suricata
detect-dns-response.c
Go to the documentation of this file.
1/* Copyright (C) 2025 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * Detect keyword for DNS response: dns.response.rrname
22 */
23
24#include "detect.h"
25#include "detect-parse.h"
26#include "detect-engine.h"
27#include "detect-engine-buffer.h"
28#include "detect-engine-mpm.h"
29#include "detect-engine-prefilter.h"
30#include "detect-engine-content-inspection.h"
31#include "detect-engine-helper.h"
32#include "detect-dns-response.h"
33#include "util-profiling.h"
34#include "rust.h"
35
36static int detect_buffer_id = 0;
37static int mdns_detect_buffer_id = 0;
38
44
54
55struct DnsResponseGetDataArgs {
56 enum DnsResponseSection response_section; /**< query, answer, authority, additional */
57 uint32_t response_id; /**< index into response resource records */
58 uint32_t local_id; /**< used as index into thread inspect array */
59};
60
61static int DetectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
62{
63 if (SCDetectBufferSetActiveList(de_ctx, s, detect_buffer_id) < 0) {
64 return -1;
65 }
66 if (SCDetectSignatureSetAppProto(s, ALPROTO_DNS) < 0) {
67 return -1;
68 }
69
70 return 0;
71}
72
73static int MdnsDetectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
74{
75 if (SCDetectBufferSetActiveList(de_ctx, s, mdns_detect_buffer_id) < 0) {
76 return -1;
77 }
78 if (SCDetectSignatureSetAppProto(s, ALPROTO_MDNS) < 0) {
79 return -1;
80 }
81
82 return 0;
83}
84
85static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx, uint8_t flags,
86 const DetectEngineTransforms *transforms, void *txv, struct DnsResponseGetDataArgs *cbdata,
87 int list_id, bool get_rdata)
88{
89 InspectionBuffer *buffer =
90 InspectionBufferMultipleForListGet(det_ctx, list_id, cbdata->local_id);
91 if (buffer == NULL) {
92 return NULL;
93 }
94 if (buffer->initialized) {
95 return buffer;
96 }
97
98 const uint8_t *data = NULL;
99 uint32_t data_len = 0;
100
101 if (get_rdata) {
102 /* Get rdata values that are formatted as resource names. */
103 switch (cbdata->response_section) {
104 case DNS_RESPONSE_ANSWER:
105 if (!SCDnsTxGetAnswerRdata(txv, cbdata->response_id, &data, &data_len)) {
106 InspectionBufferSetupMultiEmpty(buffer);
107 return NULL;
108 }
109 break;
110 case DNS_RESPONSE_AUTHORITY:
111 if (!SCDnsTxGetAuthorityRdata(txv, cbdata->response_id, &data, &data_len)) {
112 InspectionBufferSetupMultiEmpty(buffer);
113 return NULL;
114 }
115 break;
116 case DNS_RESPONSE_ADDITIONAL:
117 if (!SCDnsTxGetAdditionalRdata(txv, cbdata->response_id, &data, &data_len)) {
118 InspectionBufferSetupMultiEmpty(buffer);
119 return NULL;
120 }
121 break;
122 default:
123 InspectionBufferSetupMultiEmpty(buffer);
124 return NULL;
125 }
126 } else {
127 /* Get name values. */
128 switch (cbdata->response_section) {
129 case DNS_RESPONSE_QUERY:
130 if (!SCDnsTxGetQueryName(
131 det_ctx, txv, STREAM_TOCLIENT, cbdata->response_id, &data, &data_len)) {
132 InspectionBufferSetupMultiEmpty(buffer);
133 return NULL;
134 }
135 break;
136 case DNS_RESPONSE_ANSWER:
137 if (!SCDnsTxGetAnswerName(
138 det_ctx, txv, STREAM_TOCLIENT, cbdata->response_id, &data, &data_len)) {
139 InspectionBufferSetupMultiEmpty(buffer);
140 return NULL;
141 }
142 break;
143 case DNS_RESPONSE_AUTHORITY:
144 if (!SCDnsTxGetAuthorityName(
145 det_ctx, txv, 0, cbdata->response_id, &data, &data_len)) {
146 InspectionBufferSetupMultiEmpty(buffer);
147 return NULL;
148 }
149 break;
150 case DNS_RESPONSE_ADDITIONAL:
151 if (!SCDnsTxGetAdditionalName(
152 det_ctx, txv, 0, cbdata->response_id, &data, &data_len)) {
153 InspectionBufferSetupMultiEmpty(buffer);
154 return NULL;
155 }
156 break;
157 default:
158 InspectionBufferSetupMultiEmpty(buffer);
159 return NULL;
160 }
161 }
162
163 InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len);
164 buffer->flags = DETECT_CI_FLAGS_SINGLE;
165 return buffer;
166}
167
168static inline uint8_t CheckSectionRecords(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
169 const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
170 uint8_t flags, void *txv, const DetectEngineTransforms *transforms, uint32_t *local_id,
171 enum DnsResponseSection section)
172{
173 uint32_t response_id = 0;
174
175 /* loop through each record in DNS response section inspecting "name" and "rdata" */
176 while (1) {
177 struct DnsResponseGetDataArgs cbdata = { section, response_id, *local_id };
178
179 /* do inspection for resource record "name" */
180 InspectionBuffer *buffer =
181 GetBuffer(det_ctx, flags, transforms, txv, &cbdata, engine->sm_list, false);
182 if (buffer == NULL || buffer->inspect == NULL) {
183 (*local_id)++;
184 break;
185 }
186
187 if (DetectEngineContentInspectionBuffer(de_ctx, det_ctx, s, engine->smd, NULL, f, buffer,
188 DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE)) {
189 return DETECT_ENGINE_INSPECT_SIG_MATCH;
190 }
191
192 (*local_id)++;
193 if (section == DNS_RESPONSE_QUERY) {
194 /* no rdata to inspect for query section, move on to next record */
195 response_id++;
196 continue;
197 }
198
199 /* do inspection for resource record "rdata" */
200 cbdata.local_id = *local_id;
201 buffer = GetBuffer(det_ctx, flags, transforms, txv, &cbdata, engine->sm_list, true);
202 if (buffer == NULL || buffer->inspect == NULL) {
203 (*local_id)++;
204 response_id++;
205 continue;
206 }
207
208 if (DetectEngineContentInspectionBuffer(de_ctx, det_ctx, s, engine->smd, NULL, f, buffer,
209 DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE)) {
210 return DETECT_ENGINE_INSPECT_SIG_MATCH;
211 }
212 (*local_id)++;
213 response_id++;
214 }
215 return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
216}
217
218static inline void CheckSectionRecordsPrefilter(DetectEngineThreadCtx *det_ctx, const void *pectx,
219 void *txv, const uint8_t flags, uint32_t *local_id, enum DnsResponseSection section)
220{
221 const PrefilterMpm *ctx = (const PrefilterMpm *)pectx;
222 const MpmCtx *mpm_ctx = ctx->mpm_ctx;
223 const int list_id = ctx->list_id;
224 uint32_t response_id = 0;
225
226 while (1) {
227 struct DnsResponseGetDataArgs cbdata = { section, response_id, *local_id };
228
229 /* extract resource record "name" */
230 InspectionBuffer *buffer =
231 GetBuffer(det_ctx, flags, ctx->transforms, txv, &cbdata, list_id, false);
232 if (buffer == NULL) {
233 (*local_id)++;
234 break;
235 }
236
237 if (buffer->inspect_len >= mpm_ctx->minlen) {
238 (void)mpm_table[mpm_ctx->mpm_type].Search(
239 mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, buffer->inspect, buffer->inspect_len);
240 PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
241 }
242
243 (*local_id)++;
244 if (section == DNS_RESPONSE_QUERY) {
245 /* no rdata to inspect for query section, move on to next name entry */
246 response_id++;
247 continue;
248 }
249
250 /* extract resource record "rdata" */
251 cbdata.local_id = *local_id;
252 buffer = GetBuffer(det_ctx, flags, ctx->transforms, txv, &cbdata, list_id, true);
253 if (buffer == NULL) {
254 (*local_id)++;
255 response_id++;
256 continue;
257 }
258
259 if (buffer->inspect_len >= mpm_ctx->minlen) {
260 (void)mpm_table[mpm_ctx->mpm_type].Search(
261 mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, buffer->inspect, buffer->inspect_len);
262 PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
263 }
264 (*local_id)++;
265 response_id++;
266 }
267}
268
269static uint8_t DetectEngineInspectCb(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
270 const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
271 uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
272{
273 const DetectEngineTransforms *transforms = NULL;
274 if (!engine->mpm) {
275 transforms = engine->v2.transforms;
276 }
277
278 uint32_t local_id = 0;
279 uint8_t ret_match = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
280
281 /* loop through each possible DNS response section */
282 for (enum DnsResponseSection section = DNS_RESPONSE_QUERY;
283 section < DNS_RESPONSE_MAX && ret_match == DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
284 section++) {
285
286 /* check each record in section inspecting "name" and "rdata" */
287 ret_match = CheckSectionRecords(
288 de_ctx, det_ctx, engine, s, f, flags, txv, transforms, &local_id, section);
289 }
290 return ret_match;
291}
292
293static void DetectDnsResponsePrefilterTx(DetectEngineThreadCtx *det_ctx, const void *pectx,
294 Packet *p, Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd,
295 const uint8_t flags)
296{
297 SCEnter();
298
299 uint32_t local_id = 0;
300 /* loop through each possible DNS response section */
301 for (enum DnsResponseSection section = DNS_RESPONSE_QUERY; section < DNS_RESPONSE_MAX;
302 section++) {
303 /* check each record in section inspecting "name" and "rdata" */
304 CheckSectionRecordsPrefilter(det_ctx, pectx, txv, flags, &local_id, section);
305 }
306}
307
308static void DetectDnsResponsePrefilterMpmFree(void *ptr)
309{
310 SCFree(ptr);
311}
312
313static int DetectDnsResponsePrefilterMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
314 MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
315{
316 PrefilterMpm *pectx = SCCalloc(1, sizeof(*pectx));
317 if (pectx == NULL) {
318 return -1;
319 }
320 pectx->list_id = list_id;
321 pectx->mpm_ctx = mpm_ctx;
322 pectx->transforms = &mpm_reg->transforms;
323
324 return PrefilterAppendTxEngine(de_ctx, sgh, DetectDnsResponsePrefilterTx,
325 mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress, pectx,
326 DetectDnsResponsePrefilterMpmFree, mpm_reg->pname);
327}
328
329static void SCDetectMdnsResponseRrnameRegister(void)
330{
331 static const char *keyword = "mdns.response.rrname";
332 int keyword_id = SCDetectHelperNewKeywordId();
333 sigmatch_table[keyword_id].name = keyword;
334 sigmatch_table[keyword_id].desc = "mDNS response rrname buffer";
335 sigmatch_table[keyword_id].url = "/rules/mdns-keywords.html#mdns-response-rrname";
336 sigmatch_table[keyword_id].Setup = MdnsDetectSetup;
337 sigmatch_table[keyword_id].flags |= SIGMATCH_NOOPT;
338 sigmatch_table[keyword_id].flags |= SIGMATCH_INFO_STICKY_BUFFER;
339
340 /* Register in the TO_SERVER direction, as all mDNS is toserver. */
341 DetectAppLayerInspectEngineRegister(
342 keyword, ALPROTO_MDNS, SIG_FLAG_TOSERVER, 1, DetectEngineInspectCb, NULL);
343 DetectAppLayerMpmRegister(keyword, SIG_FLAG_TOSERVER, 2, DetectDnsResponsePrefilterMpmRegister,
344 NULL, ALPROTO_MDNS, 1);
345
346 DetectBufferTypeSetDescriptionByName(keyword, "mdns response rdata");
347 DetectBufferTypeSupportsMultiInstance(keyword);
348
349 mdns_detect_buffer_id = DetectBufferTypeGetByName(keyword);
350}
351
352void DetectDnsResponseRegister(void)
353{
354 static const char *keyword = "dns.response.rrname";
355 sigmatch_table[DETECT_DNS_RESPONSE].name = keyword;
356 sigmatch_table[DETECT_DNS_RESPONSE].desc = "DNS response sticky buffer";
357 sigmatch_table[DETECT_DNS_RESPONSE].url = "/rules/dns-keywords.html#dns-response-rrname";
358 sigmatch_table[DETECT_DNS_RESPONSE].Setup = DetectSetup;
359 sigmatch_table[DETECT_DNS_RESPONSE].flags |= SIGMATCH_NOOPT;
360 sigmatch_table[DETECT_DNS_RESPONSE].flags |= SIGMATCH_INFO_STICKY_BUFFER;
361
362 /* Register in the TO_CLIENT direction. */
363 DetectAppLayerInspectEngineRegister(
364 keyword, ALPROTO_DNS, SIG_FLAG_TOCLIENT, 1, DetectEngineInspectCb, NULL);
365 DetectAppLayerMpmRegister(keyword, SIG_FLAG_TOCLIENT, 2, DetectDnsResponsePrefilterMpmRegister,
366 NULL, ALPROTO_DNS, 1);
367
368 DetectBufferTypeSetDescriptionByName(keyword, "dns response rrname");
369 DetectBufferTypeSupportsMultiInstance(keyword);
370
371 detect_buffer_id = DetectBufferTypeGetByName(keyword);
372
373 SCDetectMdnsResponseRrnameRegister();
374}
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition app-layer-parser.h:42
ALPROTO_MDNS
@ ALPROTO_MDNS
Definition app-layer-protos.h:72
ALPROTO_DNS
@ ALPROTO_DNS
Definition app-layer-protos.h:47
flags
uint8_t flags
Definition decode-gre.h:0
DetectDnsResponseRegister
void DetectDnsResponseRegister(void)
Definition detect-dns-response.c:352
DnsResponseSection
DnsResponseSection
Definition detect-dns-response.c:45
DNS_RESPONSE_MAX
@ DNS_RESPONSE_MAX
Definition detect-dns-response.c:52
DNS_RESPONSE_ADDITIONAL
@ DNS_RESPONSE_ADDITIONAL
Definition detect-dns-response.c:49
DNS_RESPONSE_ANSWER
@ DNS_RESPONSE_ANSWER
Definition detect-dns-response.c:47
DNS_RESPONSE_AUTHORITY
@ DNS_RESPONSE_AUTHORITY
Definition detect-dns-response.c:48
DNS_RESPONSE_QUERY
@ DNS_RESPONSE_QUERY
Definition detect-dns-response.c:46
SCDetectBufferSetActiveList
int SCDetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition detect-engine-buffer.c:29
DetectEngineContentInspectionBuffer
bool DetectEngineContentInspectionBuffer(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const InspectionBuffer *b, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
Definition detect-engine-content-inspection.c:773
detect-engine-content-inspection.h
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition detect-engine-content-inspection.h:36
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition detect-engine-content-inspection.h:49
SCDetectHelperNewKeywordId
int SCDetectHelperNewKeywordId(void)
Definition detect-engine-helper.c:86
InspectionBufferSetupMultiEmpty
void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer)
setup the buffer empty
Definition detect-engine-inspect-buffer.c:144
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition detect-engine-inspect-buffer.c:76
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition detect-engine-inspect-buffer.c:157
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register an app layer keyword for mpm
Definition detect-engine-mpm.c:152
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition detect-engine-prefilter.c:352
DETECT_DNS_RESPONSE
@ DETECT_DNS_RESPONSE
Definition detect-engine-register.h:246
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition detect-engine-state.h:38
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition detect-engine-state.h:37
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition detect-engine.c:1374
DetectBufferTypeSupportsMultiInstance
void DetectBufferTypeSupportsMultiInstance(const char *name)
Definition detect-engine.c:1227
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition detect-engine.c:272
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition detect-engine.c:1277
SCDetectSignatureSetAppProto
int SCDetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition detect-parse.c:2229
sigmatch_table
SigTableElmt * sigmatch_table
Definition detect-parse.c:79
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition detect.h:1651
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition detect.h:272
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition detect.h:1676
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition detect.h:271
de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18
ctx
struct Thresholds ctx
DetectBufferMpmRegistry_
one time registration of keywords at start up
Definition detect.h:762
DetectBufferMpmRegistry_::pname
char pname[32]
Definition detect.h:764
DetectBufferMpmRegistry_::transforms
DetectEngineTransforms transforms
Definition detect.h:775
DetectBufferMpmRegistry_::app_v2
struct DetectBufferMpmRegistry_::@98::@100 app_v2
DetectBufferMpmRegistry_::alproto
AppProto alproto
Definition detect.h:785
DetectBufferMpmRegistry_::tx_min_progress
int tx_min_progress
Definition detect.h:786
DetectEngineAppInspectionEngine_
Definition detect.h:416
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition detect.h:436
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition detect.h:420
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition detect.h:424
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition detect.h:439
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@90 v2
DetectEngineCtx_
main detection engine ctx
Definition detect.h:932
DetectEngineThreadCtx_
Definition detect.h:1244
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition detect.h:1345
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition detect.h:1349
DnsResponseGetDataArgs::response_section
enum DnsResponseSection response_section
Definition detect-dns-response.c:56
Flow_
Flow data structure.
Definition flow.h:356
MpmCtx_
Definition util-mpm.h:93
MpmCtx_::mpm_type
uint8_t mpm_type
Definition util-mpm.h:95
MpmCtx_::minlen
uint16_t minlen
Definition util-mpm.h:104
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition util-mpm.h:178
Packet_
Definition decode.h:501
PrefilterMpm::transforms
const DetectEngineTransforms * transforms
Definition detect-dns-response.c:42
PrefilterMpm::mpm_ctx
const MpmCtx * mpm_ctx
Definition detect-dns-response.c:41
SigGroupHead_
Container for matching data for a signature group.
Definition detect.h:1629
SigTableElmt_::url
const char * url
Definition detect.h:1462
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition detect.h:1441
SigTableElmt_::flags
uint16_t flags
Definition detect.h:1450
SigTableElmt_::desc
const char * desc
Definition detect.h:1461
SigTableElmt_::name
const char * name
Definition detect.h:1459
Signature_
Signature container.
Definition detect.h:668
str
#define str(s)
Definition suricata-common.h:308
SCEnter
#define SCEnter(...)
Definition util-debug.h:277
SCFree
#define SCFree(p)
Definition util-mem.h:61
SCCalloc
#define SCCalloc(nm, sz)
Definition util-mem.h:53
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition util-mpm.c:47
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition util-profiling.h:286