Callbacks
Engine init
Detection engine init, stage 1: per signature post parsing. Args: DetectEngineCtx *, Signature *.
Detection engine init, stage 1: call back to SignatureIsIPonly for keywords that are compatible with IP-only only in certain configurations (like flowbits:set).
Detection engine init, stage 4: per SigGroupHead post grouping. Args: DetectEngineCtx *, SigGroupHead *.
Engine deinit
Packet runtime
Pre detect, first packet in each flow direction only. Args: DetectEngineCtx *, DetectEngineThread *, Flow *, Packet *. Example usage: IP-only checks.
Pre detect, flowless packets. Args: DetectEngineCtx *, DetectEngineThread *, Packet *. Example usage: IP-only checks for flowless packets.
Pre detect, flow packets. Args: DetectEngineCtx *, DetectEngineThread *, Flow *, Packet *. Example usage: setup det_ctx->sgh.
Post detect, flow packet, both sgh's known. Args: Flow *. Example usage: check if http_client_body is part of sgh, if not disable client body buffering for flow.
Post detect, alert fired on packet. Args: Packet *. Example usage: alert post processing.
Post detect, packets. Args: DetectEngineThreadCtx *, Packet *. Example usage: detection cleanups.
Pre detect, running the detection engines (uri, hcbd and others) during stateful detection. Each engine should be a callback. New engines can be added by registering against this engine callback API. /* Author - AS */
All real packets, just before returning them to the pool. Useful for pkt sources that need to do something before discarding a packet (Tile comes to mind). Args: Packet *.