自学教程：C++ FLOWLOCK_UNLOCK函数代码示例

/** /internal *  /brief Get a flow from the hash directly. * *  Called in conditions where the spare queue is empty and memcap is reached. * *  Walks the hash until a flow can be freed. Timeouts are disregarded, use_cnt *  is adhered to. "flow_prune_idx" atomic int makes sure we don't start at the *  top each time since that would clear the top of the hash leading to longer *  and longer search times under high pressure (observed). * *  /retval f flow or NULL */static Flow *FlowGetUsedFlow(void){    uint32_t idx = SC_ATOMIC_GET(flow_prune_idx) % flow_config.hash_size;    uint32_t cnt = flow_config.hash_size;    while (cnt--) {        if (++idx >= flow_config.hash_size)            idx = 0;        FlowBucket *fb = &flow_hash[idx];        if (FBLOCK_TRYLOCK(fb) != 0)            continue;        Flow *f = fb->tail;        if (f == NULL) {            FBLOCK_UNLOCK(fb);            continue;        }        if (FLOWLOCK_TRYWRLOCK(f) != 0) {            FBLOCK_UNLOCK(fb);            continue;        }        /** never prune a flow that is used by a packet or stream msg         *  we are currently processing in one of the threads */        if (SC_ATOMIC_GET(f->use_cnt) > 0) {            FBLOCK_UNLOCK(fb);            FLOWLOCK_UNLOCK(f);            continue;        }        /* remove from the hash */        if (f->hprev != NULL)            f->hprev->hnext = f->hnext;        if (f->hnext != NULL)            f->hnext->hprev = f->hprev;        if (fb->head == f)            fb->head = f->hnext;        if (fb->tail == f)            fb->tail = f->hprev;        f->hnext = NULL;        f->hprev = NULL;        f->fb = NULL;        FBLOCK_UNLOCK(fb);        FlowClearMemory(f, f->protomap);        FLOWLOCK_UNLOCK(f);        (void) SC_ATOMIC_ADD(flow_prune_idx, (flow_config.hash_size - cnt));        return f;    }    return NULL;}

/** * /test Test the deallocation of app layer parser memory on occurance of *       error in the parsing process. */static int AppLayerParserTest01(void){    AppLayerParserBackupParserTable();    int result = 0;    Flow *f = NULL;    uint8_t testbuf[] = { 0x11 };    uint32_t testlen = sizeof(testbuf);    TcpSession ssn;    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();    memset(&ssn, 0, sizeof(ssn));    /* Register the Test protocol state and parser functions */    AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_TEST, STREAM_TOSERVER,                      TestProtocolParser);    AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_TEST,                          TestProtocolStateAlloc, TestProtocolStateFree);    f = UTHBuildFlow(AF_INET, "1.2.3.4", "4.3.2.1", 20, 40);    if (f == NULL)        goto end;    f->protoctx = &ssn;    f->alproto = ALPROTO_TEST;    f->proto = IPPROTO_TCP;    StreamTcpInitConfig(TRUE);    FLOWLOCK_WRLOCK(f);    int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_TEST,                                STREAM_TOSERVER | STREAM_EOF, testbuf,                                testlen);    if (r != -1) {        printf("returned %" PRId32 ", expected -1: ", r);        FLOWLOCK_UNLOCK(f);        goto end;    }    FLOWLOCK_UNLOCK(f);    if (!(ssn.flags & STREAMTCP_FLAG_APP_LAYER_DISABLED)) {        printf("flag should have been set, but is not: ");        goto end;    }    result = 1; end:    AppLayerParserRestoreParserTable();    StreamTcpFreeConfig(TRUE);    UTHFreeFlow(f);    return result;}

/** * /brief Check if we need to drop-log this packet * * /param tv    Pointer the current thread variables * /param p     Pointer the packet which is tested * * /retval bool TRUE or FALSE */static int LogDropCondition(ThreadVars *tv, const Packet *p){    if (!EngineModeIsIPS()) {        SCLogDebug("engine is not running in inline mode, so returning");        return FALSE;    }    if (PKT_IS_PSEUDOPKT(p)) {        SCLogDebug("drop log doesn't log pseudo packets");        return FALSE;    }    if (p->flow != NULL) {        int ret = FALSE;        FLOWLOCK_RDLOCK(p->flow);        if (p->flow->flags & FLOW_ACTION_DROP) {            if (PKT_IS_TOSERVER(p) && !(p->flow->flags & FLOW_TOSERVER_DROP_LOGGED))                ret = TRUE;            else if (PKT_IS_TOCLIENT(p) && !(p->flow->flags & FLOW_TOCLIENT_DROP_LOGGED))                ret = TRUE;        }        FLOWLOCK_UNLOCK(p->flow);        return ret;    } else if (PACKET_TEST_ACTION(p, ACTION_DROP)) {        return TRUE;    }    return FALSE;}

static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p) {    JsonTlsLogThread *aft = (JsonTlsLogThread *)thread_data;    MemBuffer *buffer = (MemBuffer *)aft->buffer;    OutputTlsCtx *tls_ctx = aft->tlslog_ctx;    if (unlikely(p->flow == NULL)) {        return 0;    }    /* check if we have TLS state or not */    FLOWLOCK_WRLOCK(p->flow);    uint16_t proto = FlowGetAppProtocol(p->flow);    if (proto != ALPROTO_TLS)        goto end;    SSLState *ssl_state = (SSLState *)FlowGetAppState(p->flow);    if (unlikely(ssl_state == NULL)) {        goto end;    }    if (ssl_state->server_connp.cert0_issuerdn == NULL || ssl_state->server_connp.cert0_subject == NULL)        goto end;    json_t *js = CreateJSONHeader((Packet *)p, 0, "tls");//TODO    if (unlikely(js == NULL))        goto end;    json_t *tjs = json_object();    if (tjs == NULL) {        free(js);        goto end;    }    /* reset */    MemBufferReset(buffer);    /* tls.subject */    json_object_set_new(tjs, "subject",                        json_string(ssl_state->server_connp.cert0_subject));    /* tls.issuerdn */    json_object_set_new(tjs, "issuerdn",                        json_string(ssl_state->server_connp.cert0_issuerdn));    if (tls_ctx->flags & LOG_TLS_EXTENDED) {        LogTlsLogExtendedJSON(tjs, ssl_state);    }    json_object_set_new(js, "tls", tjs);    OutputJSONBuffer(js, tls_ctx->file_ctx, buffer);    json_object_clear(js);    json_decref(js);    /* we only log the state once */    ssl_state->flags |= SSL_AL_FLAG_STATE_LOGGED;end:    FLOWLOCK_UNLOCK(p->flow);    return 0;}

/** * /brief Search tags for src and dst. Update entries of the tag, remove if necessary * * /param de_ctx Detect context * /param det_ctx Detect thread context * /param p packet * */void TagHandlePacket(DetectEngineCtx *de_ctx,        DetectEngineThreadCtx *det_ctx, Packet *p){    /* If there's no tag, get out of here */    unsigned int current_tags = SC_ATOMIC_GET(num_tags);    if (current_tags == 0)        return;    /* First update and get session tags */    if (p->flow != NULL) {        FLOWLOCK_WRLOCK(p->flow);        TagHandlePacketFlow(p->flow, p);        FLOWLOCK_UNLOCK(p->flow);    }    Host *src = HostLookupHostFromHash(&p->src);    if (src) {        if (src->tag != NULL) {            TagHandlePacketHost(src,p);        }        HostRelease(src);    }    Host *dst = HostLookupHostFromHash(&p->dst);    if (dst) {        if (dst->tag != NULL) {            TagHandlePacketHost(dst,p);        }        HostRelease(dst);    }}

static TmEcode OutputStreamingLog(ThreadVars *tv, Packet *p, void *thread_data, PacketQueue *pq, PacketQueue *postpq){    BUG_ON(thread_data == NULL);    BUG_ON(list == NULL);    OutputLoggerThreadData *op_thread_data = (OutputLoggerThreadData *)thread_data;    OutputStreamingLogger *logger = list;    OutputLoggerThreadStore *store = op_thread_data->store;    StreamerCallbackData streamer_cbdata = { logger, store, tv, p , 0};    BUG_ON(logger == NULL && store != NULL);    BUG_ON(logger != NULL && store == NULL);    BUG_ON(logger == NULL && store == NULL);    uint8_t flags = 0;    Flow * const f = p->flow;    /* no flow, no streaming */    if (f == NULL) {        SCReturnInt(TM_ECODE_OK);    }    if (p->flowflags & FLOW_PKT_TOCLIENT)        flags |= OUTPUT_STREAMING_FLAG_TOCLIENT;    else        flags |= OUTPUT_STREAMING_FLAG_TOSERVER;    FLOWLOCK_WRLOCK(f);    if (op_thread_data->loggers & (1<<STREAMING_TCP_DATA)) {        TcpSession *ssn = f->protoctx;        if (ssn) {            int close = (ssn->state >= TCP_CLOSED);            close |= ((p->flags & PKT_PSEUDO_STREAM_END) ? 1 : 0);            SCLogDebug("close ? %s", close ? "yes" : "no");            TcpStream *stream = flags & OUTPUT_STREAMING_FLAG_TOSERVER ? &ssn->client : &ssn->server;            streamer_cbdata.type = STREAMING_TCP_DATA;            StreamIterator(p->flow, stream, close, (void *)&streamer_cbdata, flags);        }    }    if (op_thread_data->loggers & (1<<STREAMING_HTTP_BODIES)) {        if (f->alproto == ALPROTO_HTTP && f->alstate != NULL) {            int close = 0;            TcpSession *ssn = f->protoctx;            if (ssn) {                close = (ssn->state >= TCP_CLOSED);                close |= ((p->flags & PKT_PSEUDO_STREAM_END) ? 1 : 0);            }            SCLogDebug("close ? %s", close ? "yes" : "no");            streamer_cbdata.type = STREAMING_HTTP_BODIES;            HttpBodyIterator(f, close, (void *)&streamer_cbdata, flags);        }    }    FLOWLOCK_UNLOCK(f);    return TM_ECODE_OK;}

/** * /brief Check if we need to drop-log this packet * * /param tv    Pointer the current thread variables * /param p     Pointer the packet which is tested * * /retval bool TRUE or FALSE */static int JsonDropLogCondition(ThreadVars *tv, const Packet *p){    if (!EngineModeIsIPS()) {        SCLogDebug("engine is not running in inline mode, so returning");        return FALSE;    }    if (PKT_IS_PSEUDOPKT(p)) {        SCLogDebug("drop log doesn't log pseudo packets");        return FALSE;    }    if (p->flow != NULL) {        int ret = FALSE;        /* for a flow that will be dropped fully, log just once per direction */        FLOWLOCK_RDLOCK(p->flow);        if (p->flow->flags & FLOW_ACTION_DROP) {            if (PKT_IS_TOSERVER(p) && !(p->flow->flags & FLOW_TOSERVER_DROP_LOGGED))                ret = TRUE;            else if (PKT_IS_TOCLIENT(p) && !(p->flow->flags & FLOW_TOCLIENT_DROP_LOGGED))                ret = TRUE;        }        FLOWLOCK_UNLOCK(p->flow);        /* if drop is caused by signature, log anyway */        if (p->alerts.drop.action != 0)            ret = TRUE;        return ret;    } else if (PACKET_TEST_ACTION(p, ACTION_DROP)) {        return TRUE;    }    return FALSE;}

/** * /brief match the specified version on a tls session * * /param t pointer to thread vars * /param det_ctx pointer to the pattern matcher thread * /param p pointer to the current packet * /param m pointer to the sigmatch that we will cast into DetectTlsVersionData * * /retval 0 no match * /retval 1 match */int DetectTlsVersionMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m){    SCEnter();    DetectTlsVersionData *tls_data = (DetectTlsVersionData *)m->ctx;    SSLState *ssl_state = (SSLState *)state;    if (ssl_state == NULL) {        SCLogDebug("no tls state, no match");        SCReturnInt(0);    }    int ret = 0;    FLOWLOCK_RDLOCK(f);    SCLogDebug("looking for tls_data->ver 0x%02X (flags 0x%02X)", tls_data->ver, flags);    if (flags & STREAM_TOCLIENT) {        SCLogDebug("server (toclient) version is 0x%02X", ssl_state->server_connp.version);        if (tls_data->ver == ssl_state->server_connp.version)            ret = 1;    } else if (flags & STREAM_TOSERVER) {        SCLogDebug("client (toserver) version is 0x%02X", ssl_state->client_connp.version);        if (tls_data->ver == ssl_state->client_connp.version)            ret = 1;    }    FLOWLOCK_UNLOCK(f);    SCReturnInt(ret);}

static Flow *TcpReuseReplace(ThreadVars *tv, DecodeThreadVars *dtv,                             FlowBucket *fb, Flow *old_f,                             const uint32_t hash, const Packet *p){    /* tag flow as reused so future lookups won't find it */    old_f->flags |= FLOW_TCP_REUSED;    /* get some settings that we move over to the new flow */    FlowThreadId thread_id = old_f->thread_id;    /* since fb lock is still held this flow won't be found until we are done */    FLOWLOCK_UNLOCK(old_f);    /* Get a new flow. It will be either a locked flow or NULL */    Flow *f = FlowGetNew(tv, dtv, p);    if (f == NULL) {        return NULL;    }    /* flow is locked */    /* put at the start of the list */    f->hnext = fb->head;    fb->head->hprev = f;    fb->head = f;    /* initialize and return */    FlowInit(f, p);    f->flow_hash = hash;    f->fb = fb;    f->thread_id = thread_id;    return f;}

/** * /internal * /brief Forces reassembly for flows that need it. * * When this function is called we're running in virtually dead engine, * so locking the flows is not strictly required. The reasons it is still * done are: * - code consistency * - silence complaining profilers * - allow us to aggressively check using debug valdation assertions * - be robust in case of future changes * - locking overhead if neglectable when no other thread fights us * * /param q The queue to process flows from. */static inline void FlowForceReassemblyForHash(void){    Flow *f;    TcpSession *ssn;    int client_ok = 0;    int server_ok = 0;    uint32_t idx = 0;    for (idx = 0; idx < flow_config.hash_size; idx++) {        FlowBucket *fb = &flow_hash[idx];        PacketPoolWaitForN(9);        FBLOCK_LOCK(fb);        /* get the topmost flow from the QUEUE */        f = fb->head;        /* we need to loop through all the flows in the queue */        while (f != NULL) {            PacketPoolWaitForN(3);            FLOWLOCK_WRLOCK(f);            /* Get the tcp session for the flow */            ssn = (TcpSession *)f->protoctx;            /* /todo Also skip flows that shouldn't be inspected */            if (ssn == NULL) {                FLOWLOCK_UNLOCK(f);                f = f->hnext;                continue;            }            if (FlowForceReassemblyNeedReassembly(f, &server_ok, &client_ok) == 1) {                FlowForceReassemblyForFlow(f, server_ok, client_ok);            }            FLOWLOCK_UNLOCK(f);            /* next flow in the queue */            f = f->hnext;        }        FBLOCK_UNLOCK(fb);    }    return;}

/** * /brief Do the http_method content inspection for a signature. * * /param de_ctx  Detection engine context. * /param det_ctx Detection engine thread context. * /param s       Signature to inspect. * /param f       Flow. * /param flags   App layer flags. * /param state   App layer state. * * /retval 0 No match. * /retval 1 Match. */int DetectEngineInspectHttpMethod(DetectEngineCtx *de_ctx,                                  DetectEngineThreadCtx *det_ctx,                                  Signature *s, Flow *f, uint8_t flags,                                  void *alstate){    SCEnter();    int r = 0;    HtpState *htp_state = NULL;    htp_tx_t *tx = NULL;    int idx;    FLOWLOCK_RDLOCK(f);    htp_state = (HtpState *)alstate;    if (htp_state == NULL) {        SCLogDebug("no HTTP state");        goto end;    }    if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {        SCLogDebug("HTP state has no conn(p)");        goto end;    }    idx = AppLayerTransactionGetInspectId(f);    if (idx == -1) {        goto end;    }    int size = (int)list_size(htp_state->connp->conn->transactions);    for (; idx < size; idx++) {        tx = list_get(htp_state->connp->conn->transactions, idx);        if (tx == NULL || tx->request_method == NULL)            continue;        det_ctx->buffer_offset = 0;        det_ctx->discontinue_matching = 0;        det_ctx->inspection_recursion_counter = 0;        r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HMDMATCH],                                          f,                                          (uint8_t *)bstr_ptr(tx->request_method),                                          bstr_len(tx->request_method),                                          DETECT_ENGINE_CONTENT_INSPECTION_MODE_HMD, NULL);        //r = DoInspectHttpMethod(de_ctx, det_ctx, s, s->sm_lists[DETECT_SM_LIST_HMDMATCH],        //(uint8_t *)bstr_ptr(tx->request_method),        //bstr_len(tx->request_method));        if (r == 1) {            break;        }    }end:    FLOWLOCK_UNLOCK(f);    SCReturnInt(r);}

static TmEcode LogFileLogWrap(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq, int ipver){    SCEnter();    LogFileLogThread *aft = (LogFileLogThread *)data;    uint8_t flags = 0;    /* no flow, no htp state */    if (p->flow == NULL) {        SCReturnInt(TM_ECODE_OK);    }    if (p->flowflags & FLOW_PKT_TOCLIENT)        flags |= STREAM_TOCLIENT;    else        flags |= STREAM_TOSERVER;    int file_close = (p->flags & PKT_PSEUDO_STREAM_END) ? 1 : 0;    int file_trunc = 0;    FLOWLOCK_WRLOCK(p->flow);    file_trunc = StreamTcpReassembleDepthReached(p);    FileContainer *ffc = AppLayerParserGetFiles(IPPROTO_TCP, p->flow->alproto,                                                p->flow->alstate, flags);    SCLogDebug("ffc %p", ffc);    if (ffc != NULL) {        File *ff;        for (ff = ffc->head; ff != NULL; ff = ff->next) {            if (ff->flags & FILE_LOGGED)                continue;            if (FileForceMagic() && ff->magic == NULL) {                FilemagicGlobalLookup(ff);            }            SCLogDebug("ff %p", ff);            if (file_trunc && ff->state < FILE_STATE_CLOSED)                ff->state = FILE_STATE_TRUNCATED;            if (ff->state == FILE_STATE_CLOSED ||                    ff->state == FILE_STATE_TRUNCATED || ff->state == FILE_STATE_ERROR ||                    (file_close == 1 && ff->state < FILE_STATE_CLOSED))            {                LogFileWriteJsonRecord(aft, p, ff, ipver);                ff->flags |= FILE_LOGGED;                aft->file_cnt++;            }        }        FilePrune(ffc);    }    FLOWLOCK_UNLOCK(p->flow);    SCReturnInt(TM_ECODE_OK);}

void FlowAlertSidUnset(Flow *f, uint32_t sid) {    FLOWLOCK_WRLOCK(f);    FlowAlertSid *fb = FlowAlertSidGet(f, sid);    if (fb != NULL) {        FlowAlertSidRemove(f, sid);    }    FLOWLOCK_UNLOCK(f);}

void FlowBitUnset(Flow *f, uint16_t idx) {    FLOWLOCK_WRLOCK(f);    FlowBit *fb = FlowBitGet(f, idx);    if (fb != NULL) {        FlowBitRemove(f, idx);    }    FLOWLOCK_UNLOCK(f);}

/** * /test Test the deallocation of app layer parser memory on occurance of *       error in the parsing process for UDP. */static int AppLayerParserTest02(void){    AppLayerParserBackupParserTable();    int result = 1;    Flow *f = NULL;    uint8_t testbuf[] = { 0x11 };    uint32_t testlen = sizeof(testbuf);    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();    /* Register the Test protocol state and parser functions */    AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_TEST, STREAM_TOSERVER,                      TestProtocolParser);    AppLayerParserRegisterStateFuncs(IPPROTO_UDP, ALPROTO_TEST,                          TestProtocolStateAlloc, TestProtocolStateFree);    f = UTHBuildFlow(AF_INET, "1.2.3.4", "4.3.2.1", 20, 40);    if (f == NULL)        goto end;    f->alproto = ALPROTO_TEST;    f->proto = IPPROTO_UDP;    f->protomap = FlowGetProtoMapping(f->proto);    StreamTcpInitConfig(TRUE);    FLOWLOCK_WRLOCK(f);    int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_TEST,                                STREAM_TOSERVER | STREAM_EOF, testbuf,                                testlen);    if (r != -1) {        printf("returned %" PRId32 ", expected -1: /n", r);        result = 0;        FLOWLOCK_UNLOCK(f);        goto end;    }    FLOWLOCK_UNLOCK(f); end:    AppLayerParserRestoreParserTable();    StreamTcpFreeConfig(TRUE);    UTHFreeFlow(f);    return result;}

void FlowBitSet(Flow *f, uint16_t idx) {    FLOWLOCK_WRLOCK(f);    FlowBit *fb = FlowBitGet(f, idx);    if (fb == NULL) {        FlowBitAdd(f, idx);    }    FLOWLOCK_UNLOCK(f);}

void FlowAlertSidSet(Flow *f, uint32_t sid) {    FLOWLOCK_WRLOCK(f);    FlowAlertSid *fb = FlowAlertSidGet(f, sid);    if (fb == NULL) {        FlowAlertSidAdd(f, sid);    }    FLOWLOCK_UNLOCK(f);}

int FlowBitIsnotset(Flow *f, uint16_t idx) {    int r = 0;    FLOWLOCK_RDLOCK(f);    FlowBit *fb = FlowBitGet(f, idx);    if (fb == NULL) {        r = 1;    }    FLOWLOCK_UNLOCK(f);    return r;}

void FlowBitToggle(Flow *f, uint16_t idx) {    FLOWLOCK_WRLOCK(f);    FlowBit *fb = FlowBitGet(f, idx);    if (fb != NULL) {        FlowBitRemove(f, idx);    } else {        FlowBitAdd(f, idx);    }    FLOWLOCK_UNLOCK(f);}

void FlowAlertSidToggle(Flow *f, uint32_t sid) {    FLOWLOCK_WRLOCK(f);    FlowAlertSid *fb = FlowAlertSidGet(f, sid);    if (fb != NULL) {        FlowAlertSidRemove(f, sid);    } else {        FlowAlertSidAdd(f, sid);    }    FLOWLOCK_UNLOCK(f);}

/** * /brief   This function is used to match urilen rule option with the HTTP *          uricontent. * * /param t pointer to thread vars * /param det_ctx pointer to the pattern matcher thread * /param p pointer to the current packet * /param m pointer to the sigmatch that we will cast into DetectUrilenData * * /retval 0 no match * /retval 1 match */int DetectUrilenMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,                       uint8_t flags, void *state, Signature *s, SigMatch *m){    SCEnter();    int ret = 0;    int idx = 0;    DetectUrilenData *urilend = (DetectUrilenData *) m->ctx;    HtpState *htp_state = (HtpState *)state;    if (htp_state == NULL) {        SCLogDebug("no HTP state, no need to match further");        SCReturnInt(ret);    }    FLOWLOCK_RDLOCK(f);    htp_tx_t *tx = NULL;    idx = AppLayerTransactionGetInspectId(f);    if (idx == -1) {        goto end;    }    int size = (int)list_size(htp_state->connp->conn->transactions);    for (; idx < size; idx++)    {        tx = list_get(htp_state->connp->conn->transactions, idx);        if (tx == NULL || tx->request_uri_normalized == NULL)            goto end;        switch (urilend->mode) {            case DETECT_URILEN_EQ:                if (bstr_len(tx->request_uri_normalized) == urilend->urilen1)                    ret = 1;                break;            case DETECT_URILEN_LT:                if (bstr_len(tx->request_uri_normalized) < urilend->urilen1)                    ret = 1;                break;            case DETECT_URILEN_GT:                if (bstr_len(tx->request_uri_normalized) > urilend->urilen1)                    ret = 1;                break;            case DETECT_URILEN_RA:                if (bstr_len(tx->request_uri_normalized) > urilend->urilen1 &&                        bstr_len(tx->request_uri_normalized) < urilend->urilen2)                    ret = 1;                break;        }    }end:    FLOWLOCK_UNLOCK(f);    SCReturnInt(ret);}

int FlowAlertSidIsnotset(Flow *f, uint32_t sid) {    int r = 0;    FLOWLOCK_RDLOCK(f);    FlowAlertSid *fb = FlowAlertSidGet(f, sid);    if (fb == NULL) {        r = 1;    }    FLOWLOCK_UNLOCK(f);    return r;}

/** /internal *  /brief Condition function for TLS logger *  /retval bool true or false -- log now? */static int LogTlsCondition(ThreadVars *tv, const Packet *p){    if (p->flow == NULL) {        return FALSE;    }    if (!(PKT_IS_TCP(p))) {        return FALSE;    }    FLOWLOCK_RDLOCK(p->flow);    uint16_t proto = FlowGetAppProtocol(p->flow);    if (proto != ALPROTO_TLS)        goto dontlog;    SSLState *ssl_state = (SSLState *)FlowGetAppState(p->flow);    if (ssl_state == NULL) {        SCLogDebug("no tls state, so no request logging");        goto dontlog;    }    /* we only log the state once if we don't have to write     * the cert due to tls.store keyword. */    if (!(ssl_state->server_connp.cert_log_flag & SSL_TLS_LOG_PEM) &&        (ssl_state->flags & SSL_AL_FLAG_STATE_LOGGED))        goto dontlog;    if (ssl_state->server_connp.cert0_issuerdn == NULL ||            ssl_state->server_connp.cert0_subject == NULL)        goto dontlog;    /* todo: logic to log once */    FLOWLOCK_UNLOCK(p->flow);    return TRUE;dontlog:    FLOWLOCK_UNLOCK(p->flow);    return FALSE;}

int DetectAppLayerProtocolMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,                                Flow *f, uint8_t flags, void *state,                                Signature *s, SigMatch *m){    int r = 0;    DetectAppLayerProtocolData *data = (DetectAppLayerProtocolData *)m->ctx;    FLOWLOCK_RDLOCK(f);    r = (data->negated) ? (f->alproto != data->alproto) :        (f->alproto == data->alproto);    FLOWLOCK_UNLOCK(f);    return r;}

/** *  /brief post-match function for filestore * *  /param t thread local vars *  /param det_ctx pattern matcher thread local data *  /param p packet * *  The match function for filestore records store candidates in the det_ctx. *  When we are sure all parts of the signature matched, we run this function *  to finalize the filestore. */int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s){    uint8_t flags = 0;    SCEnter();    if (det_ctx->filestore_cnt == 0) {        SCReturnInt(0);    }    if (s->filestore_sm == NULL || p->flow == NULL) {#ifndef DEBUG        SCReturnInt(0);#else        BUG_ON(1);#endif    }    if (p->flowflags & FLOW_PKT_TOCLIENT)        flags |= STREAM_TOCLIENT;    else        flags |= STREAM_TOSERVER;    if (det_ctx->flow_locked == 0)        FLOWLOCK_WRLOCK(p->flow);    FileContainer *ffc = AppLayerParserGetFiles(p->flow->proto, p->flow->alproto,                                                p->flow->alstate, flags);    /* filestore for single files only */    if (s->filestore_sm->ctx == NULL) {        uint16_t u;        for (u = 0; u < det_ctx->filestore_cnt; u++) {            FileStoreFileById(ffc, det_ctx->filestore[u].file_id);        }    } else {        DetectFilestoreData *filestore = (DetectFilestoreData *)s->filestore_sm->ctx;        uint16_t u;        for (u = 0; u < det_ctx->filestore_cnt; u++) {            FilestorePostMatchWithOptions(p, p->flow, filestore, ffc,                    det_ctx->filestore[u].file_id, det_ctx->filestore[u].tx_id);        }    }    if (det_ctx->flow_locked == 0)        FLOWLOCK_UNLOCK(p->flow);    SCReturnInt(0);}

/** /internal *  /brief Condition function for SSH logger *  /retval bool true or false -- log now? */static int JsonSshCondition(ThreadVars *tv, const Packet *p){    if (p->flow == NULL) {        return FALSE;    }    if (!(PKT_IS_TCP(p))) {        return FALSE;    }    FLOWLOCK_RDLOCK(p->flow);    uint16_t proto = FlowGetAppProtocol(p->flow);    if (proto != ALPROTO_SSH)        goto dontlog;    SshState *ssh_state = (SshState *)FlowGetAppState(p->flow);    if (ssh_state == NULL) {        SCLogDebug("no ssh state, so no logging");        goto dontlog;    }    /* we only log the state once */    if (ssh_state->cli_hdr.flags & SSH_FLAG_STATE_LOGGED)        goto dontlog;    if (ssh_state->cli_hdr.software_version == NULL ||        ssh_state->srv_hdr.software_version == NULL)        goto dontlog;    /* todo: logic to log once */    FLOWLOCK_UNLOCK(p->flow);    return TRUE;dontlog:    FLOWLOCK_UNLOCK(p->flow);    return FALSE;}

int DetectEngineRunHttpUAMpm(DetectEngineThreadCtx *det_ctx, Flow *f,                             HtpState *htp_state, uint8_t flags){    htp_tx_t *tx = NULL;    uint32_t cnt = 0;    int idx;    /* we need to lock because the buffers are not actually true buffers     * but are ones that point to a buffer given by libhtp */    FLOWLOCK_RDLOCK(f);    if (htp_state == NULL) {        SCLogDebug("no HTTP state");        goto end;    }    if (htp_state->connp == NULL || htp_state->connp->conn == NULL) {        SCLogDebug("HTP state has no conn(p)");        goto end;    }    idx = AppLayerTransactionGetInspectId(f);    if (idx == -1) {        goto end;    }    int size = (int)list_size(htp_state->connp->conn->transactions);    for (; idx < size; idx++) {        tx = list_get(htp_state->connp->conn->transactions, idx);        if (tx == NULL)            continue;        htp_header_t *h = (htp_header_t *)table_getc(tx->request_headers,                                                     "User-Agent");        if (h == NULL) {            SCLogDebug("HTTP user agent header not present in this request");            continue;        }        cnt += HttpUAPatternSearch(det_ctx,                                   (uint8_t *)bstr_ptr(h->value),                                   bstr_len(h->value), flags);    } end:    FLOWLOCK_UNLOCK(f);    return cnt;}

/** * /brief This function is used to add a tag to a session (type session) *        or update it if it's already installed. The number of times to *        allow an update is limited by DETECT_TAG_MATCH_LIMIT. This way *        repetitive matches to the same rule are limited of setting tags, *        to avoid DOS attacks * * /param p pointer to the current packet * /param tde pointer to the new DetectTagDataEntry * * /retval 0 if the tde was added succesfuly * /retval 1 if an entry of this sid/gid already exist and was updated */int TagFlowAdd(Packet *p, DetectTagDataEntry *tde) {    uint8_t updated = 0;    uint16_t num_tags = 0;    DetectTagDataEntry *iter = NULL;    if (p->flow == NULL)        return 1;    FLOWLOCK_WRLOCK(p->flow);    if (p->flow->tag_list != NULL) {        iter = p->flow->tag_list;        /* First iterate installed entries searching a duplicated sid/gid */        for (; iter != NULL; iter = iter->next) {            num_tags++;            if (iter->sid == tde->sid && iter->gid == tde->gid) {                iter->cnt_match++;                /* If so, update data, unless the maximum MATCH limit is                 * reached. This prevents possible DOS attacks */                if (iter->cnt_match < DETECT_TAG_MATCH_LIMIT) {                    /* Reset time and counters */                    iter->first_ts = iter->last_ts = tde->first_ts;                    iter->packets = 0;                    iter->bytes = 0;                }                updated = 1;                break;            }        }    }    /* If there was no entry of this rule, prepend the new tde */    if (updated == 0 && num_tags < DETECT_TAG_MAX_TAGS) {        DetectTagDataEntry *new_tde = DetectTagDataCopy(tde);        if (new_tde != NULL) {            new_tde->next = p->flow->tag_list;            p->flow->tag_list = new_tde;            (void) SC_ATOMIC_ADD(num_tags, 1);        }    } else if (num_tags == DETECT_TAG_MAX_TAGS) {        SCLogDebug("Max tags for sessions reached (%"PRIu16")", num_tags);    }    FLOWLOCK_UNLOCK(p->flow);    return updated;}

static int DetectTlsStoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m){    SCEnter();    SSLState *ssl_state = (SSLState *)state;    if (ssl_state == NULL) {        SCLogDebug("no tls state, no match");        SCReturnInt(1);    }    FLOWLOCK_WRLOCK(f);    if (s->flags & SIG_FLAG_TLSSTORE) {        ssl_state->server_connp.cert_log_flag |= SSL_TLS_LOG_PEM;    }    FLOWLOCK_UNLOCK(f);    SCReturnInt(1);}