1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "decode.h"
27 
28 #include "app-layer.h"
29 #include "app-layer-protos.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-smtp.h"
32 #include "detect.h"
33 #include "detect-parse.h"
34 #include "detect-engine.h"
35 #include "detect-engine-state.h"
36 #include "detect-engine-build.h"
37 #include "detect-app-layer-event.h"
38 
39 #include "flow.h"
40 #include "flow-var.h"
41 #include "flow-util.h"
42 
43 #include "decode-events.h"
44 #include "util-byte.h"
45 #include "util-debug.h"
46 #include "util-enum.h"
47 #include "util-profiling.h"
48 #include "util-unittest.h"
49 #include "util-unittest-helper.h"
50 #include "stream-tcp-util.h"
51 
/* Upper bound on the length of an app-layer-event argument ("<proto>.<event>").
 * It also sizes the on-stack alproto_name buffers in the two parse passes: the
 * length check against it is what keeps the strlcpy of the protocol prefix in
 * bounds (at most MAX_ALPROTO_NAME - 1 chars can precede the dot). */
#define MAX_ALPROTO_NAME 50

/* Per-SigMatch data for the app-layer-event keyword.
 * NOTE(review): this rendering drops three lines of the struct: the
 * `AppProto alproto` member (first field), the `bool needs_detctx` member
 * (after its comment) and the closing `} DetectAppLayerEventData;` line --
 * the member names are taken from the page's own symbol index. */
typedef struct DetectAppLayerEventData_ {
    /* event id resolved from the event name at rule-parse time; stored as
     * uint8_t, so DetectAppLayerEventParseAppP2 rejects ids above UINT8_MAX */
    uint8_t event_id;

    /* it's used to check if there are event set into the detect engine */

    /* the raw keyword argument as written in the rule; owned by this struct
     * (SCStrdup'd in DetectAppLayerEventParseAppP1, released in
     * DetectAppLayerEventFree). The visible packet-event path does not set it. */
    char *arg;
/* Forward declarations for the keyword callbacks wired into sigmatch_table by
 * the register function below; definitions follow further down. */
static int DetectAppLayerEventPktMatch(DetectEngineThreadCtx *det_ctx,
        Packet *p, const Signature *s, const SigMatchCtx *ctx);
static int DetectAppLayerEventSetupP1(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectAppLayerEventRegisterTests(void);
#endif
static void DetectAppLayerEventFree(DetectEngineCtx *, void *);
static uint8_t DetectEngineAptEventInspect(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
        const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
        uint8_t flags, void *alstate, void *tx, uint64_t tx_id);
/* Id of the "app-layer-events" SigMatch list. Looked up by name at register
 * time; the setup and prepare passes use it to (re)attach SigMatches. */
static int g_applayer_events_list_id = 0;
75 
/**
 * \brief Registers the keyword handlers for the "app-layer-event" keyword.
 *
 * NOTE(review): this rendering drops the signature line
 * (`void DetectAppLayerEventRegister(void)` per the page's symbol index) and
 * the left-hand side of four statements: presumably the `.Match` and
 * `.RegisterTests` assignments and the two app-layer inspection-engine
 * registrations (one per direction, judging by the SIG_FLAG_TOSERVER /
 * SIG_FLAG_TOCLIENT symbols in the index). Only their trailing argument
 * lines survive below.
 */
{
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].name = "app-layer-event";
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].desc = "match on events generated by the App Layer Parsers and the protocol detection engine";
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].url = "/rules/app-layer.html#app-layer-event";
    /* (dropped line) packet-level matcher */
            DetectAppLayerEventPktMatch;
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Setup = DetectAppLayerEventSetupP1;
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Free = DetectAppLayerEventFree;
#ifdef UNITTESTS
    /* (dropped line) unit test registration hook */
            DetectAppLayerEventRegisterTests;
#endif

    /* (dropped lines) transaction-level inspection engines */
            DetectEngineAptEventInspect, NULL);
            DetectEngineAptEventInspect, NULL);

    g_applayer_events_list_id = DetectBufferTypeGetByName("app-layer-events");
}
100 
/**
 * \brief Transaction-level inspection for app-layer-event SigMatches.
 *
 * Walks the engine's SigMatchData chain and requires every listed event id to
 * be set in the transaction's decoder events; the first unset event ends the
 * walk without a match. A tx with no decoder events at all cannot match.
 *
 * NOTE(review): this rendering drops several lines of this function: the one
 * binding `aled` from `smd->ctx` (plus KEYWORD_PROFILING_START) at the top of
 * the loop body, the completion-status operand of the progress comparison,
 * and the three return statements in the tail. From the page's symbol index
 * the tail presumably returns DETECT_ENGINE_INSPECT_SIG_MATCH when r == 1 and
 * otherwise distinguishes a finished tx from one that may still raise the
 * event -- confirm against the full source.
 */
static uint8_t DetectEngineAptEventInspect(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
        const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
        uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
{
    int r = 0;
    const AppProto alproto = f->alproto;
    AppLayerDecoderEvents *decoder_events =
            AppLayerParserGetEventsByTx(f->proto, alproto, tx);
    /* no events on this tx: nothing to match against */
    if (decoder_events == NULL)
        goto end;

    SigMatchData *smd = engine->smd;
    while (1) {
        /* (dropped lines) aled = smd->ctx; profiling start */

        if (AppLayerDecoderEventsIsEventSet(decoder_events, aled->event_id)) {
            KEYWORD_PROFILING_END(det_ctx, smd->type, 1);

            if (smd->is_last)
                break;
            smd++;
            continue;
        }

        /* one required event is not set: this tx does not match */
        KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
        goto end;
    }

    /* every SigMatch in the chain matched */
    r = 1;

end:
    if (r == 1) {
        /* (dropped line) return match */
    } else {
        /* the tx progress decides whether the event could still be raised
         * later or the tx is final */
        if (AppLayerParserGetStateProgress(f->proto, alproto, tx, flags) ==
        /* (dropped line) completion-status operand */
        {
            /* (dropped line) */
        } else {
            /* (dropped line) */
        }
    }
}
145 
146 
/**
 * \brief Packet-level match callback for app-layer-event.
 *
 * The keyword data carries the event id resolved at rule-parse time; the
 * packet carries the decoder events raised for it (the keyword's description
 * names the app-layer parsers and the protocol detection engine as sources).
 * det_ctx and s are unused.
 *
 * \retval non-zero if the event is set on the packet, 0 otherwise
 */
static int DetectAppLayerEventPktMatch(DetectEngineThreadCtx *det_ctx,
        Packet *p, const Signature *s, const SigMatchCtx *ctx)
{
    const DetectAppLayerEventData *data = (const DetectAppLayerEventData *)ctx;
    AppLayerDecoderEvents *events = p->app_layer_events;

    return AppLayerDecoderEventsIsEventSet(events, data->event_id);
}
155 
/**
 * \brief Parse a packet-level event name (an argument without a "<proto>."
 * prefix) into freshly allocated keyword data.
 *
 * \retval aled keyword data with event_id set, or NULL on error
 *
 * NOTE(review): this rendering drops the allocation line for `aled`
 * between the range check and the NULL check.
 */
static DetectAppLayerEventData *DetectAppLayerEventParsePkt(const char *arg,
        AppLayerEventType *event_type)
{
    int event_id = 0;
    int r = AppLayerGetPktEventInfo(arg, &event_id);
    /* NOTE(review): the upper-bound check is applied to the return code r,
     * but it is event_id that is narrowed to uint8_t below. Compare
     * DetectAppLayerEventParseAppP2, which checks event_id > UINT8_MAX before
     * its cast. Confirm what AppLayerGetPktEventInfo's return value encodes;
     * if it is only a status, the id is stored unchecked. */
    if (r < 0 || r > UINT8_MAX) {
        SCLogError("app-layer-event keyword "
                   "supplied with packet based event - \"%s\" that isn't "
                   "supported yet.",
                arg);
        return NULL;
    }

    /* (dropped line) aled allocation */
    if (unlikely(aled == NULL))
        return NULL;
    aled->event_id = (uint8_t)event_id;
    /* packet events are matched per packet by DetectAppLayerEventPktMatch */
    *event_type = APP_LAYER_EVENT_TYPE_PACKET;

    return aled;
}
177 
/**
 * \brief Tell whether an event name refers to a tls certificate event that
 * no longer exists.
 *
 * Rules naming one of these are rejected (or warned about) by
 * DetectAppLayerEventParseAppP2 instead of being loaded as a rule that can
 * never fire. Comparison is exact: no trimming, no case folding.
 *
 * \param raw the full "<proto>.<event>" argument
 * \retval true if raw names a removed event, false otherwise
 */
static bool OutdatedEvent(const char *raw)
{
    static const char *const removed[] = {
        "tls.certificate_missing_element",
        "tls.certificate_unknown_element",
        "tls.certificate_invalid_string",
    };

    for (size_t i = 0; i < sizeof(removed) / sizeof(removed[0]); i++) {
        if (strcmp(raw, removed[i]) == 0)
            return true;
    }
    return false;
}
187 
/** \brief Second parse pass: resolve "<proto>.<event>" to an event id once
 *  the signature's IP protocol is known.
 *
 * \param data keyword data from DetectAppLayerEventParseAppP1 (arg, alproto
 *             and needs_detctx set); event_id is filled in on success
 * \param ipproto_bitarray the signature's IP-protocol bitmap; TCP is tried
 *             before UDP, so TCP wins when both bits are set
 * \param event_type filled in by the event lookup
 *
 * \retval int 0 ok
 * \retval int -1 error
 * \retval int -3 non-fatal error: sig will be rejected w/o raising error
 * \retval int -4 event id does not fit in uint8_t (warning only)
 *
 * NOTE(review): this rendering drops the two `if (SigMatchStrictEnabled(...))`
 * lines that select between the -1 and -3 branches below (the symbol is
 * listed in the page's index); only the `} else {` halves survive.
 */
static int DetectAppLayerEventParseAppP2(DetectAppLayerEventData *data,
        uint8_t *ipproto_bitarray,
        AppLayerEventType *event_type)
{
    int event_id = 0;
    uint8_t ipproto;
    char alproto_name[MAX_ALPROTO_NAME];
    int r = 0;

    /* removed tls events: fatal in strict mode, otherwise the rule is dropped
     * with a warning */
    if (OutdatedEvent(data->arg)) {
        /* (dropped line) strict-mode check */
            SCLogError("app-layer-event keyword no longer supports event \"%s\"", data->arg);
            return -1;
        } else {
            SCLogWarning("app-layer-event keyword no longer supports event \"%s\"", data->arg);
            return -3;
        }
    }

    /* The presence of a '.' is not re-verified here: p_idx would be NULL and
     * the pointer arithmetic below undefined if arg had none. Callers reach
     * this only via DetectAppLayerEventParseAppP1, which is only entered for
     * arguments containing a '.'. The length check does bound the strlcpy:
     * at most MAX_ALPROTO_NAME - 1 chars can precede the dot. */
    const char *p_idx = strchr(data->arg, '.');
    if (strlen(data->arg) > MAX_ALPROTO_NAME) {
        SCLogError("app-layer-event keyword is too long or malformed");
        return -1;
    }
    strlcpy(alproto_name, data->arg, p_idx - data->arg + 1);

    /* `&` binds looser than `<<`, so this tests byte & (1 << bit) */
    if (ipproto_bitarray[IPPROTO_TCP / 8] & 1 << (IPPROTO_TCP % 8)) {
        ipproto = IPPROTO_TCP;
    } else if (ipproto_bitarray[IPPROTO_UDP / 8] & 1 << (IPPROTO_UDP % 8)) {
        ipproto = IPPROTO_UDP;
    } else {
        SCLogError("protocol %s is disabled", alproto_name);
        return -1;
    }

    /* "file.*" events are owned by the detect engine, not by a parser */
    if (!data->needs_detctx) {
        r = AppLayerParserGetEventInfo(ipproto, data->alproto,
                p_idx + 1, &event_id, event_type);
    } else {
        r = DetectEngineGetEventInfo(p_idx + 1, &event_id, event_type);
    }
    if (r < 0) {
        /* (dropped line) strict-mode check */
            SCLogError("app-layer-event keyword's "
                       "protocol \"%s\" doesn't have event \"%s\" registered",
                    alproto_name, p_idx + 1);
            return -1;
        } else {
            SCLogWarning("app-layer-event keyword's "
                         "protocol \"%s\" doesn't have event \"%s\" registered",
                    alproto_name, p_idx + 1);
            return -3;
        }
    }
    /* event_id is stored in a uint8_t: refuse ids the cast would truncate */
    if (event_id > UINT8_MAX) {
        SCLogWarning("app-layer-event keyword's id has invalid value");
        return -4;
    }
    data->event_id = (uint8_t)event_id;

    return 0;
}
254 
/**
 * \brief Resolve a protocol name for the app-layer-event keyword.
 *
 * Thin wrapper over AppLayerGetProtoByName with one adjustment: the generic
 * "http" protocol is folded onto ALPROTO_HTTP1, since "http.*" event names
 * refer to the HTTP/1 parser's events. Every other result is passed through,
 * including ALPROTO_UNKNOWN.
 */
static AppProto AppLayerEventGetProtoByName(char *alproto_name)
{
    const AppProto resolved = AppLayerGetProtoByName(alproto_name);
    return (resolved == ALPROTO_HTTP) ? ALPROTO_HTTP1 : resolved;
}
264 
/**
 * \brief First parse pass for a "<proto>.<event>" argument.
 *
 * Only the protocol part is resolved here; the event name is resolved later
 * by DetectAppLayerEventParseAppP2, once the signature's IP protocol is
 * known. The caller (DetectAppLayerEventParse) guarantees arg contains a '.'.
 *
 * \param arg the keyword argument, leading whitespace already skipped
 * \retval aled newly allocated keyword data (arg copied, alproto and
 *              needs_detctx set, event_id still 0), or NULL on error
 */
static DetectAppLayerEventData *DetectAppLayerEventParseAppP1(const char *arg)
{
    const char *dot = strchr(arg, '.');
    if (strlen(arg) > MAX_ALPROTO_NAME) {
        SCLogError("app-layer-event keyword is too long or malformed");
        return NULL;
    }

    /* The whole-argument bound above also bounds the prefix: at most
     * MAX_ALPROTO_NAME - 1 characters can precede the dot, so the prefix plus
     * its terminating NUL fits alproto_name. */
    char alproto_name[MAX_ALPROTO_NAME];
    strlcpy(alproto_name, arg, (size_t)(dot - arg) + 1);

    bool needs_detctx = false;
    const AppProto alproto = AppLayerEventGetProtoByName(alproto_name);
    if (alproto == ALPROTO_UNKNOWN) {
        /* "file.*" is the one prefix without a parser behind it; its events
         * are resolved through the detect engine in the second pass */
        if (strcmp(alproto_name, "file") != 0) {
            SCLogError("app-layer-event keyword "
                       "supplied with unknown protocol \"%s\"",
                    alproto_name);
            return NULL;
        }
        needs_detctx = true;
    }

    DetectAppLayerEventData *aled = SCCalloc(1, sizeof(*aled));
    if (unlikely(aled == NULL))
        return NULL;
    aled->arg = SCStrdup(arg);
    if (aled->arg == NULL) {
        SCFree(aled);
        return NULL;
    }
    aled->alproto = alproto;
    aled->needs_detctx = needs_detctx;

    return aled;
}
304 
/**
 * \brief Entry point for parsing the app-layer-event argument.
 *
 * Leading whitespace is skipped; nothing else is normalized. A bare name is
 * treated as a packet-level event, anything containing a '.' as a
 * "<proto>.<event>" app-layer event. *event_type is reset to 0 and only set
 * on the packet path; the app-layer path leaves it for the second pass.
 *
 * \retval data newly allocated keyword data, or NULL on error (logged)
 */
static DetectAppLayerEventData *DetectAppLayerEventParse(const char *arg,
        AppLayerEventType *event_type)
{
    *event_type = 0;

    if (arg == NULL) {
        SCLogError("app-layer-event keyword supplied "
                   "with no arguments. This keyword needs an argument.");
        return NULL;
    }

    const char *cur = arg;
    while (*cur != '\0' && isspace((unsigned char)*cur))
        cur++;

    const bool has_proto_prefix = (strchr(cur, '.') != NULL);
    if (!has_proto_prefix)
        return DetectAppLayerEventParsePkt(cur, event_type);

    return DetectAppLayerEventParseAppP1(cur);
}
325 
/**
 * \brief Second setup pass for one SigMatch, run from
 * DetectAppLayerEventPrepare once the signature's IP protocol is known.
 *
 * Resolves the event name to an id and re-attaches the SigMatch to the
 * app-layer-events list.
 *
 * \retval 0 ok
 * \retval <0 the code from DetectAppLayerEventParseAppP2; sm has been freed
 *            and must not be touched by the caller
 */
static int DetectAppLayerEventSetupP2(DetectEngineCtx *de_ctx,
        Signature *s,
        SigMatch *sm)
{
    DetectAppLayerEventData *data = (DetectAppLayerEventData *)sm->ctx;
    AppLayerEventType event_type = 0;

    const int ret = DetectAppLayerEventParseAppP2(data, s->proto.proto, &event_type);
    if (ret >= 0) {
        SigMatchAppendSMToList(s, sm, g_applayer_events_list_id);
        /* expected to be set already by DetectAppLayerEventSetupP1 */
        s->flags |= SIG_FLAG_APPLAYER;
        return 0;
    }

    /* errors were logged by DetectAppLayerEventParseAppP2; the SigMatch was
     * unlinked from the lists by DetectAppLayerEventPrepare before this call,
     * so it can be released here */
    SigMatchFree(de_ctx, sm);
    return ret;
}
347 
/**
 * \brief Setup callback for the keyword (first pass).
 *
 * Parses the argument and allocates the SigMatch. Packet events go onto the
 * packet match list; app-layer events bind the signature to the protocol and
 * are queued on the app-layer-events list for DetectAppLayerEventPrepare to
 * resolve once the IP protocol is known.
 *
 * \retval 0 ok
 * \retval -1 error (data and sm released)
 *
 * NOTE(review): this rendering drops the line setting `sm->type` after the
 * NULL check, and the body of the packet-event branch (presumably an append
 * to DETECT_SM_LIST_MATCH, which the page's symbol index lists).
 */
static int DetectAppLayerEventSetupP1(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
    AppLayerEventType event_type;

    DetectAppLayerEventData *data = DetectAppLayerEventParse(arg, &event_type);
    if (data == NULL)
        SCReturnInt(-1);

    SigMatch *sm = SigMatchAlloc();
    if (sm == NULL)
        goto error;

    /* (dropped line) sm->type */
    sm->ctx = (SigMatchCtx *)data;

    if (event_type == APP_LAYER_EVENT_TYPE_PACKET) {
        /* (dropped line) packet match list append */
    } else {
        if (DetectSignatureSetAppProto(s, data->alproto) != 0)
            goto error;

        SigMatchAppendSMToList(s, sm, g_applayer_events_list_id);
    }

    return 0;

error:
    if (data) {
        DetectAppLayerEventFree(de_ctx, data);
    }
    if (sm) {
        /* data was released just above: detach it before SigMatchFree so the
         * keyword's Free callback cannot see the dangling pointer */
        sm->ctx = NULL;
        SigMatchFree(de_ctx, sm);
    }
    return -1;
}
384 
/**
 * \brief Free callback for the keyword data.
 *
 * de_ctx is not used; the unit tests call this with de_ctx == NULL.
 *
 * NOTE(review): this rendering drops the line binding `data` to `ptr`.
 */
static void DetectAppLayerEventFree(DetectEngineCtx *de_ctx, void *ptr)
{
    /* (dropped line) data = ptr */
    /* arg is SCStrdup'd by DetectAppLayerEventParseAppP1; it stays NULL for
     * data that never went through that path */
    if (data->arg != NULL)
        SCFree(data->arg);

    SCFree(ptr);

    return;
}
395 
/**
 * \brief Second setup pass over a signature's app-layer-event SigMatches.
 *
 * Detaches the whole app-layer-events list from the signature, then feeds
 * each SigMatch to DetectAppLayerEventSetupP2, which resolves the event id
 * and re-appends it. On the first failure the remaining, now-unlinked
 * SigMatches are freed and the error code is returned; the ones already
 * re-appended stay on the list (the caller presumably discards the
 * signature on a negative return -- confirm).
 *
 * NOTE(review): this rendering drops the signature line
 * (`int DetectAppLayerEventPrepare(DetectEngineCtx *de_ctx, Signature *s)`
 * per the page's symbol index).
 */
{
    SigMatch *sm = s->init_data->smlists[g_applayer_events_list_id];
    SigMatch *smn;
    /* unlink the list; SetupP2 re-appends each entry on success */
    s->init_data->smlists[g_applayer_events_list_id] = NULL;
    s->init_data->smlists_tail[g_applayer_events_list_id] = NULL;

    while (sm != NULL) {
        // save it for later use in loop
        smn = sm->next;
        /* these will be overwritten in SigMatchAppendSMToList
         * called by DetectAppLayerEventSetupP2
         */
        sm->next = sm->prev = NULL;
        int ret = DetectAppLayerEventSetupP2(de_ctx, s, sm);
        if (ret < 0) {
            // current one was freed, let's free the next ones
            sm = smn;
            while(sm) {
                smn = sm->next;
                SigMatchFree(de_ctx, sm);
                sm = smn;
            }
            return ret;
        }
        sm = smn;
    }

    return 0;
}
426 
427 /**********************************Unittests***********************************/
428 
429 #ifdef UNITTESTS /* UNITTESTS */
430 #include "stream-tcp-private.h"
431 #include "stream-tcp-reassemble.h"
432 #include "stream-tcp.h"
433 #include "detect-engine-alert.h"
434 
/* ids of the synthetic events the parse tests register through
 * DetectAppLayerEventTestGetEventInfo */
#define APP_LAYER_EVENT_TEST_MAP_EVENT1 0
#define APP_LAYER_EVENT_TEST_MAP_EVENT2 1
#define APP_LAYER_EVENT_TEST_MAP_EVENT3 2
#define APP_LAYER_EVENT_TEST_MAP_EVENT4 3
#define APP_LAYER_EVENT_TEST_MAP_EVENT5 4
#define APP_LAYER_EVENT_TEST_MAP_EVENT6 5

/* name -> id table consumed by SCMapEnumNameToValue in the test callback.
 * NOTE(review): the declaration line of app_layer_event_test_map is dropped
 * in this rendering; only the initializer entries remain. */
    { "event1", APP_LAYER_EVENT_TEST_MAP_EVENT1 },
    { "event2", APP_LAYER_EVENT_TEST_MAP_EVENT2 },
    { "event3", APP_LAYER_EVENT_TEST_MAP_EVENT3 },
    { "event4", APP_LAYER_EVENT_TEST_MAP_EVENT4 },
    { "event5", APP_LAYER_EVENT_TEST_MAP_EVENT5 },
    { "event6", APP_LAYER_EVENT_TEST_MAP_EVENT6 },
};
450 
/**
 * \brief Test stand-in for a parser's GetEventInfo callback.
 *
 * Resolves the name against app_layer_event_test_map and reports every event
 * as transaction-based. *event_id is always written, including the -1 miss
 * value.
 *
 * \retval 0 ok
 * \retval -1 unknown event name (logged)
 */
static int DetectAppLayerEventTestGetEventInfo(const char *event_name,
        int *event_id,
        AppLayerEventType *event_type)
{
    const int id = SCMapEnumNameToValue(event_name, app_layer_event_test_map);
    *event_id = id;
    if (id == -1) {
        SCLogError("event \"%s\" not present in "
                   "app-layer-event's test enum map table.",
                event_name);
        /* this should be treated as fatal */
        return -1;
    }

    *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
    return 0;
}
468 
469 
/**
 * \brief Parse "smtp.event1" against the test GetEventInfo callback and
 * check the resolved protocol (and, on a dropped line, the event id).
 *
 * NOTE(review): this rendering drops the two lines at the top that back up
 * the parser table and register DetectAppLayerEventTestGetEventInfo
 * (presumably for TCP/SMTP, as Test02 does for HTTP1), the
 * `aled->event_id != ...` half of the state check, and the parser-table
 * restore at the end: label.
 */
static int DetectAppLayerEventTest01(void)
{
    /* (dropped lines) parser table backup + GetEventInfo registration */
            DetectAppLayerEventTestGetEventInfo);

    AppLayerEventType event_type;
    int result = 0;
    uint8_t ipproto_bitarray[256 / 8];
    memset(ipproto_bitarray, 0, sizeof(ipproto_bitarray));
    ipproto_bitarray[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);

    DetectAppLayerEventData *aled = DetectAppLayerEventParse("smtp.event1",
            &event_type);
    if (aled == NULL)
        goto end;
    if (DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0) {
        printf("failure 1\n");
        goto end;
    }
    if (aled->alproto != ALPROTO_SMTP ||
        /* (dropped line) event_id comparison */
        printf("test failure. Holding wrong state\n");
        goto end;
    }

    result = 1;

end:
    /* (dropped line) parser table restore */
    if (aled != NULL)
        DetectAppLayerEventFree(NULL, aled);
    return result;
}
504 
/**
 * \brief Parse several "<proto>.<event>" arguments against the test
 * GetEventInfo callback registered for a few protocols and check the
 * resolved alproto each time.
 *
 * NOTE(review): this rendering drops the parser-table backup, the four
 * registration lines (only the HTTP1 one survives in part), the event_id
 * FAIL_IF after each alproto check, and the parser-table restore. Also note
 * that each DetectAppLayerEventParse result overwrites `aled` without the
 * previous one being freed; only the last is released, and a FAIL_IF leaves
 * the current one allocated too.
 */
static int DetectAppLayerEventTest02(void)
{
    /* (dropped lines) parser table backup + GetEventInfo registrations */
            DetectAppLayerEventTestGetEventInfo);
            IPPROTO_TCP, ALPROTO_HTTP1, DetectAppLayerEventTestGetEventInfo);
            DetectAppLayerEventTestGetEventInfo);
            DetectAppLayerEventTestGetEventInfo);

    AppLayerEventType event_type;
    uint8_t ipproto_bitarray[256 / 8];
    memset(ipproto_bitarray, 0, sizeof(ipproto_bitarray));
    ipproto_bitarray[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);

    DetectAppLayerEventData *aled = DetectAppLayerEventParse("smtp.event1",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_SMTP);

    /* previous aled is not freed before being overwritten */
    aled = DetectAppLayerEventParse("smtp.event4",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_SMTP);

    aled = DetectAppLayerEventParse("http.event2",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    /* "http" resolves to HTTP1, see AppLayerEventGetProtoByName */
    FAIL_IF(aled->alproto != ALPROTO_HTTP1);

    aled = DetectAppLayerEventParse("smb.event3",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_SMB);

    aled = DetectAppLayerEventParse("ftp.event5",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_FTP);

    /* (dropped line) parser table restore */
    DetectAppLayerEventFree(NULL, aled);
    PASS;
}
562 
/**
 * \brief HTTP request followed by a well-formed HTTP response: protocol
 * detection agrees in both directions, so a rule on
 * applayer_mismatch_protocol_both_directions must not alert after either
 * direction has been processed.
 *
 * NOTE(review): this rendering drops the `de_ctx` creation line before its
 * NULL check and the SigGroupBuild call after SigInit. Two things a reader
 * should know: sizeof(buf_ts)/sizeof(buf_tc) includes the string literal's
 * terminating NUL, so one extra 0x00 byte is handed to the app-layer in each
 * direction; and the PASS path frees only ra_ctx -- p, f, de_ctx and det_ctx
 * are left allocated.
 */
static int DetectAppLayerEventTest03(void)
{
    ThreadVars tv;
    TcpReassemblyThreadCtx *ra_ctx = NULL;
    Packet *p = NULL;
    Flow *f = NULL;
    TcpSession ssn;
    TcpStream stream_ts, stream_tc;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
        "Host: 127.0.0.1\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        "Accept-Language: en-us,en;q=0.5\r\n"
        "Accept-Encoding: gzip,deflate\r\n"
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
        "Keep-Alive: 115\r\n"
        "Connection: keep-alive\r\n"
        "\r\n";
    uint8_t buf_tc[] = "HTTP/1.1 200 OK\r\n"
        "Date: Fri, 22 Oct 2010 12:31:08 GMT\r\n"
        "Server: Apache/2.2.15 (Unix) DAV/2\r\n"
        "Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT\r\n"
        "ETag: \"ab8486-2c-3e9564c23b600\"\r\n"
        "Accept-Ranges: bytes\r\n"
        "Content-Length: 44\r\n"
        "Keep-Alive: timeout=5, max=100\r\n"
        "Connection: Keep-Alive\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body><h1>It works!</h1></body></html>";

    memset(&tv, 0, sizeof (ThreadVars));
    memset(&ssn, 0, sizeof(TcpSession));
    memset(&stream_ts, 0, sizeof(TcpStream));
    memset(&stream_tc, 0, sizeof(TcpStream));

    ssn.data_first_seen_dir = STREAM_TOSERVER;

    /* (dropped line) de_ctx creation */
    FAIL_IF(de_ctx == NULL);
    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(app-layer-event: applayer_mismatch_protocol_both_directions; "
            "sid:1;)");
    FAIL_IF(de_ctx->sig_list == NULL);
    /* (dropped line) SigGroupBuild */
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
    FAIL_IF(f == NULL);
    FLOW_INITIALIZE(f);
    f->protoctx = &ssn;
    f->proto = IPPROTO_TCP;
    f->flags |= FLOW_IPV4;

    p = PacketGetFromAlloc();
    FAIL_IF(unlikely(p == NULL));
    p->flow = f;
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->proto = IPPROTO_TCP;

    StreamTcpUTInit(&ra_ctx);

    /* to server: HTTP request; no alert expected yet */
    TcpStream *stream = &stream_ts;
    FAIL_IF(AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_ts,
                sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    FAIL_IF (PacketAlertCheck(p, 1));

    /* to client: HTTP response; both sides agree, still no alert */
    stream = &stream_tc;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_tc,
                sizeof(buf_tc), STREAM_TOCLIENT | STREAM_START) < 0);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    FAIL_IF(PacketAlertCheck(p, 1));

    StreamTcpUTDeinit(ra_ctx);
    PASS;
}
651 
/**
 * \brief HTTP request followed by a response whose first bytes ("XTTP/1.1")
 * are not HTTP: only the to-server side is detected, so a rule on
 * applayer_detect_protocol_only_one_direction must alert once the to-client
 * data has been processed, and not before.
 *
 * NOTE(review): this rendering drops the `de_ctx` creation line before its
 * NULL check and the SigGroupBuild call after SigInit. As in Test03,
 * sizeof(buf_*) includes the literal's terminating NUL, and the PASS path
 * frees only ra_ctx -- p, f, de_ctx and det_ctx are left allocated.
 */
static int DetectAppLayerEventTest04(void)
{
    ThreadVars tv;
    TcpReassemblyThreadCtx *ra_ctx = NULL;
    Packet *p = NULL;
    Flow *f = NULL;
    TcpSession ssn;
    TcpStream stream_ts, stream_tc;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
        "Host: 127.0.0.1\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        "Accept-Language: en-us,en;q=0.5\r\n"
        "Accept-Encoding: gzip,deflate\r\n"
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
        "Keep-Alive: 115\r\n"
        "Connection: keep-alive\r\n"
        "\r\n";
    /* deliberately not HTTP on the response side */
    uint8_t buf_tc[] = "XTTP/1.1 200 OK\r\n"
        "Date: Fri, 22 Oct 2010 12:31:08 GMT\r\n"
        "Server: Apache/2.2.15 (Unix) DAV/2\r\n"
        "Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT\r\n"
        "ETag: \"ab8486-2c-3e9564c23b600\"\r\n"
        "Accept-Ranges: bytes\r\n"
        "Content-Length: 44\r\n"
        "Keep-Alive: timeout=5, max=100\r\n"
        "Connection: Keep-Alive\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body><h1>It works!</h1></body></html>";

    memset(&tv, 0, sizeof (ThreadVars));
    memset(&ssn, 0, sizeof(TcpSession));
    memset(&stream_ts, 0, sizeof(TcpStream));
    memset(&stream_tc, 0, sizeof(TcpStream));

    ssn.data_first_seen_dir = STREAM_TOSERVER;

    /* (dropped line) de_ctx creation */
    FAIL_IF (de_ctx == NULL);
    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(app-layer-event: applayer_detect_protocol_only_one_direction; "
            "sid:1;)");
    FAIL_IF(de_ctx->sig_list == NULL);
    /* (dropped line) SigGroupBuild */
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
    FAIL_IF (f == NULL);
    FLOW_INITIALIZE(f);
    f->protoctx = &ssn;
    f->proto = IPPROTO_TCP;
    f->flags |= FLOW_IPV4;

    p = PacketGetFromAlloc();
    FAIL_IF(unlikely(p == NULL));
    p->flow = f;
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->proto = IPPROTO_TCP;

    StreamTcpUTInit(&ra_ctx);

    /* to server: HTTP request; no alert yet */
    TcpStream *stream = &stream_ts;
    FAIL_IF(AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_ts,
                sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    FAIL_IF (PacketAlertCheck(p, 1));

    /* to client: undetectable data; the one-direction event must fire */
    stream = &stream_tc;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_tc,
                sizeof(buf_tc), STREAM_TOCLIENT | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    FAIL_IF (!PacketAlertCheck(p, 1));

    StreamTcpUTDeinit(ra_ctx);
    PASS;
}
736 
/**
 * \brief HTTP request followed by TLS record bytes on the response side:
 * each direction is detected as a different protocol, so a rule on
 * applayer_mismatch_protocol_both_directions must alert once the to-client
 * data has been processed, and not before.
 *
 * NOTE(review): this rendering drops the `de_ctx` creation line before its
 * NULL check and the SigGroupBuild call after SigInit. sizeof(buf_ts)
 * includes the literal's terminating NUL (buf_tc is an exact byte array),
 * and the PASS path frees only ra_ctx -- p, f, de_ctx and det_ctx are left
 * allocated.
 */
static int DetectAppLayerEventTest05(void)
{
    ThreadVars tv;
    TcpReassemblyThreadCtx *ra_ctx = NULL;
    Packet *p = NULL;
    Flow *f = NULL;
    TcpSession ssn;
    TcpStream stream_ts, stream_tc;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
        "Host: 127.0.0.1\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        "Accept-Language: en-us,en;q=0.5\r\n"
        "Accept-Encoding: gzip,deflate\r\n"
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
        "Keep-Alive: 115\r\n"
        "Connection: keep-alive\r\n"
        "\r\n";
    /* tls */
    uint8_t buf_tc[] = {
        0x16, 0x03, 0x01, 0x00, 0x86, 0x10, 0x00, 0x00,
        0x82, 0x00, 0x80, 0xd3, 0x6f, 0x1f, 0x63, 0x82,
        0x8d, 0x75, 0x77, 0x8c, 0x91, 0xbc, 0xa1, 0x3d,
        0xbb, 0xe1, 0xb5, 0xd3, 0x31, 0x92, 0x59, 0x2b,
        0x2c, 0x43, 0x96, 0xa3, 0xaa, 0x23, 0x92, 0xd0,
        0x91, 0x2a, 0x5e, 0x10, 0x5b, 0xc8, 0xc1, 0xe2,
        0xd3, 0x5c, 0x8b, 0x8c, 0x91, 0x9e, 0xc2, 0xf2,
        0x9c, 0x3c, 0x4f, 0x37, 0x1e, 0x20, 0x5e, 0x33,
        0xd5, 0xf0, 0xd6, 0xaf, 0x89, 0xf5, 0xcc, 0xb2,
        0xcf, 0xc1, 0x60, 0x3a, 0x46, 0xd5, 0x4e, 0x2a,
        0xb6, 0x6a, 0xb9, 0xfc, 0x32, 0x8b, 0xe0, 0x6e,
        0xa0, 0xed, 0x25, 0xa0, 0xa4, 0x82, 0x81, 0x73,
        0x90, 0xbf, 0xb5, 0xde, 0xeb, 0x51, 0x8d, 0xde,
        0x5b, 0x6f, 0x94, 0xee, 0xba, 0xe5, 0x69, 0xfa,
        0x1a, 0x80, 0x30, 0x54, 0xeb, 0x12, 0x01, 0xb9,
        0xfe, 0xbf, 0x82, 0x95, 0x01, 0x7b, 0xb0, 0x97,
        0x14, 0xc2, 0x06, 0x3c, 0x69, 0xfb, 0x1c, 0x66,
        0x47, 0x17, 0xd9, 0x14, 0x03, 0x01, 0x00, 0x01,
        0x01, 0x16, 0x03, 0x01, 0x00, 0x30, 0xf6, 0xbc,
        0x0d, 0x6f, 0xe8, 0xbb, 0xaa, 0xbf, 0x14, 0xeb,
        0x7b, 0xcc, 0x6c, 0x28, 0xb0, 0xfc, 0xa6, 0x01,
        0x2a, 0x97, 0x96, 0x17, 0x5e, 0xe8, 0xb4, 0x4e,
        0x78, 0xc9, 0x04, 0x65, 0x53, 0xb6, 0x93, 0x3d,
        0xeb, 0x44, 0xee, 0x86, 0xf9, 0x80, 0x49, 0x45,
        0x21, 0x34, 0xd1, 0xee, 0xc8, 0x9c,
    };

    memset(&tv, 0, sizeof (ThreadVars));
    memset(&ssn, 0, sizeof(TcpSession));
    memset(&stream_ts, 0, sizeof(TcpStream));
    memset(&stream_tc, 0, sizeof(TcpStream));

    ssn.data_first_seen_dir = STREAM_TOSERVER;

    /* (dropped line) de_ctx creation */
    FAIL_IF (de_ctx == NULL);
    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(app-layer-event: applayer_mismatch_protocol_both_directions; "
            "sid:1;)");
    FAIL_IF (de_ctx->sig_list == NULL);
    /* (dropped line) SigGroupBuild */
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
    FAIL_IF (f == NULL);
    FLOW_INITIALIZE(f);
    f->protoctx = &ssn;
    f->proto = IPPROTO_TCP;
    f->flags |= FLOW_IPV4;

    p = PacketGetFromAlloc();
    FAIL_IF (unlikely(p == NULL));
    p->flow = f;
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->proto = IPPROTO_TCP;

    StreamTcpUTInit(&ra_ctx);

    /* to server: HTTP request; no alert yet */
    TcpStream *stream = &stream_ts;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_ts,
                sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    FAIL_IF (PacketAlertCheck(p, 1));

    /* to client: TLS bytes; the mismatch event must fire */
    stream = &stream_tc;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_tc,
                sizeof(buf_tc), STREAM_TOCLIENT | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    FAIL_IF (!PacketAlertCheck(p, 1));

    StreamTcpUTDeinit(ra_ctx);
    PASS;
}
837 
/**
 * \brief "file.test" is the one prefix without a parser: the first pass must
 * accept it with alproto left at ALPROTO_UNKNOWN, and the second pass must
 * resolve the event through the detect engine rather than a parser.
 *
 * NOTE(review): this rendering drops one FAIL_IF line after the alproto
 * check (presumably on needs_detctx or event_id). A FAIL_IF before the free
 * leaves aled allocated.
 */
static int DetectAppLayerEventTest06(void)
{
    AppLayerEventType event_type;
    uint8_t ipproto_bitarray[256 / 8];
    memset(ipproto_bitarray, 0, sizeof(ipproto_bitarray));
    ipproto_bitarray[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);

    DetectAppLayerEventData *aled = DetectAppLayerEventParse("file.test",
            &event_type);

    FAIL_IF_NULL(aled);

    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);

    FAIL_IF(aled->alproto != ALPROTO_UNKNOWN);
    /* (dropped line) */

    DetectAppLayerEventFree(NULL, aled);
    PASS;
}
858 
/**
 * \brief Registers the unit tests for the "app-layer-event" keyword with the
 * test runner, in the order listed in the table below.
 */
static void DetectAppLayerEventRegisterTests(void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectAppLayerEventTest01", DetectAppLayerEventTest01 },
        { "DetectAppLayerEventTest02", DetectAppLayerEventTest02 },
        { "DetectAppLayerEventTest03", DetectAppLayerEventTest03 },
        { "DetectAppLayerEventTest04", DetectAppLayerEventTest04 },
        { "DetectAppLayerEventTest05", DetectAppLayerEventTest05 },
        { "DetectAppLayerEventTest06", DetectAppLayerEventTest06 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++)
        UtRegisterTest(tests[i].name, tests[i].fn);
}
871 #endif /* UNITTESTS */
SigMatchCtx * ctx
Definition: detect.h:316
DetectProto_::proto
uint8_t proto[256/8]
Definition: detect-engine-proto.h:37
util-profiling.h
Signature_::flags
uint32_t flags
Definition: detect.h:541
Packet_
Definition: decode.h:428
detect-engine-build.h
stream-tcp-private.h
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:224
detect-engine-alert.h
AppLayerParserRegisterGetEventInfo
void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfo)(const char *event_name, int *event_id, AppLayerEventType *event_type))
Definition: app-layer-parser.c:585
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:611
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1206
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:534
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:228
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:239
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:40
decode-events.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1951
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:308
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:407
Packet_::flow
struct Flow_ * flow
Definition: decode.h:465
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3153
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectEngineGetEventInfo
int DetectEngineGetEventInfo(const char *event_name, int *event_id, AppLayerEventType *event_type)
Definition: detect-engine.c:4658
SCMapEnumNameToValue
int SCMapEnumNameToValue(const char *enum_name, SCEnumCharMap *table)
Maps a string name to an enum value from the supplied table. Please specify the last element of any m...
Definition: util-enum.c:40
flags
uint8_t flags
Definition: decode-gre.h:0
Signature_::proto
DetectProto proto
Definition: detect.h:558
SigMatchData_::is_last
uint8_t is_last
Definition: detect.h:324
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:314
SCEnumCharMap_
Definition: util-enum.h:27
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:791
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:173
APP_LAYER_EVENT_TEST_MAP_EVENT3
#define APP_LAYER_EVENT_TEST_MAP_EVENT3
Definition: detect-app-layer-event.c:437
APP_LAYER_EVENT_TEST_MAP_EVENT1
#define APP_LAYER_EVENT_TEST_MAP_EVENT1
Definition: detect-app-layer-event.c:435
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::flags
uint32_t flags
Definition: flow.h:427
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
SigMatch_
a single match condition for a signature
Definition: detect.h:313
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:66
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2403
AppLayerGetPktEventInfo
int AppLayerGetPktEventInfo(const char *event_name, int *event_id)
Definition: app-layer-events.c:68
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:59
app-layer-protos.h
app_layer_event_test_map
SCEnumCharMap app_layer_event_test_map[]
Definition: detect-app-layer-event.c:442
Address_::family
char family
Definition: decode.h:115
Packet_::dst
Address dst
Definition: decode.h:433
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:786
app-layer-smtp.h
TcpSession_
Definition: stream-tcp-private.h:272
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:277
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:456
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
util-enum.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:354
Packet_::src
Address src
Definition: decode.h:432
DetectAppLayerEventData_::arg
char * arg
Definition: detect-app-layer-event.c:61
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1230
APP_LAYER_EVENT_TEST_MAP_EVENT5
#define APP_LAYER_EVENT_TEST_MAP_EVENT5
Definition: detect-app-layer-event.c:439
app-layer.h
AppLayerParserGetEventInfo
int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name, int *event_id, AppLayerEventType *event_type)
Definition: app-layer-parser.c:1158