1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "decode.h"
27 
28 #include "app-layer.h"
29 #include "app-layer-protos.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-smtp.h"
32 #include "detect.h"
33 #include "detect-parse.h"
34 #include "detect-engine.h"
35 #include "detect-engine-state.h"
36 #include "detect-app-layer-event.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "decode-events.h"
43 #include "util-byte.h"
44 #include "util-debug.h"
45 #include "util-unittest.h"
46 #include "util-unittest-helper.h"
47 #include "stream-tcp-util.h"
48 
/* Upper bound on the length of the whole keyword argument, and the size of the
 * scratch buffer that receives the "proto" prefix of a "proto.event" argument
 * (see DetectAppLayerEventParseAppP1/P2). */
#define MAX_ALPROTO_NAME 50

/* Keyword handlers wired into sigmatch_table by DetectAppLayerEventRegister(). */
static int DetectAppLayerEventPktMatch(DetectEngineThreadCtx *det_ctx,
        Packet *p, const Signature *s, const SigMatchCtx *ctx);
static int DetectAppLayerEventSetupP1(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectAppLayerEventRegisterTests(void);
#endif
static void DetectAppLayerEventFree(DetectEngineCtx *, void *);
static int DetectEngineAptEventInspect(ThreadVars *tv,
        const Signature *s, const SigMatchData *smd,
        Flow *f, uint8_t flags, void *alstate,
        void *tx, uint64_t tx_id);
/* id of the "app-layer-events" sigmatch list; resolved once at registration */
static int g_applayer_events_list_id = 0;
64 
/**
 * \brief Registers the keyword handlers for the "app-layer-event" keyword.
 *
 * Fills the sigmatch_table entry (Setup, Free, unit tests and the packet
 * Match callback), registers the transaction inspect engine for the
 * "app-layer-events" list twice and caches that list's id in
 * g_applayer_events_list_id.
 *
 * NOTE(review): the function signature and the direction argument of the two
 * DetectAppLayerInspectEngineRegister() calls are on lines not shown in this
 * rendering; the symbol index lists SIG_FLAG_TOSERVER and SIG_FLAG_TOCLIENT,
 * which suggests one registration per direction — confirm against the
 * repository.
 */
{
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].name = "app-layer-event";
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].desc = "match on events generated by the App Layer Parsers and the protocol detection engine";
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].url = "/rules/app-layer.html#app-layer-event";
            DetectAppLayerEventPktMatch;
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Setup = DetectAppLayerEventSetupP1;
    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Free = DetectAppLayerEventFree;
#ifdef UNITTESTS
            DetectAppLayerEventRegisterTests;
#endif
    DetectAppLayerInspectEngineRegister("app-layer-events",
            DetectEngineAptEventInspect);
    DetectAppLayerInspectEngineRegister("app-layer-events",
            DetectEngineAptEventInspect);

    /* SetupP1/SetupP2 append the keyword's SigMatch to this list */
    g_applayer_events_list_id = DetectBufferTypeGetByName("app-layer-events");
}
90 
/**
 * \brief Inspect-engine callback for the "app-layer-events" list.
 *
 * Walks the SigMatchData chain of the signature and requires every listed
 * event id to be set on the decoder events of the transaction \a tx. The
 * walk stops at the first event that is not set (r stays 0); if all events
 * are set r becomes 1.
 *
 * \param tv      thread vars (unused on the visible lines)
 * \param s       signature being inspected
 * \param smd     first SigMatchData of the chain; the chain ends at is_last
 * \param f       flow, provides proto and alproto for the event lookup
 * \param flags   direction flags, passed to AppLayerParserGetStateProgress
 * \param alstate app-layer state (unused on the visible lines)
 * \param tx      transaction whose events are inspected
 * \param tx_id   transaction id (unused on the visible lines)
 *
 * NOTE(review): the lines that set up \c aled / \c det_ctx at the top of the
 * loop and the \c return statements in the \c end block are not shown in
 * this rendering. The symbol index lists DETECT_ENGINE_INSPECT_SIG_MATCH and
 * AppLayerParserGetStateProgressCompletionStatus(), which suggests the
 * result distinguishes match / can't-match-anymore / no-match based on tx
 * progress — confirm against the repository.
 */
static int DetectEngineAptEventInspect(ThreadVars *tv,
        const Signature *s, const SigMatchData *smd,
        Flow *f, uint8_t flags, void *alstate,
        void *tx, uint64_t tx_id)
{
    int r = 0;
    const AppProto alproto = f->alproto;
    AppLayerDecoderEvents *decoder_events =
        AppLayerParserGetEventsByTx(f->proto, alproto, tx);
    /* no events recorded for this tx: nothing in the chain can match */
    if (decoder_events == NULL)
        goto end;

    while (1) {

        if (AppLayerDecoderEventsIsEventSet(decoder_events, aled->event_id)) {
            KEYWORD_PROFILING_END(det_ctx, smd->type, 1);

            /* all keywords in the chain matched */
            if (smd->is_last)
                break;
            smd++;
            continue;
        }

        /* first event not set: the whole chain fails */
        KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
        goto end;
    }

    r = 1;

end:
    if (r == 1) {
    } else {
        /* compare tx progress with its completion status to decide whether
         * the event could still appear later (return lines not rendered) */
        if (AppLayerParserGetStateProgress(f->proto, alproto, tx, flags) ==
        {
        } else {
        }
    }
}
136 
137 
/**
 * \brief Packet-level Match() callback for "app-layer-event".
 *
 * Intended for packet events (arguments without a "proto." prefix): the
 * event id stored in the keyword data is looked up in the packet's own
 * app_layer_events.
 *
 * \param det_ctx  detect thread ctx (not used here)
 * \param p        packet under inspection
 * \param s        signature (not used here)
 * \param ctx      DetectAppLayerEventData attached by DetectAppLayerEventSetupP1
 *
 * \return the result of AppLayerDecoderEventsIsEventSet() for that event
 */
static int DetectAppLayerEventPktMatch(DetectEngineThreadCtx *det_ctx,
        Packet *p, const Signature *s, const SigMatchCtx *ctx)
{
    const DetectAppLayerEventData *event_data = (const DetectAppLayerEventData *)ctx;
    const int wanted_event = event_data->event_id;
    AppLayerDecoderEvents *pkt_events = p->app_layer_events;

    return AppLayerDecoderEventsIsEventSet(pkt_events, wanted_event);
}
146 
/**
 * \brief Parses a packet-level event name (an argument without a '.').
 *
 * \param arg         event name as written in the rule
 * \param event_type  set to APP_LAYER_EVENT_TYPE_PACKET on success
 *
 * \retval aled  keyword data with event_id filled in; owned by the caller
 * \retval NULL  unknown packet event (an error is logged), or aled could not
 *               be obtained (presumably an allocation failure — the line that
 *               creates aled is not shown in this rendering)
 */
static DetectAppLayerEventData *DetectAppLayerEventParsePkt(const char *arg,
        AppLayerEventType *event_type)
{
    int event_id = 0;
    int r = AppLayerGetPktEventInfo(arg, &event_id);
    if (r < 0) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword "
                "supplied with packet based event - \"%s\" that isn't "
                "supported yet.", arg);
        return NULL;
    }

    if (unlikely(aled == NULL))
        return NULL;
    aled->event_id = event_id;
    *event_type = APP_LAYER_EVENT_TYPE_PACKET;

    return aled;
}
167 
/**
 * \brief Tells whether \a raw names an event that has been removed.
 *
 * Rules that still reference one of these names are rejected by
 * DetectAppLayerEventParseAppP2.
 *
 * \param raw  full keyword argument ("proto.event")
 * \retval true   the event name is no longer supported
 * \retval false  otherwise
 */
static bool OutdatedEvent(const char *raw)
{
    static const char *const removed_events[] = {
        "tls.certificate_missing_element",
        "tls.certificate_unknown_element",
        "tls.certificate_invalid_string",
    };
    const size_t count = sizeof(removed_events) / sizeof(removed_events[0]);

    for (size_t i = 0; i < count; i++) {
        if (strcmp(raw, removed_events[i]) == 0)
            return true;
    }
    return false;
}
177 
/**
 * \brief Second parse pass for "proto.event" arguments: resolves the event
 *        name to an event id once the signature's IP protocol is known.
 *
 * \param data             keyword data built by DetectAppLayerEventParseAppP1;
 *                         data->arg must contain a '.' — the strchr() result
 *                         is used in pointer arithmetic without a NULL check
 * \param ipproto_bitarray bitmap of the signature's IP protocols; TCP is
 *                         preferred over UDP when both bits are set
 * \param event_type       filled in by the event-info lookup on success
 *
 * \retval int 0 ok
 * \retval int -1 error
 * \retval int -3 non-fatal error: sig will be rejected w/o raising error
 *
 * NOTE(review): the condition that selects -1 versus -3 for a removed or
 * unknown event is on lines not shown in this rendering; the symbol index
 * lists SigMatchStrictEnabled(), which suggests strict-mode handling —
 * confirm against the repository.
 */
static int DetectAppLayerEventParseAppP2(DetectAppLayerEventData *data,
        uint8_t *ipproto_bitarray,
        AppLayerEventType *event_type)
{
    int event_id = 0;
    uint8_t ipproto;
    char alproto_name[MAX_ALPROTO_NAME];
    int r = 0;

    /* event names removed from the engine are never accepted */
    if (OutdatedEvent(data->arg)) {
                "app-layer-event keyword no longer supports event \"%s\"", data->arg);
        return -1;
    } else {
                "app-layer-event keyword no longer supports event \"%s\"", data->arg);
        return -3;
    }
    }

    const char *p_idx = strchr(data->arg, '.');
    /* bounding the whole argument also bounds the "proto" prefix, so the
     * strlcpy() below writes at most MAX_ALPROTO_NAME bytes incl. the NUL */
    if (strlen(data->arg) > MAX_ALPROTO_NAME) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword is too long or malformed");
        return -1;
    }
    strlcpy(alproto_name, data->arg, p_idx - data->arg + 1);

    if (ipproto_bitarray[IPPROTO_TCP / 8] & 1 << (IPPROTO_TCP % 8)) {
        ipproto = IPPROTO_TCP;
    } else if (ipproto_bitarray[IPPROTO_UDP / 8] & 1 << (IPPROTO_UDP % 8)) {
        ipproto = IPPROTO_UDP;
    } else {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "protocol %s is disabled", alproto_name);
        return -1;
    }

    /* "file" events (needs_detctx) are registered with the detect engine,
     * everything else with the app-layer parser of data->alproto */
    if (!data->needs_detctx) {
        r = AppLayerParserGetEventInfo(ipproto, data->alproto,
                p_idx + 1, &event_id, event_type);
    } else {
        r = DetectEngineGetEventInfo(p_idx + 1, &event_id, event_type);
    }
    if (r < 0) {
            SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword's "
                    "protocol \"%s\" doesn't have event \"%s\" registered",
                    alproto_name, p_idx + 1);
            return -1;
        } else {
            SCLogWarning(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword's "
                    "protocol \"%s\" doesn't have event \"%s\" registered",
                    alproto_name, p_idx + 1);
            return -3;
        }
    }
    data->event_id = event_id;

    return 0;
}
242 
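/**
 * \brief First parse pass for a "proto.event" argument.
 *
 * Validates the length of the argument, isolates the protocol name in front
 * of the first '.' and resolves it to an AppProto. The event name itself is
 * resolved later by DetectAppLayerEventParseAppP2, once the signature's IP
 * protocol is known.
 *
 * \param arg  keyword argument with leading whitespace already stripped. The
 *             caller only passes arguments containing a '.'; this is
 *             re-checked here so a NULL strchr() result can never reach the
 *             pointer arithmetic below.
 *
 * \retval aled  newly allocated keyword data, owned by the caller and released
 *               with DetectAppLayerEventFree(); for the pseudo protocol "file"
 *               alproto stays ALPROTO_UNKNOWN and needs_detctx is set
 * \retval NULL  malformed argument, unknown protocol (an error is logged) or
 *               allocation failure
 */
static DetectAppLayerEventData *DetectAppLayerEventParseAppP1(const char *arg)
{
    char alproto_name[MAX_ALPROTO_NAME];
    bool needs_detctx = false;

    /* bounding the whole argument also bounds the "proto" prefix, so the
     * strlcpy() below writes at most MAX_ALPROTO_NAME bytes incl. the NUL */
    if (strlen(arg) > MAX_ALPROTO_NAME) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword is too long or malformed");
        return NULL;
    }

    /* period index: everything in front of it is the protocol name */
    const char *p_idx = strchr(arg, '.');
    if (p_idx == NULL) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword is too long or malformed");
        return NULL;
    }
    /* + 1 for trailing \0 */
    strlcpy(alproto_name, arg, (size_t)(p_idx - arg) + 1);

    const AppProto alproto = AppLayerGetProtoByName(alproto_name);
    if (alproto == ALPROTO_UNKNOWN) {
        /* "file" is not an app-layer protocol: its events are looked up
         * through the detect engine in ParseAppP2 (needs_detctx) */
        if (strcmp(alproto_name, "file") == 0) {
            needs_detctx = true;
        } else {
            SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword "
                    "supplied with unknown protocol \"%s\"",
                    alproto_name);
            return NULL;
        }
    }

    DetectAppLayerEventData *aled = SCCalloc(1, sizeof(*aled));
    if (unlikely(aled == NULL))
        return NULL;
    aled->alproto = alproto;
    /* private copy of the argument: the event name is resolved in ParseAppP2 */
    aled->arg = SCStrdup(arg);
    if (aled->arg == NULL) {
        SCFree(aled);
        return NULL;
    }
    aled->needs_detctx = needs_detctx;

    return aled;
}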
282 
/**
 * \brief Entry point for parsing the "app-layer-event" argument.
 *
 * Strips leading whitespace and dispatches on the presence of a '.': without
 * one the argument names a packet event, with one a "proto.event" pair.
 *
 * \param arg         raw keyword argument, may be NULL
 * \param event_type  reset to 0 first; set by DetectAppLayerEventParsePkt for
 *                    packet events, untouched for "proto.event" arguments
 *
 * \retval aled  keyword data from the selected parser
 * \retval NULL  missing argument (an error is logged) or parser failure
 */
static DetectAppLayerEventData *DetectAppLayerEventParse(const char *arg,
        AppLayerEventType *event_type)
{
    *event_type = 0;

    if (arg == NULL) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword supplied "
                "with no arguments. This keyword needs an argument.");
        return NULL;
    }

    /* skip leading whitespace */
    const char *name = arg;
    for (; *name != '\0'; name++) {
        if (!isspace((unsigned char)*name))
            break;
    }

    const bool has_proto_prefix = (strchr(name, '.') != NULL);
    if (!has_proto_prefix)
        return DetectAppLayerEventParsePkt(name, event_type);
    return DetectAppLayerEventParseAppP1(name);
}
303 
/**
 * \brief Second setup pass for one "proto.event" SigMatch, run from
 *        DetectAppLayerEventPrepare once the signature's IP protocol is known.
 *
 * \param de_ctx  detection engine ctx
 * \param s       signature the SigMatch belongs to
 * \param sm      SigMatch whose ctx is a DetectAppLayerEventData; already
 *                unlinked from the signature's lists by the caller
 *
 * \retval 0   event resolved; sm re-appended to the app-layer-events list
 * \retval <0  result of DetectAppLayerEventParseAppP2; sm has been freed
 */
static int DetectAppLayerEventSetupP2(DetectEngineCtx *de_ctx,
        Signature *s,
        SigMatch *sm)
{
    DetectAppLayerEventData *data = (DetectAppLayerEventData *)sm->ctx;
    AppLayerEventType event_type = 0;

    const int rc = DetectAppLayerEventParseAppP2(data, s->proto.proto, &event_type);
    if (rc >= 0) {
        SigMatchAppendSMToList(s, sm, g_applayer_events_list_id);
        /* We should have set this flag already in SetupP1 */
        s->flags |= SIG_FLAG_APPLAYER;
        return 0;
    }

    /* DetectAppLayerEventParseAppP2 prints errors */

    /* sm has been removed from lists by DetectAppLayerEventPrepare */
    SigMatchFree(de_ctx, sm);
    return rc;
}
325 
/**
 * \brief Setup() callback for "app-layer-event".
 *
 * Parses the argument and attaches the resulting keyword data to a new
 * SigMatch. Packet events go into the packet match list; "proto.event"
 * arguments set the signature's app protocol and are appended to the
 * app-layer-events list for later completion by DetectAppLayerEventSetupP2.
 *
 * \param de_ctx  detection engine ctx
 * \param s       signature being built
 * \param arg     keyword argument
 *
 * \retval 0   success
 * \retval -1  parse or allocation failure, or the app protocol could not be
 *             set on the signature (data and sm released)
 *
 * NOTE(review): the line that sets sm->type and the list append for the
 * packet-event branch are not shown in this rendering; the symbol index
 * lists DETECT_SM_LIST_MATCH for the latter — confirm against the repository.
 */
static int DetectAppLayerEventSetupP1(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
    AppLayerEventType event_type;

    DetectAppLayerEventData *data = DetectAppLayerEventParse(arg, &event_type);
    if (data == NULL)
        SCReturnInt(-1);

    SigMatch *sm = SigMatchAlloc();
    if (sm == NULL)
        goto error;

    sm->ctx = (SigMatchCtx *)data;

    if (event_type == APP_LAYER_EVENT_TYPE_PACKET) {
    } else {
        if (DetectSignatureSetAppProto(s, data->alproto) != 0)
            goto error;

        SigMatchAppendSMToList(s, sm, g_applayer_events_list_id);
    }

    return 0;

error:
    if (data) {
        DetectAppLayerEventFree(de_ctx, data);
    }
    if (sm) {
        /* data is freed above; detach it so SigMatchFree doesn't free it twice */
        sm->ctx = NULL;
        SigMatchFree(de_ctx, sm);
    }
    return -1;
}
362 
/**
 * \brief Free() callback for "app-layer-event": releases the keyword data
 *        and the argument copy it owns.
 *
 * \param de_ctx  detection engine ctx (unused on the visible lines)
 * \param ptr     DetectAppLayerEventData to release
 *
 * NOTE(review): the line that derives \c data from \a ptr is not shown in
 * this rendering.
 */
static void DetectAppLayerEventFree(DetectEngineCtx *de_ctx, void *ptr)
{
    if (data->arg != NULL)
        SCFree(data->arg);

    SCFree(ptr);

    return;
}
373 
/**
 * \brief Completes every "app-layer-event" SigMatch of a signature once its
 *        IP protocol is known.
 *
 * Detaches the whole app-layer-events list from the signature, then runs
 * DetectAppLayerEventSetupP2 on each entry, which re-appends it on success.
 * On the first failure the remaining (not yet processed) entries are freed
 * and the error is propagated.
 *
 * \retval 0   all entries resolved
 * \retval <0  error code from DetectAppLayerEventSetupP2
 *
 * NOTE(review): the function signature is not shown in this rendering; the
 * symbol index gives it as
 * int DetectAppLayerEventPrepare(DetectEngineCtx *de_ctx, Signature *s).
 */
{
    SigMatch *sm = s->init_data->smlists[g_applayer_events_list_id];
    SigMatch *smn;
    /* unlink the list; SetupP2 rebuilds it entry by entry */
    s->init_data->smlists[g_applayer_events_list_id] = NULL;
    s->init_data->smlists_tail[g_applayer_events_list_id] = NULL;

    while (sm != NULL) {
        // save it for later use in loop
        smn = sm->next;
        /* these will be overwritten in SigMatchAppendSMToList
         * called by DetectAppLayerEventSetupP2
         */
        sm->next = sm->prev = NULL;
        int ret = DetectAppLayerEventSetupP2(de_ctx, s, sm);
        if (ret < 0) {
            // current one was freed, let's free the next ones
            sm = smn;
            while(sm) {
                smn = sm->next;
                SigMatchFree(de_ctx, sm);
                sm = smn;
            }
            return ret;
        }
        sm = smn;
    }

    return 0;
}
404 
405 /**********************************Unittests***********************************/
406 
407 #ifdef UNITTESTS /* UNITTESTS */
408 #include "stream-tcp-private.h"
409 #include "stream-tcp-reassemble.h"
410 #include "stream-tcp.h"
411 
/* Event ids of the synthetic event table used by the unit tests below. */
#define APP_LAYER_EVENT_TEST_MAP_EVENT1 0
#define APP_LAYER_EVENT_TEST_MAP_EVENT2 1
#define APP_LAYER_EVENT_TEST_MAP_EVENT3 2
#define APP_LAYER_EVENT_TEST_MAP_EVENT4 3
#define APP_LAYER_EVENT_TEST_MAP_EVENT5 4
#define APP_LAYER_EVENT_TEST_MAP_EVENT6 5

/* name -> id map consulted by DetectAppLayerEventTestGetEventInfo
 * (the declaration line of the map is not shown in this rendering) */
    { "event1", APP_LAYER_EVENT_TEST_MAP_EVENT1 },
    { "event2", APP_LAYER_EVENT_TEST_MAP_EVENT2 },
    { "event3", APP_LAYER_EVENT_TEST_MAP_EVENT3 },
    { "event4", APP_LAYER_EVENT_TEST_MAP_EVENT4 },
    { "event5", APP_LAYER_EVENT_TEST_MAP_EVENT5 },
    { "event6", APP_LAYER_EVENT_TEST_MAP_EVENT6 },
};
427 
/**
 * \brief Test stand-in for a parser's GetEventInfo callback: resolves an
 *        event name through app_layer_event_test_map.
 *
 * \param event_name  event name to look up
 * \param event_id    receives the mapped id, or -1 when unknown
 * \param event_type  set to APP_LAYER_EVENT_TYPE_TRANSACTION on success
 *
 * \retval 0   found
 * \retval -1  unknown name (an error is logged)
 */
static int DetectAppLayerEventTestGetEventInfo(const char *event_name,
        int *event_id,
        AppLayerEventType *event_type)
{
    const int mapped_id = SCMapEnumNameToValue(event_name, app_layer_event_test_map);
    *event_id = mapped_id;
    if (mapped_id != -1) {
        *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
        return 0;
    }

    SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in "
            "app-layer-event's test enum map table.", event_name);
    /* this should be treated as fatal */
    return -1;
}
444 
445 
/**
 * \brief "smtp.event1" must parse to ALPROTO_SMTP and resolve through the
 *        test event map in the second pass.
 *
 * NOTE(review): the lines that back up the parser table and register
 * DetectAppLayerEventTestGetEventInfo, the event_id comparison after the
 * alproto check and the table restore in the \c end block are not shown in
 * this rendering.
 */
static int DetectAppLayerEventTest01(void)
{
            DetectAppLayerEventTestGetEventInfo);

    AppLayerEventType event_type;
    int result = 0;
    /* only TCP enabled for the signature */
    uint8_t ipproto_bitarray[256 / 8];
    memset(ipproto_bitarray, 0, sizeof(ipproto_bitarray));
    ipproto_bitarray[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);

    DetectAppLayerEventData *aled = DetectAppLayerEventParse("smtp.event1",
            &event_type);
    if (aled == NULL)
        goto end;
    if (DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0) {
        printf("failure 1\n");
        goto end;
    }
    if (aled->alproto != ALPROTO_SMTP ||
        printf("test failure. Holding wrong state\n");
        goto end;
    }

    result = 1;

end:
    if (aled != NULL)
        DetectAppLayerEventFree(NULL, aled);
    return result;
}
480 
/**
 * \brief Parses "proto.event" arguments for several protocols (SMTP, HTTP,
 *        SMB, FTP) and checks that each resolves to the expected AppProto.
 *
 * NOTE(review): the parser-table backup and the four
 * AppLayerParserRegisterGetEventInfo() calls at the top, the event_id checks
 * and the per-protocol DetectAppLayerEventFree() calls are not shown in this
 * rendering; on the visible lines only the last aled is freed.
 */
static int DetectAppLayerEventTest02(void)
{

            DetectAppLayerEventTestGetEventInfo);
            DetectAppLayerEventTestGetEventInfo);
            DetectAppLayerEventTestGetEventInfo);
            DetectAppLayerEventTestGetEventInfo);

    AppLayerEventType event_type;
    /* only TCP enabled for the signature */
    uint8_t ipproto_bitarray[256 / 8];
    memset(ipproto_bitarray, 0, sizeof(ipproto_bitarray));
    ipproto_bitarray[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);

    DetectAppLayerEventData *aled = DetectAppLayerEventParse("smtp.event1",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_SMTP);

    aled = DetectAppLayerEventParse("smtp.event4",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_SMTP);

    aled = DetectAppLayerEventParse("http.event2",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_HTTP);

    aled = DetectAppLayerEventParse("smb.event3",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_SMB);

    aled = DetectAppLayerEventParse("ftp.event5",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_FTP);

    DetectAppLayerEventFree(NULL, aled);
    PASS;
}
538 
/**
 * \brief HTTP request followed by an HTTP response on one flow: the protocol
 *        agrees in both directions, so a rule on
 *        applayer_mismatch_protocol_both_directions must not alert after
 *        either direction.
 *
 * NOTE(review): some setup lines (the de_ctx creation, the signature group
 * build and the packet direction flags before each AppLayerHandleTCPData()
 * call) are not shown in this rendering. On the visible lines de_ctx,
 * det_ctx, f and p are not released before PASS.
 */
static int DetectAppLayerEventTest03(void)
{
    ThreadVars tv;
    TcpReassemblyThreadCtx *ra_ctx = NULL;
    Packet *p = NULL;
    Flow *f = NULL;
    TcpSession ssn;
    TcpStream stream_ts, stream_tc;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
        "Host: 127.0.0.1\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        "Accept-Language: en-us,en;q=0.5\r\n"
        "Accept-Encoding: gzip,deflate\r\n"
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
        "Keep-Alive: 115\r\n"
        "Connection: keep-alive\r\n"
        "\r\n";
    uint8_t buf_tc[] = "HTTP/1.1 200 OK\r\n"
        "Date: Fri, 22 Oct 2010 12:31:08 GMT\r\n"
        "Server: Apache/2.2.15 (Unix) DAV/2\r\n"
        "Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT\r\n"
        "ETag: \"ab8486-2c-3e9564c23b600\"\r\n"
        "Accept-Ranges: bytes\r\n"
        "Content-Length: 44\r\n"
        "Keep-Alive: timeout=5, max=100\r\n"
        "Connection: Keep-Alive\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body><h1>It works!</h1></body></html>";

    memset(&tv, 0, sizeof (ThreadVars));
    memset(&ssn, 0, sizeof(TcpSession));
    memset(&stream_ts, 0, sizeof(TcpStream));
    memset(&stream_tc, 0, sizeof(TcpStream));


    FAIL_IF(de_ctx == NULL);
    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(app-layer-event: applayer_mismatch_protocol_both_directions; "
            "sid:1;)");
    FAIL_IF(de_ctx->sig_list == NULL);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
    FAIL_IF(f == NULL);
    FLOW_INITIALIZE(f);
    f->protoctx = &ssn;
    f->proto = IPPROTO_TCP;
    f->flags |= FLOW_IPV4;

    p = PacketGetFromAlloc();
    FAIL_IF(unlikely(p == NULL));
    p->flow = f;
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->proto = IPPROTO_TCP;

    StreamTcpUTInit(&ra_ctx);

    /* to-server: HTTP request, no alert expected */
    TcpStream *stream = &stream_ts;
    FAIL_IF(AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_ts,
            sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    FAIL_IF (PacketAlertCheck(p, 1));

    /* to-client: HTTP response, still no alert expected */
    stream = &stream_tc;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_tc,
            sizeof(buf_tc), STREAM_TOCLIENT | STREAM_START) < 0);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    FAIL_IF(PacketAlertCheck(p, 1));

    StreamTcpUTDeinit(ra_ctx);
    PASS;
}
627 
/**
 * \brief HTTP request followed by a response that does not start with an
 *        HTTP version ("XTTP/1.1 ..."): the protocol is only detected in one
 *        direction, so a rule on applayer_detect_protocol_only_one_direction
 *        must alert once the to-client data has been handled, and not before.
 *
 * NOTE(review): some setup lines (the de_ctx creation, the signature group
 * build and the packet direction flags before each AppLayerHandleTCPData()
 * call) are not shown in this rendering. On the visible lines de_ctx,
 * det_ctx, f and p are not released before PASS.
 */
static int DetectAppLayerEventTest04(void)
{
    ThreadVars tv;
    TcpReassemblyThreadCtx *ra_ctx = NULL;
    Packet *p = NULL;
    Flow *f = NULL;
    TcpSession ssn;
    TcpStream stream_ts, stream_tc;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
        "Host: 127.0.0.1\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        "Accept-Language: en-us,en;q=0.5\r\n"
        "Accept-Encoding: gzip,deflate\r\n"
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
        "Keep-Alive: 115\r\n"
        "Connection: keep-alive\r\n"
        "\r\n";
    /* deliberately not HTTP: first bytes differ from "HTTP/" */
    uint8_t buf_tc[] = "XTTP/1.1 200 OK\r\n"
        "Date: Fri, 22 Oct 2010 12:31:08 GMT\r\n"
        "Server: Apache/2.2.15 (Unix) DAV/2\r\n"
        "Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT\r\n"
        "ETag: \"ab8486-2c-3e9564c23b600\"\r\n"
        "Accept-Ranges: bytes\r\n"
        "Content-Length: 44\r\n"
        "Keep-Alive: timeout=5, max=100\r\n"
        "Connection: Keep-Alive\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body><h1>It works!</h1></body></html>";

    memset(&tv, 0, sizeof (ThreadVars));
    memset(&ssn, 0, sizeof(TcpSession));
    memset(&stream_ts, 0, sizeof(TcpStream));
    memset(&stream_tc, 0, sizeof(TcpStream));


    FAIL_IF (de_ctx == NULL);
    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(app-layer-event: applayer_detect_protocol_only_one_direction; "
            "sid:1;)");
    FAIL_IF(de_ctx->sig_list == NULL);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
    FAIL_IF (f == NULL);
    FLOW_INITIALIZE(f);
    f->protoctx = &ssn;
    f->proto = IPPROTO_TCP;
    f->flags |= FLOW_IPV4;

    p = PacketGetFromAlloc();
    FAIL_IF(unlikely(p == NULL));
    p->flow = f;
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->proto = IPPROTO_TCP;

    StreamTcpUTInit(&ra_ctx);

    /* to-server: HTTP request, no alert yet */
    TcpStream *stream = &stream_ts;
    FAIL_IF(AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_ts,
            sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    FAIL_IF (PacketAlertCheck(p, 1));

    /* to-client: undetectable response, the event must now fire */
    stream = &stream_tc;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_tc,
            sizeof(buf_tc), STREAM_TOCLIENT | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    FAIL_IF (!PacketAlertCheck(p, 1));

    StreamTcpUTDeinit(ra_ctx);
    PASS;
}
712 
/**
 * \brief HTTP request followed by a TLS-looking response on the same flow:
 *        the two directions detect different protocols, so a rule on
 *        applayer_mismatch_protocol_both_directions must alert once the
 *        to-client data has been handled, and not before.
 *
 * NOTE(review): some setup lines (the de_ctx creation, the signature group
 * build and the packet direction flags before each AppLayerHandleTCPData()
 * call) are not shown in this rendering. On the visible lines de_ctx,
 * det_ctx, f and p are not released before PASS.
 */
static int DetectAppLayerEventTest05(void)
{
    ThreadVars tv;
    TcpReassemblyThreadCtx *ra_ctx = NULL;
    Packet *p = NULL;
    Flow *f = NULL;
    TcpSession ssn;
    TcpStream stream_ts, stream_tc;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
        "Host: 127.0.0.1\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        "Accept-Language: en-us,en;q=0.5\r\n"
        "Accept-Encoding: gzip,deflate\r\n"
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
        "Keep-Alive: 115\r\n"
        "Connection: keep-alive\r\n"
        "\r\n";
    /* tls: raw record bytes (0x16 = handshake content type) rather than HTTP */
    uint8_t buf_tc[] = {
        0x16, 0x03, 0x01, 0x00, 0x86, 0x10, 0x00, 0x00,
        0x82, 0x00, 0x80, 0xd3, 0x6f, 0x1f, 0x63, 0x82,
        0x8d, 0x75, 0x77, 0x8c, 0x91, 0xbc, 0xa1, 0x3d,
        0xbb, 0xe1, 0xb5, 0xd3, 0x31, 0x92, 0x59, 0x2b,
        0x2c, 0x43, 0x96, 0xa3, 0xaa, 0x23, 0x92, 0xd0,
        0x91, 0x2a, 0x5e, 0x10, 0x5b, 0xc8, 0xc1, 0xe2,
        0xd3, 0x5c, 0x8b, 0x8c, 0x91, 0x9e, 0xc2, 0xf2,
        0x9c, 0x3c, 0x4f, 0x37, 0x1e, 0x20, 0x5e, 0x33,
        0xd5, 0xf0, 0xd6, 0xaf, 0x89, 0xf5, 0xcc, 0xb2,
        0xcf, 0xc1, 0x60, 0x3a, 0x46, 0xd5, 0x4e, 0x2a,
        0xb6, 0x6a, 0xb9, 0xfc, 0x32, 0x8b, 0xe0, 0x6e,
        0xa0, 0xed, 0x25, 0xa0, 0xa4, 0x82, 0x81, 0x73,
        0x90, 0xbf, 0xb5, 0xde, 0xeb, 0x51, 0x8d, 0xde,
        0x5b, 0x6f, 0x94, 0xee, 0xba, 0xe5, 0x69, 0xfa,
        0x1a, 0x80, 0x30, 0x54, 0xeb, 0x12, 0x01, 0xb9,
        0xfe, 0xbf, 0x82, 0x95, 0x01, 0x7b, 0xb0, 0x97,
        0x14, 0xc2, 0x06, 0x3c, 0x69, 0xfb, 0x1c, 0x66,
        0x47, 0x17, 0xd9, 0x14, 0x03, 0x01, 0x00, 0x01,
        0x01, 0x16, 0x03, 0x01, 0x00, 0x30, 0xf6, 0xbc,
        0x0d, 0x6f, 0xe8, 0xbb, 0xaa, 0xbf, 0x14, 0xeb,
        0x7b, 0xcc, 0x6c, 0x28, 0xb0, 0xfc, 0xa6, 0x01,
        0x2a, 0x97, 0x96, 0x17, 0x5e, 0xe8, 0xb4, 0x4e,
        0x78, 0xc9, 0x04, 0x65, 0x53, 0xb6, 0x93, 0x3d,
        0xeb, 0x44, 0xee, 0x86, 0xf9, 0x80, 0x49, 0x45,
        0x21, 0x34, 0xd1, 0xee, 0xc8, 0x9c,
    };

    memset(&tv, 0, sizeof (ThreadVars));
    memset(&ssn, 0, sizeof(TcpSession));
    memset(&stream_ts, 0, sizeof(TcpStream));
    memset(&stream_tc, 0, sizeof(TcpStream));


    FAIL_IF (de_ctx == NULL);
    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(app-layer-event: applayer_mismatch_protocol_both_directions; "
            "sid:1;)");
    FAIL_IF (de_ctx->sig_list == NULL);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
    FAIL_IF (f == NULL);
    FLOW_INITIALIZE(f);
    f->protoctx = &ssn;
    f->proto = IPPROTO_TCP;
    f->flags |= FLOW_IPV4;

    p = PacketGetFromAlloc();
    FAIL_IF (unlikely(p == NULL));
    p->flow = f;
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->proto = IPPROTO_TCP;

    StreamTcpUTInit(&ra_ctx);

    /* to-server: HTTP request, no alert yet */
    TcpStream *stream = &stream_ts;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_ts,
            sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    FAIL_IF (PacketAlertCheck(p, 1));

    /* to-client: TLS bytes, the mismatch event must now fire */
    stream = &stream_tc;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_tc,
            sizeof(buf_tc), STREAM_TOCLIENT | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    FAIL_IF (!PacketAlertCheck(p, 1));

    StreamTcpUTDeinit(ra_ctx);
    PASS;
}
813 
/**
 * \brief "file.test" is not an app-layer protocol event: ParseAppP1 must
 *        accept it with alproto left at ALPROTO_UNKNOWN (needs_detctx path)
 *        and ParseAppP2 must resolve it through the detect engine.
 *
 * NOTE(review): one check between the alproto comparison and the free is
 * not shown in this rendering.
 */
static int DetectAppLayerEventTest06(void)
{
    AppLayerEventType event_type;
    /* only TCP enabled for the signature */
    uint8_t ipproto_bitarray[256 / 8];
    memset(ipproto_bitarray, 0, sizeof(ipproto_bitarray));
    ipproto_bitarray[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);

    DetectAppLayerEventData *aled = DetectAppLayerEventParse("file.test",
            &event_type);

    FAIL_IF_NULL(aled);

    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);

    FAIL_IF(aled->alproto != ALPROTO_UNKNOWN);

    DetectAppLayerEventFree(NULL, aled);
    PASS;
}
834 
/**
 * \brief This function registers unit tests for "app-layer-event" keyword.
 *
 * Tests are registered in table order, which is the order they were
 * previously listed in.
 */
static void DetectAppLayerEventRegisterTests(void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectAppLayerEventTest01", DetectAppLayerEventTest01 },
        { "DetectAppLayerEventTest02", DetectAppLayerEventTest02 },
        { "DetectAppLayerEventTest03", DetectAppLayerEventTest03 },
        { "DetectAppLayerEventTest04", DetectAppLayerEventTest04 },
        { "DetectAppLayerEventTest05", DetectAppLayerEventTest05 },
        { "DetectAppLayerEventTest06", DetectAppLayerEventTest06 },
    };
    const size_t count = sizeof(tests) / sizeof(tests[0]);

    for (size_t i = 0; i < count; i++)
        UtRegisterTest(tests[i].name, tests[i].fn);
}
847 #endif /* UNITTESTS */
struct SigMatch_ ** smlists
Definition: detect.h:522
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:220
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:40
decode-events.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1888
SigMatch_::type
uint8_t type
Definition: detect.h:321
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
Packet_::flow
struct Flow_ * flow
Definition: decode.h:451
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2797
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
DetectEngineGetEventInfo
int DetectEngineGetEventInfo(const char *event_name, int *event_id, AppLayerEventType *event_type)
Definition: detect-engine.c:4277
SCMapEnumNameToValue
int SCMapEnumNameToValue(const char *enum_name, SCEnumCharMap *table)
Maps a string name to an enum value from the supplied table. Please specify the last element of any m...
Definition: util-enum.c:40
flags
uint8_t flags
Definition: decode-gre.h:0
Signature_::proto
DetectProto proto
Definition: detect.h:545
SigMatchData_::is_last
uint8_t is_last
Definition: detect.h:331
suricata-common.h
SCEnumCharMap_
Definition: util-enum.h:27
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:773
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:144
APP_LAYER_EVENT_TEST_MAP_EVENT3
#define APP_LAYER_EVENT_TEST_MAP_EVENT3
Definition: detect-app-layer-event.c:414
APP_LAYER_EVENT_TEST_MAP_EVENT1
#define APP_LAYER_EVENT_TEST_MAP_EVENT1
Definition: detect-app-layer-event.c:412
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::flags
uint32_t flags
Definition: flow.h:421
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:30
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
AppLayerGetPktEventInfo
int AppLayerGetPktEventInfo(const char *event_name, int *event_id)
Definition: app-layer-events.c:67
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:60
app-layer-protos.h
app_layer_event_test_map
SCEnumCharMap app_layer_event_test_map[]
Definition: detect-app-layer-event.c:419
Address_::family
char family
Definition: decode.h:117
Packet_::dst
Address dst
Definition: decode.h:419
SC_ERR_INVALID_ENUM_MAP
@ SC_ERR_INVALID_ENUM_MAP
Definition: util-error.h:45
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:768
app-layer-smtp.h
TcpSession_
Definition: stream-tcp-private.h:260
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:265
flow.h
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
Definition: detect-engine.c:171
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
Packet_::src
Address src
Definition: decode.h:418
DetectAppLayerEventData_::arg
char * arg
Definition: detect-app-layer-event.h:34
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203
APP_LAYER_EVENT_TEST_MAP_EVENT5
#define APP_LAYER_EVENT_TEST_MAP_EVENT5
Definition: detect-app-layer-event.c:416
app-layer.h
AppLayerParserGetEventInfo
int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name, int *event_id, AppLayerEventType *event_type)
Definition: app-layer-parser.c:1075