From ea0067add8006f125bb0fa185d89f9228dad5a5e Mon Sep 17 00:00:00 2001
From: Victor Julien <victor@inliniac.net>
Date: Wed, 20 Apr 2016 17:47:31 +0200
Subject: [PATCH] debug: add various detect engine debug statements

---
 src/detect-engine-state.c | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c
index 2ba935b580..45449ee1b3 100644
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@@ -415,6 +415,7 @@ static void StoreStateTxHandleFiles(DetectEngineThreadCtx *det_ctx, Flow *f,
                                     DetectEngineState *destate, const uint8_t flags,
                                     const uint64_t tx_id, const uint16_t file_no_match)
 {
+    SCLogDebug("tx %u, file_no_match %u", (uint)tx_id, file_no_match);
     DeStateStoreFileNoMatchCnt(destate, file_no_match, flags);
     if (DeStateStoreFilestoreSigsCantMatch(det_ctx->sgh, destate, flags) == 1) {
         FileDisableStoringForTransaction(f, flags & (STREAM_TOCLIENT | STREAM_TOSERVER), tx_id);
@@ -464,6 +465,8 @@ static void StoreStateTx(DetectEngineThreadCtx *det_ctx,
             SCLogDebug("destate created for %"PRIu64, tx_id);
         }
 
+        SCLogDebug("file_no_match %u", file_no_match);
+
         if (check_before_add == 0 || DeStateSearchState(destate, flags, s->num) == 0)
             DeStateSignatureAppend(destate, s, inspect_flags, flags);
         DeStateStoreStateVersion(f, alversion, flags);
@@ -485,6 +488,8 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
     int alert_cnt = 0;
     int check_before_add = 0;
 
+    SCLogDebug("rule %u", s->id);
+
     FLOWLOCK_WRLOCK(f);
     /* TX based matches (inspect engines) */
     if (AppLayerParserProtocolSupportsTxs(f->proto, alproto)) {
@@ -516,18 +521,24 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
         for (; tx_id < total_txs; tx_id++) {
             int total_matches = 0;
             void *tx = AppLayerParserGetTx(f->proto, alproto, alstate, tx_id);
+            SCLogDebug("tx %p", tx);
             if (tx == NULL)
                 continue;
             det_ctx->tx_id = tx_id;
             det_ctx->tx_id_set = 1;
+
             DetectEngineAppInspectionEngine *engine = app_inspection_engine[f->protomap][alproto][direction];
+            SCLogDebug("engine %p", engine);
             inspect_flags = 0;
             while (engine != NULL) {
+                SCLogDebug("engine %p", engine);
+                SCLogDebug("inspect_flags %x", inspect_flags);
                 if (s->sm_lists[engine->sm_list] != NULL) {
                     KEYWORD_PROFILING_SET_LIST(det_ctx, engine->sm_list);
                     int match = engine->Callback(tv, de_ctx, det_ctx, s, f,
                                              flags, alstate,
                                              tx, tx_id);
+                    SCLogDebug("engine %p match %d", engine, match);
                     if (match == DETECT_ENGINE_INSPECT_SIG_MATCH) {
                         inspect_flags |= engine->inspect_flags;
                         engine = engine->next;
@@ -545,6 +556,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
                 }
                 engine = engine->next;
             }
+            SCLogDebug("inspect_flags %x", inspect_flags);
             /* all the engines seem to be exhausted at this point.  If we
              * didn't have a match in one of the engines we would have
              * broken off and engine wouldn't be NULL.  Hence the alert. */
@@ -712,6 +724,8 @@ static int DoInspectItem(ThreadVars *tv,
 {
     Signature *s = de_ctx->sig_array[item->sid];
 
+    SCLogDebug("file_no_match %u, sid %u", *file_no_match, s->id);
+
     /* check if a sig in state 'full inspect' needs to be reconsidered
      * as the result of a new file in the existing tx */
     if (item->flags & DE_STATE_FLAG_FULL_INSPECT) {
@@ -719,6 +733,7 @@ static int DoInspectItem(ThreadVars *tv,
             if ((flags & STREAM_TOCLIENT) &&
                     (dir_state_flags & DETECT_ENGINE_STATE_FLAG_FILE_TC_NEW))
             {
+                SCLogDebug("~DE_STATE_FLAG_FILE_TC_INSPECT");
                 item->flags &= ~DE_STATE_FLAG_FILE_TC_INSPECT;
                 item->flags &= ~DE_STATE_FLAG_FULL_INSPECT;
                 item->flags &= ~DE_STATE_FLAG_SIG_CANT_MATCH;
@@ -727,6 +742,7 @@ static int DoInspectItem(ThreadVars *tv,
             if ((flags & STREAM_TOSERVER) &&
                     (dir_state_flags & DETECT_ENGINE_STATE_FLAG_FILE_TS_NEW))
             {
+                SCLogDebug("~DE_STATE_FLAG_FILE_TS_INSPECT");
                 item->flags &= ~DE_STATE_FLAG_FILE_TS_INSPECT;
                 item->flags &= ~DE_STATE_FLAG_FULL_INSPECT;
                 item->flags &= ~DE_STATE_FLAG_SIG_CANT_MATCH;
@@ -736,7 +752,7 @@ static int DoInspectItem(ThreadVars *tv,
         if (item->flags & DE_STATE_FLAG_FULL_INSPECT) {
             if (TxIsLast(inspect_tx_id, total_txs) || inprogress || next_tx_no_progress) {
                 det_ctx->de_state_sig_array[item->sid] = DE_STATE_MATCH_NO_NEW_STATE;
-                SCLogDebug("skip and bypass: tx %u packet %u", (uint)inspect_tx_id, (uint)p->pcap_cnt);
+                SCLogDebug("skip and bypass %u: tx %u packet %u", s->id, (uint)inspect_tx_id, (uint)p->pcap_cnt);
             } else {
                 SCLogDebug("just skip: tx %u packet %u", (uint)inspect_tx_id, (uint)p->pcap_cnt);
 
@@ -758,17 +774,23 @@ static int DoInspectItem(ThreadVars *tv,
 
     /* check if a sig in state 'cant match' needs to be reconsidered
      * as the result of a new file in the existing tx */
+    SCLogDebug("item->flags %x", item->flags);
     if (item->flags & DE_STATE_FLAG_SIG_CANT_MATCH) {
+        SCLogDebug("DE_STATE_FLAG_SIG_CANT_MATCH");
+
         if ((flags & STREAM_TOSERVER) &&
                 (item->flags & DE_STATE_FLAG_FILE_TS_INSPECT) &&
                 (dir_state_flags & DETECT_ENGINE_STATE_FLAG_FILE_TS_NEW))
         {
+            SCLogDebug("unset ~DE_STATE_FLAG_FILE_TS_INSPECT ~DE_STATE_FLAG_SIG_CANT_MATCH");
             item->flags &= ~DE_STATE_FLAG_FILE_TS_INSPECT;
             item->flags &= ~DE_STATE_FLAG_SIG_CANT_MATCH;
+
         } else if ((flags & STREAM_TOCLIENT) &&
                 (item->flags & DE_STATE_FLAG_FILE_TC_INSPECT) &&
                 (dir_state_flags & DETECT_ENGINE_STATE_FLAG_FILE_TC_NEW))
         {
+            SCLogDebug("unset ~DE_STATE_FLAG_FILE_TC_INSPECT ~DE_STATE_FLAG_SIG_CANT_MATCH");
             item->flags &= ~DE_STATE_FLAG_FILE_TC_INSPECT;
             item->flags &= ~DE_STATE_FLAG_SIG_CANT_MATCH;
         } else {
@@ -821,6 +843,7 @@ static int DoInspectItem(ThreadVars *tv,
         if (!(item->flags & engine->inspect_flags) &&
                 s->sm_lists[engine->sm_list] != NULL)
         {
+            SCLogDebug("inspect_flags %x", inspect_flags);
             KEYWORD_PROFILING_SET_LIST(det_ctx, engine->sm_list);
             int match = engine->Callback(tv, de_ctx, det_ctx, s, f,
                     flags, alstate, inspect_tx, inspect_tx_id);
@@ -841,6 +864,7 @@ static int DoInspectItem(ThreadVars *tv,
         }
         engine = engine->next;
     }
+    SCLogDebug("inspect_flags %x", inspect_flags);
     if (total_matches > 0 && (engine == NULL || inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH)) {
         if (engine == NULL)
             alert = 1;
@@ -1025,6 +1049,8 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
                 DetectEngineStateDirection *tx_dir_state = &tx_de_state->dir_state[direction];
                 DeStateStore *tx_store = tx_dir_state->head;
 
+                SCLogDebug("tx_dir_state->filestore_cnt %u", tx_dir_state->filestore_cnt);
+
                 /* see if we need to consider the next tx in our decision to add
                  * a sig to the 'no inspect array'. */
                 if (!TxIsLast(inspect_tx_id, total_txs)) {
-- 
2.47.2