECODE_OK if all went well
3416
 *  \retval TM_ECODE_FAILED on serious errors
3417
 */
3418
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
3419
{
12,858✔
3420
    DetectEngineThreadCtx *det_ctx = SCCalloc(1, sizeof(DetectEngineThreadCtx));
12,858✔
3421
    if (unlikely(det_ctx == NULL))
12,858!
3422
        return TM_ECODE_FAILED;
×
3423

3424
    det_ctx->tv = tv;
12,858✔
3425
    det_ctx->de_ctx = DetectEngineGetCurrent();
12,858✔
3426
    if (det_ctx->de_ctx == NULL) {
12,858!
3427
#ifdef UNITTESTS
827✔
3428
        if (RunmodeIsUnittests()) {
827✔
3429
            det_ctx->de_ctx = (DetectEngineCtx *)initdata;
827✔
3430
        } else {
827✔
3431
            DetectEngineThreadCtxDeinit(tv, det_ctx);
3432
            return TM_ECODE_FAILED;
3433
        }
3434
#else
3435
        DetectEngineThreadCtxDeinit(tv, det_ctx);
3436
        return TM_ECODE_FAILED;
3437
#endif
3438
    }
827✔
3439

3440
    if (det_ctx->de_ctx->type == DETECT_ENGINE_TYPE_NORMAL ||
12,858✔
3441
        det_ctx->de_ctx->type == DETECT_ENGINE_TYPE_TENANT)
12,858!
3442
    {
12,850✔
3443
        if (ThreadCtxDoInit(det_ctx->de_ctx, det_ctx) != TM_ECODE_OK) {
12,850!
3444
            DetectEngineThreadCtxDeinit(tv, det_ctx);
×
3445
            return TM_ECODE_FAILED;
×
3446
        }
×
3447
    }
12,850✔
3448

3449
    /** alert counter setup */
3450
    det_ctx->counter_alerts = StatsRegisterCounter("detect.alert", &tv->stats);
12,858✔
3451
    det_ctx->counter_alerts_overflow =
12,858✔
3452
            StatsRegisterCounter("detect.alert_queue_overflow", &tv->stats);
12,858✔
3453
    det_ctx->counter_alerts_suppressed =
12,858✔
3454
            StatsRegisterCounter("detect.alerts_suppressed", &tv->stats);
12,858✔
3455

3456
    /* Register counter for Lua rule errors. */
3457
    det_ctx->lua_rule_errors = StatsRegisterCounter("detect.lua.errors", &tv->stats);
12,858✔
3458

3459
    /* Register a counter for Lua blocked function attempts. */
3460
    det_ctx->lua_blocked_function_errors =
12,858✔
3461
            StatsRegisterCounter("detect.lua.blocked_function_errors", &tv->stats);
12,858✔
3462

3463
    /* Register a counter for Lua instruction limit errors. */
3464
    det_ctx->lua_instruction_limit_errors =
12,858✔
3465
            StatsRegisterCounter("detect.lua.instruction_limit_errors", &tv->stats);
12,858✔
3466

3467
    /* Register a counter for Lua memory limit errors. */
3468
    det_ctx->lua_memory_limit_errors =
12,858✔
3469
            StatsRegisterCounter("detect.lua.memory_limit_errors", &tv->stats);
12,858✔
3470

3471
    det_ctx->json_content = NULL;
12,858✔
3472
    det_ctx->json_content_capacity = 0;
12,858✔
3473
    det_ctx->json_content_len = 0;
12,858✔
3474

3475
#ifdef PROFILING
3476
    det_ctx->counter_mpm_list = StatsRegisterAvgCounter("detect.mpm_list", &tv->stats);
3477
    det_ctx->counter_match_list = StatsRegisterAvgCounter("detect.match_list", &tv->stats);
3478
#endif
3479

3480
    if (DetectEngineMultiTenantEnabled()) {
12,858✔
3481
        DetectEngineMasterCtx *master = &g_master_de_ctx;
8✔
3482
        SCMutexLock(&master->lock);
8✔
3483
        if (DetectEngineThreadCtxInitForMT(tv, det_ctx) != TM_ECODE_OK) {
8!
3484
            DetectEngineThreadCtxDeinit(tv, det_ctx);
×
3485
            SCMutexUnlock(&master->lock);
×
3486
            return TM_ECODE_FAILED;
×
3487
        }
×
3488
        SCMutexUnlock(&master->lock);
8✔
3489
    }
8✔
3490

3491
    /* pass thread data back to caller */
3492
    *data = (void *)det_ctx;
12,858✔
3493

3494
    return TM_ECODE_OK;
12,858✔
3495
}
12,858✔
3496

3497
/**
3498
 * \internal
3499
 * \brief initialize a det_ctx for reload cases
3500
 * \param new_de_ctx the new detection engine
3501
 * \param mt flag to indicate if MT should be set up for this det_ctx
3502
 *           this should only be done for the 'root' det_ctx
3503
 *
3504
 * \retval det_ctx detection engine thread ctx or NULL in case of error
3505
 */
3506
DetectEngineThreadCtx *DetectEngineThreadCtxInitForReload(
3507
        ThreadVars *tv, DetectEngineCtx *new_de_ctx, int mt)
3508
{
35,615✔
3509
    DetectEngineThreadCtx *det_ctx = SCCalloc(1, sizeof(DetectEngineThreadCtx));
35,615✔
3510
    if (unlikely(det_ctx == NULL))
35,615!
3511
        return NULL;
×
3512

3513
    det_ctx->tenant_id = new_de_ctx->tenant_id;
35,615✔
3514
    det_ctx->tv = tv;
35,615✔
3515
    det_ctx->de_ctx = DetectEngineReference(new_de_ctx);
35,615✔
3516
    if (det_ctx->de_ctx == NULL) {
35,615!
3517
        SCFree(det_ctx);
×
3518
        return NULL;
×
3519
    }
×
3520

3521
    /* most of the init happens here */
3522
    if (det_ctx->de_ctx->type == DETECT_ENGINE_TYPE_NORMAL ||
35,615!
3523
        det_ctx->de_ctx->type == DETECT_ENGINE_TYPE_TENANT)
35,615!
3524
    {
35,587✔
3525
        if (ThreadCtxDoInit(det_ctx->de_ctx, det_ctx) != TM_ECODE_OK) {
35,587!
3526
            DetectEngineDeReference(&det_ctx->de_ctx);
×
3527
            SCFree(det_ctx);
×
3528
            return NULL;
×
3529
        }
×
3530
    }
35,587✔
3531

3532
    /** alert counter setup */
3533
    det_ctx->counter_alerts = StatsRegisterCounter("detect.alert", &tv->stats);
35,615✔
3534
    det_ctx->counter_alerts_overflow =
35,615✔
3535
            StatsRegisterCounter("detect.alert_queue_overflow", &tv->stats);
35,615✔
3536
    det_ctx->counter_alerts_suppressed =
35,615✔
3537
            StatsRegisterCounter("detect.alerts_suppressed", &tv->stats);
35,615✔
3538
#ifdef PROFILING
3539
    det_ctx->counter_mpm_list = StatsRegisterAvgCounter("detect.mpm_list", &tv->stats);
3540
    det_ctx->counter_match_list = StatsRegisterAvgCounter("detect.match_list", &tv->stats);
3541
#endif
3542

3543
    if (mt && DetectEngineMultiTenantEnabledWithLock()) {
35,615!
3544
        if (DetectEngineThreadCtxInitForMT(tv, det_ctx) != TM_ECODE_OK) {
28!
3545
            DetectEngineDeReference(&det_ctx->de_ctx);
×
3546
            SCFree(det_ctx);
×
3547
            return NULL;
×
3548
        }
×
3549
    }
28✔
3550

3551
    return det_ctx;
35,615✔
3552
}
35,615✔
3553

3554
static void DetectEngineThreadCtxFree(DetectEngineThreadCtx *det_ctx)
3555
{
48,472✔
3556
#if  DEBUG
3557
    SCLogDebug("PACKET PKT_STREAM_ADD: %"PRIu64, det_ctx->pkt_stream_add_cnt);
3558

3559
    SCLogDebug("PAYLOAD MPM %"PRIu64"/%"PRIu64, det_ctx->payload_mpm_cnt, det_ctx->payload_mpm_size);
3560
    SCLogDebug("STREAM  MPM %"PRIu64"/%"PRIu64, det_ctx->stream_mpm_cnt, det_ctx->stream_mpm_size);
3561

3562
    SCLogDebug("PAYLOAD SIG %"PRIu64"/%"PRIu64, det_ctx->payload_persig_cnt, det_ctx->payload_persig_size);
3563
    SCLogDebug("STREAM  SIG %"PRIu64"/%"PRIu64, det_ctx->stream_persig_cnt, det_ctx->stream_persig_size);
3564
#endif
3565

3566
    if (det_ctx->tenant_array != NULL) {
48,472✔
3567
        SCFree(det_ctx->tenant_array);
36✔
3568
        det_ctx->tenant_array = NULL;
36✔
3569
    }
36✔
3570

3571
#ifdef PROFILE_RULES
3572
    SCProfilingRuleThreadCleanup(det_ctx);
3573
#endif
3574
#ifdef PROFILING
3575
    SCProfilingKeywordThreadCleanup(det_ctx);
3576
    SCProfilingPrefilterThreadCleanup(det_ctx);
3577
    SCProfilingSghThreadCleanup(det_ctx);
3578
#endif
3579

3580
    /** \todo get rid of this static */
3581
    if (det_ctx->de_ctx != NULL) {
48,472!
3582
        PatternMatchThreadDestroy(&det_ctx->mtc, det_ctx->de_ctx->mpm_matcher);
48,472✔
3583
    }
48,472✔
3584

3585
    PmqFree(&det_ctx->pmq);
48,472✔
3586

3587
    if (det_ctx->spm_thread_ctx != NULL) {
48,472✔
3588
        SpmDestroyThreadCtx(det_ctx->spm_thread_ctx);
48,436✔
3589
    }
48,436✔
3590
    if (det_ctx->match_array != NULL)
48,472✔
3591
        SCFree(det_ctx->match_array);
33,329✔
3592
    if (det_ctx->replace != NULL)
48,472✔
3593
        SCFree(det_ctx->replace);
33,329✔
3594

3595
    RuleMatchCandidateTxArrayFree(det_ctx);
48,472✔
3596

3597
    AlertQueueFree(det_ctx);
48,472✔
3598

3599
    if (det_ctx->post_rule_work_queue.q)
48,472✔
3600
        SCFree(det_ctx->post_rule_work_queue.q);
18✔
3601

3602
    if (det_ctx->byte_values != NULL)
48,472✔
3603
        SCFree(det_ctx->byte_values);
48,436✔
3604

3605
    /* Decoded base64 data. */
3606
    if (det_ctx->base64_decoded != NULL) {
48,472✔
3607
        SCFree(det_ctx->base64_decoded);
6,043✔
3608
    }
6,043✔
3609

3610
    if (det_ctx->inspect.buffers) {
48,472✔
3611
        for (uint32_t i = 0; i < det_ctx->inspect.buffers_size; i++) {
20,366,115✔
3612
            InspectionBufferFree(&det_ctx->inspect.buffers[i]);
20,317,679✔
3613
        }
20,317,679✔
3614
        SCFree(det_ctx->inspect.buffers);
48,436✔
3615
    }
48,436✔
3616
    if (det_ctx->inspect.to_clear_queue) {
48,472✔
3617
        SCFree(det_ctx->inspect.to_clear_queue);
48,436✔
3618
    }
48,436✔
3619
    if (det_ctx->multi_inspect.buffers) {
48,472✔
3620
        for (uint32_t i = 0; i < det_ctx->multi_inspect.buffers_size; i++) {
20,366,115✔
3621
            InspectionBufferMultipleForList *fb = &det_ctx->multi_inspect.buffers[i];
20,317,679✔
3622
            for (uint32_t x = 0; x < fb->size; x++) {
20,326,178✔
3623
                InspectionBufferFree(&fb->inspection_buffers[x]);
8,499✔
3624
            }
8,499✔
3625
            SCFree(fb->inspection_buffers);
20,317,679✔
3626
        }
20,317,679✔
3627
        SCFree(det_ctx->multi_inspect.buffers);
48,436✔
3628
    }
48,436✔
3629
    if (det_ctx->multi_inspect.to_clear_queue) {
48,472✔
3630
        SCFree(det_ctx->multi_inspect.to_clear_queue);
48,436✔
3631
    }
48,436✔
3632

3633
    DetectEngineThreadCtxDeinitGlobalKeywords(det_ctx);
48,472✔
3634
    if (det_ctx->de_ctx != NULL) {
48,472!
3635
        DetectEngineThreadCtxDeinitKeywords(det_ctx->de_ctx, det_ctx);
48,472✔
3636
#ifdef UNITTESTS
852✔
3637
        if (!RunmodeIsUnittests() || det_ctx->de_ctx->ref_cnt > 0)
852✔
3638
            DetectEngineDeReference(&det_ctx->de_ctx);
25✔
3639
#else
3640
        DetectEngineDeReference(&det_ctx->de_ctx);
47,620✔
3641
#endif
47,620✔
3642
    }
48,472✔
3643

3644
    if (det_ctx->json_content) {
48,472✔
3645
        SCFree(det_ctx->json_content);
11✔
3646
        det_ctx->json_content = NULL;
11✔
3647
        det_ctx->json_content_capacity = 0;
11✔
3648
    }
11✔
3649

3650
    SCAppLayerDecoderEventsFreeEvents(&det_ctx->decoder_events);
48,472✔
3651
    PrefilterPktNonPFStatsDump();
48,472✔
3652
    SCFree(det_ctx);
48,472✔
3653

3654
    ThresholdCacheThreadFree();
48,472✔
3655
}
48,472✔
3656

3657
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
3658
{
48,396✔
3659
    DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;
48,396✔
3660

3661
    if (det_ctx == NULL) {
48,396!
3662
        SCLogWarning("argument \"data\" NULL");
×
3663
        return TM_ECODE_OK;
×
3664
    }
×
3665

3666
    if (det_ctx->mt_det_ctxs_hash != NULL) {
48,396✔
3667
        HashTableFree(det_ctx->mt_det_ctxs_hash);
36✔
3668
        det_ctx->mt_det_ctxs_hash = NULL;
36✔
3669
    }
36✔
3670
    DetectEngineThreadCtxFree(det_ctx);
48,396✔
3671

3672
    return TM_ECODE_OK;
48,396✔
3673
}
48,396✔
3674

3675
static uint32_t DetectKeywordCtxHashFunc(HashListTable *ht, void *data, uint16_t datalen)
3676
{
759,523✔
3677
    DetectEngineThreadKeywordCtxItem *ctx = data;
759,523✔
3678
    const char *name = ctx->name;
759,523✔
3679
    uint64_t hash =
759,523✔
3680
            StringHashDjb2((const uint8_t *)name, (uint32_t)strlen(name)) + (ptrdiff_t)ctx->data;
759,523✔
3681
    hash %= ht->array_size;
759,523✔
3682
    return (uint32_t)hash;
759,523✔
3683
}
759,523✔
3684

3685
static char DetectKeywordCtxCompareFunc(void *data1, uint16_t len1, void *data2, uint16_t len2)
3686
{
486,202✔
3687
    DetectEngineThreadKeywordCtxItem *ctx1 = data1;
486,202✔
3688
    DetectEngineThreadKeywordCtxItem *ctx2 = data2;
486,202✔
3689
    const char *name1 = ctx1->name;
486,202✔
3690
    const char *name2 = ctx2->name;
486,202✔
3691
    return (strcmp(name1, name2) == 0 && ctx1->data == ctx2->data);
486,202!
3692
}
486,202✔
3693

3694
static void DetectKeywordCtxFreeFunc(void *ptr)
3695
{
356,408✔
3696
    SCFree(ptr);
356,408✔
3697
}
356,408✔
3698

3699
/** \brief Register Thread keyword context Funcs
3700
 *
3701
 *  \param de_ctx detection engine to register in
3702
 *  \param name keyword name for error printing
3703
 *  \param InitFunc function ptr
3704
 *  \param data keyword init data to pass to Func. Can be NULL.
3705
 *  \param FreeFunc function ptr
3706
 *  \param mode 0 normal (ctx per keyword instance) 1 shared (one ctx per det_ct)
3707
 *
3708
 *  \retval id for retrieval of ctx at runtime
3709
 *  \retval -1 on error
3710
 *
3711
 *  \note make sure "data" remains valid and it free'd elsewhere. It's
3712
 *        recommended to store it in the keywords global ctx so that
3713
 *        it's freed when the de_ctx is freed.
3714
 */
3715
int DetectRegisterThreadCtxFuncs(DetectEngineCtx *de_ctx, const char *name, void *(*InitFunc)(void *), void *data, void (*FreeFunc)(void *), int mode)
3716
{
356,419✔
3717
    BUG_ON(de_ctx == NULL || InitFunc == NULL || FreeFunc == NULL);
356,419!
3718

3719
    if (de_ctx->keyword_hash == NULL) {
356,419✔
3720
        de_ctx->keyword_hash = HashListTableInit(4096, // TODO
7,017✔
3721
                DetectKeywordCtxHashFunc, DetectKeywordCtxCompareFunc, DetectKeywordCtxFreeFunc);
7,017✔
3722
        BUG_ON(de_ctx->keyword_hash == NULL);
7,017!
3723
    }
7,017✔
3724

3725
    if (mode) {
356,419✔
3726
        DetectEngineThreadKeywordCtxItem search = { .data = data, .name = name };
471✔
3727

3728
        DetectEngineThreadKeywordCtxItem *item =
471✔
3729
                HashListTableLookup(de_ctx->keyword_hash, (void *)&search, 0);
471✔
3730
        if (item)
471!
3731
            return item->id;
×
3732

3733
        /* fall through */
3734
    }
471✔
3735

3736
    DetectEngineThreadKeywordCtxItem *item = SCCalloc(1, sizeof(DetectEngineThreadKeywordCtxItem));
356,419✔
3737
    if (unlikely(item == NULL))
356,419!
3738
        return -1;
×
3739

3740
    item->InitFunc = InitFunc;
356,419✔
3741
    item->FreeFunc = FreeFunc;
356,419✔
3742
    item->data = data;
356,419✔
3743
    item->name = name;
356,419✔
3744
    item->id = de_ctx->keyword_id++;
356,419✔
3745

3746
    if (HashListTableAdd(de_ctx->keyword_hash, (void *)item, 0) < 0) {
356,419!
3747
        SCFree(item);
×
3748
        return -1;
×
3749
    }
×
3750
    return item->id;
356,419✔
3751
}
356,419✔
3752

3753
/** \brief Remove Thread keyword context registration
3754
 *
3755
 *  \param de_ctx detection engine to deregister from
3756
 *  \param det_ctx detection engine thread context to deregister from
3757
 *  \param data keyword init data to pass to Func. Can be NULL.
3758
 *  \param name keyword name for error printing
3759
 *
3760
 *  \retval 1 Item unregistered
3761
 *  \retval 0 otherwise
3762
 *
3763
 *  \note make sure "data" remains valid and it free'd elsewhere. It's
3764
 *        recommended to store it in the keywords global ctx so that
3765
 *        it's freed when the de_ctx is freed.
3766
 */
3767
int DetectUnregisterThreadCtxFuncs(DetectEngineCtx *de_ctx, void *data, const char *name)
3768
{
414,789✔
3769
    /* might happen if we call this before a call to *Register* */
3770
    if (de_ctx->keyword_hash == NULL)
414,789✔
3771
        return 1;
12,156✔
3772
    DetectEngineThreadKeywordCtxItem remove = { .data = data, .name = name };
402,633✔
3773
    if (HashListTableRemove(de_ctx->keyword_hash, (void *)&remove, 0) == 0)
402,633!
3774
        return 1;
355,925✔
3775
    return 0;
46,708✔
3776
}
402,633✔
3777
/** \brief Retrieve thread local keyword ctx by id
3778
 *
3779
 *  \param det_ctx detection engine thread ctx to retrieve the ctx from
3780
 *  \param id id of the ctx returned by DetectRegisterThreadCtxInitFunc at
3781
 *            keyword init.
3782
 *
3783
 *  \retval ctx or NULL on error
3784
 */
3785
void *DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
3786
{
16,932✔
3787
    if (id < 0 || id > det_ctx->keyword_ctxs_size || det_ctx->keyword_ctxs_array == NULL)
16,933!
3788
        return NULL;
×
3789

3790
    return det_ctx->keyword_ctxs_array[id];
16,932✔
3791
}
16,932✔
3792

3793

3794
/** \brief Register Thread keyword context Funcs (Global)
3795
 *
3796
 *  IDs stay static over reloads and between tenants
3797
 *
3798
 *  \param name keyword name for error printing
3799
 *  \param InitFunc function ptr
3800
 *  \param FreeFunc function ptr
3801
 *
3802
 *  \retval id for retrieval of ctx at runtime
3803
 *  \retval -1 on error
3804
 */
3805
int DetectRegisterThreadCtxGlobalFuncs(const char *name,
3806
        void *(*InitFunc)(void *), void *data, void (*FreeFunc)(void *))
3807
{
10,965✔
3808
    int id;
10,965✔
3809
    BUG_ON(InitFunc == NULL || FreeFunc == NULL);
10,965!
3810

3811
    DetectEngineMasterCtx *master = &g_master_de_ctx;
10,965✔
3812

3813
    /* if already registered, return existing id */
3814
    DetectEngineThreadKeywordCtxItem *item = master->keyword_list;
10,965✔
3815
    while (item != NULL) {
32,895✔
3816
        if (strcmp(name, item->name) == 0) {
21,930!
3817
            id = item->id;
×
3818
            return id;
×
3819
        }
×
3820

3821
        item = item->next;
21,930✔
3822
    }
21,930✔
3823

3824
    item = SCCalloc(1, sizeof(*item));
10,965✔
3825
    if (unlikely(item == NULL)) {
10,965!
3826
        return -1;
×
3827
    }
×
3828
    item->InitFunc = InitFunc;
10,965✔
3829
    item->FreeFunc = FreeFunc;
10,965✔
3830
    item->name = name;
10,965✔
3831
    item->data = data;
10,965✔
3832

3833
    item->next = master->keyword_list;
10,965✔
3834
    master->keyword_list = item;
10,965✔
3835
    item->id = master->keyword_id++;
10,965✔
3836

3837
    id = item->id;
10,965✔
3838
    return id;
10,965✔
3839
}
10,965✔
3840

3841
/** \brief Retrieve thread local keyword ctx by id
3842
 *
3843
 *  \param det_ctx detection engine thread ctx to retrieve the ctx from
3844
 *  \param id id of the ctx returned by DetectRegisterThreadCtxInitFunc at
3845
 *            keyword init.
3846
 *
3847
 *  \retval ctx or NULL on error
3848
 */
3849
void *DetectThreadCtxGetGlobalKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
3850
{
16,811✔
3851
    if (id < 0 || id > det_ctx->global_keyword_ctxs_size ||
16,811!
3852
        det_ctx->global_keyword_ctxs_array == NULL) {
16,813!
3853
        return NULL;
×
3854
    }
×
3855

3856
    return det_ctx->global_keyword_ctxs_array[id];
16,811✔
3857
}
16,811✔
3858

3859
/** \brief Check if detection is enabled
3860
 *  \retval bool true or false */
3861
int DetectEngineEnabled(void)
3862
{
15,470✔
3863
    DetectEngineMasterCtx *master = &g_master_de_ctx;
15,470✔
3864
    SCMutexLock(&master->lock);
15,470✔
3865

3866
    if (master->list == NULL) {
15,470✔
3867
        SCMutexUnlock(&master->lock);
1,825✔
3868
        return 0;
1,825✔
3869
    }
1,825✔
3870

3871
    SCMutexUnlock(&master->lock);
13,645✔
3872
    return 1;
13,645✔
3873
}
15,470✔
3874

3875
uint32_t DetectEngineGetVersion(void)
3876
{
38,855✔
3877
    uint32_t version;
38,855✔
3878
    DetectEngineMasterCtx *master = &g_master_de_ctx;
38,855✔
3879
    SCMutexLock(&master->lock);
38,855✔
3880
    version = master->version;
38,855✔
3881
    SCMutexUnlock(&master->lock);
38,855✔
3882
    return version;
38,855✔
3883
}
38,855✔
3884

3885
void DetectEngineBumpVersion(void)
3886
{
37,247✔
3887
    DetectEngineMasterCtx *master = &g_master_de_ctx;
37,247✔
3888
    SCMutexLock(&master->lock);
37,247✔
3889
    master->version++;
37,247✔
3890
    SCLogDebug("master version now %u", master->version);
37,247!
3891
    SCMutexUnlock(&master->lock);
37,247✔
3892
}
37,247✔
3893

3894
DetectEngineCtx *DetectEngineGetCurrent(void)
3895
{
126,237✔
3896
    DetectEngineMasterCtx *master = &g_master_de_ctx;
126,237✔
3897
    SCMutexLock(&master->lock);
126,237✔
3898

3899
    DetectEngineCtx *de_ctx = master->list;
126,237✔
3900
    while (de_ctx) {
126,253✔
3901
        if (de_ctx->type == DETECT_ENGINE_TYPE_NORMAL ||
124,859✔
3902
            de_ctx->type == DETECT_ENGINE_TYPE_DD_STUB ||
124,859!
3903
            de_ctx->type == DETECT_ENGINE_TYPE_MT_STUB)
124,859!
3904
        {
124,843✔
3905
            de_ctx->ref_cnt++;
124,843✔
3906
            SCLogDebug("de_ctx %p ref_cnt %u", de_ctx, de_ctx->ref_cnt);
124,843!
3907
            SCMutexUnlock(&master->lock);
124,843✔
3908
            return de_ctx;
124,843✔
3909
        }
124,843✔
3910
        de_ctx = de_ctx->next;
16✔
3911
    }
16✔
3912

3913
    SCMutexUnlock(&master->lock);
1,394✔
3914
    return NULL;
1,394✔
3915
}
126,237✔
3916

3917
DetectEngineCtx *DetectEngineReference(DetectEngineCtx *de_ctx)
3918
{
35,615✔
3919
    if (de_ctx == NULL)
35,615!
3920
        return NULL;
×
3921
    de_ctx->ref_cnt++;
35,615✔
3922
    return de_ctx;
35,615✔
3923
}
35,615✔
3924

3925
static bool DetectEngineMultiTenantEnabledWithLock(void)
3926
{
86,509✔
3927
    DetectEngineMasterCtx *master = &g_master_de_ctx;
86,509✔
3928
    return master->multi_tenant_enabled;
86,509✔
3929
}
86,509✔
3930

3931
bool DetectEngineMultiTenantEnabled(void)
3932
{
50,970✔
3933
    DetectEngineMasterCtx *master = &g_master_de_ctx;
50,970✔
3934
    SCMutexLock(&master->lock);
50,970✔
3935
    bool enabled = DetectEngineMultiTenantEnabledWithLock();
50,970✔
3936
    SCMutexUnlock(&master->lock);
50,970✔
3937
    return enabled;
50,970✔
3938
}
50,970✔
3939

3940
/** \internal
3941
 *  \brief load a tenant from a yaml file
3942
 *
3943
 *  \param tenant_id the tenant id by which the config is known
3944
 *  \param filename full path of a yaml file
3945
 *  \param loader_id id of loader thread or -1
3946
 *
3947
 *  \retval 0 ok
3948
 *  \retval -1 failed
3949
 */
3950
static int DetectEngineMultiTenantLoadTenant(uint32_t tenant_id, const char *filename, int loader_id)
3951
{
15✔
3952
    DetectEngineCtx *de_ctx = NULL;
15✔
3953
    char prefix[64];
15✔
3954

3955
    snprintf(prefix, sizeof(prefix), "multi-detect.%u", tenant_id);
15✔
3956

3957
    SCStat st;
15✔
3958
    if (SCStatFn(filename, &st) != 0) {
15!
3959
        SCLogError("failed to stat file %s", filename);
×
3960
        goto error;
×
3961
    }
×
3962

3963
    de_ctx = DetectEngineGetByTenantId(tenant_id);
15✔
3964
    if (de_ctx != NULL) {
15!
3965
        SCLogError("tenant %u already registered", tenant_id);
×
3966
        DetectEngineDeReference(&de_ctx);
×
3967
        goto error;
×
3968
    }
×
3969

3970
    SCConfNode *node = SCConfGetNode(prefix);
15✔
3971
    if (node == NULL) {
15!
3972
        SCLogError("failed to properly setup yaml %s", filename);
×
3973
        goto error;
×
3974
    }
×
3975

3976
    de_ctx = DetectEngineCtxInitWithPrefix(prefix, tenant_id);
15✔
3977
    if (de_ctx == NULL) {
15!
3978
        SCLogError("initializing detection engine "
×
3979
                   "context failed.");
×
3980
        goto error;
×
3981
    }
×
3982
    SCLogDebug("de_ctx %p with prefix %s", de_ctx, de_ctx->config_prefix);
15!
3983

3984
    de_ctx->type = DETECT_ENGINE_TYPE_TENANT;
15✔
3985
    de_ctx->tenant_id = tenant_id;
15✔
3986
    de_ctx->loader_id = loader_id;
15✔
3987
    de_ctx->tenant_path = SCStrdup(filename);
15✔
3988
    if (de_ctx->tenant_path == NULL) {
15!
3989
        SCLogError("Failed to duplicate path");
×
3990
        goto error;
×
3991
    }
×
3992

3993
    if (SigLoadSignatures(de_ctx, NULL, false) < 0) {
15!
3994
        SCLogError("Loading signatures failed.");
×
3995
        goto error;
×
3996
    }
×
3997

3998
    DetectEngineAddToMaster(de_ctx);
15✔
3999

4000
    return 0;
15✔
4001

4002
error:
×
4003
    if (de_ctx != NULL) {
×
4004
        DetectEngineCtxFree(de_ctx);
×
4005
    }
×
4006
    return -1;
×
4007
}
15✔
4008

4009
static int DetectEngineMultiTenantReloadTenant(uint32_t tenant_id, const char *filename, int reload_cnt)
4010
{
6✔
4011
    DetectEngineCtx *old_de_ctx = DetectEngineGetByTenantId(tenant_id);
6✔
4012
    if (old_de_ctx == NULL) {
6!
4013
        SCLogError("tenant detect engine not found");
×
4014
        return -1;
×
4015
    }
×
4016

4017
    if (filename == NULL)
6!
4018
        filename = old_de_ctx->tenant_path;
6✔
4019

4020
    char prefix[64];
6✔
4021
    snprintf(prefix, sizeof(prefix), "multi-detect.%u.reload.%d", tenant_id, reload_cnt);
6✔
4022
    reload_cnt++;
6✔
4023
    SCLogDebug("prefix %s", prefix);
6!
4024

4025
    if (SCConfYamlLoadFileWithPrefix(filename, prefix) != 0) {
6!
4026
        SCLogError("failed to load yaml");
×
4027
        goto error;
×
4028
    }
×
4029

4030
    SCConfNode *node = SCConfGetNode(prefix);
6✔
4031
    if (node == NULL) {
6!
4032
        SCLogError("failed to properly setup yaml %s", filename);
×
4033
        goto error;
×
4034
    }
×
4035

4036
    DetectEngineCtx *new_de_ctx = DetectEngineCtxInitWithPrefix(prefix, tenant_id);
6✔
4037
    if (new_de_ctx == NULL) {
6!
4038
        SCLogError("initializing detection engine "
×
4039
                   "context failed.");
×
4040
        goto error;
×
4041
    }
×
4042
    SCLogDebug("de_ctx %p with prefix %s", new_de_ctx, new_de_ctx->config_prefix);
6!
4043

4044
    new_de_ctx->type = DETECT_ENGINE_TYPE_TENANT;
6✔
4045
    new_de_ctx->tenant_id = tenant_id;
6✔
4046
    new_de_ctx->loader_id = old_de_ctx->loader_id;
6✔
4047
    new_de_ctx->tenant_path = SCStrdup(filename);
6✔
4048
    if (new_de_ctx->tenant_path == NULL) {
6!
4049
        SCLogError("Failed to duplicate path");
×
4050
        goto new_de_ctx_error;
×
4051
    }
×
4052

4053
    if (SigLoadSignatures(new_de_ctx, NULL, false) < 0) {
6!
4054
        SCLogError("Loading signatures failed.");
×
4055
        goto new_de_ctx_error;
×
4056
    }
×
4057

4058
    DetectEngineAddToMaster(new_de_ctx);
6✔
4059

4060
    /* move to free list */
4061
    DetectEngineMoveToFreeList(old_de_ctx);
6✔
4062
    DetectEngineDeReference(&old_de_ctx);
6✔
4063
    return 0;
6✔
4064

4065
new_de_ctx_error:
×
4066
    DetectEngineCtxFree(new_de_ctx);
×
4067

4068
error:
×
4069
    DetectEngineDeReference(&old_de_ctx);
×
4070
    return -1;
×
4071
}
×
4072

4073

4074
typedef struct TenantLoaderCtx_ {
4075
    uint32_t tenant_id;
4076
    int reload_cnt; /**< used by reload */
4077
    char *yaml;     /**< heap alloc'd copy of file path for the yaml */
4078
} TenantLoaderCtx;
4079

4080
static void DetectLoaderFreeTenant(void *ctx)
4081
{
21✔
4082
    TenantLoaderCtx *t = (TenantLoaderCtx *)ctx;
21✔
4083
    if (t->yaml != NULL) {
21!
4084
        SCFree(t->yaml);
15✔
4085
    }
15✔
4086
    SCFree(t);
21✔
4087
}
21✔
4088

4089
static int DetectLoaderFuncLoadTenant(void *vctx, int loader_id)
4090
{
15✔
4091
    TenantLoaderCtx *ctx = (TenantLoaderCtx *)vctx;
15✔
4092

4093
    SCLogDebug("loader %d", loader_id);
15!
4094
    if (DetectEngineMultiTenantLoadTenant(ctx->tenant_id, ctx->yaml, loader_id) != 0) {
15!
4095
        return -1;
×
4096
    }
×
4097
    return 0;
15✔
4098
}
15✔
4099

4100
static int DetectLoaderSetupLoadTenant(uint32_t tenant_id, const char *yaml)
4101
{
15✔
4102
    TenantLoaderCtx *t = SCCalloc(1, sizeof(*t));
15✔
4103
    if (t == NULL)
15!
4104
        return -ENOMEM;
×
4105

4106
    t->tenant_id = tenant_id;
15✔
4107
    t->yaml = SCStrdup(yaml);
15✔
4108
    if (t->yaml == NULL) {
15!
4109
        SCFree(t);
×
4110
        return -ENOMEM;
×
4111
    }
×
4112

4113
    return DetectLoaderQueueTask(-1, DetectLoaderFuncLoadTenant, t, DetectLoaderFreeTenant);
15✔
4114
}
15✔
4115

4116
static int DetectLoaderFuncReloadTenant(void *vctx, int loader_id)
4117
{
6✔
4118
    TenantLoaderCtx *ctx = (TenantLoaderCtx *)vctx;
6✔
4119

4120
    SCLogDebug("loader_id %d", loader_id);
6!
4121

4122
    if (DetectEngineMultiTenantReloadTenant(ctx->tenant_id, ctx->yaml, ctx->reload_cnt) != 0) {
6!
4123
        return -1;
×
4124
    }
×
4125
    return 0;
6✔
4126
}
6✔
4127

4128
static int DetectLoaderSetupReloadTenants(const int reload_cnt)
4129
{
3✔
4130
    int ret = 0;
3✔
4131
    DetectEngineMasterCtx *master = &g_master_de_ctx;
3✔
4132
    SCMutexLock(&master->lock);
3✔
4133

4134
    DetectEngineCtx *de_ctx = master->list;
3✔
4135
    while (de_ctx) {
12!
4136
        if (de_ctx->type == DETECT_ENGINE_TYPE_TENANT) {
9!
4137
            TenantLoaderCtx *t = SCCalloc(1, sizeof(*t));
6✔
4138
            if (t == NULL) {
6!
4139
                ret = -1;
×
4140
                goto error;
×
4141
            }
×
4142
            t->tenant_id = de_ctx->tenant_id;
6✔
4143
            t->reload_cnt = reload_cnt;
6✔
4144
            int loader_id = de_ctx->loader_id;
6✔
4145

4146
            int r = DetectLoaderQueueTask(
6✔
4147
                    loader_id, DetectLoaderFuncReloadTenant, t, DetectLoaderFreeTenant);
6✔
4148
            if (r < 0) {
6!
4149
                ret = -2;
×
4150
                goto error;
×
4151
            }
×
4152
        }
6✔
4153

4154
        de_ctx = de_ctx->next;
9✔
4155
    }
9✔
4156
error:
3✔
4157
    SCMutexUnlock(&master->lock);
3✔
4158
    return ret;
3✔
4159
}
3✔
4160

4161
static int DetectLoaderSetupReloadTenant(uint32_t tenant_id, const char *yaml, int reload_cnt)
4162
{
×
4163
    DetectEngineCtx *old_de_ctx = DetectEngineGetByTenantId(tenant_id);
×
4164
    if (old_de_ctx == NULL)
×
4165
        return -ENOENT;
×
4166
    int loader_id = old_de_ctx->loader_id;
×
4167
    DetectEngineDeReference(&old_de_ctx);
×
4168

4169
    TenantLoaderCtx *t = SCCalloc(1, sizeof(*t));
×
4170
    if (t == NULL)
×
4171
        return -ENOMEM;
×
4172

4173
    t->tenant_id = tenant_id;
×
4174
    if (yaml != NULL) {
×
4175
        t->yaml = SCStrdup(yaml);
×
4176
        if (t->yaml == NULL) {
×
4177
            SCFree(t);
×
4178
            return -ENOMEM;
×
4179
        }
×
4180
    }
×
4181
    t->reload_cnt = reload_cnt;
×
4182

4183
    SCLogDebug("loader_id %d", loader_id);
×
4184

4185
    return DetectLoaderQueueTask(
×
4186
            loader_id, DetectLoaderFuncReloadTenant, t, DetectLoaderFreeTenant);
×
4187
}
×
4188

4189
/** \brief Load a tenant and wait for loading to complete
4190
 */
4191
int DetectEngineLoadTenantBlocking(uint32_t tenant_id, const char *yaml)
4192
{
2✔
4193
    int r = DetectLoaderSetupLoadTenant(tenant_id, yaml);
2✔
4194
    if (r < 0)
2!
4195
        return r;
×
4196

4197
    if (DetectLoadersSync() != 0)
2!
4198
        return -1;
×
4199

4200
    return 0;
2✔
4201
}
2✔
4202

4203
/** \brief Reload a tenant and wait for loading to complete
4204
 */
4205
int DetectEngineReloadTenantBlocking(uint32_t tenant_id, const char *yaml, int reload_cnt)
4206
{
×
4207
    int r = DetectLoaderSetupReloadTenant(tenant_id, yaml, reload_cnt);
×
4208
    if (r < 0)
×
4209
        return r;
×
4210

4211
    if (DetectLoadersSync() != 0)
×
4212
        return -1;
×
4213

4214
    return 0;
×
4215
}
×
4216

4217
/** \brief Reload all tenants and wait for loading to complete
4218
 */
4219
int DetectEngineReloadTenantsBlocking(const int reload_cnt)
4220
{
3✔
4221
    int r = DetectLoaderSetupReloadTenants(reload_cnt);
3✔
4222
    if (r < 0)
3!
4223
        return r;
×
4224

4225
    if (DetectLoadersSync() != 0)
3!
4226
        return -1;
×
4227

4228
    return 0;
3✔
4229
}
3✔
4230

4231
static int DetectEngineMultiTenantSetupLoadLivedevMappings(
4232
        const SCConfNode *mappings_root_node, bool failure_fatal)
4233
{
×
4234
    SCConfNode *mapping_node = NULL;
×
4235

4236
    int mapping_cnt = 0;
×
4237
    if (mappings_root_node != NULL) {
×
4238
        TAILQ_FOREACH(mapping_node, &mappings_root_node->head, next) {
×
4239
            SCConfNode *tenant_id_node = SCConfNodeLookupChild(mapping_node, "tenant-id");
×
4240
            if (tenant_id_node == NULL)
×
4241
                goto bad_mapping;
×
4242
            SCConfNode *device_node = SCConfNodeLookupChild(mapping_node, "device");
×
4243
            if (device_node == NULL)
×
4244
                goto bad_mapping;
×
4245

4246
            uint32_t tenant_id = 0;
×
4247
            if (StringParseUint32(&tenant_id, 10, (uint16_t)strlen(tenant_id_node->val),
×
4248
                        tenant_id_node->val) < 0) {
×
4249
                SCLogError("tenant-id  "
×
4250
                           "of %s is invalid",
×
4251
                        tenant_id_node->val);
×
4252
                goto bad_mapping;
×
4253
            }
×
4254

4255
            const char *dev = device_node->val;
×
4256
            LiveDevice *ld = LiveGetDevice(dev);
×
4257
            if (ld == NULL) {
×
4258
                SCLogWarning("device %s not found", dev);
×
4259
                goto bad_mapping;
×
4260
            }
×
4261

4262
            if (ld->tenant_id_set) {
×
4263
                SCLogWarning("device %s already mapped to tenant-id %u", dev, ld->tenant_id);
×
4264
                goto bad_mapping;
×
4265
            }
×
4266

4267
            ld->tenant_id = tenant_id;
×
4268
            ld->tenant_id_set = true;
×
4269

4270
            if (DetectEngineTenantRegisterLivedev(tenant_id, ld->id) != 0) {
×
4271
                goto error;
×
4272
            }
×
4273

4274
            SCLogConfig("device %s connected to tenant-id %u", dev, tenant_id);
×
4275
            mapping_cnt++;
×
4276
            continue;
×
4277

4278
        bad_mapping:
×
4279
            if (failure_fatal)
×
4280
                goto error;
×
4281
        }
×
4282
    }
×
4283
    SCLogConfig("%d device - tenant-id mappings defined", mapping_cnt);
×
4284
    return mapping_cnt;
×
4285

4286
error:
×
4287
    return 0;
×
4288
}
×
4289

4290
static int DetectEngineMultiTenantSetupLoadVlanMappings(
4291
        const SCConfNode *mappings_root_node, bool failure_fatal)
4292
{
4✔
4293
    SCConfNode *mapping_node = NULL;
4✔
4294

4295
    int mapping_cnt = 0;
4✔
4296
    if (mappings_root_node != NULL) {
4!
4297
        TAILQ_FOREACH(mapping_node, &mappings_root_node->head, next) {
13✔
4298
            SCConfNode *tenant_id_node = SCConfNodeLookupChild(mapping_node, "tenant-id");
13✔
4299
            if (tenant_id_node == NULL)
13!
4300
                goto bad_mapping;
×
4301
            SCConfNode *vlan_id_node = SCConfNodeLookupChild(mapping_node, "vlan-id");
13✔
4302
            if (vlan_id_node == NULL)
13!
4303
                goto bad_mapping;
×
4304

4305
            uint32_t tenant_id = 0;
13✔
4306
            if (StringParseUint32(&tenant_id, 10, (uint16_t)strlen(tenant_id_node->val),
13!
4307
                        tenant_id_node->val) < 0) {
13✔
4308
                SCLogError("tenant-id  "
×
4309
                           "of %s is invalid",
×
4310
                        tenant_id_node->val);
×
4311
                goto bad_mapping;
×
4312
            }
×
4313

4314
            uint16_t vlan_id = 0;
13✔
4315
            if (StringParseUint16(
13!
4316
                        &vlan_id, 10, (uint16_t)strlen(vlan_id_node->val), vlan_id_node->val) < 0) {
13✔
4317
                SCLogError("vlan-id  "
×
4318
                           "of %s is invalid",
×
4319
                        vlan_id_node->val);
×
4320
                goto bad_mapping;
×
4321
            }
×
4322
            if (vlan_id == 0 || vlan_id >= 4095) {
13!
4323
                SCLogError("vlan-id  "
×
4324
                           "of %s is invalid. Valid range 1-4094.",
×
4325
                        vlan_id_node->val);
×
4326
                goto bad_mapping;
×
4327
            }
×
4328

4329
            if (DetectEngineTenantRegisterVlanId(tenant_id, vlan_id) != 0) {
13!
4330
                goto error;
×
4331
            }
×
4332
            SCLogConfig("vlan %u connected to tenant-id %u", vlan_id, tenant_id);
13✔
4333
            mapping_cnt++;
13✔
4334
            continue;
13✔
4335

4336
        bad_mapping:
×
4337
            if (failure_fatal)
×
4338
                goto error;
×
4339
        }
×
4340
    }
4✔
4341
    return mapping_cnt;
4✔
4342

4343
error:
×
4344
    return 0;
×
4345
}
4✔
4346

4347
/**
4348
 *  \brief setup multi-detect / multi-tenancy
4349
 *
4350
 *  See if MT is enabled. If so, setup the selector, tenants and mappings.
4351
 *  Tenants and mappings are optional, and can also dynamically be added
4352
 *  and removed from the unix socket.
4353
 */
4354
int DetectEngineMultiTenantSetup(const bool unix_socket)
4355
{
1,800✔
4356
    enum DetectEngineTenantSelectors tenant_selector = TENANT_SELECTOR_UNKNOWN;
1,800✔
4357
    DetectEngineMasterCtx *master = &g_master_de_ctx;
1,800✔
4358
    int failure_fatal = 0;
1,800✔
4359
    (void)SCConfGetBool("engine.init-failure-fatal", &failure_fatal);
1,800✔
4360

4361
    int enabled = 0;
1,800✔
4362
    (void)SCConfGetBool("multi-detect.enabled", &enabled);
1,800✔
4363
    if (enabled == 1) {
1,800✔
4364
        DetectLoadersInit();
4✔
4365
        TmModuleDetectLoaderRegister();
4✔
4366
        DetectLoaderThreadSpawn();
4✔
4367
        TmThreadContinueDetectLoaderThreads();
4✔
4368

4369
        SCMutexLock(&master->lock);
4✔
4370
        master->multi_tenant_enabled = 1;
4✔
4371

4372
        const char *handler = NULL;
4✔
4373
        if (SCConfGet("multi-detect.selector", &handler) == 1) {
4!
4374
            SCLogConfig("multi-tenant selector type %s", handler);
4✔
4375

4376
            if (strcmp(handler, "vlan") == 0) {
4!
4377
                tenant_selector = master->tenant_selector = TENANT_SELECTOR_VLAN;
4✔
4378

4379
                int vlanbool = 0;
4✔
4380
                if ((SCConfGetBool("vlan.use-for-tracking", &vlanbool)) == 1 && vlanbool == 0) {
4!
4381
                    SCLogError("vlan tracking is disabled, "
×
4382
                               "can't use multi-detect selector 'vlan'");
×
4383
                    SCMutexUnlock(&master->lock);
×
4384
                    goto error;
×
4385
                }
×
4386

4387
            } else if (strcmp(handler, "direct") == 0) {
4!
4388
                tenant_selector = master->tenant_selector = TENANT_SELECTOR_DIRECT;
×
4389
            } else if (strcmp(handler, "device") == 0) {
×
4390
                tenant_selector = master->tenant_selector = TENANT_SELECTOR_LIVEDEV;
×
4391
                if (EngineModeIsIPS()) {
×
4392
                    SCLogWarning("multi-tenant 'device' mode not supported for IPS");
×
4393
                    SCMutexUnlock(&master->lock);
×
4394
                    goto error;
×
4395
                }
×
4396

4397
            } else {
×
4398
                SCLogError("unknown value %s "
×
4399
                           "multi-detect.selector",
×
4400
                        handler);
×
4401
                SCMutexUnlock(&master->lock);
×
4402
                goto error;
×
4403
            }
×
4404
        }
4✔
4405
        SCMutexUnlock(&master->lock);
4✔
4406
        SCLogConfig("multi-detect is enabled (multi tenancy). Selector: %s", handler);
4✔
4407

4408
        /* traffic -- tenant mappings */
4409
        SCConfNode *mappings_root_node = SCConfGetNode("multi-detect.mappings");
4✔
4410

4411
        if (tenant_selector == TENANT_SELECTOR_VLAN) {
4!
4412
            int mapping_cnt = DetectEngineMultiTenantSetupLoadVlanMappings(mappings_root_node,
4✔
4413
                    failure_fatal);
4✔
4414
            if (mapping_cnt == 0) {
4!
4415
                /* no mappings are valid when we're in unix socket mode,
4416
                 * they can be added on the fly. Otherwise warn/error
4417
                 * depending on failure_fatal */
4418

4419
                if (unix_socket) {
×
4420
                    SCLogNotice("no tenant traffic mappings defined, "
×
4421
                            "tenants won't be used until mappings are added");
×
4422
                } else {
×
4423
                    if (failure_fatal) {
×
4424
                        SCLogError("no multi-detect mappings defined");
×
4425
                        goto error;
×
4426
                    } else {
×
4427
                        SCLogWarning("no multi-detect mappings defined");
×
4428
                    }
×
4429
                }
×
4430
            }
×
4431
        } else if (tenant_selector == TENANT_SELECTOR_LIVEDEV) {
4!
4432
            int mapping_cnt = DetectEngineMultiTenantSetupLoadLivedevMappings(mappings_root_node,
×
4433
                    failure_fatal);
×
4434
            if (mapping_cnt == 0) {
×
4435
                if (failure_fatal) {
×
4436
                    SCLogError("no multi-detect mappings defined");
×
4437
                    goto error;
×
4438
                } else {
×
4439
                    SCLogWarning("no multi-detect mappings defined");
×
4440
                }
×
4441
            }
×
4442
        }
×
4443

4444
        /* tenants */
4445
        SCConfNode *tenants_root_node = SCConfGetNode("multi-detect.tenants");
4✔
4446
        SCConfNode *tenant_node = NULL;
4✔
4447

4448
        if (tenants_root_node != NULL) {
4!
4449
            const char *path = NULL;
4✔
4450
            SCConfNode *path_node = SCConfGetNode("multi-detect.config-path");
4✔
4451
            if (path_node) {
4!
4452
                path = path_node->val;
3✔
4453
                SCLogConfig("tenants config path: %s", path);
3✔
4454
            }
3✔
4455

4456
            TAILQ_FOREACH(tenant_node, &tenants_root_node->head, next) {
13✔
4457
                SCConfNode *id_node = SCConfNodeLookupChild(tenant_node, "id");
13✔
4458
                if (id_node == NULL) {
13!
4459
                    goto bad_tenant;
×
4460
                }
×
4461
                SCConfNode *yaml_node = SCConfNodeLookupChild(tenant_node, "yaml");
13✔
4462
                if (yaml_node == NULL) {
13!
4463
                    goto bad_tenant;
×
4464
                }
×
4465

4466
                uint32_t tenant_id = 0;
13✔
4467
                if (StringParseUint32(
13!
4468
                            &tenant_id, 10, (uint16_t)strlen(id_node->val), id_node->val) < 0) {
13✔
4469
                    SCLogError("tenant_id  "
×
4470
                               "of %s is invalid",
×
4471
                            id_node->val);
×
4472
                    goto bad_tenant;
×
4473
                }
×
4474
                SCLogDebug("tenant id: %u, %s", tenant_id, yaml_node->val);
13!
4475

4476
                char yaml_path[PATH_MAX] = "";
13✔
4477
                if (path) {
13!
4478
                    if (PathMerge(yaml_path, PATH_MAX, path, yaml_node->val) < 0)
12!
4479
                        goto bad_tenant;
×
4480
                } else {
13✔
4481
                    size_t r = strlcpy(yaml_path, yaml_node->val, sizeof(yaml_path));
1✔
4482
                    if (r >= sizeof(yaml_path))
1!
4483
                        goto bad_tenant;
×
4484
                }
1✔
4485
                SCLogDebug("tenant path: %s", yaml_path);
13!
4486

4487
                /* setup the yaml in this loop so that it's not done by the loader
4488
                 * threads. SCConfYamlLoadFileWithPrefix is not thread safe. */
4489
                char prefix[64];
13✔
4490
                snprintf(prefix, sizeof(prefix), "multi-detect.%u", tenant_id);
13✔
4491
                if (SCConfYamlLoadFileWithPrefix(yaml_path, prefix) != 0) {
13!
4492
                    SCLogError("failed to load yaml %s", yaml_path);
×
4493
                    goto bad_tenant;
×
4494
                }
×
4495

4496
                int r = DetectLoaderSetupLoadTenant(tenant_id, yaml_path);
13✔
4497
                if (r < 0) {
13!
4498
                    /* error logged already */
4499
                    goto bad_tenant;
×
4500
                }
×
4501
                continue;
13✔
4502

4503
            bad_tenant:
13✔
4504
                if (failure_fatal)
×
4505
                    goto error;
×
4506
            }
×
4507
        }
4✔
4508

4509
        /* wait for our loaders to complete their tasks */
4510
        if (DetectLoadersSync() != 0) {
4!
4511
            goto error;
×
4512
        }
×
4513

4514
        VarNameStoreActivate();
4✔
4515

4516
    } else {
1,796✔
4517
        SCLogDebug("multi-detect not enabled (multi tenancy)");
1,796!
4518
    }
1,796✔
4519
    return 0;
1,800✔
4520
error:
×
4521
    return -1;
×
4522
}
1,800✔
4523

4524
static uint32_t DetectEngineTenantGetIdFromVlanId(const void *ctx, const Packet *p)
4525
{
156✔
4526
    const DetectEngineThreadCtx *det_ctx = ctx;
156✔
4527
    uint32_t x = 0;
156✔
4528
    uint32_t vlan_id = 0;
156✔
4529

4530
    if (p->vlan_idx == 0)
156!
4531
        return 0;
62✔
4532

4533
    vlan_id = p->vlan_id[0];
94✔
4534

4535
    if (det_ctx == NULL || det_ctx->tenant_array == NULL || det_ctx->tenant_array_size == 0)
94!
4536
        return 0;
×
4537

4538
    /* not very efficient, but for now we're targeting only limited amounts.
4539
     * Can use hash/tree approach later. */
4540
    for (x = 0; x < det_ctx->tenant_array_size; x++) {
564✔
4541
        if (det_ctx->tenant_array[x].traffic_id == vlan_id)
470!
4542
            return det_ctx->tenant_array[x].tenant_id;
×
4543
    }
470✔
4544

4545
    return 0;
94✔
4546
}
94✔
4547

4548
static uint32_t DetectEngineTenantGetIdFromLivedev(const void *ctx, const Packet *p)
4549
{
×
4550
    const DetectEngineThreadCtx *det_ctx = ctx;
×
4551
    const LiveDevice *ld = p->livedev;
×
4552

4553
    if (ld == NULL || det_ctx == NULL)
×
4554
        return 0;
×
4555

4556
    SCLogDebug("using tenant-id %u for packet on device %s", ld->tenant_id, ld->dev);
×
4557
    return ld->tenant_id;
×
4558
}
×
4559

4560
static int DetectEngineTenantRegisterSelector(
4561
        enum DetectEngineTenantSelectors selector, uint32_t tenant_id, uint32_t traffic_id)
4562
{
13✔
4563
    DetectEngineMasterCtx *master = &g_master_de_ctx;
13✔
4564
    SCMutexLock(&master->lock);
13✔
4565

4566
    if (!(master->tenant_selector == TENANT_SELECTOR_UNKNOWN || master->tenant_selector == selector)) {
13!
4567
        SCLogInfo("conflicting selector already set");
×
4568
        SCMutexUnlock(&master->lock);
×
4569
        return -1;
×
4570
    }
×
4571

4572
    DetectEngineTenantMapping *m = master->tenant_mapping_list;
13✔
4573
    while (m) {
31✔
4574
        if (m->traffic_id == traffic_id) {
18!
4575
            SCLogInfo("traffic id already registered");
×
4576
            SCMutexUnlock(&master->lock);
×
4577
            return -1;
×
4578
        }
×
4579
        m = m->next;
18✔
4580
    }
18✔
4581

4582
    DetectEngineTenantMapping *map = SCCalloc(1, sizeof(*map));
13✔
4583
    if (map == NULL) {
13!
4584
        SCLogInfo("memory fail");
×
4585
        SCMutexUnlock(&master->lock);
×
4586
        return -1;
×
4587
    }
×
4588
    map->traffic_id = traffic_id;
13✔
4589
    map->tenant_id = tenant_id;
13✔
4590

4591
    map->next = master->tenant_mapping_list;
13✔
4592
    master->tenant_mapping_list = map;
13✔
4593

4594
    master->tenant_selector = selector;
13✔
4595

4596
    SCLogDebug("tenant handler %u %u %u registered", selector, tenant_id, traffic_id);
13!
4597
    SCMutexUnlock(&master->lock);
13✔
4598
    return 0;
13✔
4599
}
13✔
4600

4601
static int DetectEngineTenantUnregisterSelector(
4602
        enum DetectEngineTenantSelectors selector, uint32_t tenant_id, uint32_t traffic_id)
4603
{
×
4604
    DetectEngineMasterCtx *master = &g_master_de_ctx;
×
4605
    SCMutexLock(&master->lock);
×
4606

4607
    if (master->tenant_mapping_list == NULL) {
×
4608
        SCMutexUnlock(&master->lock);
×
4609
        return -1;
×
4610
    }
×
4611

4612
    DetectEngineTenantMapping *prev = NULL;
×
4613
    DetectEngineTenantMapping *map = master->tenant_mapping_list;
×
4614
    while (map) {
×
4615
        if (map->traffic_id == traffic_id &&
×
4616
            map->tenant_id == tenant_id)
×
4617
        {
×
4618
            if (prev != NULL)
×
4619
                prev->next = map->next;
×
4620
            else
×
4621
                master->tenant_mapping_list = map->next;
×
4622

4623
            map->next = NULL;
×
4624
            SCFree(map);
×
4625
            SCLogInfo("tenant handler %u %u %u unregistered", selector, tenant_id, traffic_id);
×
4626
            SCMutexUnlock(&master->lock);
×
4627
            return 0;
×
4628
        }
×
4629
        prev = map;
×
4630
        map = map->next;
×
4631
    }
×
4632

4633
    SCMutexUnlock(&master->lock);
×
4634
    return -1;
×
4635
}
×
4636

4637
int DetectEngineTenantRegisterLivedev(uint32_t tenant_id, int device_id)
4638
{
×
4639
    return DetectEngineTenantRegisterSelector(
×
4640
            TENANT_SELECTOR_LIVEDEV, tenant_id, (uint32_t)device_id);
×
4641
}
×
4642

4643
int DetectEngineTenantRegisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
4644
{
13✔
4645
    return DetectEngineTenantRegisterSelector(TENANT_SELECTOR_VLAN, tenant_id, (uint32_t)vlan_id);
13✔
4646
}
13✔
4647

4648
int DetectEngineTenantUnregisterVlanId(uint32_t tenant_id, uint16_t vlan_id)
4649
{
×
4650
    return DetectEngineTenantUnregisterSelector(TENANT_SELECTOR_VLAN, tenant_id, (uint32_t)vlan_id);
×
4651
}
×
4652

4653
int DetectEngineTenantRegisterPcapFile(uint32_t tenant_id)
4654
{
×
4655
    SCLogInfo("registering %u %d 0", TENANT_SELECTOR_DIRECT, tenant_id);
×
4656
    return DetectEngineTenantRegisterSelector(TENANT_SELECTOR_DIRECT, tenant_id, 0);
×
4657
}
×
4658

4659
int DetectEngineTenantUnregisterPcapFile(uint32_t tenant_id)
4660
{
×
4661
    SCLogInfo("unregistering %u %d 0", TENANT_SELECTOR_DIRECT, tenant_id);
×
4662
    return DetectEngineTenantUnregisterSelector(TENANT_SELECTOR_DIRECT, tenant_id, 0);
×
4663
}
×
4664

4665
static uint32_t DetectEngineTenantGetIdFromPcap(const void *ctx, const Packet *p)
4666
{
×
4667
    return p->pcap_v.tenant_id;
×
4668
}
×
4669

4670
DetectEngineCtx *DetectEngineGetByTenantId(uint32_t tenant_id)
4671
{
24✔
4672
    DetectEngineMasterCtx *master = &g_master_de_ctx;
24✔
4673
    SCMutexLock(&master->lock);
24✔
4674

4675
    if (master->list == NULL) {
24!
4676
        SCMutexUnlock(&master->lock);
13✔
4677
        return NULL;
13✔
4678
    }
13✔
4679

4680
    DetectEngineCtx *de_ctx = master->list;
11✔
4681
    while (de_ctx) {
23!
4682
        if (de_ctx->type == DETECT_ENGINE_TYPE_TENANT &&
20!
4683
                de_ctx->tenant_id == tenant_id)
20!
4684
        {
8✔
4685
            de_ctx->ref_cnt++;
8✔
4686
            break;
8✔
4687
        }
8✔
4688

4689
        de_ctx = de_ctx->next;
12✔
4690
    }
12✔
4691

4692
    SCMutexUnlock(&master->lock);
11✔
4693
    return de_ctx;
11✔
4694
}
24✔
4695

4696
void DetectEngineDeReference(DetectEngineCtx **de_ctx)
4697
{
124,980✔
4698
    DEBUG_VALIDATE_BUG_ON((*de_ctx)->ref_cnt == 0);
124,980✔
4699
    (*de_ctx)->ref_cnt--;
124,980✔
4700
    *de_ctx = NULL;
124,980✔
4701
}
124,980✔
4702

4703
static int DetectEngineAddToList(DetectEngineCtx *instance)
4704
{
37,286✔
4705
    DetectEngineMasterCtx *master = &g_master_de_ctx;
37,286✔
4706

4707
    if (instance == NULL)
37,286!
4708
        return -1;
×
4709

4710
    if (master->list == NULL) {
37,286✔
4711
        master->list = instance;
1,772✔
4712
    } else {
37,256✔
4713
        instance->next = master->list;
35,514✔
4714
        master->list = instance;
35,514✔
4715
    }
35,514✔
4716

4717
    return 0;
37,286✔
4718
}
37,286✔
4719

4720
int DetectEngineAddToMaster(DetectEngineCtx *de_ctx)
4721
{
37,286✔
4722
    int r;
37,286✔
4723

4724
    if (de_ctx == NULL)
37,286!
4725
        return -1;
×
4726

4727
    SCLogDebug("adding de_ctx %p to master", de_ctx);
37,286!
4728

4729
    DetectEngineMasterCtx *master = &g_master_de_ctx;
37,286✔
4730
    SCMutexLock(&master->lock);
37,286✔
4731
    r = DetectEngineAddToList(de_ctx);
37,286✔
4732
    SCMutexUnlock(&master->lock);
37,286✔
4733
    return r;
37,286✔
4734
}
37,286✔
4735

4736
static int DetectEngineMoveToFreeListNoLock(DetectEngineMasterCtx *master, DetectEngineCtx *de_ctx)
4737
{
37,280✔
4738
    DetectEngineCtx *instance = master->list;
37,280✔
4739
    if (instance == NULL) {
37,280!
4740
        return -1;
×
4741
    }
×
4742

4743
    /* remove from active list */
4744
    if (instance == de_ctx) {
37,280!
4745
        master->list = instance->next;
1,780✔
4746
    } else {
37,265✔
4747
        DetectEngineCtx *prev = instance;
35,500✔
4748
        instance = instance->next; /* already checked first element */
35,500✔
4749

4750
        while (instance) {
35,506!
4751
            DetectEngineCtx *next = instance->next;
35,506✔
4752

4753
            if (instance == de_ctx) {
35,506!
4754
                prev->next = instance->next;
35,500✔
4755
                break;
35,500✔
4756
            }
35,500✔
4757

4758
            prev = instance;
6✔
4759
            instance = next;
6✔
4760
        }
6✔
4761
        if (instance == NULL) {
35,500!
4762
            return -1;
×
4763
        }
×
4764
    }
35,500✔
4765

4766
    /* instance is now detached from list */
4767
    instance->next = NULL;
37,280✔
4768

4769
    /* add to free list */
4770
    if (master->free_list == NULL) {
37,280✔
4771
        master->free_list = instance;
1,780✔
4772
    } else {
37,263✔
4773
        instance->next = master->free_list;
35,500✔
4774
        master->free_list = instance;
35,500✔
4775
    }
35,500✔
4776
    SCLogDebug("detect engine %p moved to free list (%u refs)", de_ctx, de_ctx->ref_cnt);
37,280!
4777
    return 0;
37,280✔
4778
}
37,280✔
4779

4780
int DetectEngineMoveToFreeList(DetectEngineCtx *de_ctx)
4781
{
37,267✔
4782
    int ret = 0;
37,267✔
4783
    DetectEngineMasterCtx *master = &g_master_de_ctx;
37,267✔
4784
    SCMutexLock(&master->lock);
37,267✔
4785
    ret = DetectEngineMoveToFreeListNoLock(master, de_ctx);
37,267✔
4786
    SCMutexUnlock(&master->lock);
37,267✔
4787
    return ret;
37,267✔
4788
}
37,267✔
4789

4790
void DetectEnginePruneFreeList(void)
4791
{
37,638✔
4792
    DetectEngineMasterCtx *master = &g_master_de_ctx;
37,638✔
4793
    SCMutexLock(&master->lock);
37,638✔
4794

4795
    DetectEngineCtx *prev = NULL;
37,638✔
4796
    DetectEngineCtx *instance = master->free_list;
37,638✔
4797
    while (instance) {
110,402✔
4798
        DetectEngineCtx *next = instance->next;
72,764✔
4799

4800
        SCLogDebug("detect engine %p has %u ref(s)", instance, instance->ref_cnt);
72,764!
4801

4802
        if (instance->ref_cnt == 0) {
72,764!
4803
            if (prev == NULL) {
37,279!
4804
                master->free_list = next;
1,795✔
4805
            } else {
37,279✔
4806
                prev->next = next;
35,484✔
4807
            }
35,484✔
4808

4809
            SCLogDebug("freeing detect engine %p", instance);
37,279!
4810
            DetectEngineCtxFree(instance);
37,279✔
4811
            instance = NULL;
37,279✔
4812
        }
37,279✔
4813

4814
        prev = instance;
72,764✔
4815
        instance = next;
72,764✔
4816
    }
72,764✔
4817
    SCMutexUnlock(&master->lock);
37,638✔
4818
}
37,638✔
4819

4820
void DetectEngineClearMaster(void)
4821
{
2,111✔
4822
    DetectEngineMasterCtx *master = &g_master_de_ctx;
2,111✔
4823
    SCMutexLock(&master->lock);
2,111✔
4824

4825
    DetectEngineCtx *instance = master->list;
2,111✔
4826
    while (instance) {
2,124✔
4827
        DetectEngineCtx *next = instance->next;
13✔
4828
        DEBUG_VALIDATE_BUG_ON(instance->ref_cnt);
13✔
4829
        SCLogDebug("detect engine %p has %u ref(s)", instance, instance->ref_cnt);
13!
4830
        instance->ref_cnt = 0;
13✔
4831
        DetectEngineMoveToFreeListNoLock(master, instance);
13✔
4832
        instance = next;
13✔
4833
    }
13✔
4834
    SCMutexUnlock(&master->lock);
2,111✔
4835
    DetectEnginePruneFreeList();
2,111✔
4836
}
2,111✔
4837

4838
static int reloads = 0;
4839

4840
/** \brief Reload the detection engine
4841
 *
4842
 *  \param filename YAML file to load for the detect config
4843
 *
4844
 *  \retval -1 error
4845
 *  \retval 0 ok
4846
 */
4847
int DetectEngineReload(const SCInstance *suri)
4848
{
35,493✔
4849
    DetectEngineCtx *new_de_ctx = NULL;
35,493✔
4850
    DetectEngineCtx *old_de_ctx = NULL;
35,493✔
4851

4852
    char prefix[128];
35,493✔
4853
    memset(prefix, 0, sizeof(prefix));
35,493✔
4854

4855
    SCLogNotice("rule reload starting");
35,493✔
4856

4857
    if (suri->conf_filename != NULL) {
35,493!
4858
        snprintf(prefix, sizeof(prefix), "detect-engine-reloads.%d", reloads++);
8✔
4859
        SCLogConfig("Reloading %s", suri->conf_filename);
8✔
4860
        if (SCConfYamlLoadFileWithPrefix(suri->conf_filename, prefix) != 0) {
8!
4861
            SCLogError("failed to load yaml %s", suri->conf_filename);
×
4862
            return -1;
×
4863
        }
×
4864

4865
        SCConfNode *node = SCConfGetNode(prefix);
8✔
4866
        if (node == NULL) {
8!
4867
            SCLogError("failed to properly setup yaml %s", suri->conf_filename);
×
4868
            return -1;
×
4869
        }
×
4870

4871
        if (suri->additional_configs) {
8!
4872
            for (int i = 0; suri->additional_configs[i] != NULL; i++) {
×
4873
                SCLogConfig("Reloading %s", suri->additional_configs[i]);
×
4874
                SCConfYamlHandleInclude(node, suri->additional_configs[i]);
×
4875
            }
×
4876
        }
×
4877

4878
#if 0
4879
        SCConfDump();
4880
#endif
4881
    }
8✔
4882

4883
    /* get a reference to the current de_ctx */
4884
    old_de_ctx = DetectEngineGetCurrent();
35,493✔
4885
    if (old_de_ctx == NULL)
35,493!
4886
        return -1;
×
4887
    SCLogDebug("get ref to old_de_ctx %p", old_de_ctx);
35,493!
4888
    DatasetReload();
35,493✔
4889

4890
    /* only reload a regular 'normal' and 'delayed detect stub' detect engines */
4891
    if (!(old_de_ctx->type == DETECT_ENGINE_TYPE_NORMAL ||
35,493!
4892
          old_de_ctx->type == DETECT_ENGINE_TYPE_DD_STUB))
35,493!
4893
    {
×
4894
        DetectEngineDeReference(&old_de_ctx);
×
4895
        SCLogNotice("rule reload complete");
×
4896
        return -1;
×
4897
    }
×
4898

4899
    /* get new detection engine */
4900
    new_de_ctx = DetectEngineCtxInitWithPrefix(prefix, old_de_ctx->tenant_id);
35,493✔
4901
    if (new_de_ctx == NULL) {
35,493!
4902
        SCLogError("initializing detection engine "
×
4903
                   "context failed.");
×
4904
        DetectEngineDeReference(&old_de_ctx);
×
4905
        return -1;
×
4906
    }
×
4907
    if (SigLoadSignatures(new_de_ctx,
35,493!
4908
                          suri->sig_file, suri->sig_file_exclusive) != 0) {
35,493✔
4909
        DetectEngineCtxFree(new_de_ctx);
×
4910
        DetectEngineDeReference(&old_de_ctx);
×
4911
        return -1;
×
4912
    }
×
4913
    SCLogDebug("set up new_de_ctx %p", new_de_ctx);
35,493!
4914

4915
    /* Copy over callbacks. */
4916
    new_de_ctx->RateFilterCallback = old_de_ctx->RateFilterCallback;
35,493✔
4917
    new_de_ctx->rate_filter_callback_arg = old_de_ctx->rate_filter_callback_arg;
35,493✔
4918

4919
    /* add to master */
4920
    DetectEngineAddToMaster(new_de_ctx);
35,493✔
4921

4922
    /* move to old free list */
4923
    DetectEngineMoveToFreeList(old_de_ctx);
35,493✔
4924
    DetectEngineDeReference(&old_de_ctx);
35,493✔
4925

4926
    SCLogDebug("going to reload the threads to use new_de_ctx %p", new_de_ctx);
35,493!
4927

4928
    DetectEngineMasterCtx *master = &g_master_de_ctx;
35,493✔
4929
    SCMutexLock(&master->lock);
35,493✔
4930
    /* update the threads */
4931
    DetectEngineReloadThreads(new_de_ctx);
35,493✔
4932
    SCMutexUnlock(&master->lock);
35,493✔
4933

4934
    SCLogDebug("threads now run new_de_ctx %p", new_de_ctx);
35,493!
4935

4936
    /* walk free list, freeing the old_de_ctx */
4937
    DetectEnginePruneFreeList();
35,493✔
4938

4939
    DatasetPostReloadCleanup();
35,493✔
4940

4941
    DetectEngineBumpVersion();
35,493✔
4942

4943
    SCLogDebug("old_de_ctx should have been freed");
35,493!
4944

4945
    DetectEngineMpmCacheService(DETECT_ENGINE_MPM_CACHE_OP_SAVE | DETECT_ENGINE_MPM_CACHE_OP_PRUNE);
35,493✔
4946

4947
    SCLogNotice("rule reload complete");
35,493✔
4948

4949
#ifdef HAVE_MALLOC_TRIM
35,493✔
4950
    /* The reload process potentially frees up large amounts of memory.
4951
     * Encourage the memory management system to reclaim as much as it
4952
     * can.
4953
     */
4954
    malloc_trim(0);
35,493✔
4955
#endif
35,493✔
4956

4957
    return 0;
35,493✔
4958
}
35,493✔
4959

4960
static uint32_t TenantIdHash(HashTable *h, void *data, uint16_t data_len)
4961
{
76✔
4962
    DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;
76✔
4963
    return det_ctx->tenant_id % h->array_size;
76✔
4964
}
76✔
4965

4966
static char TenantIdCompare(void *d1, uint16_t d1_len, void *d2, uint16_t d2_len)
4967
{
×
4968
    DetectEngineThreadCtx *det1 = (DetectEngineThreadCtx *)d1;
×
4969
    DetectEngineThreadCtx *det2 = (DetectEngineThreadCtx *)d2;
×
4970
    return (det1->tenant_id == det2->tenant_id);
×
4971
}
×
4972

4973
static void TenantIdFree(void *d)
4974
{
76✔
4975
    DetectEngineThreadCtxFree(d);
76✔
4976
}
76✔
4977

4978
int DetectEngineMTApply(void)
4979
{
7✔
4980
    DetectEngineMasterCtx *master = &g_master_de_ctx;
7✔
4981
    SCMutexLock(&master->lock);
7✔
4982

4983
    if (master->tenant_selector == TENANT_SELECTOR_UNKNOWN) {
7!
4984
        SCLogInfo("error, no tenant selector");
×
4985
        SCMutexUnlock(&master->lock);
×
4986
        return -1;
×
4987
    }
×
4988

4989
    DetectEngineCtx *stub_de_ctx = NULL;
7✔
4990
    DetectEngineCtx *list = master->list;
7✔
4991
    for ( ; list != NULL; list = list->next) {
20!
4992
        SCLogDebug("list %p tenant %u", list, list->tenant_id);
20!
4993

4994
        if (list->type == DETECT_ENGINE_TYPE_NORMAL ||
20!
4995
            list->type == DETECT_ENGINE_TYPE_MT_STUB ||
20!
4996
            list->type == DETECT_ENGINE_TYPE_DD_STUB)
20!
4997
        {
7✔
4998
            stub_de_ctx = list;
7✔
4999
            break;
7✔
5000
        }
7✔
5001
    }
20✔
5002
    if (stub_de_ctx == NULL) {
7!
5003
        stub_de_ctx = DetectEngineCtxInitStubForMT();
×
5004
        if (stub_de_ctx == NULL) {
×
5005
            SCMutexUnlock(&master->lock);
×
5006
            return -1;
×
5007
        }
×
5008

5009
        if (master->list == NULL) {
×
5010
            master->list = stub_de_ctx;
×
5011
        } else {
×
5012
            stub_de_ctx->next = master->list;
×
5013
            master->list = stub_de_ctx;
×
5014
        }
×
5015
    }
×
5016

5017
    /* update the threads */
5018
    SCLogDebug("MT reload starting");
7!
5019
    DetectEngineReloadThreads(stub_de_ctx);
7✔
5020
    SCLogDebug("MT reload done");
7!
5021

5022
    SCMutexUnlock(&master->lock);
7✔
5023

5024
    /* walk free list, freeing the old_de_ctx */
5025
    DetectEnginePruneFreeList();
7✔
5026
    // needed for VarNameStoreFree
5027
    DetectEngineBumpVersion();
7✔
5028

5029
    SCLogDebug("old_de_ctx should have been freed");
7!
5030
    return 0;
7✔
5031
}
7✔
5032

5033
static int g_parse_metadata = 0;
5034

5035
void DetectEngineSetParseMetadata(void)
5036
{
3,260✔
5037
    g_parse_metadata = 1;
3,260✔
5038
}
3,260✔
5039

5040
void DetectEngineUnsetParseMetadata(void)
5041
{
1✔
5042
    g_parse_metadata = 0;
1✔
5043
}
1✔
5044

5045
int DetectEngineMustParseMetadata(void)
5046
{
148,381✔
5047
    return g_parse_metadata;
148,381✔
5048
}
148,381✔
5049

5050
const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
5051
{
23✔
5052
    switch (type) {
23!
5053
        case DETECT_SM_LIST_MATCH:
×
5054
            return "packet";
×
5055
        case DETECT_SM_LIST_PMATCH:
23!
5056
            return "packet/stream payload";
23✔
5057

5058
        case DETECT_SM_LIST_TMATCH:
×
5059
            return "tag";
×
5060

5061
        case DETECT_SM_LIST_BASE64_DATA:
×
5062
            return "base64_data";
×
5063

5064
        case DETECT_SM_LIST_POSTMATCH:
×
5065
            return "post-match";
×
5066

5067
        case DETECT_SM_LIST_SUPPRESS:
×
5068
            return "suppress";
×
5069
        case DETECT_SM_LIST_THRESHOLD:
×
5070
            return "threshold";
×
5071

5072
        case DETECT_SM_LIST_MAX:
×
5073
            return "max (internal)";
×
5074
    }
23✔
5075
    return "error";
×
5076
}
23✔
5077

5078
/* events api */
5079
void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e)
5080
{
2✔
5081
    SCAppLayerDecoderEventsSetEventRaw(&det_ctx->decoder_events, e);
2✔
5082
    det_ctx->events++;
2✔
5083
}
2✔
5084

5085
bool DetectMd5ValidateCallback(
5086
        const Signature *s, const char **sigerror, const DetectBufferType *map)
5087
{
10,868✔
5088
    for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
17,291✔
5089
        if (s->init_data->buffers[x].id != (uint32_t)map->id)
13,832✔
5090
            continue;
1,839✔
5091
        const SigMatch *sm = s->init_data->buffers[x].head;
11,993✔
5092
        for (; sm != NULL; sm = sm->next) {
21,224✔
5093
            if (sm->type != DETECT_CONTENT)
16,640!
5094
                continue;
4,951✔
5095

5096
            const DetectContentData *cd = (DetectContentData *)sm->ctx;
11,689✔
5097
            if (cd->flags & DETECT_CONTENT_NOCASE) {
11,689!
5098
                *sigerror = "md5-like keyword should not be used together with "
569✔
5099
                            "nocase, since the rule is automatically "
569✔
5100
                            "lowercased anyway which makes nocase redundant.";
569✔
5101
                SCLogWarning("rule %u: buffer %s: %s", s->id, map->name, *sigerror);
569✔
5102
            }
569✔
5103

5104
            if (cd->content_len != SC_MD5_HEX_LEN) {
11,689!
5105
                *sigerror = "Invalid length for md5-like keyword (should "
6,221✔
5106
                            "be 32 characters long). This rule will therefore "
6,221✔
5107
                            "never match.";
6,221✔
5108
                SCLogError("rule %u: buffer %s: %s", s->id, map->name, *sigerror);
6,221✔
5109
                return false;
6,221✔
5110
            }
6,221✔
5111

5112
            for (size_t i = 0; i < cd->content_len; ++i) {
146,756✔
5113
                if (!isxdigit(cd->content[i])) {
142,476!
5114
                    *sigerror =
1,188✔
5115
                            "Invalid md5-like string (should be string of hexadecimal characters)."
1,188✔
5116
                            "This rule will therefore never match.";
1,188✔
5117
                    SCLogWarning("rule %u: buffer %s: %s", s->id, map->name, *sigerror);
1,188✔
5118
                    return false;
1,188✔
5119
                }
1,188✔
5120
            }
142,476✔
5121
        }
5,468✔
5122
    }
11,993✔
5123
    return true;
3,459✔
5124
}
10,868✔
5125

5126
void DetectLowerSetupCallback(
5127
        const DetectEngineCtx *de_ctx, Signature *s, const DetectBufferType *map)
5128
{
17,413✔
5129
    for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
59,479✔
5130
        if (s->init_data->buffers[x].id != (uint32_t)map->id)
42,066✔
5131
            continue;
5,427✔
5132
        SigMatch *sm = s->init_data->buffers[x].head;
36,639✔
5133
        for (; sm != NULL; sm = sm->next) {
104,689✔
5134
            if (sm->type != DETECT_CONTENT)
68,050!
5135
                continue;
47,270✔
5136

5137
            DetectContentData *cd = (DetectContentData *)sm->ctx;
20,780✔
5138

5139
            bool changed = false;
20,780✔
5140
            uint32_t u;
20,780✔
5141
            for (u = 0; u < cd->content_len; u++) {
985,767✔
5142
                if (isupper(cd->content[u])) {
964,987✔
5143
                    cd->content[u] = u8_tolower(cd->content[u]);
118,586✔
5144
                    changed = true;
118,586✔
5145
                }
118,586✔
5146
            }
964,987✔
5147

5148
            if (changed) {
20,780✔
5149
                SpmDestroyCtx(cd->spm_ctx);
8,716✔
5150
                cd->spm_ctx =
8,716✔
5151
                        SpmInitCtx(cd->content, cd->content_len, 1, de_ctx->spm_global_thread_ctx);
8,716✔
5152
            }
8,716✔
5153
        }
20,780✔
5154
    }
36,639✔
5155
}
17,413✔
5156

5157
void SCDetectEngineRegisterRateFilterCallback(SCDetectRateFilterFunc fn, void *arg)
5158
{
×
5159
    DetectEngineCtx *de_ctx = DetectEngineGetCurrent();
×
5160
    de_ctx->RateFilterCallback = fn;
×
5161
    de_ctx->rate_filter_callback_arg = arg;
×
5162
    DetectEngineDeReference(&de_ctx);
×
5163
}
×
5164

5165
int DetectEngineThreadCtxGetJsonContext(DetectEngineThreadCtx *det_ctx)
5166
{
26✔
5167
    if (det_ctx->json_content_len > SIG_JSON_CONTENT_ARRAY_LEN - 1) {
26!
5168
        SCLogDebug("json content length %u exceeds maximum %u", det_ctx->json_content_len,
×
5169
                SIG_JSON_CONTENT_ARRAY_LEN);
×
5170
        return -1;
×
5171
    }
×
5172
    if (det_ctx->json_content_len >= det_ctx->json_content_capacity) {
26✔
5173
        if (det_ctx->json_content_capacity == 0) {
22✔
5174
            det_ctx->json_content_capacity = 1;
11✔
5175
        } else {
11✔
5176
            det_ctx->json_content_capacity *= 2;
11✔
5177
        }
11✔
5178
        void *tmp = SCRealloc(
22✔
5179
                det_ctx->json_content, det_ctx->json_content_capacity * sizeof(SigJsonContent));
22✔
5180
        if (unlikely(tmp == NULL)) {
22!
5181
            return -1;
×
5182
        }
×
5183
        SCLogDebug("reallocated json content array to %u items", det_ctx->json_content_capacity);
22!
5184
        det_ctx->json_content = tmp;
22✔
5185
    }
22✔
5186
    return 0;
26✔
5187
}
26✔
5188

5189
/*************************************Unittest*********************************/
5190

5191
#ifdef UNITTESTS
5192

5193
static int DetectEngineInitYamlConf(const char *conf)
5194
{
6✔
5195
    SCConfCreateContextBackup();
6✔
5196
    SCConfInit();
6✔
5197
    return SCConfYamlLoadString(conf, strlen(conf));
6✔
5198
}
6✔
5199

5200
static void DetectEngineDeInitYamlConf(void)
5201
{
6✔
5202
    SCConfDeInit();
6✔
5203
    SCConfRestoreContextBackup();
6✔
5204
}
6✔
5205

5206
static int DetectEngineTest01(void)
5207
{
1✔
5208
    const char *conf =
1✔
5209
        "%YAML 1.1\n"
1✔
5210
        "---\n"
1✔
5211
        "detect-engine:\n"
1✔
5212
        "  - profile: medium\n"
1✔
5213
        "  - custom-values:\n"
1✔
5214
        "      toclient_src_groups: 2\n"
1✔
5215
        "      toclient_dst_groups: 2\n"
1✔
5216
        "      toclient_sp_groups: 2\n"
1✔
5217
        "      toclient_dp_groups: 3\n"
1✔
5218
        "      toserver_src_groups: 2\n"
1✔
5219
        "      toserver_dst_groups: 4\n"
1✔
5220
        "      toserver_sp_groups: 2\n"
1✔
5221
        "      toserver_dp_groups: 25\n"
1✔
5222
        "  - inspection-recursion-limit: 0\n";
1✔
5223

5224
    FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
1✔
5225

5226
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1✔
5227
    FAIL_IF_NULL(de_ctx);
1✔
5228

5229
    FAIL_IF_NOT(de_ctx->inspection_recursion_limit == -1);
1✔
5230

5231
    DetectEngineCtxFree(de_ctx);
1✔
5232

5233
    DetectEngineDeInitYamlConf();
1✔
5234

5235
    PASS;
1✔
5236
}
1✔
5237

5238
static int DetectEngineTest02(void)
5239
{
1✔
5240
    const char *conf =
1✔
5241
        "%YAML 1.1\n"
1✔
5242
        "---\n"
1✔
5243
        "detect-engine:\n"
1✔
5244
        "  - profile: medium\n"
1✔
5245
        "  - custom-values:\n"
1✔
5246
        "      toclient_src_groups: 2\n"
1✔
5247
        "      toclient_dst_groups: 2\n"
1✔
5248
        "      toclient_sp_groups: 2\n"
1✔
5249
        "      toclient_dp_groups: 3\n"
1✔
5250
        "      toserver_src_groups: 2\n"
1✔
5251
        "      toserver_dst_groups: 4\n"
1✔
5252
        "      toserver_sp_groups: 2\n"
1✔
5253
        "      toserver_dp_groups: 25\n"
1✔
5254
        "  - inspection-recursion-limit:\n";
1✔
5255

5256
    FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
1✔
5257

5258
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1✔
5259
    FAIL_IF_NULL(de_ctx);
1✔
5260

5261
    FAIL_IF_NOT(
1✔
5262
            de_ctx->inspection_recursion_limit == DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT);
1✔
5263

5264
    DetectEngineCtxFree(de_ctx);
1✔
5265

5266
    DetectEngineDeInitYamlConf();
1✔
5267

5268
    PASS;
1✔
5269
}
1✔
5270

5271
static int DetectEngineTest03(void)
5272
{
1✔
5273
    const char *conf =
1✔
5274
        "%YAML 1.1\n"
1✔
5275
        "---\n"
1✔
5276
        "detect-engine:\n"
1✔
5277
        "  - profile: medium\n"
1✔
5278
        "  - custom-values:\n"
1✔
5279
        "      toclient_src_groups: 2\n"
1✔
5280
        "      toclient_dst_groups: 2\n"
1✔
5281
        "      toclient_sp_groups: 2\n"
1✔
5282
        "      toclient_dp_groups: 3\n"
1✔
5283
        "      toserver_src_groups: 2\n"
1✔
5284
        "      toserver_dst_groups: 4\n"
1✔
5285
        "      toserver_sp_groups: 2\n"
1✔
5286
        "      toserver_dp_groups: 25\n";
1✔
5287

5288
    FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
1✔
5289

5290
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1✔
5291
    FAIL_IF_NULL(de_ctx);
1✔
5292

5293
    FAIL_IF_NOT(
1✔
5294
            de_ctx->inspection_recursion_limit == DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT);
1✔
5295

5296
    DetectEngineCtxFree(de_ctx);
1✔
5297

5298
    DetectEngineDeInitYamlConf();
1✔
5299

5300
    PASS;
1✔
5301
}
1✔
5302

5303
static int DetectEngineTest04(void)
5304
{
1✔
5305
    const char *conf =
1✔
5306
        "%YAML 1.1\n"
1✔
5307
        "---\n"
1✔
5308
        "detect-engine:\n"
1✔
5309
        "  - profile: medium\n"
1✔
5310
        "  - custom-values:\n"
1✔
5311
        "      toclient_src_groups: 2\n"
1✔
5312
        "      toclient_dst_groups: 2\n"
1✔
5313
        "      toclient_sp_groups: 2\n"
1✔
5314
        "      toclient_dp_groups: 3\n"
1✔
5315
        "      toserver_src_groups: 2\n"
1✔
5316
        "      toserver_dst_groups: 4\n"
1✔
5317
        "      toserver_sp_groups: 2\n"
1✔
5318
        "      toserver_dp_groups: 25\n"
1✔
5319
        "  - inspection-recursion-limit: 10\n";
1✔
5320

5321
    FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
1✔
5322

5323
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1✔
5324
    FAIL_IF_NULL(de_ctx);
1✔
5325

5326
    FAIL_IF_NOT(de_ctx->inspection_recursion_limit == 10);
1✔
5327

5328
    DetectEngineCtxFree(de_ctx);
1✔
5329

5330
    DetectEngineDeInitYamlConf();
1✔
5331

5332
    PASS;
1✔
5333
}
1✔
5334

5335
static int DetectEngineTest08(void)
5336
{
1✔
5337
    const char *conf =
1✔
5338
        "%YAML 1.1\n"
1✔
5339
        "---\n"
1✔
5340
        "detect-engine:\n"
1✔
5341
        "  - profile: custom\n"
1✔
5342
        "  - custom-values:\n"
1✔
5343
        "      toclient-groups: 23\n"
1✔
5344
        "      toserver-groups: 27\n";
1✔
5345

5346
    FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
1✔
5347

5348
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1✔
5349
    FAIL_IF_NULL(de_ctx);
1✔
5350

5351
    FAIL_IF_NOT(de_ctx->max_uniq_toclient_groups == 23);
1✔
5352
    FAIL_IF_NOT(de_ctx->max_uniq_toserver_groups == 27);
1✔
5353

5354
    DetectEngineCtxFree(de_ctx);
1✔
5355

5356
    DetectEngineDeInitYamlConf();
1✔
5357

5358
    PASS;
1✔
5359
}
1✔
5360

5361
/** \test bug 892 bad values */
5362
static int DetectEngineTest09(void)
5363
{
1✔
5364
    const char *conf =
1✔
5365
        "%YAML 1.1\n"
1✔
5366
        "---\n"
1✔
5367
        "detect-engine:\n"
1✔
5368
        "  - profile: custom\n"
1✔
5369
        "  - custom-values:\n"
1✔
5370
        "      toclient-groups: BA\n"
1✔
5371
        "      toserver-groups: BA\n"
1✔
5372
        "  - inspection-recursion-limit: 10\n";
1✔
5373

5374
    FAIL_IF(DetectEngineInitYamlConf(conf) == -1);
1✔
5375

5376
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1✔
5377
    FAIL_IF_NULL(de_ctx);
1✔
5378

5379
    FAIL_IF_NOT(de_ctx->max_uniq_toclient_groups == 20);
1✔
5380
    FAIL_IF_NOT(de_ctx->max_uniq_toserver_groups == 40);
1✔
5381

5382
    DetectEngineCtxFree(de_ctx);
1✔
5383

5384
    DetectEngineDeInitYamlConf();
1✔
5385

5386
    PASS;
1✔
5387
}
1✔
5388

5389
#endif
5390

5391
void DetectEngineRegisterTests(void)
5392
{
1✔
5393
#ifdef UNITTESTS
1✔
5394
    UtRegisterTest("DetectEngineTest01", DetectEngineTest01);
1✔
5395
    UtRegisterTest("DetectEngineTest02", DetectEngineTest02);
1✔
5396
    UtRegisterTest("DetectEngineTest03", DetectEngineTest03);
1✔
5397
    UtRegisterTest("DetectEngineTest04", DetectEngineTest04);
1✔
5398
    UtRegisterTest("DetectEngineTest08", DetectEngineTest08);
1✔
5399
    UtRegisterTest("DetectEngineTest09", DetectEngineTest09);
1✔
5400
#endif
1✔
5401
}
1✔
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc