1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "decode.h"
27 
28 #include "app-layer.h"
29 #include "app-layer-protos.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-smtp.h"
32 #include "detect.h"
33 #include "detect-parse.h"
34 #include "detect-engine.h"
35 #include "detect-engine-state.h"
36 #include "detect-app-layer-event.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "decode-events.h"
43 #include "util-byte.h"
44 #include "util-debug.h"
45 #include "util-unittest.h"
46 #include "util-unittest-helper.h"
47 #include "stream-tcp-util.h"
48 
/* Upper bound on the length of the app-layer-event argument. Both
 * "proto.event" parse passes below size their alproto_name stack buffer with
 * it and reject longer arguments before copying anything. */
#define MAX_ALPROTO_NAME 50

/* Keyword callbacks wired into sigmatch_table by DetectAppLayerEventRegister(). */
static int DetectAppLayerEventPktMatch(DetectEngineThreadCtx *det_ctx,
        Packet *p, const Signature *s, const SigMatchCtx *ctx);
static int DetectAppLayerEventSetupP1(DetectEngineCtx *, Signature *, const char *);
static void DetectAppLayerEventRegisterTests(void);
static void DetectAppLayerEventFree(DetectEngineCtx *, void *);
/* Inspect-engine callback for the "app-layer-events" buffer.
 * NOTE(review): listing line 57 (one parameter line of this prototype,
 * presumably the det_ctx parameter that the body passes to
 * KEYWORD_PROFILING_END) is missing from this page. */
static int DetectEngineAptEventInspect(ThreadVars *tv,
        const Signature *s, const SigMatchData *smd,
        Flow *f, uint8_t flags, void *alstate,
        void *tx, uint64_t tx_id);
/* List id of the "app-layer-events" sigmatch list, looked up by name in
 * DetectAppLayerEventRegister(); stays 0 until registration has run. */
static int g_applayer_events_list_id = 0;
62 
/**
 * \brief Registers the keyword handlers for the "app-layer-event" keyword.
 *
 * Fills the sigmatch_table slot for DETECT_AL_APP_LAYER_EVENT, registers the
 * "app-layer-events" inspect engine twice with DetectEngineAptEventInspect
 * and caches that buffer's list id in g_applayer_events_list_id for the
 * setup and prepare functions.
 *
 * NOTE(review): this listing is missing line 66 (the function signature,
 * given by the symbol index as `void DetectAppLayerEventRegister(void)`),
 * line 71 (presumably the `.Match =` assignment whose right-hand side,
 * DetectAppLayerEventPktMatch, is visible), line 75 (presumably the
 * `.RegisterTests =` assignment) and lines 79 and 82 (the remaining
 * arguments that distinguish the two DetectAppLayerInspectEngineRegister
 * calls; the index lists SIG_FLAG_TOSERVER and SIG_FLAG_TOCLIENT).
 */
{
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].name = "app-layer-event";
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].desc = "match on events generated by the App Layer Parsers and the protocol detection engine";
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].url = "/rules/app-layer.html#app-layer-event";
            DetectAppLayerEventPktMatch;
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Setup = DetectAppLayerEventSetupP1;
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Free = DetectAppLayerEventFree;
            DetectAppLayerEventRegisterTests;

    DetectAppLayerInspectEngineRegister("app-layer-events",
            DetectEngineAptEventInspect);
    DetectAppLayerInspectEngineRegister("app-layer-events",
            DetectEngineAptEventInspect);

    /* resolved by name so the id stays in sync with the buffer registry */
    g_applayer_events_list_id = DetectBufferTypeGetByName("app-layer-events");
}
87 
/**
 * \brief Inspect-engine callback: requires every app-layer-event sigmatch in
 *        \a smd to be set on the transaction's decoder events.
 *
 * Fetches the events recorded for \a tx and walks the SigMatchData chain;
 * the first event that is not set ends the walk with r == 0. r becomes 1
 * only when the last entry (smd->is_last) has also matched.
 *
 * NOTE(review): this listing is missing line 89 (a parameter line,
 * presumably det_ctx, which KEYWORD_PROFILING_END uses below), lines
 * 102-103 (the per-iteration setup that defines `aled`, presumably from
 * smd->ctx; the symbol index lists KEYWORD_PROFILING_START and
 * SigMatchData_::ctx) and the return statements on lines 122, 125, 127 and
 * 129. The index names DETECT_ENGINE_INSPECT_SIG_MATCH,
 * DETECT_ENGINE_INSPECT_SIG_CANT_MATCH and
 * AppLayerParserGetStateProgressCompletionStatus, which fits the
 * match / can't-match / no-match split at `end:`, but the exact return
 * values cannot be confirmed from this page.
 */
static int DetectEngineAptEventInspect(ThreadVars *tv,
        const Signature *s, const SigMatchData *smd,
        Flow *f, uint8_t flags, void *alstate,
        void *tx, uint64_t tx_id)
{
    int r = 0;
    const AppProto alproto = f->alproto;
    /* events are stored per transaction, keyed by ip proto and app proto */
    AppLayerDecoderEvents *decoder_events =
            AppLayerParserGetEventsByTx(f->proto, alproto, tx);
    if (decoder_events == NULL)
        goto end;

    while (1) {
        /* NOTE(review): listing lines 102-103 are missing here; `aled` is
         * used below without a visible definition. */

        if (AppLayerDecoderEventsIsEventSet(decoder_events, aled->event_id)) {
            KEYWORD_PROFILING_END(det_ctx, smd->type, 1);

            /* whole chain matched */
            if (smd->is_last)
                break;
            smd++;
            continue;
        }

        /* this event is not set: stop at the first miss */
        KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
        goto end;
    }

    r = 1;

end:
    if (r == 1) {
        /* NOTE(review): listing line 122 (the match return) is missing. */
    } else {
        /* Compares the tx progress for this direction against a completion
         * status (right-hand side on the missing line 125); presumably this
         * separates "no match yet" from "can't match anymore". Lines 127 and
         * 129 (the two returns) are missing from the listing as well. */
        if (AppLayerParserGetStateProgress(f->proto, alproto, tx, flags) ==
        {
        } else {
        }
    }
}
133 
134 
/**
 * \brief Match callback for packet-scoped app-layer events.
 *
 * \param det_ctx detection thread context (not used here)
 * \param p       packet whose app_layer_events are consulted
 * \param s       signature (not used here)
 * \param ctx     DetectAppLayerEventData holding the event id to test
 *
 * \return result of AppLayerDecoderEventsIsEventSet() for the packet's events
 */
static int DetectAppLayerEventPktMatch(DetectEngineThreadCtx *det_ctx,
        Packet *p, const Signature *s, const SigMatchCtx *ctx)
{
    const DetectAppLayerEventData *data = (const DetectAppLayerEventData *)ctx;
    const int wanted_event = data->event_id;

    return AppLayerDecoderEventsIsEventSet(p->app_layer_events, wanted_event);
}
143 
/**
 * \brief Parses a packet-scoped event name (an argument without a '.').
 *
 * \param arg        event name, leading whitespace already stripped by the caller
 * \param event_type set to APP_LAYER_EVENT_TYPE_PACKET on success
 *
 * \retval aled newly allocated DetectAppLayerEventData with event_id set;
 *              released through DetectAppLayerEventFree
 * \retval NULL when AppLayerGetPktEventInfo rejects the name (logged) or on OOM
 *
 * NOTE(review): listing line 156, which defines `aled`, is missing from this
 * page; the sibling DetectAppLayerEventParseAppP1 allocates with
 * SCCalloc(1, sizeof(*aled)), presumably the same is done here.
 */
static DetectAppLayerEventData *DetectAppLayerEventParsePkt(const char *arg,
        AppLayerEventType *event_type)
{
    int event_id = 0;
    int r = AppLayerGetPktEventInfo(arg, &event_id);
    if (r < 0) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword "
                "supplied with packet based event - \"%s\" that isn't "
                "supported yet.", arg);
        return NULL;
    }

    if (unlikely(aled == NULL))
        return NULL;
    aled->event_id = event_id;
    *event_type = APP_LAYER_EVENT_TYPE_PACKET;

    return aled;
}
164 
/**
 * \brief Second parse pass for "<alproto>.<event>" arguments: resolves the
 *        event name against the signature's ip proto and app proto.
 *
 * Runs from DetectAppLayerEventSetupP2 once the signature's ip proto bitmap
 * is available, since the event lookup is keyed by ip proto as well.
 *
 * \param data             keyword data from the first pass: data->arg is the
 *                         full "proto.event" string, data->alproto and
 *                         data->needs_detctx were set by ParseAppP1
 * \param ipproto_bitarray signature ip proto bitmap (s->proto.proto)
 * \param event_type       set by the event-info lookup
 *
 * \retval int 0 ok
 * \retval int -1 error
 * \retval int -3 non-fatal error: sig will be rejected w/o raising error
 *
 * NOTE(review): listing line 201, the condition that picks between the -1
 * and -3 branches below, is missing from this page; the symbol index lists
 * SigMatchStrictEnabled, presumably what it tests.
 */
static int DetectAppLayerEventParseAppP2(DetectAppLayerEventData *data,
        uint8_t *ipproto_bitarray,
        AppLayerEventType *event_type)
{
    int event_id = 0;
    uint8_t ipproto;
    char alproto_name[MAX_ALPROTO_NAME];
    int r = 0;

    /* p_idx is assumed non-NULL: DetectAppLayerEventParse() only routes
     * arguments that contain a '.' to the app-layer parsers */
    const char *p_idx = strchr(data->arg, '.');
    /* bounding the whole argument guarantees the prefix copy below fits:
     * p_idx - arg + 1 <= strlen(arg) <= MAX_ALPROTO_NAME */
    if (strlen(data->arg) > MAX_ALPROTO_NAME) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword is too long or malformed");
        return -1;
    }
    /* copy only the protocol prefix; the size includes the trailing \0 */
    strlcpy(alproto_name, data->arg, p_idx - data->arg + 1);

    /* TCP wins when both bits are set */
    if (ipproto_bitarray[IPPROTO_TCP / 8] & 1 << (IPPROTO_TCP % 8)) {
        ipproto = IPPROTO_TCP;
    } else if (ipproto_bitarray[IPPROTO_UDP / 8] & 1 << (IPPROTO_UDP % 8)) {
        ipproto = IPPROTO_UDP;
    } else {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "protocol %s is disabled", alproto_name);
        return -1;
    }

    /* "file" events (needs_detctx, see ParseAppP1) are not owned by an
     * app-layer parser and are resolved by the detect engine instead */
    if (!data->needs_detctx) {
        r = AppLayerParserGetEventInfo(ipproto, data->alproto,
                p_idx + 1, &event_id, event_type);
    } else {
        r = DetectEngineGetEventInfo(p_idx + 1, &event_id, event_type);
    }
    if (r < 0) {
        /* NOTE(review): listing line 201 (the branch condition) is missing */
            SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword's "
                    "protocol \"%s\" doesn't have event \"%s\" registered",
                    alproto_name, p_idx + 1);
            return -1;
        } else {
            SCLogWarning(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword's "
                    "protocol \"%s\" doesn't have event \"%s\" registered",
                    alproto_name, p_idx + 1);
            return -3;
        }
    }
    data->event_id = event_id;

    return 0;
}
217 
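/**
 * \brief First parse pass for "<alproto>.<event>" arguments: resolves the
 *        protocol prefix and keeps the raw argument for the second pass.
 *
 * The event part is not resolved here because that lookup needs the
 * signature's ip proto, which is only known later
 * (see DetectAppLayerEventParseAppP2).
 *
 * \param arg keyword argument; expected to contain a '.', leading whitespace
 *            already stripped by the caller
 *
 * \retval aled newly allocated data with alproto, a copy of arg and
 *              needs_detctx set; released through DetectAppLayerEventFree
 * \retval NULL on a malformed or too long argument, an unknown protocol
 *              (both logged) or OOM
 */
static DetectAppLayerEventData *DetectAppLayerEventParseAppP1(const char *arg)
{
    char alproto_name[MAX_ALPROTO_NAME];
    bool needs_detctx = false;

    /* period index */
    const char *p_idx = strchr(arg, '.');
    /* The caller only routes arguments with a '.' here, but guard anyway so
     * the pointer arithmetic below can never run on a NULL p_idx. Bounding
     * the whole argument also guarantees the prefix copy fits alproto_name:
     * p_idx - arg + 1 <= strlen(arg) <= MAX_ALPROTO_NAME. */
    if (p_idx == NULL || strlen(arg) > MAX_ALPROTO_NAME) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword is too long or malformed");
        return NULL;
    }
    /* + 1 for trailing \0 */
    strlcpy(alproto_name, arg, p_idx - arg + 1);

    const AppProto alproto = AppLayerGetProtoByName(alproto_name);
    if (alproto == ALPROTO_UNKNOWN) {
        /* "file" is not an app-layer protocol; the second pass resolves its
         * events through DetectEngineGetEventInfo instead */
        if (strcmp(alproto_name, "file") == 0) {
            needs_detctx = true;
        } else {
            SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword "
                    "supplied with unknown protocol \"%s\"",
                    alproto_name);
            return NULL;
        }
    }

    DetectAppLayerEventData *aled = SCCalloc(1, sizeof(*aled));
    if (unlikely(aled == NULL))
        return NULL;
    aled->alproto = alproto;
    /* keep the raw argument: the event name is looked up in pass two */
    aled->arg = SCStrdup(arg);
    if (aled->arg == NULL) {
        SCFree(aled);
        return NULL;
    }
    aled->needs_detctx = needs_detctx;

    return aled;
}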
257 
/**
 * \brief Entry point for parsing the app-layer-event keyword argument.
 *
 * Dispatches on the presence of a '.': "proto.event" goes to the app-layer
 * first pass, a bare name to the packet-event parser.
 *
 * \param arg        raw keyword argument, may be NULL
 * \param event_type reset to 0; the packet parser sets it, the app-layer
 *                   path leaves it untouched until the second pass runs
 *
 * \retval data allocated keyword data
 * \retval NULL on a missing argument (logged) or when the chosen parser fails
 */
static DetectAppLayerEventData *DetectAppLayerEventParse(const char *arg,
        AppLayerEventType *event_type)
{
    *event_type = 0;

    if (arg == NULL) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword supplied "
                "with no arguments. This keyword needs an argument.");
        return NULL;
    }

    /* tolerate leading whitespace after the keyword's colon */
    const char *start = arg;
    while (*start != '\0' && isspace((unsigned char)*start))
        start++;

    const bool is_app_event = (strchr(start, '.') != NULL);
    if (!is_app_event)
        return DetectAppLayerEventParsePkt(start, event_type);

    return DetectAppLayerEventParseAppP1(start);
}
278 
/**
 * \brief Second setup pass, run from DetectAppLayerEventPrepare once the
 *        signature's protocols are known.
 *
 * Resolves the event id through DetectAppLayerEventParseAppP2 and puts the
 * sigmatch back on the app-layer-events list.
 *
 * \param de_ctx detection engine context
 * \param s      signature being built
 * \param sm     sigmatch the caller detached from the list beforehand
 *
 * \retval 0 on success
 * \retval <0 the ParseAppP2 error code; \a sm has been freed
 */
static int DetectAppLayerEventSetupP2(DetectEngineCtx *de_ctx,
        Signature *s,
        SigMatch *sm)
{
    AppLayerEventType event_type = 0;
    DetectAppLayerEventData *data = (DetectAppLayerEventData *)sm->ctx;

    const int ret = DetectAppLayerEventParseAppP2(data, s->proto.proto, &event_type);
    if (ret >= 0) {
        SigMatchAppendSMToList(s, sm, g_applayer_events_list_id);
        /* We should have set this flag already in SetupP1 */
        s->flags |= SIG_FLAG_APPLAYER;
        return 0;
    }

    /* DetectAppLayerEventParseAppP2 prints errors */

    /* sm has been removed from lists by DetectAppLayerEventPrepare */
    SigMatchFree(de_ctx, sm);
    return ret;
}
300 
/**
 * \brief Setup callback for the "app-layer-event" keyword (first pass).
 *
 * Parses the argument and attaches a SigMatch. Packet events are complete
 * here; app-layer events only get their alproto bound to the signature and
 * are finished in DetectAppLayerEventSetupP2 (via DetectAppLayerEventPrepare)
 * once the signature's ip proto is known.
 *
 * \retval 0 ok
 * \retval -1 parse failure, allocation failure or alproto conflict
 *
 * NOTE(review): listing line 313 (between the sm allocation and `sm->ctx =`)
 * and line 317 (the body of the packet-event branch; the symbol index lists
 * DETECT_SM_LIST_MATCH) are missing from this page.
 */
static int DetectAppLayerEventSetupP1(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
    AppLayerEventType event_type;

    DetectAppLayerEventData *data = DetectAppLayerEventParse(arg, &event_type);
    if (data == NULL)
        SCReturnInt(-1);

    SigMatch *sm = SigMatchAlloc();
    if (sm == NULL)
        goto error;

    sm->ctx = (SigMatchCtx *)data;

    if (event_type == APP_LAYER_EVENT_TYPE_PACKET) {
        /* NOTE(review): listing line 317 is missing here */
    } else {
        if (DetectSignatureSetAppProto(s, data->alproto) != 0)
            goto error;

        SigMatchAppendSMToList(s, sm, g_applayer_events_list_id);
    }

    return 0;

error:
    /* data is freed explicitly, so detach it from sm first; presumably
     * SigMatchFree would otherwise release it again via the keyword's Free
     * callback */
    if (data) {
        DetectAppLayerEventFree(de_ctx, data);
    }
    if (sm) {
        sm->ctx = NULL;
        SigMatchFree(de_ctx, sm);
    }
    return -1;
}
337 
/**
 * \brief Free callback for DetectAppLayerEventData.
 *
 * \param de_ctx detection engine context (not used)
 * \param ptr    DetectAppLayerEventData from one of the parse functions; its
 *               arg string (SCStrdup'd by ParseAppP1, never set by ParsePkt)
 *               is released before the struct itself
 *
 * NOTE(review): listing line 340, which defines `data` from \a ptr, is
 * missing from this page.
 */
static void DetectAppLayerEventFree(DetectEngineCtx *de_ctx, void *ptr)
{
    if (data->arg != NULL)
        SCFree(data->arg);

    SCFree(ptr);

    return;
}
348 
/**
 * \brief Finishes the app-layer-event sigmatches of a signature once its
 *        protocol is known, by running the second setup pass on each one.
 *
 * Detaches the whole "app-layer-events" list from the signature, then hands
 * every SigMatch to DetectAppLayerEventSetupP2, which re-appends it on
 * success. On failure the failing entry has already been freed by SetupP2;
 * the not-yet-processed remainder is freed here, while entries re-appended
 * by earlier iterations remain on the list.
 *
 * \retval 0 ok
 * \retval <0 first error returned by DetectAppLayerEventSetupP2
 *
 * NOTE(review): listing line 349, the function signature, is missing from
 * this page; the symbol index gives it as
 * `int DetectAppLayerEventPrepare(DetectEngineCtx *de_ctx, Signature *s)`.
 */
{
    SigMatch *sm = s->init_data->smlists[g_applayer_events_list_id];
    SigMatch *smn;
    /* empty the list; SetupP2 re-appends each entry it accepts */
    s->init_data->smlists[g_applayer_events_list_id] = NULL;
    s->init_data->smlists_tail[g_applayer_events_list_id] = NULL;

    while (sm != NULL) {
        // save it for later use in loop
        smn = sm->next;
        /* these will be overwritten in SigMatchAppendSMToList
         * called by DetectAppLayerEventSetupP2
         */
        sm->next = sm->prev = NULL;
        int ret = DetectAppLayerEventSetupP2(de_ctx, s, sm);
        if (ret < 0) {
            // current one was freed, let's free the next ones
            sm = smn;
            while(sm) {
                smn = sm->next;
                SigMatchFree(de_ctx, sm);
                sm = smn;
            }
            return ret;
        }
        sm = smn;
    }

    return 0;
}
379 
380 /**********************************Unittests***********************************/
381 
382 #ifdef UNITTESTS /* UNITTESTS */
383 #include "stream-tcp-private.h"
384 #include "stream-tcp-reassemble.h"
385 #include "stream-tcp.h"
386 
/* Event ids used by the test event map below. */
#define APP_LAYER_EVENT_TEST_MAP_EVENT1 0
#define APP_LAYER_EVENT_TEST_MAP_EVENT2 1
#define APP_LAYER_EVENT_TEST_MAP_EVENT3 2
#define APP_LAYER_EVENT_TEST_MAP_EVENT4 3
#define APP_LAYER_EVENT_TEST_MAP_EVENT5 4
#define APP_LAYER_EVENT_TEST_MAP_EVENT6 5

/* Name -> id map consulted by DetectAppLayerEventTestGetEventInfo().
 * NOTE(review): listing line 394, the array's declaration line (the symbol
 * `app_layer_event_test_map` used below), is missing from this page. */
    { "event1", APP_LAYER_EVENT_TEST_MAP_EVENT1 },
    { "event2", APP_LAYER_EVENT_TEST_MAP_EVENT2 },
    { "event3", APP_LAYER_EVENT_TEST_MAP_EVENT3 },
    { "event4", APP_LAYER_EVENT_TEST_MAP_EVENT4 },
    { "event5", APP_LAYER_EVENT_TEST_MAP_EVENT5 },
    { "event6", APP_LAYER_EVENT_TEST_MAP_EVENT6 },
};
402 
/**
 * \brief Test stand-in for a parser's GetEventInfo callback: maps an event
 *        name to its id through app_layer_event_test_map.
 *
 * \param event_name name to look up
 * \param event_id   receives the mapped id (-1 when not found)
 * \param event_type set to APP_LAYER_EVENT_TYPE_TRANSACTION on success
 *
 * \retval 0 found
 * \retval -1 name not present in the map (logged)
 */
static int DetectAppLayerEventTestGetEventInfo(const char *event_name,
        int *event_id,
        AppLayerEventType *event_type)
{
    const int mapped = SCMapEnumNameToValue(event_name, app_layer_event_test_map);
    *event_id = mapped;
    if (mapped == -1) {
        SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in "
                "app-layer-event's test enum map table.", event_name);
        /* this should be treated as fatal */
        return -1;
    }

    *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
    return 0;
}
419 
420 
/**
 * \brief Parses "smtp.event1" through both passes and checks the resulting
 *        alproto (and, on a missing line, presumably the event id).
 *
 * NOTE(review): listing lines 423-424 (setup preceding the visible
 * `DetectAppLayerEventTestGetEventInfo);` argument; the symbol index lists
 * AppLayerParserBackupParserTable and AppLayerParserRegisterGetEventInfo),
 * 442 (the rest of the condition started by `aled->alproto != ALPROTO_SMTP ||`)
 * and 450 (cleanup before the NULL check) are missing from this page.
 */
static int DetectAppLayerEventTest01(void)
{
            DetectAppLayerEventTestGetEventInfo);

    AppLayerEventType event_type;
    int result = 0;
    /* signature ip proto bitmap with only TCP set */
    uint8_t ipproto_bitarray[256 / 8];
    memset(ipproto_bitarray, 0, sizeof(ipproto_bitarray));
    ipproto_bitarray[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);

    DetectAppLayerEventData *aled = DetectAppLayerEventParse("smtp.event1",
            &event_type);
    if (aled == NULL)
        goto end;
    if (DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0) {
        printf("failure 1\n");
        goto end;
    }
    if (aled->alproto != ALPROTO_SMTP ||
        printf("test failure. Holding wrong state\n");
        goto end;
    }

    result = 1;

end:
    if (aled != NULL)
        DetectAppLayerEventFree(NULL, aled);
    return result;
}
455 
/**
 * \brief Parses several "proto.eventN" arguments with test event-info
 *        callbacks registered for the protocols and checks each alproto.
 *
 * NOTE(review): this listing is missing lines 458-467 except the trailing
 * `DetectAppLayerEventTestGetEventInfo);` arguments (presumably the
 * AppLayerParserBackupParserTable / AppLayerParserRegisterGetEventInfo
 * setup named in the symbol index), one line after each alproto check
 * (479, 486, 493, 500, 507 — presumably the event id checks) and line 509
 * before the final free. Only the last `aled` is visibly freed; whether the
 * earlier ones are released on a missing line cannot be told from this page.
 */
static int DetectAppLayerEventTest02(void)
{

            DetectAppLayerEventTestGetEventInfo);
            DetectAppLayerEventTestGetEventInfo);
            DetectAppLayerEventTestGetEventInfo);
            DetectAppLayerEventTestGetEventInfo);

    AppLayerEventType event_type;
    /* signature ip proto bitmap with only TCP set */
    uint8_t ipproto_bitarray[256 / 8];
    memset(ipproto_bitarray, 0, sizeof(ipproto_bitarray));
    ipproto_bitarray[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);

    DetectAppLayerEventData *aled = DetectAppLayerEventParse("smtp.event1",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_SMTP);

    aled = DetectAppLayerEventParse("smtp.event4",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_SMTP);

    aled = DetectAppLayerEventParse("http.event2",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_HTTP);

    aled = DetectAppLayerEventParse("smb.event3",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_SMB);

    aled = DetectAppLayerEventParse("ftp.event5",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_FTP);

    DetectAppLayerEventFree(NULL, aled);
    PASS;
}
513 
/**
 * \brief End-to-end check that applayer_mismatch_protocol_both_directions
 *        does not fire for a plain HTTP request/response pair.
 *
 * Pushes an HTTP request to-server and an HTTP response to-client through
 * the app-layer handler, running detection after each; the sid 1 alert must
 * be absent both times.
 *
 * NOTE(review): listing lines 553 and 555 (setup before the de_ctx NULL
 * check), 562 (between SigInit and DetectEngineThreadCtxInit; the symbol
 * index lists SigGroupBuild), 581 and 590 (just before each stream handoff;
 * the index lists Packet_::flowflags, FLOW_PKT_TOSERVER and
 * FLOW_PKT_TOCLIENT) are missing from this page. No teardown of de_ctx,
 * det_ctx, p or f is visible in this listing.
 */
static int DetectAppLayerEventTest03(void)
{
    ThreadVars tv;
    TcpReassemblyThreadCtx *ra_ctx = NULL;
    Packet *p = NULL;
    Flow *f = NULL;
    TcpSession ssn;
    TcpStream stream_ts, stream_tc;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    /* to-server: ordinary HTTP request */
    uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
        "Host: 127.0.0.1\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        "Accept-Language: en-us,en;q=0.5\r\n"
        "Accept-Encoding: gzip,deflate\r\n"
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
        "Keep-Alive: 115\r\n"
        "Connection: keep-alive\r\n"
        "\r\n";
    /* to-client: ordinary HTTP response, so both directions agree */
    uint8_t buf_tc[] = "HTTP/1.1 200 OK\r\n"
        "Date: Fri, 22 Oct 2010 12:31:08 GMT\r\n"
        "Server: Apache/2.2.15 (Unix) DAV/2\r\n"
        "Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT\r\n"
        "ETag: \"ab8486-2c-3e9564c23b600\"\r\n"
        "Accept-Ranges: bytes\r\n"
        "Content-Length: 44\r\n"
        "Keep-Alive: timeout=5, max=100\r\n"
        "Connection: Keep-Alive\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body><h1>It works!</h1></body></html>";

    memset(&tv, 0, sizeof (ThreadVars));
    memset(&ssn, 0, sizeof(TcpSession));
    memset(&stream_ts, 0, sizeof(TcpStream));
    memset(&stream_tc, 0, sizeof(TcpStream));


    FAIL_IF(de_ctx == NULL);
    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(app-layer-event: applayer_mismatch_protocol_both_directions; "
            "sid:1;)");
    FAIL_IF(de_ctx->sig_list == NULL);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
    FAIL_IF(f == NULL);
    FLOW_INITIALIZE(f);
    f->protoctx = &ssn;
    f->proto = IPPROTO_TCP;
    f->flags |= FLOW_IPV4;

    p = PacketGetFromAlloc();
    FAIL_IF(unlikely(p == NULL));
    p->flow = f;
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->proto = IPPROTO_TCP;

    StreamTcpUTInit(&ra_ctx);

    /* request direction: no alert expected */
    TcpStream *stream = &stream_ts;
    FAIL_IF(AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_ts,
            sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    FAIL_IF (PacketAlertCheck(p, 1));

    /* response direction: still no alert, protocols match */
    stream = &stream_tc;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_tc,
            sizeof(buf_tc), STREAM_TOCLIENT | STREAM_START) < 0);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    FAIL_IF(PacketAlertCheck(p, 1));

    StreamTcpUTDeinit(ra_ctx);
    PASS;
}
602 
/**
 * \brief End-to-end check that applayer_detect_protocol_only_one_direction
 *        fires when only the request is recognised.
 *
 * The request is HTTP but the response starts with "XTTP/1.1", so protocol
 * detection should succeed to-server only; the sid 1 alert must be absent
 * after the request and present after the response.
 *
 * NOTE(review): listing lines 642 and 644 (setup before the de_ctx NULL
 * check), 651 (between SigInit and DetectEngineThreadCtxInit; the symbol
 * index lists SigGroupBuild), 670 and 677 (just before each stream handoff;
 * the index lists Packet_::flowflags, FLOW_PKT_TOSERVER and
 * FLOW_PKT_TOCLIENT) are missing from this page. No teardown of de_ctx,
 * det_ctx, p or f is visible in this listing.
 */
static int DetectAppLayerEventTest04(void)
{
    ThreadVars tv;
    TcpReassemblyThreadCtx *ra_ctx = NULL;
    Packet *p = NULL;
    Flow *f = NULL;
    TcpSession ssn;
    TcpStream stream_ts, stream_tc;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    /* to-server: ordinary HTTP request */
    uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
        "Host: 127.0.0.1\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        "Accept-Language: en-us,en;q=0.5\r\n"
        "Accept-Encoding: gzip,deflate\r\n"
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
        "Keep-Alive: 115\r\n"
        "Connection: keep-alive\r\n"
        "\r\n";
    /* to-client: deliberately corrupted status line ("XTTP") so the
     * response is not detected as HTTP */
    uint8_t buf_tc[] = "XTTP/1.1 200 OK\r\n"
        "Date: Fri, 22 Oct 2010 12:31:08 GMT\r\n"
        "Server: Apache/2.2.15 (Unix) DAV/2\r\n"
        "Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT\r\n"
        "ETag: \"ab8486-2c-3e9564c23b600\"\r\n"
        "Accept-Ranges: bytes\r\n"
        "Content-Length: 44\r\n"
        "Keep-Alive: timeout=5, max=100\r\n"
        "Connection: Keep-Alive\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body><h1>It works!</h1></body></html>";

    memset(&tv, 0, sizeof (ThreadVars));
    memset(&ssn, 0, sizeof(TcpSession));
    memset(&stream_ts, 0, sizeof(TcpStream));
    memset(&stream_tc, 0, sizeof(TcpStream));


    FAIL_IF (de_ctx == NULL);
    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(app-layer-event: applayer_detect_protocol_only_one_direction; "
            "sid:1;)");
    FAIL_IF(de_ctx->sig_list == NULL);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
    FAIL_IF (f == NULL);
    FLOW_INITIALIZE(f);
    f->protoctx = &ssn;
    f->proto = IPPROTO_TCP;
    f->flags |= FLOW_IPV4;

    p = PacketGetFromAlloc();
    FAIL_IF(unlikely(p == NULL));
    p->flow = f;
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->proto = IPPROTO_TCP;

    StreamTcpUTInit(&ra_ctx);

    /* request direction: no alert yet */
    TcpStream *stream = &stream_ts;
    FAIL_IF(AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_ts,
            sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    FAIL_IF (PacketAlertCheck(p, 1));

    /* response direction: the one-direction event must now alert */
    stream = &stream_tc;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_tc,
            sizeof(buf_tc), STREAM_TOCLIENT | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    FAIL_IF (!PacketAlertCheck(p, 1));

    StreamTcpUTDeinit(ra_ctx);
    PASS;
}
687 
/**
 * \brief End-to-end check that applayer_mismatch_protocol_both_directions
 *        fires when the two directions detect different protocols.
 *
 * The request is HTTP while the response bytes are a TLS record (see the
 * "tls" fixture); the sid 1 alert must be absent after the request and
 * present after the response.
 *
 * NOTE(review): listing lines 743 and 745 (setup before the de_ctx NULL
 * check), 752 (between SigInit and DetectEngineThreadCtxInit; the symbol
 * index lists SigGroupBuild), 771 and 778 (just before each stream handoff;
 * the index lists Packet_::flowflags, FLOW_PKT_TOSERVER and
 * FLOW_PKT_TOCLIENT) are missing from this page. No teardown of de_ctx,
 * det_ctx, p or f is visible in this listing.
 */
static int DetectAppLayerEventTest05(void)
{
    ThreadVars tv;
    TcpReassemblyThreadCtx *ra_ctx = NULL;
    Packet *p = NULL;
    Flow *f = NULL;
    TcpSession ssn;
    TcpStream stream_ts, stream_tc;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    /* to-server: ordinary HTTP request */
    uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
        "Host: 127.0.0.1\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        "Accept-Language: en-us,en;q=0.5\r\n"
        "Accept-Encoding: gzip,deflate\r\n"
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
        "Keep-Alive: 115\r\n"
        "Connection: keep-alive\r\n"
        "\r\n";
    /* tls */
    uint8_t buf_tc[] = {
        0x16, 0x03, 0x01, 0x00, 0x86, 0x10, 0x00, 0x00,
        0x82, 0x00, 0x80, 0xd3, 0x6f, 0x1f, 0x63, 0x82,
        0x8d, 0x75, 0x77, 0x8c, 0x91, 0xbc, 0xa1, 0x3d,
        0xbb, 0xe1, 0xb5, 0xd3, 0x31, 0x92, 0x59, 0x2b,
        0x2c, 0x43, 0x96, 0xa3, 0xaa, 0x23, 0x92, 0xd0,
        0x91, 0x2a, 0x5e, 0x10, 0x5b, 0xc8, 0xc1, 0xe2,
        0xd3, 0x5c, 0x8b, 0x8c, 0x91, 0x9e, 0xc2, 0xf2,
        0x9c, 0x3c, 0x4f, 0x37, 0x1e, 0x20, 0x5e, 0x33,
        0xd5, 0xf0, 0xd6, 0xaf, 0x89, 0xf5, 0xcc, 0xb2,
        0xcf, 0xc1, 0x60, 0x3a, 0x46, 0xd5, 0x4e, 0x2a,
        0xb6, 0x6a, 0xb9, 0xfc, 0x32, 0x8b, 0xe0, 0x6e,
        0xa0, 0xed, 0x25, 0xa0, 0xa4, 0x82, 0x81, 0x73,
        0x90, 0xbf, 0xb5, 0xde, 0xeb, 0x51, 0x8d, 0xde,
        0x5b, 0x6f, 0x94, 0xee, 0xba, 0xe5, 0x69, 0xfa,
        0x1a, 0x80, 0x30, 0x54, 0xeb, 0x12, 0x01, 0xb9,
        0xfe, 0xbf, 0x82, 0x95, 0x01, 0x7b, 0xb0, 0x97,
        0x14, 0xc2, 0x06, 0x3c, 0x69, 0xfb, 0x1c, 0x66,
        0x47, 0x17, 0xd9, 0x14, 0x03, 0x01, 0x00, 0x01,
        0x01, 0x16, 0x03, 0x01, 0x00, 0x30, 0xf6, 0xbc,
        0x0d, 0x6f, 0xe8, 0xbb, 0xaa, 0xbf, 0x14, 0xeb,
        0x7b, 0xcc, 0x6c, 0x28, 0xb0, 0xfc, 0xa6, 0x01,
        0x2a, 0x97, 0x96, 0x17, 0x5e, 0xe8, 0xb4, 0x4e,
        0x78, 0xc9, 0x04, 0x65, 0x53, 0xb6, 0x93, 0x3d,
        0xeb, 0x44, 0xee, 0x86, 0xf9, 0x80, 0x49, 0x45,
        0x21, 0x34, 0xd1, 0xee, 0xc8, 0x9c,
    };

    memset(&tv, 0, sizeof (ThreadVars));
    memset(&ssn, 0, sizeof(TcpSession));
    memset(&stream_ts, 0, sizeof(TcpStream));
    memset(&stream_tc, 0, sizeof(TcpStream));


    FAIL_IF (de_ctx == NULL);
    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(app-layer-event: applayer_mismatch_protocol_both_directions; "
            "sid:1;)");
    FAIL_IF (de_ctx->sig_list == NULL);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
    FAIL_IF (f == NULL);
    FLOW_INITIALIZE(f);
    f->protoctx = &ssn;
    f->proto = IPPROTO_TCP;
    f->flags |= FLOW_IPV4;

    p = PacketGetFromAlloc();
    FAIL_IF (unlikely(p == NULL));
    p->flow = f;
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->proto = IPPROTO_TCP;

    StreamTcpUTInit(&ra_ctx);

    /* request direction: no alert yet */
    TcpStream *stream = &stream_ts;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_ts,
            sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    FAIL_IF (PacketAlertCheck(p, 1));

    /* response direction: protocol mismatch must now alert */
    stream = &stream_tc;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_tc,
            sizeof(buf_tc), STREAM_TOCLIENT | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    FAIL_IF (!PacketAlertCheck(p, 1));

    StreamTcpUTDeinit(ra_ctx);
    PASS;
}
788 
/**
 * \brief Checks the "file" pseudo-protocol path: "file.test" must parse
 *        through both passes with alproto left at ALPROTO_UNKNOWN.
 *
 * NOTE(review): listing line 804, following the alproto check (presumably a
 * further check on the parsed data), is missing from this page.
 */
static int DetectAppLayerEventTest06(void)
{
    AppLayerEventType event_type;
    /* signature ip proto bitmap with only TCP set */
    uint8_t ipproto_bitarray[256 / 8];
    memset(ipproto_bitarray, 0, sizeof(ipproto_bitarray));
    ipproto_bitarray[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);

    DetectAppLayerEventData *aled = DetectAppLayerEventParse("file.test",
            &event_type);

    FAIL_IF_NULL(aled);

    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);

    /* "file" is not an app-layer protocol, so no alproto is bound */
    FAIL_IF(aled->alproto != ALPROTO_UNKNOWN);

    DetectAppLayerEventFree(NULL, aled);
    PASS;
}
809 #endif /* UNITTESTS */
810 
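/**
 * \brief This function registers unit tests for "app-layer-event" keyword.
 *
 * Declared `static` near the top of the file; the definition now says so
 * too, so the storage class is visible at both sites. Compiles to an empty
 * function when UNITTESTS is not defined.
 */
static void DetectAppLayerEventRegisterTests(void)
{
#ifdef UNITTESTS /* UNITTESTS */
    UtRegisterTest("DetectAppLayerEventTest01", DetectAppLayerEventTest01);
    UtRegisterTest("DetectAppLayerEventTest02", DetectAppLayerEventTest02);
    UtRegisterTest("DetectAppLayerEventTest03", DetectAppLayerEventTest03);
    UtRegisterTest("DetectAppLayerEventTest04", DetectAppLayerEventTest04);
    UtRegisterTest("DetectAppLayerEventTest05", DetectAppLayerEventTest05);
    UtRegisterTest("DetectAppLayerEventTest06", DetectAppLayerEventTest06);
#endif /* UNITTESTS */
}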
SigMatch_::type
uint8_t type
Definition: detect.h:320
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:314
Packet_::flow
struct Flow_ * flow
Definition: decode.h:448
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2793
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
DetectEngineGetEventInfo
int DetectEngineGetEventInfo(const char *event_name, int *event_id, AppLayerEventType *event_type)
Definition: detect-engine.c:4270
SCMapEnumNameToValue
int SCMapEnumNameToValue(const char *enum_name, SCEnumCharMap *table)
Maps a string name to an enum value from the supplied table. Please specify the last element of any m...
Definition: util-enum.c:40
flags
uint8_t flags
Definition: decode-gre.h:0
Signature_::proto
DetectProto proto
Definition: detect.h:544
SigMatchData_::is_last
uint8_t is_last
Definition: detect.h:330
suricata-common.h
SCEnumCharMap_
Definition: util-enum.h:27
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:772
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:144
APP_LAYER_EVENT_TEST_MAP_EVENT3
#define APP_LAYER_EVENT_TEST_MAP_EVENT3
Definition: detect-app-layer-event.c:389
APP_LAYER_EVENT_TEST_MAP_EVENT1
#define APP_LAYER_EVENT_TEST_MAP_EVENT1
Definition: detect-app-layer-event.c:387
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::flags
uint32_t flags
Definition: flow.h:396
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:30
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2044
AppLayerGetPktEventInfo
int AppLayerGetPktEventInfo(const char *event_name, int *event_id)
Definition: app-layer-events.c:67
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:60
app-layer-protos.h
app_layer_event_test_map
SCEnumCharMap app_layer_event_test_map[]
Definition: detect-app-layer-event.c:394
Address_::family
char family
Definition: decode.h:114
Packet_::dst
Address dst
Definition: decode.h:416
SC_ERR_INVALID_ENUM_MAP
@ SC_ERR_INVALID_ENUM_MAP
Definition: util-error.h:45
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:767
app-layer-smtp.h
TcpSession_
Definition: stream-tcp-private.h:260
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:265
flow.h
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
Definition: detect-engine.c:170
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:425
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
Packet_::src
Address src
Definition: decode.h:415
DetectAppLayerEventData_::arg
char * arg
Definition: detect-app-layer-event.h:34
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1201
APP_LAYER_EVENT_TEST_MAP_EVENT5
#define APP_LAYER_EVENT_TEST_MAP_EVENT5
Definition: detect-app-layer-event.c:391
app-layer.h
AppLayerParserGetEventInfo
int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name, int *event_id, AppLayerEventType *event_type)
Definition: app-layer-parser.c:1055