suricata
detect-app-layer-event.c
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "decode.h"
27 
28 #include "app-layer.h"
29 #include "app-layer-protos.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-smtp.h"
32 #include "detect.h"
33 #include "detect-parse.h"
34 #include "detect-engine.h"
35 #include "detect-engine-state.h"
36 #include "detect-engine-build.h"
37 #include "detect-app-layer-event.h"
38 
39 #include "flow.h"
40 #include "flow-var.h"
41 #include "flow-util.h"
42 
43 #include "decode-events.h"
44 #include "util-byte.h"
45 #include "util-debug.h"
46 #include "util-enum.h"
47 #include "util-profiling.h"
48 #include "util-unittest.h"
49 #include "util-unittest-helper.h"
50 #include "stream-tcp-util.h"
51 
52 #define MAX_ALPROTO_NAME 50
53 
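/**
 * Per-keyword context for one "app-layer-event" instance.
 *
 * Built in two steps: DetectAppLayerEventParseAppP1() resolves the protocol
 * part of the argument and keeps a copy of the raw argument, and
 * DetectAppLayerEventParseAppP2() resolves the event name to an id once the
 * signature's IP protocol is known (packet events are resolved in one step
 * by DetectAppLayerEventParsePkt()).
 *
 * NOTE(review): the rendered listing dropped three member lines (alproto,
 * needs_detctx and the closing typedef name). They are restored here from
 * the members the rest of this file dereferences (aled->alproto,
 * data->needs_detctx) and the DetectAppLayerEventData type name it uses.
 */
typedef struct DetectAppLayerEventData_ {
    AppProto alproto;
    uint8_t event_id;

    /* true when the event belongs to the detect engine itself (the "file"
     * pseudo-protocol) rather than to an app-layer parser; P2 then asks
     * DetectEngineGetEventInfo() instead of AppLayerParserGetEventInfo() */
    bool needs_detctx;

    /* raw keyword argument, strdup'd; released by DetectAppLayerEventFree() */
    char *arg;
} DetectAppLayerEventData;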
/* Keyword callbacks; wired into sigmatch_table by the register function below. */
static int DetectAppLayerEventPktMatch(DetectEngineThreadCtx *det_ctx,
        Packet *p, const Signature *s, const SigMatchCtx *ctx);
static int DetectAppLayerEventSetupP1(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectAppLayerEventRegisterTests(void);
#endif
static void DetectAppLayerEventFree(DetectEngineCtx *, void *);
/* Transaction-level inspection engine used for application events. */
static uint8_t DetectEngineAptEventInspect(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
        const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
        uint8_t flags, void *alstate, void *tx, uint64_t tx_id);
/* Id of the "app-layer-events" SigMatch list; resolved once at register time. */
static int g_applayer_events_list_id = 0;
75 
/**
 * \brief Registers the keyword handlers for the "app-layer-event" keyword.
 *
 * Fills the sigmatch_table slot for DETECT_AL_APP_LAYER_EVENT, registers the
 * transaction inspection engine for both directions and caches the id of the
 * "app-layer-events" list in g_applayer_events_list_id.
 */
/* NOTE(review): original line 79, the function signature, is not in this
 * rendering (the page's symbol listing names it
 * void DetectAppLayerEventRegister(void)). */
{
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].name = "app-layer-event";
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].desc = "match on events generated by the App Layer Parsers and the protocol detection engine";
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].url = "/rules/app-layer.html#app-layer-event";
    /* NOTE(review): original line 84, the left-hand side of this assignment, is not in this rendering */
        DetectAppLayerEventPktMatch;
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Setup = DetectAppLayerEventSetupP1;
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Free = DetectAppLayerEventFree;
#ifdef UNITTESTS
    /* NOTE(review): original line 89, the left-hand side of this assignment, is not in this rendering */
        DetectAppLayerEventRegisterTests;
#endif

    /* NOTE(review): original lines 93 and 95, the opening of the two
     * inspection-engine registration calls, are not in this rendering */
        DetectEngineAptEventInspect, NULL);
        DetectEngineAptEventInspect, NULL);

    g_applayer_events_list_id = DetectBufferTypeGetByName("app-layer-events");
}
100 
/**
 * Inspection engine for application events: matches when every
 * "app-layer-event" SigMatch of the engine's list is set on the transaction.
 *
 * \param f      flow owning the transaction; f->proto and f->alproto select
 *               the parser whose events are read
 * \param flags  direction flags, passed to AppLayerParserGetStateProgress()
 * \param tx     transaction whose decoder events are inspected
 * \return one of the detect-engine inspection result codes (the return
 *         statements are missing from this rendering, see the notes below)
 */
static uint8_t DetectEngineAptEventInspect(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
        const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
        uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
{
    int r = 0;
    const AppProto alproto = f->alproto;
    AppLayerDecoderEvents *decoder_events =
        AppLayerParserGetEventsByTx(f->proto, alproto, tx);
    /* no events on this tx at all: fall through to the no-match handling */
    if (decoder_events == NULL)
        goto end;

    /* walk the SigMatchData array; every entry must be an event that is set.
     * The first unset event ends the walk with r == 0. */
    SigMatchData *smd = engine->smd;
    while (1) {
        /* NOTE(review): original lines 114 and 115 are not in this rendering;
         * `aled` used below is derived from smd->ctx there (not visible) */

        if (AppLayerDecoderEventsIsEventSet(decoder_events, aled->event_id)) {
            KEYWORD_PROFILING_END(det_ctx, smd->type, 1);

            if (smd->is_last)
                break;
            smd++;
            continue;
        }

        KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
        goto end;
    }

    /* only reached when every entry up to is_last matched */
    r = 1;

 end:
    if (r == 1) {
        /* NOTE(review): original line 134 (presumably the match return) is not in this rendering */
    } else {
        /* no match: the result depends on whether the tx can still progress
         * in this direction, which decides whether it can match later */
        if (AppLayerParserGetStateProgress(f->proto, alproto, tx, flags) ==
            /* NOTE(review): original line 137, the completion-status operand, is not in this rendering */
        {
            /* NOTE(review): original line 139 (presumably a return) is not in this rendering */
        } else {
            /* NOTE(review): original line 141 (presumably a return) is not in this rendering */
        }
    }
}
145 
146 
/**
 * Packet-level Match callback for "app-layer-event".
 *
 * Used for APP_LAYER_EVENT_TYPE_PACKET events: the id stored in the keyword
 * context is looked up in the packet's own decoder-event list rather than in
 * a transaction.
 *
 * \param det_ctx  unused
 * \param p        packet whose app_layer_events are consulted
 * \param s        unused
 * \param ctx      the DetectAppLayerEventData attached by the Setup callback
 * \return the result of AppLayerDecoderEventsIsEventSet() for the stored id
 */
static int DetectAppLayerEventPktMatch(DetectEngineThreadCtx *det_ctx,
        Packet *p, const Signature *s, const SigMatchCtx *ctx)
{
    const uint8_t wanted_id = ((const DetectAppLayerEventData *)ctx)->event_id;
    return AppLayerDecoderEventsIsEventSet(p->app_layer_events, wanted_id);
}
155 
/**
 * Parse a packet-level event name (an argument without a '.').
 *
 * \param arg         event name with leading whitespace already skipped
 * \param event_type  out: set to APP_LAYER_EVENT_TYPE_PACKET on success
 * \return newly allocated context owned by the caller, or NULL when the
 *         name is unknown or allocation fails
 */
static DetectAppLayerEventData *DetectAppLayerEventParsePkt(const char *arg,
        AppLayerEventType *event_type)
{
    int event_id = 0;
    int r = AppLayerGetPktEventInfo(arg, &event_id);
    /* NOTE(review): the UINT8_MAX bound is applied to the return code r, not
     * to event_id, which is what gets narrowed to uint8_t below. Confirm
     * against AppLayerGetPktEventInfo()'s contract whether ids can exceed
     * UINT8_MAX; if so the check should be on event_id. */
    if (r < 0 || r > UINT8_MAX) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword "
                "supplied with packet based event - \"%s\" that isn't "
                "supported yet.", arg);
        return NULL;
    }

    /* NOTE(review): original line 168, the allocation of `aled`, is not in this rendering */
    if (unlikely(aled == NULL))
        return NULL;
    aled->event_id = (uint8_t)event_id;
    *event_type = APP_LAYER_EVENT_TYPE_PACKET;

    return aled;
}
176 
/**
 * Tell whether \a raw names one of the retired TLS certificate events, so the
 * caller can reject the signature (or only warn, depending on strict mode).
 *
 * \param raw  the "proto.event" argument exactly as written in the rule
 * \retval true for the three retired tls.certificate_* events
 * \retval false for anything else
 */
static bool OutdatedEvent(const char *raw)
{
    static const char *const retired_events[] = {
        "tls.certificate_missing_element",
        "tls.certificate_unknown_element",
        "tls.certificate_invalid_string",
    };
    const size_t count = sizeof(retired_events) / sizeof(retired_events[0]);

    for (size_t i = 0; i < count; i++) {
        if (strcmp(raw, retired_events[i]) == 0)
            return true;
    }
    return false;
}
186 
/** Second parsing step for an application event: resolve the event name to
 *  an id for the signature's IP protocol and store it in data->event_id.
 *
 * \param data              context built by DetectAppLayerEventParseAppP1();
 *                          data->arg must contain a '.' (the caller only
 *                          routes dotted arguments here)
 * \param ipproto_bitarray  the signature's IP protocol bit array; only TCP
 *                          and UDP are accepted
 * \param event_type        out: event type reported by the lookup
 *
 * \retval int 0 ok
 * \retval int -1 error
 * \retval int -3 non-fatal error: sig will be rejected w/o raising error
 * \retval int -4 event id does not fit in uint8_t: sig rejected with a warning
 */
static int DetectAppLayerEventParseAppP2(DetectAppLayerEventData *data,
        uint8_t *ipproto_bitarray,
        AppLayerEventType *event_type)
{
    int event_id = 0;
    uint8_t ipproto;
    char alproto_name[MAX_ALPROTO_NAME];
    int r = 0;

    /* retired events: fatal in strict mode, otherwise a warning plus -3 */
    if (OutdatedEvent(data->arg)) {
        /* NOTE(review): original lines 201 and 202, the strict-mode condition
         * and the start of the error log call, are not in this rendering */
                    "app-layer-event keyword no longer supports event \"%s\"", data->arg);
            return -1;
        } else {
            /* NOTE(review): original line 206, the start of the warning log call, is not in this rendering */
                    "app-layer-event keyword no longer supports event \"%s\"", data->arg);
            return -3;
        }
    }

    /* the protocol name is everything before the '.'; bounding the whole
     * argument to MAX_ALPROTO_NAME keeps the strlcpy size below within
     * sizeof(alproto_name) */
    const char *p_idx = strchr(data->arg, '.');
    if (strlen(data->arg) > MAX_ALPROTO_NAME) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword is too long or malformed");
        return -1;
    }
    /* size = name length + 1 for the trailing NUL */
    strlcpy(alproto_name, data->arg, p_idx - data->arg + 1);

    /* NOTE(review): the "is disabled" message below is emitted when the
     * signature's IP protocol is neither TCP nor UDP, not when the app-layer
     * protocol is disabled in the config */
    if (ipproto_bitarray[IPPROTO_TCP / 8] & 1 << (IPPROTO_TCP % 8)) {
        ipproto = IPPROTO_TCP;
    } else if (ipproto_bitarray[IPPROTO_UDP / 8] & 1 << (IPPROTO_UDP % 8)) {
        ipproto = IPPROTO_UDP;
    } else {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "protocol %s is disabled", alproto_name);
        return -1;
    }

    /* "file" events live in the detect engine, all others in the parser
     * registered for (ipproto, alproto) */
    if (!data->needs_detctx) {
        r = AppLayerParserGetEventInfo(ipproto, data->alproto,
                p_idx + 1, &event_id, event_type);
    } else {
        r = DetectEngineGetEventInfo(p_idx + 1, &event_id, event_type);
    }
    if (r < 0) {
        /* NOTE(review): original line 235, the strict-mode condition, is not in this rendering */
            SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword's "
                    "protocol \"%s\" doesn't have event \"%s\" registered",
                    alproto_name, p_idx + 1);
            return -1;
        } else {
            SCLogWarning(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword's "
                    "protocol \"%s\" doesn't have event \"%s\" registered",
                    alproto_name, p_idx + 1);
            return -3;
        }
    }
    /* event_id is stored as uint8_t; reject anything the cast would truncate */
    if (event_id > UINT8_MAX) {
        SCLogWarning(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword's id has invalid value");
        return -4;
    }
    data->event_id = (uint8_t)event_id;

    return 0;
}
255 
/**
 * Resolve a rule's protocol name to an AppProto, mapping the generic "http"
 * onto ALPROTO_HTTP1 because app-layer events are registered for HTTP/1.
 *
 * \param alproto_name  NUL-terminated protocol name (non-const because
 *                      AppLayerGetProtoByName() takes a char *)
 * \return the resolved AppProto, with ALPROTO_HTTP replaced by ALPROTO_HTTP1
 */
static AppProto AppLayerEventGetProtoByName(char *alproto_name)
{
    const AppProto resolved = AppLayerGetProtoByName(alproto_name);
    // app-layer events http refer to http1
    return (resolved == ALPROTO_HTTP) ? ALPROTO_HTTP1 : resolved;
}
265 
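/**
 * First parsing step for an application event ("proto.event").
 *
 * Resolves the protocol part of \a arg and keeps a copy of the raw argument;
 * the event part is resolved later by DetectAppLayerEventParseAppP2(), once
 * the signature's IP protocol is known. The special name "file" has no
 * AppProto and marks the context as a detect-engine event instead.
 *
 * \param arg  keyword argument with leading whitespace already skipped
 * \return newly allocated context, owned by the caller and released with
 *         DetectAppLayerEventFree(); NULL on a malformed or unknown protocol
 *         or on allocation failure (an error is logged for the former)
 */
static DetectAppLayerEventData *DetectAppLayerEventParseAppP1(const char *arg)
{
    /* period index: the protocol name is everything before it */
    char alproto_name[MAX_ALPROTO_NAME];
    bool needs_detctx = false;

    /* The caller only routes dotted arguments here, but a missing '.' is
     * checked anyway so the pointer arithmetic below can never run on NULL.
     * Bounding the whole argument to MAX_ALPROTO_NAME keeps the strlcpy size
     * within sizeof(alproto_name). */
    const char *p_idx = strchr(arg, '.');
    if (p_idx == NULL || strlen(arg) > MAX_ALPROTO_NAME) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword is too long or malformed");
        return NULL;
    }
    /* + 1 for trailing \0 */
    strlcpy(alproto_name, arg, p_idx - arg + 1);

    const AppProto alproto = AppLayerEventGetProtoByName(alproto_name);
    if (alproto == ALPROTO_UNKNOWN) {
        /* "file" is not an app-layer protocol: its events are owned by the
         * detect engine, which P2 queries instead of a parser */
        if (!strcmp(alproto_name, "file")) {
            needs_detctx = true;
        } else {
            SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword "
                    "supplied with unknown protocol \"%s\"",
                    alproto_name);
            return NULL;
        }
    }

    DetectAppLayerEventData *aled = SCCalloc(1, sizeof(*aled));
    if (unlikely(aled == NULL))
        return NULL;
    aled->alproto = alproto;
    /* P2 re-parses the raw argument, so it has to outlive this call */
    aled->arg = SCStrdup(arg);
    if (aled->arg == NULL) {
        SCFree(aled);
        return NULL;
    }
    aled->needs_detctx = needs_detctx;

    return aled;
}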
305 
/**
 * Parse the "app-layer-event" argument and build its keyword context.
 *
 * Leading whitespace is skipped. An argument without a '.' is a packet event
 * (DetectAppLayerEventParsePkt()); "proto.event" is an application event whose
 * first parsing step is DetectAppLayerEventParseAppP1().
 *
 * \param arg         raw keyword argument; NULL is rejected with an error
 * \param event_type  out: reset to 0; the packet path sets it to
 *                    APP_LAYER_EVENT_TYPE_PACKET, the app path leaves it
 *                    untouched here
 * \return newly allocated context owned by the caller, or NULL on error
 */
static DetectAppLayerEventData *DetectAppLayerEventParse(const char *arg,
        AppLayerEventType *event_type)
{
    *event_type = 0;

    if (arg == NULL) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword supplied "
                "with no arguments. This keyword needs an argument.");
        return NULL;
    }

    const char *cursor = arg;
    while (*cursor != '\0' && isspace((unsigned char)*cursor))
        cursor++;

    const bool is_packet_event = (strchr(cursor, '.') == NULL);
    if (is_packet_event)
        return DetectAppLayerEventParsePkt(cursor, event_type);
    return DetectAppLayerEventParseAppP1(cursor);
}
326 
/**
 * Second setup step for an application event, run from
 * DetectAppLayerEventPrepare() once the signature's IP protocol is known.
 *
 * Resolves the event id through DetectAppLayerEventParseAppP2() and appends
 * \a sm to the "app-layer-events" list again. On failure \a sm (and the
 * context it owns) is freed here, because the caller has already unlinked it.
 *
 * \param de_ctx  detection engine context, forwarded to SigMatchFree()
 * \param s       signature being built; s->proto.proto supplies the IP protocols
 * \param sm      SigMatch whose ctx is a DetectAppLayerEventData
 * \retval 0 ok
 * \retval <0 the code returned by DetectAppLayerEventParseAppP2()
 */
static int DetectAppLayerEventSetupP2(DetectEngineCtx *de_ctx,
        Signature *s,
        SigMatch *sm)
{
    AppLayerEventType event_type = 0;
    DetectAppLayerEventData *aled = (DetectAppLayerEventData *)sm->ctx;

    const int rc = DetectAppLayerEventParseAppP2(aled, s->proto.proto, &event_type);
    if (rc < 0) {
        /* DetectAppLayerEventParseAppP2 prints errors */

        /* sm has been removed from lists by DetectAppLayerEventPrepare */
        SigMatchFree(de_ctx, sm);
        return rc;
    }

    SigMatchAppendSMToList(s, sm, g_applayer_events_list_id);
    /* We should have set this flag already in SetupP1 */
    s->flags |= SIG_FLAG_APPLAYER;
    return 0;
}
348 
/**
 * Setup callback for "app-layer-event".
 *
 * Packet events are handled by DetectAppLayerEventPktMatch(); application
 * events are appended to the "app-layer-events" list and completed by
 * DetectAppLayerEventSetupP2() from DetectAppLayerEventPrepare(), once the
 * signature's IP protocol is known.
 *
 * \param de_ctx  detection engine context, forwarded to the free helpers
 * \param s       signature being built
 * \param arg     raw keyword argument
 * \retval 0 ok
 * \retval -1 parse or allocation error (context and SigMatch released)
 */
static int DetectAppLayerEventSetupP1(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
    AppLayerEventType event_type;

    DetectAppLayerEventData *data = DetectAppLayerEventParse(arg, &event_type);
    if (data == NULL)
        SCReturnInt(-1);

    SigMatch *sm = SigMatchAlloc();
    if (sm == NULL)
        goto error;

    /* NOTE(review): original line 361 is not in this rendering */
    sm->ctx = (SigMatchCtx *)data;

    if (event_type == APP_LAYER_EVENT_TYPE_PACKET) {
        /* NOTE(review): original line 365, the packet-event handling, is not in this rendering */
    } else {
        if (DetectSignatureSetAppProto(s, data->alproto) != 0)
            goto error;

        SigMatchAppendSMToList(s, sm, g_applayer_events_list_id);
    }

    return 0;

error:
    if (data) {
        DetectAppLayerEventFree(de_ctx, data);
    }
    if (sm) {
        /* data was just freed: detach it so SigMatchFree cannot free it again */
        sm->ctx = NULL;
        SigMatchFree(de_ctx, sm);
    }
    return -1;
}
385 
/**
 * Free callback: releases a DetectAppLayerEventData and the argument copy
 * it owns.
 *
 * \param de_ctx  unused
 * \param ptr     DetectAppLayerEventData * built by the parse helpers
 */
static void DetectAppLayerEventFree(DetectEngineCtx *de_ctx, void *ptr)
{
    /* NOTE(review): original line 388, the declaration of `data` used below, is not in this rendering */
    if (data->arg != NULL)
        SCFree(data->arg);

    SCFree(ptr);

    return;
}
396 
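/**
 * Finish the setup of every "app-layer-event" SigMatch on \a s.
 *
 * Called once the signature's IP protocol is known. The "app-layer-events"
 * list is detached from the signature and each SigMatch is run through
 * DetectAppLayerEventSetupP2(), which resolves the event id and appends the
 * SigMatch to the list again. On the first failure the failing SigMatch has
 * already been freed by SetupP2; the entries not yet processed are freed
 * here so nothing leaks, and the error code is propagated.
 *
 * NOTE(review): the signature line of this function (original line 397) was
 * dropped from the rendered listing; it is restored here from the symbol
 * listing at the foot of this page.
 *
 * \param de_ctx  detection engine context, forwarded to the free helpers
 * \param s       signature under construction
 * \retval 0 ok
 * \retval <0 the error code returned by DetectAppLayerEventSetupP2()
 */
int DetectAppLayerEventPrepare(DetectEngineCtx *de_ctx, Signature *s)
{
    SigMatch *sm = s->init_data->smlists[g_applayer_events_list_id];
    SigMatch *smn;
    /* detach the whole list; SetupP2 re-appends each processed entry */
    s->init_data->smlists[g_applayer_events_list_id] = NULL;
    s->init_data->smlists_tail[g_applayer_events_list_id] = NULL;

    while (sm != NULL) {
        // save it for later use in loop
        smn = sm->next;
        /* these will be overwritten in SigMatchAppendSMToList
         * called by DetectAppLayerEventSetupP2
         */
        sm->next = sm->prev = NULL;
        int ret = DetectAppLayerEventSetupP2(de_ctx, s, sm);
        if (ret < 0) {
            // current one was freed, let's free the next ones
            sm = smn;
            while (sm) {
                smn = sm->next;
                SigMatchFree(de_ctx, sm);
                sm = smn;
            }
            return ret;
        }
        sm = smn;
    }

    return 0;
}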
427 
428 /**********************************Unittests***********************************/
429 
430 #ifdef UNITTESTS /* UNITTESTS */
431 #include "stream-tcp-private.h"
432 #include "stream-tcp-reassemble.h"
433 #include "stream-tcp.h"
434 
/* Event ids of the synthetic event map the tests below register as a
 * parser's event table; names are "event1".."event6". */
#define APP_LAYER_EVENT_TEST_MAP_EVENT1 0
#define APP_LAYER_EVENT_TEST_MAP_EVENT2 1
#define APP_LAYER_EVENT_TEST_MAP_EVENT3 2
#define APP_LAYER_EVENT_TEST_MAP_EVENT4 3
#define APP_LAYER_EVENT_TEST_MAP_EVENT5 4
#define APP_LAYER_EVENT_TEST_MAP_EVENT6 5

/* NOTE(review): original line 442, the declaration opening this initializer
 * (the array is referenced below as app_layer_event_test_map), is not in
 * this rendering */
    { "event1", APP_LAYER_EVENT_TEST_MAP_EVENT1 },
    { "event2", APP_LAYER_EVENT_TEST_MAP_EVENT2 },
    { "event3", APP_LAYER_EVENT_TEST_MAP_EVENT3 },
    { "event4", APP_LAYER_EVENT_TEST_MAP_EVENT4 },
    { "event5", APP_LAYER_EVENT_TEST_MAP_EVENT5 },
    { "event6", APP_LAYER_EVENT_TEST_MAP_EVENT6 },
};
450 
/**
 * Test double for a parser's GetEventInfo callback: resolves \a event_name
 * through app_layer_event_test_map.
 *
 * \param event_name  name to look up
 * \param event_id    out: the mapped id, or -1 when the name is unknown
 * \param event_type  out: APP_LAYER_EVENT_TYPE_TRANSACTION on success
 * \retval 0 ok
 * \retval -1 unknown name (logged as SC_ERR_INVALID_ENUM_MAP)
 */
static int DetectAppLayerEventTestGetEventInfo(const char *event_name,
        int *event_id,
        AppLayerEventType *event_type)
{
    const int mapped = SCMapEnumNameToValue(event_name, app_layer_event_test_map);
    *event_id = mapped;
    if (mapped == -1) {
        SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in "
                "app-layer-event's test enum map table.", event_name);
        /* this should be treated as fatal */
        return -1;
    }

    *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
    return 0;
}
467 
468 
/**
 * Parse "smtp.event1" for a TCP signature and check that both parsing steps
 * succeed and leave the context pointing at ALPROTO_SMTP.
 */
static int DetectAppLayerEventTest01(void)
{
    /* NOTE(review): original lines 471 and 472, the start of the test event
     * table registration that this argument closes, are not in this rendering */
            DetectAppLayerEventTestGetEventInfo);

    AppLayerEventType event_type;
    int result = 0;
    /* one bit per IP protocol; only TCP is enabled for this signature */
    uint8_t ipproto_bitarray[256 / 8];
    memset(ipproto_bitarray, 0, sizeof(ipproto_bitarray));
    ipproto_bitarray[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);

    DetectAppLayerEventData *aled = DetectAppLayerEventParse("smtp.event1",
            &event_type);
    if (aled == NULL)
        goto end;
    if (DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0) {
        printf("failure 1\n");
        goto end;
    }
    if (aled->alproto != ALPROTO_SMTP ||
        /* NOTE(review): original line 490, the rest of this condition, is not in this rendering */
        printf("test failure. Holding wrong state\n");
        goto end;
    }

    result = 1;

 end:
    /* NOTE(review): original line 498 is not in this rendering */
    if (aled != NULL)
        DetectAppLayerEventFree(NULL, aled);
    return result;
}
503 
/**
 * Parse one "proto.event" argument for each of several protocols (smtp,
 * http, smb, ftp) with a TCP signature and check the resolved AppProto.
 *
 * NOTE(review): each DetectAppLayerEventParse() result overwrites `aled`
 * without freeing the previous one; only the last context is released
 * before PASS, so the four earlier contexts leak in this test.
 */
static int DetectAppLayerEventTest02(void)
{
    /* NOTE(review): original line 506 is not in this rendering */

    /* NOTE(review): original lines 508, 510, 512 and 514, the starts of the
     * four test event table registrations closed below, are not in this rendering */
            DetectAppLayerEventTestGetEventInfo);
            IPPROTO_TCP, ALPROTO_HTTP1, DetectAppLayerEventTestGetEventInfo);
            DetectAppLayerEventTestGetEventInfo);
            DetectAppLayerEventTestGetEventInfo);

    AppLayerEventType event_type;
    /* one bit per IP protocol; only TCP is enabled for this signature */
    uint8_t ipproto_bitarray[256 / 8];
    memset(ipproto_bitarray, 0, sizeof(ipproto_bitarray));
    ipproto_bitarray[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);

    DetectAppLayerEventData *aled = DetectAppLayerEventParse("smtp.event1",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_SMTP);
    /* NOTE(review): original line 527 is not in this rendering */

    aled = DetectAppLayerEventParse("smtp.event4",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_SMTP);
    /* NOTE(review): original line 534 is not in this rendering */

    aled = DetectAppLayerEventParse("http.event2",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    /* "http" resolves to HTTP1, see AppLayerEventGetProtoByName() */
    FAIL_IF(aled->alproto != ALPROTO_HTTP1);
    /* NOTE(review): original line 541 is not in this rendering */

    aled = DetectAppLayerEventParse("smb.event3",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_SMB);
    /* NOTE(review): original line 548 is not in this rendering */

    aled = DetectAppLayerEventParse("ftp.event5",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_FTP);
    /* NOTE(review): original line 555 is not in this rendering */

    /* NOTE(review): original line 557 is not in this rendering */
    DetectAppLayerEventFree(NULL, aled);
    PASS;
}
561 
/**
 * End-to-end check of applayer_mismatch_protocol_both_directions: an HTTP
 * request followed by an HTTP response on the same flow must not alert in
 * either direction.
 *
 * NOTE(review): only ra_ctx is torn down at the end; de_ctx, det_ctx, p and
 * f are not visibly released in this function.
 */
static int DetectAppLayerEventTest03(void)
{
    ThreadVars tv;
    TcpReassemblyThreadCtx *ra_ctx = NULL;
    Packet *p = NULL;
    Flow *f = NULL;
    TcpSession ssn;
    TcpStream stream_ts, stream_tc;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
                       "Host: 127.0.0.1\r\n"
                       "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
                       "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
                       "Accept-Language: en-us,en;q=0.5\r\n"
                       "Accept-Encoding: gzip,deflate\r\n"
                       "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
                       "Keep-Alive: 115\r\n"
                       "Connection: keep-alive\r\n"
                       "\r\n";
    uint8_t buf_tc[] = "HTTP/1.1 200 OK\r\n"
                       "Date: Fri, 22 Oct 2010 12:31:08 GMT\r\n"
                       "Server: Apache/2.2.15 (Unix) DAV/2\r\n"
                       "Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT\r\n"
                       "ETag: \"ab8486-2c-3e9564c23b600\"\r\n"
                       "Accept-Ranges: bytes\r\n"
                       "Content-Length: 44\r\n"
                       "Keep-Alive: timeout=5, max=100\r\n"
                       "Connection: Keep-Alive\r\n"
                       "Content-Type: text/html\r\n"
                       "\r\n"
                       "<html><body><h1>It works!</h1></body></html>";

    memset(&tv, 0, sizeof (ThreadVars));
    memset(&ssn, 0, sizeof(TcpSession));
    memset(&stream_ts, 0, sizeof(TcpStream));
    memset(&stream_tc, 0, sizeof(TcpStream));

    ssn.data_first_seen_dir = STREAM_TOSERVER;

    /* NOTE(review): original line 603 is not in this rendering; de_ctx is
     * NULL-initialised above and checked on the next line, so it is
     * presumably assigned there */
    FAIL_IF(de_ctx == NULL);
    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(app-layer-event: applayer_mismatch_protocol_both_directions; "
            "sid:1;)");
    FAIL_IF(de_ctx->sig_list == NULL);
    /* NOTE(review): original line 610 is not in this rendering */
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
    FAIL_IF(f == NULL);
    FLOW_INITIALIZE(f);
    f->protoctx = &ssn;
    f->proto = IPPROTO_TCP;
    f->flags |= FLOW_IPV4;

    p = PacketGetFromAlloc();
    FAIL_IF(unlikely(p == NULL));
    p->flow = f;
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->proto = IPPROTO_TCP;

    StreamTcpUTInit(&ra_ctx);

    /* NOTE(review): original line 629 is not in this rendering */
    /* sizeof(buf_ts) includes the string's NUL terminator, so one extra
     * byte is handed to the app layer */
    TcpStream *stream = &stream_ts;
    FAIL_IF(AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_ts,
                sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    /* request alone: no mismatch yet */
    FAIL_IF (PacketAlertCheck(p, 1));

    /* NOTE(review): original line 638 is not in this rendering */
    stream = &stream_tc;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_tc,
                sizeof(buf_tc), STREAM_TOCLIENT | STREAM_START) < 0);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    /* both sides are HTTP, so the mismatch event must not be raised */
    FAIL_IF(PacketAlertCheck(p, 1));

    StreamTcpUTDeinit(ra_ctx);
    PASS;
}
650 
/**
 * End-to-end check of applayer_detect_protocol_only_one_direction: an HTTP
 * request answered by a response whose status line is deliberately not HTTP
 * ("XTTP/1.1 ...") must alert once the to-client side has been processed,
 * and not before.
 *
 * NOTE(review): only ra_ctx is torn down at the end; de_ctx, det_ctx, p and
 * f are not visibly released in this function.
 */
static int DetectAppLayerEventTest04(void)
{
    ThreadVars tv;
    TcpReassemblyThreadCtx *ra_ctx = NULL;
    Packet *p = NULL;
    Flow *f = NULL;
    TcpSession ssn;
    TcpStream stream_ts, stream_tc;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
                       "Host: 127.0.0.1\r\n"
                       "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
                       "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
                       "Accept-Language: en-us,en;q=0.5\r\n"
                       "Accept-Encoding: gzip,deflate\r\n"
                       "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
                       "Keep-Alive: 115\r\n"
                       "Connection: keep-alive\r\n"
                       "\r\n";
    /* mangled status line: keeps the to-client side from being detected as HTTP */
    uint8_t buf_tc[] = "XTTP/1.1 200 OK\r\n"
                       "Date: Fri, 22 Oct 2010 12:31:08 GMT\r\n"
                       "Server: Apache/2.2.15 (Unix) DAV/2\r\n"
                       "Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT\r\n"
                       "ETag: \"ab8486-2c-3e9564c23b600\"\r\n"
                       "Accept-Ranges: bytes\r\n"
                       "Content-Length: 44\r\n"
                       "Keep-Alive: timeout=5, max=100\r\n"
                       "Connection: Keep-Alive\r\n"
                       "Content-Type: text/html\r\n"
                       "\r\n"
                       "<html><body><h1>It works!</h1></body></html>";

    memset(&tv, 0, sizeof (ThreadVars));
    memset(&ssn, 0, sizeof(TcpSession));
    memset(&stream_ts, 0, sizeof(TcpStream));
    memset(&stream_tc, 0, sizeof(TcpStream));

    ssn.data_first_seen_dir = STREAM_TOSERVER;

    /* NOTE(review): original line 692 is not in this rendering; de_ctx is
     * NULL-initialised above and checked on the next line, so it is
     * presumably assigned there */
    FAIL_IF (de_ctx == NULL);
    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(app-layer-event: applayer_detect_protocol_only_one_direction; "
            "sid:1;)");
    FAIL_IF(de_ctx->sig_list == NULL);
    /* NOTE(review): original line 699 is not in this rendering */
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
    FAIL_IF (f == NULL);
    FLOW_INITIALIZE(f);
    f->protoctx = &ssn;
    f->proto = IPPROTO_TCP;
    f->flags |= FLOW_IPV4;

    p = PacketGetFromAlloc();
    FAIL_IF(unlikely(p == NULL));
    p->flow = f;
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->proto = IPPROTO_TCP;

    StreamTcpUTInit(&ra_ctx);

    /* NOTE(review): original line 718 is not in this rendering */
    /* sizeof(buf_ts) includes the string's NUL terminator, so one extra
     * byte is handed to the app layer */
    TcpStream *stream = &stream_ts;
    FAIL_IF(AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_ts,
                sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    /* request alone: no alert expected yet */
    FAIL_IF (PacketAlertCheck(p, 1));

    /* NOTE(review): original line 725 is not in this rendering */
    stream = &stream_tc;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_tc,
                sizeof(buf_tc), STREAM_TOCLIENT | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    /* after the non-HTTP response the one-direction event must fire */
    FAIL_IF (!PacketAlertCheck(p, 1));

    StreamTcpUTDeinit(ra_ctx);
    PASS;
}
735 
/**
 * End-to-end check of applayer_mismatch_protocol_both_directions: an HTTP
 * request answered with TLS record data must alert once the to-client side
 * has been processed, and not before.
 *
 * NOTE(review): only ra_ctx is torn down at the end; de_ctx, det_ctx, p and
 * f are not visibly released in this function.
 */
static int DetectAppLayerEventTest05(void)
{
    ThreadVars tv;
    TcpReassemblyThreadCtx *ra_ctx = NULL;
    Packet *p = NULL;
    Flow *f = NULL;
    TcpSession ssn;
    TcpStream stream_ts, stream_tc;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
                       "Host: 127.0.0.1\r\n"
                       "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
                       "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
                       "Accept-Language: en-us,en;q=0.5\r\n"
                       "Accept-Encoding: gzip,deflate\r\n"
                       "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
                       "Keep-Alive: 115\r\n"
                       "Connection: keep-alive\r\n"
                       "\r\n";
    /* tls */
    uint8_t buf_tc[] = {
        0x16, 0x03, 0x01, 0x00, 0x86, 0x10, 0x00, 0x00,
        0x82, 0x00, 0x80, 0xd3, 0x6f, 0x1f, 0x63, 0x82,
        0x8d, 0x75, 0x77, 0x8c, 0x91, 0xbc, 0xa1, 0x3d,
        0xbb, 0xe1, 0xb5, 0xd3, 0x31, 0x92, 0x59, 0x2b,
        0x2c, 0x43, 0x96, 0xa3, 0xaa, 0x23, 0x92, 0xd0,
        0x91, 0x2a, 0x5e, 0x10, 0x5b, 0xc8, 0xc1, 0xe2,
        0xd3, 0x5c, 0x8b, 0x8c, 0x91, 0x9e, 0xc2, 0xf2,
        0x9c, 0x3c, 0x4f, 0x37, 0x1e, 0x20, 0x5e, 0x33,
        0xd5, 0xf0, 0xd6, 0xaf, 0x89, 0xf5, 0xcc, 0xb2,
        0xcf, 0xc1, 0x60, 0x3a, 0x46, 0xd5, 0x4e, 0x2a,
        0xb6, 0x6a, 0xb9, 0xfc, 0x32, 0x8b, 0xe0, 0x6e,
        0xa0, 0xed, 0x25, 0xa0, 0xa4, 0x82, 0x81, 0x73,
        0x90, 0xbf, 0xb5, 0xde, 0xeb, 0x51, 0x8d, 0xde,
        0x5b, 0x6f, 0x94, 0xee, 0xba, 0xe5, 0x69, 0xfa,
        0x1a, 0x80, 0x30, 0x54, 0xeb, 0x12, 0x01, 0xb9,
        0xfe, 0xbf, 0x82, 0x95, 0x01, 0x7b, 0xb0, 0x97,
        0x14, 0xc2, 0x06, 0x3c, 0x69, 0xfb, 0x1c, 0x66,
        0x47, 0x17, 0xd9, 0x14, 0x03, 0x01, 0x00, 0x01,
        0x01, 0x16, 0x03, 0x01, 0x00, 0x30, 0xf6, 0xbc,
        0x0d, 0x6f, 0xe8, 0xbb, 0xaa, 0xbf, 0x14, 0xeb,
        0x7b, 0xcc, 0x6c, 0x28, 0xb0, 0xfc, 0xa6, 0x01,
        0x2a, 0x97, 0x96, 0x17, 0x5e, 0xe8, 0xb4, 0x4e,
        0x78, 0xc9, 0x04, 0x65, 0x53, 0xb6, 0x93, 0x3d,
        0xeb, 0x44, 0xee, 0x86, 0xf9, 0x80, 0x49, 0x45,
        0x21, 0x34, 0xd1, 0xee, 0xc8, 0x9c,
    };

    memset(&tv, 0, sizeof (ThreadVars));
    memset(&ssn, 0, sizeof(TcpSession));
    memset(&stream_ts, 0, sizeof(TcpStream));
    memset(&stream_tc, 0, sizeof(TcpStream));

    ssn.data_first_seen_dir = STREAM_TOSERVER;

    /* NOTE(review): original line 793 is not in this rendering; de_ctx is
     * NULL-initialised above and checked on the next line, so it is
     * presumably assigned there */
    FAIL_IF (de_ctx == NULL);
    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(app-layer-event: applayer_mismatch_protocol_both_directions; "
            "sid:1;)");
    FAIL_IF (de_ctx->sig_list == NULL);
    /* NOTE(review): original line 800 is not in this rendering */
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
    FAIL_IF (f == NULL);
    FLOW_INITIALIZE(f);
    f->protoctx = &ssn;
    f->proto = IPPROTO_TCP;
    f->flags |= FLOW_IPV4;

    p = PacketGetFromAlloc();
    FAIL_IF (unlikely(p == NULL));
    p->flow = f;
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->proto = IPPROTO_TCP;

    StreamTcpUTInit(&ra_ctx);

    /* NOTE(review): original line 819 is not in this rendering */
    /* sizeof(buf_ts) includes the string's NUL terminator, so one extra
     * byte is handed to the app layer */
    TcpStream *stream = &stream_ts;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_ts,
                sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    /* request alone: no mismatch yet */
    FAIL_IF (PacketAlertCheck(p, 1));

    /* NOTE(review): original line 826 is not in this rendering */
    stream = &stream_tc;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_tc,
                sizeof(buf_tc), STREAM_TOCLIENT | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    /* HTTP one way, TLS the other: the mismatch event must fire */
    FAIL_IF (!PacketAlertCheck(p, 1));

    StreamTcpUTDeinit(ra_ctx);
    PASS;
}
836 
/**
 * Parse the detect-engine pseudo-protocol form "file.test" for a TCP
 * signature and check that it is accepted with alproto left at
 * ALPROTO_UNKNOWN (the "file" path sets needs_detctx instead).
 */
static int DetectAppLayerEventTest06(void)
{
    AppLayerEventType event_type;
    /* one bit per IP protocol; only TCP is enabled for this signature */
    uint8_t ipproto_bitarray[256 / 8];
    memset(ipproto_bitarray, 0, sizeof(ipproto_bitarray));
    ipproto_bitarray[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);

    DetectAppLayerEventData *aled = DetectAppLayerEventParse("file.test",
            &event_type);

    FAIL_IF_NULL(aled);

    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);

    FAIL_IF(aled->alproto != ALPROTO_UNKNOWN);
    /* NOTE(review): original line 852 is not in this rendering */

    DetectAppLayerEventFree(NULL, aled);
    PASS;
}
857 
/**
 * \brief This function registers unit tests for "app-layer-event" keyword.
 *
 * Tests are registered in table order, which is the order they ran in before.
 */
static void DetectAppLayerEventRegisterTests(void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectAppLayerEventTest01", DetectAppLayerEventTest01 },
        { "DetectAppLayerEventTest02", DetectAppLayerEventTest02 },
        { "DetectAppLayerEventTest03", DetectAppLayerEventTest03 },
        { "DetectAppLayerEventTest04", DetectAppLayerEventTest04 },
        { "DetectAppLayerEventTest05", DetectAppLayerEventTest05 },
        { "DetectAppLayerEventTest06", DetectAppLayerEventTest06 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
}
870 #endif /* UNITTESTS */
util-byte.h
DetectAppLayerEventRegister
void DetectAppLayerEventRegister(void)
Registers the keyword handlers for the "app-layer-event" keyword.
Definition: detect-app-layer-event.c:79
DetectEngineAppInspectionEngine_
Definition: detect.h:390
SigTableElmt_::url
const char * url
Definition: detect.h:1248
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1490
Packet_::proto
uint8_t proto
Definition: decode.h:456
SigMatch_::prev
struct SigMatch_ * prev
Definition: detect.h:319
TcpStream_
Definition: stream-tcp-private.h:106
detect-engine.h
StreamTcpUTDeinit
void StreamTcpUTDeinit(TcpReassemblyThreadCtx *ra_ctx)
Definition: stream-tcp-util.c:51
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1247
DET_CTX_EVENT_TEST
@ DET_CTX_EVENT_TEST
Definition: detect.h:1255
SigMatchFree
void SigMatchFree(DetectEngineCtx *de_ctx, SigMatch *sm)
free a SigMatch
Definition: detect-parse.c:250
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1235
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1245
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectAppLayerEventData_::alproto
AppProto alproto
Definition: detect-app-layer-event.c:55
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
AppLayerParserGetEventsByTx
AppLayerDecoderEvents * AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:878
Flow_::proto
uint8_t proto
Definition: flow.h:375
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:80
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1102
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:326
DetectAppLayerEventData
struct DetectAppLayerEventData_ DetectAppLayerEventData
threads.h
Flow_
Flow data structure.
Definition: flow.h:353
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2116
AppLayerEventType
enum AppLayerEventType_ AppLayerEventType
DETECT_AL_APP_LAYER_EVENT
@ DETECT_AL_APP_LAYER_EVENT
Definition: detect-engine-register.h:179
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
AppLayerParserGetStateProgressCompletionStatus
int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:1130
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:223
DE_QUIET
#define DE_QUIET
Definition: detect.h:288
MAX_ALPROTO_NAME
#define MAX_ALPROTO_NAME