detect-app-layer-event.c
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "decode.h"
27 
28 #include "app-layer.h"
29 #include "app-layer-protos.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-smtp.h"
32 #include "detect.h"
33 #include "detect-parse.h"
34 #include "detect-engine.h"
35 #include "detect-engine-state.h"
36 #include "detect-app-layer-event.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "decode-events.h"
43 #include "util-byte.h"
44 #include "util-debug.h"
45 #include "util-unittest.h"
46 #include "util-unittest-helper.h"
47 #include "stream-tcp-util.h"
48 
49 #define MAX_ALPROTO_NAME 50
50 
51 static int DetectAppLayerEventPktMatch(DetectEngineThreadCtx *det_ctx,
52  Packet *p, const Signature *s, const SigMatchCtx *ctx);
53 static int DetectAppLayerEventSetupP1(DetectEngineCtx *, Signature *, const char *);
54 #ifdef UNITTESTS
55 static void DetectAppLayerEventRegisterTests(void);
56 #endif
57 static void DetectAppLayerEventFree(DetectEngineCtx *, void *);
58 static int DetectEngineAptEventInspect(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
59  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
60  uint8_t flags, void *alstate, void *tx, uint64_t tx_id);
61 static int g_applayer_events_list_id = 0;
62 
63 /**
64  * \brief Registers the keyword handlers for the "app-layer-event" keyword.
65  */
67 {
68  sigmatch_table[DETECT_AL_APP_LAYER_EVENT].name = "app-layer-event";
69  sigmatch_table[DETECT_AL_APP_LAYER_EVENT].desc = "match on events generated by the App Layer Parsers and the protocol detection engine";
70  sigmatch_table[DETECT_AL_APP_LAYER_EVENT].url = "/rules/app-layer.html#app-layer-event";
72  DetectAppLayerEventPktMatch;
73  sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Setup = DetectAppLayerEventSetupP1;
74  sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Free = DetectAppLayerEventFree;
75 #ifdef UNITTESTS
77  DetectAppLayerEventRegisterTests;
78 #endif
79 
81  DetectEngineAptEventInspect, NULL);
83  DetectEngineAptEventInspect, NULL);
84 
85  g_applayer_events_list_id = DetectBufferTypeGetByName("app-layer-events");
86 }
87 
/**
 * \brief Inspection engine callback for the "app-layer-events" list.
 *
 * Walks the signature's app-layer-event matches (engine->smd) against the
 * decoder events recorded on one transaction. Every listed event must be
 * set for the signature to match: the first event that is not set ends the
 * walk with a non-match. de_ctx, s, alstate and tx_id are not used here.
 *
 * \param f     flow; f->proto and f->alproto select the parser queried
 * \param flags direction flags, forwarded to the tx progress lookup
 * \param tx    transaction whose decoder events are inspected
 *
 * \retval inspection verdict (a DETECT_ENGINE_INSPECT_SIG_* value)
 *
 * NOTE(review): the per-iteration setup at the top of the loop and the
 * return statements under the end: label are not present in this copy of
 * the file. The non-match verdict presumably depends on whether the tx
 * has reached its completion progress — confirm against the full source.
 */
static int DetectEngineAptEventInspect(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
        const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
        uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
{
    int r = 0;
    const AppProto alproto = f->alproto;
    /* events live on the transaction, not on the flow */
    AppLayerDecoderEvents *decoder_events =
            AppLayerParserGetEventsByTx(f->proto, alproto, tx);
    if (decoder_events == NULL)
        goto end;

    SigMatchData *smd = engine->smd;
    while (1) {

        /* aled: the current keyword's DetectAppLayerEventData, presumably
         * taken from smd->ctx (see DetectAppLayerEventSetupP1) */
        if (AppLayerDecoderEventsIsEventSet(decoder_events, aled->event_id)) {
            KEYWORD_PROFILING_END(det_ctx, smd->type, 1);

            /* AND semantics across the list: move to the next keyword,
             * or stop once the last one matched */
            if (smd->is_last)
                break;
            smd++;
            continue;
        }

        /* one unset event fails the whole list */
        KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
        goto end;
    }

    r = 1;

end:
    if (r == 1) {
        /* every event in the list was set on this tx */
    } else {
        /* no match (or no events at all): the tx progress decides whether
         * this signature may still match later on the same transaction */
        if (AppLayerParserGetStateProgress(f->proto, alproto, tx, flags) ==
        {
        } else {
        }
    }
}
132 
133 
/**
 * \brief Packet-level Match() handler for app-layer-event.
 *
 * Used for the "packet based" events (arguments without a "proto." prefix,
 * see DetectAppLayerEventParse), which are attached to the packet rather
 * than to a transaction.
 *
 * \param ctx the DetectAppLayerEventData built at rule parse time
 * \retval non-zero if the configured event is set on p->app_layer_events,
 *         0 otherwise
 */
static int DetectAppLayerEventPktMatch(DetectEngineThreadCtx *det_ctx,
        Packet *p, const Signature *s, const SigMatchCtx *ctx)
{
    const DetectAppLayerEventData *data = (const DetectAppLayerEventData *)ctx;
    AppLayerDecoderEvents *pkt_events = p->app_layer_events;

    /* det_ctx and s are not consulted: the verdict depends only on the
     * packet's event list and the event id from the rule. */
    return AppLayerDecoderEventsIsEventSet(pkt_events, data->event_id);
}
142 
/**
 * \brief Parse a packet-based (protocol detection) event name.
 *
 * Reached for arguments without a '.' separator, e.g.
 * "applayer_mismatch_protocol_both_directions". The name is resolved
 * through AppLayerGetPktEventInfo; an unknown name rejects the rule.
 *
 * \param arg        event name, leading whitespace already stripped by the caller
 * \param event_type set to APP_LAYER_EVENT_TYPE_PACKET on success
 *
 * \retval newly allocated DetectAppLayerEventData, released by the caller
 *         through DetectAppLayerEventFree; NULL on unknown name or OOM
 */
static DetectAppLayerEventData *DetectAppLayerEventParsePkt(const char *arg,
        AppLayerEventType *event_type)
{
    int event_id = 0;
    int r = AppLayerGetPktEventInfo(arg, &event_id);
    if (r < 0) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword "
                "supplied with packet based event - \"%s\" that isn't "
                "supported yet.", arg);
        return NULL;
    }

    /* NULL here means the allocation of aled failed */
    if (unlikely(aled == NULL))
        return NULL;
    aled->event_id = event_id;
    *event_type = APP_LAYER_EVENT_TYPE_PACKET;

    return aled;
}
163 
/**
 * \brief Tell whether an argument names one of the retired TLS
 *        certificate events.
 *
 * These names used to be valid; DetectAppLayerEventParseAppP2 rejects (or,
 * non-fatally, skips) rules that still use them instead of letting the
 * later event lookup fail with a less specific message.
 *
 * \param raw the full "proto.event" argument as written in the rule
 * \retval true if raw is one of the retired event names
 */
static bool OutdatedEvent(const char *raw)
{
    static const char *const retired[] = {
        "tls.certificate_missing_element",
        "tls.certificate_unknown_element",
        "tls.certificate_invalid_string",
    };

    for (size_t i = 0; i < sizeof(retired) / sizeof(retired[0]); i++) {
        if (strcmp(raw, retired[i]) == 0)
            return true;
    }
    return false;
}
173 
/**
 * \brief Second parsing pass for "proto.event" arguments.
 *
 * Runs once the signature's IP protocol set is final (called from
 * DetectAppLayerEventPrepare via DetectAppLayerEventSetupP2), because the
 * event name is looked up per (ipproto, alproto) pair. Resolves the text
 * after the '.' to its numeric id and stores it in data->event_id.
 *
 * \param data             result of DetectAppLayerEventParseAppP1; data->arg
 *                         is the full "proto.event" string and contains a '.'
 * \param ipproto_bitarray the signature's IP protocol bitmap (s->proto.proto)
 * \param event_type       filled in by the event lookup
 *
 * \retval int 0 ok
 * \retval int -1 error
 * \retval int -3 non-fatal error: sig will be rejected w/o raising error
 */
static int DetectAppLayerEventParseAppP2(DetectAppLayerEventData *data,
        uint8_t *ipproto_bitarray,
        AppLayerEventType *event_type)
{
    int event_id = 0;
    uint8_t ipproto;
    char alproto_name[MAX_ALPROTO_NAME];
    int r = 0;

    /* retired TLS certificate events: rejected either fatally (-1) or as a
     * warning (-3); the condition choosing between the two, presumably a
     * strict-mode check, is not shown in this copy of the file */
    if (OutdatedEvent(data->arg)) {
                "app-layer-event keyword no longer supports event \"%s\"", data->arg);
            return -1;
        } else {
                "app-layer-event keyword no longer supports event \"%s\"", data->arg);
            return -3;
        }
    }

    /* p_idx is non-NULL: DetectAppLayerEventParse only routes arguments
     * containing a '.' to the app-layer path. */
    const char *p_idx = strchr(data->arg, '.');
    /* Bounds the strlcpy below: with strlen(arg) <= MAX_ALPROTO_NAME the '.'
     * sits within the first MAX_ALPROTO_NAME bytes, so the copy size
     * (p_idx - arg + 1, NUL included) never exceeds sizeof(alproto_name). */
    if (strlen(data->arg) > MAX_ALPROTO_NAME) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword is too long or malformed");
        return -1;
    }
    strlcpy(alproto_name, data->arg, p_idx - data->arg + 1);

    /* Event tables are keyed by TCP/UDP; pick the one the rule allows.
     * ('<<' binds tighter than '&', so this tests a single bit.)
     * NOTE(review): the error message names the app-layer protocol, but
     * the failing condition is that the rule's IP protocol set contains
     * neither TCP nor UDP. */
    if (ipproto_bitarray[IPPROTO_TCP / 8] & 1 << (IPPROTO_TCP % 8)) {
        ipproto = IPPROTO_TCP;
    } else if (ipproto_bitarray[IPPROTO_UDP / 8] & 1 << (IPPROTO_UDP % 8)) {
        ipproto = IPPROTO_UDP;
    } else {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "protocol %s is disabled", alproto_name);
        return -1;
    }

    /* "file.*" events (needs_detctx, see DetectAppLayerEventParseAppP1) are
     * registered by the detect engine rather than by an app-layer parser */
    if (!data->needs_detctx) {
        r = AppLayerParserGetEventInfo(ipproto, data->alproto,
                p_idx + 1, &event_id, event_type);
    } else {
        r = DetectEngineGetEventInfo(p_idx + 1, &event_id, event_type);
    }
    /* unknown event: fatal (-1) or warning-only (-3), again selected by a
     * condition not shown in this copy of the file */
    if (r < 0) {
            SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword's "
                    "protocol \"%s\" doesn't have event \"%s\" registered",
                    alproto_name, p_idx + 1);
            return -1;
        } else {
            SCLogWarning(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword's "
                    "protocol \"%s\" doesn't have event \"%s\" registered",
                    alproto_name, p_idx + 1);
            return -3;
        }
    }
    data->event_id = event_id;

    return 0;
}
238 
/**
 * \brief Map the protocol prefix of an app-layer-event argument to an
 *        AppProto.
 *
 * Thin wrapper over AppLayerGetProtoByName with one adjustment: "http" in
 * an app-layer-event rule refers to the HTTP/1 parser's events, so
 * ALPROTO_HTTP is translated to ALPROTO_HTTP1.
 *
 * \param alproto_name NUL-terminated protocol name (text before the '.')
 * \retval the AppProto, or ALPROTO_UNKNOWN if the name is not a protocol
 */
static AppProto AppLayerEventGetProtoByName(char *alproto_name)
{
    const AppProto looked_up = AppLayerGetProtoByName(alproto_name);

    return (looked_up == ALPROTO_HTTP) ? ALPROTO_HTTP1 : looked_up;
}
248 
/**
 * \brief First parsing pass for "proto.event" arguments.
 *
 * Splits the argument at the '.', resolves the protocol prefix and keeps a
 * copy of the whole argument for the second pass
 * (DetectAppLayerEventParseAppP2), which cannot run until the rule's IP
 * protocol is known. The prefix "file" is accepted without an AppProto:
 * those events are resolved through the detect engine (needs_detctx).
 *
 * \param arg "proto.event" string; the caller (DetectAppLayerEventParse)
 *            only routes arguments that contain a '.' here
 *
 * \retval newly allocated DetectAppLayerEventData, to be released with
 *         DetectAppLayerEventFree; NULL on malformed/unknown protocol or OOM
 */
static DetectAppLayerEventData *DetectAppLayerEventParseAppP1(const char *arg)
{
    char alproto_name[MAX_ALPROTO_NAME];

    /* position of the separating period; non-NULL by the caller's contract */
    const char *dot = strchr(arg, '.');
    if (strlen(arg) > MAX_ALPROTO_NAME) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword is too long or malformed");
        return NULL;
    }
    /* prefix length + 1 for the terminating NUL. The strlen check above
     * keeps the '.' inside the first MAX_ALPROTO_NAME bytes, so this size
     * never exceeds sizeof(alproto_name). */
    const size_t prefix_size = (size_t)(dot - arg) + 1;
    strlcpy(alproto_name, arg, prefix_size);

    const AppProto alproto = AppLayerEventGetProtoByName(alproto_name);
    bool needs_detctx = false;
    if (alproto == ALPROTO_UNKNOWN) {
        if (strcmp(alproto_name, "file") != 0) {
            SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword "
                    "supplied with unknown protocol \"%s\"",
                    alproto_name);
            return NULL;
        }
        /* "file.*": not a parser protocol, resolved via the detect engine */
        needs_detctx = true;
    }

    DetectAppLayerEventData *aled = SCCalloc(1, sizeof(*aled));
    if (unlikely(aled == NULL))
        return NULL;
    /* the full argument is kept so the second pass can re-split it */
    aled->arg = SCStrdup(arg);
    if (aled->arg == NULL) {
        SCFree(aled);
        return NULL;
    }
    aled->alproto = alproto;
    aled->needs_detctx = needs_detctx;

    return aled;
}
288 
/**
 * \brief Entry point for parsing the app-layer-event keyword argument.
 *
 * Dispatches on the presence of a '.': "proto.event" is an app-layer
 * (per-transaction) event handled in two passes, a bare name is a
 * packet-based protocol detection event.
 *
 * \param arg        raw keyword argument, may be NULL
 * \param event_type set to APP_LAYER_EVENT_TYPE_PACKET for packet events;
 *                   left at 0 for app-layer events, where it is only
 *                   filled in by DetectAppLayerEventParseAppP2 later
 *
 * \retval parsed data, or NULL on error (already logged)
 */
static DetectAppLayerEventData *DetectAppLayerEventParse(const char *arg,
        AppLayerEventType *event_type)
{
    *event_type = 0;

    if (arg == NULL) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword supplied "
                "with no arguments. This keyword needs an argument.");
        return NULL;
    }

    /* skip leading whitespace; the cast keeps isspace() defined for bytes
     * above 0x7f when char is signed */
    const char *name = arg;
    while (*name != '\0' && isspace((unsigned char)*name))
        name++;

    const bool is_app_event = (strchr(name, '.') != NULL);
    return is_app_event ? DetectAppLayerEventParseAppP1(name)
                        : DetectAppLayerEventParsePkt(name, event_type);
}
309 
/**
 * \brief Second setup pass for one app-layer-event SigMatch.
 *
 * Called from DetectAppLayerEventPrepare once the signature's IP protocol
 * set is final. Resolves the event id and re-attaches sm to the
 * "app-layer-events" list.
 *
 * \param sm SigMatch whose ctx is a DetectAppLayerEventData; already
 *           unlinked from the list by the caller
 *
 * \retval 0 ok
 * \retval -1 fatal error, -3 non-fatal rejection (from
 *         DetectAppLayerEventParseAppP2); sm has been freed in both cases
 */
static int DetectAppLayerEventSetupP2(DetectEngineCtx *de_ctx,
        Signature *s,
        SigMatch *sm)
{
    AppLayerEventType event_type = 0;
    DetectAppLayerEventData *data = (DetectAppLayerEventData *)sm->ctx;

    const int ret = DetectAppLayerEventParseAppP2(data, s->proto.proto, &event_type);
    if (ret >= 0) {
        SigMatchAppendSMToList(s, sm, g_applayer_events_list_id);
        /* expected to be set already by SetupP1; harmless to repeat */
        s->flags |= SIG_FLAG_APPLAYER;
        return 0;
    }

    /* Error already logged by DetectAppLayerEventParseAppP2. The caller
     * detached sm (and its neighbours) from the list before calling us, so
     * freeing it here, ctx included, leaves no dangling reference. */
    SigMatchFree(de_ctx, sm);
    return ret;
}
331 
/**
 * \brief Setup() handler for app-layer-event (first pass).
 *
 * Parses the argument and attaches a SigMatch to the signature. Packet
 * events are complete at this point; app-layer events only get their
 * protocol recorded here and are finished later by
 * DetectAppLayerEventPrepare / DetectAppLayerEventSetupP2.
 *
 * \retval 0 ok
 * \retval -1 error (already logged); nothing is left allocated
 */
static int DetectAppLayerEventSetupP1(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
    AppLayerEventType event_type;

    DetectAppLayerEventData *data = DetectAppLayerEventParse(arg, &event_type);
    if (data == NULL)
        SCReturnInt(-1);

    SigMatch *sm = SigMatchAlloc();
    if (sm == NULL)
        goto error;

    /* sm takes a reference to data; ownership is shared until the error
     * path below decides which one frees it */
    sm->ctx = (SigMatchCtx *)data;

    if (event_type == APP_LAYER_EVENT_TYPE_PACKET) {
        /* packet event: attached to the packet match list (line not shown) */
    } else {
        /* app-layer event: pin the signature to the protocol; for "file.*"
         * data->alproto is ALPROTO_UNKNOWN */
        if (DetectSignatureSetAppProto(s, data->alproto) != 0)
            goto error;

        /* provisional placement; DetectAppLayerEventPrepare detaches and
         * re-adds these after the rule's protocols are known */
        SigMatchAppendSMToList(s, sm, g_applayer_events_list_id);
    }

    return 0;

error:
    /* data is never NULL here (checked above); the guard is harmless */
    if (data) {
        DetectAppLayerEventFree(de_ctx, data);
    }
    /* clear the shared pointer first so SigMatchFree does not free data
     * a second time */
    if (sm) {
        sm->ctx = NULL;
        SigMatchFree(de_ctx, sm);
    }
    return -1;
}
368 
/**
 * \brief Free() handler for app-layer-event.
 *
 * Releases a DetectAppLayerEventData together with the copy of the rule
 * argument made by DetectAppLayerEventParseAppP1.
 *
 * \param de_ctx unused
 * \param ptr    DetectAppLayerEventData *, as stored in SigMatch::ctx
 */
static void DetectAppLayerEventFree(DetectEngineCtx *de_ctx, void *ptr)
{
    /* data: ptr viewed as DetectAppLayerEventData; arg is NULL for packet
     * events, which never set it */
    if (data->arg != NULL)
        SCFree(data->arg);

    SCFree(ptr);

    return;
}
379 
{
    /* Second pass for the signature's app-layer-event keywords, run once
     * the rule's protocol set is final. The whole "app-layer-events" list
     * is detached first; DetectAppLayerEventSetupP2 then resolves each
     * event id and re-appends the SigMatch. Returns 0, or the first
     * negative value from SetupP2 (-1 fatal, -3 non-fatal rejection). */
    SigMatch *sm = s->init_data->smlists[g_applayer_events_list_id];
    SigMatch *smn;
    s->init_data->smlists[g_applayer_events_list_id] = NULL;
    s->init_data->smlists_tail[g_applayer_events_list_id] = NULL;

    while (sm != NULL) {
        // save it for later use in loop
        smn = sm->next;
        /* these will be overwritten in SigMatchAppendSMToList
         * called by DetectAppLayerEventSetupP2
         */
        sm->next = sm->prev = NULL;
        int ret = DetectAppLayerEventSetupP2(de_ctx, s, sm);
        if (ret < 0) {
            // current one was freed, let's free the next ones
            /* the detached remainder is no longer reachable from the
             * signature, so it has to be released here or it leaks */
            sm = smn;
            while(sm) {
                smn = sm->next;
                SigMatchFree(de_ctx, sm);
                sm = smn;
            }
            return ret;
        }
        sm = smn;
    }

    return 0;
}
410 
411 /**********************************Unittests***********************************/
412 
413 #ifdef UNITTESTS /* UNITTESTS */
414 #include "stream-tcp-private.h"
415 #include "stream-tcp-reassemble.h"
416 #include "stream-tcp.h"
417 
418 #define APP_LAYER_EVENT_TEST_MAP_EVENT1 0
419 #define APP_LAYER_EVENT_TEST_MAP_EVENT2 1
420 #define APP_LAYER_EVENT_TEST_MAP_EVENT3 2
421 #define APP_LAYER_EVENT_TEST_MAP_EVENT4 3
422 #define APP_LAYER_EVENT_TEST_MAP_EVENT5 4
423 #define APP_LAYER_EVENT_TEST_MAP_EVENT6 5
424 
426  { "event1", APP_LAYER_EVENT_TEST_MAP_EVENT1 },
427  { "event2", APP_LAYER_EVENT_TEST_MAP_EVENT2 },
428  { "event3", APP_LAYER_EVENT_TEST_MAP_EVENT3 },
429  { "event4", APP_LAYER_EVENT_TEST_MAP_EVENT4 },
430  { "event5", APP_LAYER_EVENT_TEST_MAP_EVENT5 },
431  { "event6", APP_LAYER_EVENT_TEST_MAP_EVENT6 },
432 };
433 
/**
 * \brief Test-only event lookup: resolves a name against
 *        app_layer_event_test_map.
 *
 * Stands in for a parser's GetEventInfo callback in the unit tests.
 *
 * \param event_name name to look up ("event1" .. "event6")
 * \param event_id   receives the mapped value, or -1 when not found
 * \param event_type set to APP_LAYER_EVENT_TYPE_TRANSACTION on success only
 *
 * \retval 0 ok, -1 if the name is not in the table
 */
static int DetectAppLayerEventTestGetEventInfo(const char *event_name,
        int *event_id,
        AppLayerEventType *event_type)
{
    const int mapped = SCMapEnumNameToValue(event_name, app_layer_event_test_map);
    *event_id = mapped;
    if (mapped == -1) {
        SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in "
                "app-layer-event's test enum map table.", event_name);
        /* this should be treated as fatal */
        return -1;
    }

    *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
    return 0;
}
450 
451 
/**
 * \test Two-pass parse of "smtp.event1" resolves to ALPROTO_SMTP (and the
 *       expected event id) when the rule allows TCP. The test event table
 *       is installed for SMTP over TCP first (registration lines not shown
 *       in this copy of the file).
 */
static int DetectAppLayerEventTest01(void)
{
            DetectAppLayerEventTestGetEventInfo);

    AppLayerEventType event_type;
    int result = 0;
    /* rule protocol bitmap with only TCP set */
    uint8_t ipproto_bitarray[256 / 8];
    memset(ipproto_bitarray, 0, sizeof(ipproto_bitarray));
    ipproto_bitarray[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);

    DetectAppLayerEventData *aled = DetectAppLayerEventParse("smtp.event1",
            &event_type);
    if (aled == NULL)
        goto end;
    if (DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0) {
        printf("failure 1\n");
        goto end;
    }
    if (aled->alproto != ALPROTO_SMTP ||
        printf("test failure. Holding wrong state\n");
        goto end;
    }

    result = 1;

end:
    if (aled != NULL)
        DetectAppLayerEventFree(NULL, aled);
    return result;
}
486 
/**
 * \test Two-pass parse of "proto.eventN" for several protocols (smtp, http,
 *       smb, ftp) resolves each to the expected AppProto. "http" is expected
 *       to map to ALPROTO_HTTP1. Test event tables are registered for each
 *       protocol over TCP first (registration lines partly not shown).
 *
 * NOTE(review): aled appears to be reassigned for each protocol without a
 * matching DetectAppLayerEventFree(); only the last allocation is released
 * at the end. Harmless for a unit test, but a free before each
 * reassignment would keep leak checkers quiet.
 */
static int DetectAppLayerEventTest02(void)
{

            DetectAppLayerEventTestGetEventInfo);
            IPPROTO_TCP, ALPROTO_HTTP1, DetectAppLayerEventTestGetEventInfo);
            DetectAppLayerEventTestGetEventInfo);
            DetectAppLayerEventTestGetEventInfo);

    AppLayerEventType event_type;
    /* rule protocol bitmap with only TCP set */
    uint8_t ipproto_bitarray[256 / 8];
    memset(ipproto_bitarray, 0, sizeof(ipproto_bitarray));
    ipproto_bitarray[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);

    DetectAppLayerEventData *aled = DetectAppLayerEventParse("smtp.event1",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_SMTP);

    aled = DetectAppLayerEventParse("smtp.event4",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_SMTP);

    /* "http" resolves to the HTTP/1 parser, see AppLayerEventGetProtoByName */
    aled = DetectAppLayerEventParse("http.event2",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_HTTP1);

    aled = DetectAppLayerEventParse("smb.event3",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_SMB);

    aled = DetectAppLayerEventParse("ftp.event5",
            &event_type);
    FAIL_IF_NULL(aled);
    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);
    FAIL_IF(aled->alproto != ALPROTO_FTP);

    DetectAppLayerEventFree(NULL, aled);
    PASS;
}
544 
/**
 * \test HTTP request followed by an HTTP response on the same flow must NOT
 *       raise applayer_mismatch_protocol_both_directions: both directions
 *       detect the same protocol.
 *
 * Note: buf_ts / buf_tc are string literals, so sizeof() includes the
 * terminating NUL and one extra 0x00 byte is handed to the parser with
 * each direction. Setup/cleanup lines (engine init, flow direction flags)
 * are partly not shown in this copy; no release of de_ctx, det_ctx, f or
 * p is visible on any path (test-only).
 */
static int DetectAppLayerEventTest03(void)
{
    ThreadVars tv;
    TcpReassemblyThreadCtx *ra_ctx = NULL;
    Packet *p = NULL;
    Flow *f = NULL;
    TcpSession ssn;
    TcpStream stream_ts, stream_tc;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
                       "Host: 127.0.0.1\r\n"
                       "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
                       "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
                       "Accept-Language: en-us,en;q=0.5\r\n"
                       "Accept-Encoding: gzip,deflate\r\n"
                       "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
                       "Keep-Alive: 115\r\n"
                       "Connection: keep-alive\r\n"
                       "\r\n";
    uint8_t buf_tc[] = "HTTP/1.1 200 OK\r\n"
                       "Date: Fri, 22 Oct 2010 12:31:08 GMT\r\n"
                       "Server: Apache/2.2.15 (Unix) DAV/2\r\n"
                       "Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT\r\n"
                       "ETag: \"ab8486-2c-3e9564c23b600\"\r\n"
                       "Accept-Ranges: bytes\r\n"
                       "Content-Length: 44\r\n"
                       "Keep-Alive: timeout=5, max=100\r\n"
                       "Connection: Keep-Alive\r\n"
                       "Content-Type: text/html\r\n"
                       "\r\n"
                       "<html><body><h1>It works!</h1></body></html>";

    memset(&tv, 0, sizeof (ThreadVars));
    memset(&ssn, 0, sizeof(TcpSession));
    memset(&stream_ts, 0, sizeof(TcpStream));
    memset(&stream_tc, 0, sizeof(TcpStream));

    ssn.data_first_seen_dir = STREAM_TOSERVER;

    FAIL_IF(de_ctx == NULL);
    de_ctx->flags |= DE_QUIET;
    /* packet-based (protocol detection) event, no "proto." prefix */
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(app-layer-event: applayer_mismatch_protocol_both_directions; "
            "sid:1;)");
    FAIL_IF(de_ctx->sig_list == NULL);
    /* return value not checked: a NULL det_ctx would surface below */
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
    FAIL_IF(f == NULL);
    FLOW_INITIALIZE(f);
    f->protoctx = &ssn;
    f->proto = IPPROTO_TCP;
    f->flags |= FLOW_IPV4;

    p = PacketGetFromAlloc();
    FAIL_IF(unlikely(p == NULL));
    p->flow = f;
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->proto = IPPROTO_TCP;

    StreamTcpUTInit(&ra_ctx);

    /* request: only one direction seen, no verdict yet */
    TcpStream *stream = &stream_ts;
    FAIL_IF(AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_ts,
                sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    FAIL_IF (PacketAlertCheck(p, 1));

    /* response: HTTP in both directions, so still no mismatch event */
    stream = &stream_tc;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_tc,
                sizeof(buf_tc), STREAM_TOCLIENT | STREAM_START) < 0);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    FAIL_IF(PacketAlertCheck(p, 1));

    StreamTcpUTDeinit(ra_ctx);
    PASS;
}
633 
/**
 * \test HTTP request followed by a response that is not recognisable as
 *       HTTP ("XTTP/1.1 ...") must raise
 *       applayer_detect_protocol_only_one_direction once the response has
 *       been seen, and not before.
 *
 * Note: buf_ts / buf_tc are string literals, so sizeof() includes the
 * terminating NUL and one extra 0x00 byte is handed to the parser with
 * each direction. Setup lines (engine init, flow direction flags) are
 * partly not shown in this copy; no release of de_ctx, det_ctx, f or p is
 * visible on any path (test-only).
 */
static int DetectAppLayerEventTest04(void)
{
    ThreadVars tv;
    TcpReassemblyThreadCtx *ra_ctx = NULL;
    Packet *p = NULL;
    Flow *f = NULL;
    TcpSession ssn;
    TcpStream stream_ts, stream_tc;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
                       "Host: 127.0.0.1\r\n"
                       "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
                       "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
                       "Accept-Language: en-us,en;q=0.5\r\n"
                       "Accept-Encoding: gzip,deflate\r\n"
                       "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
                       "Keep-Alive: 115\r\n"
                       "Connection: keep-alive\r\n"
                       "\r\n";
    /* deliberately broken status line: "XTTP" instead of "HTTP" */
    uint8_t buf_tc[] = "XTTP/1.1 200 OK\r\n"
                       "Date: Fri, 22 Oct 2010 12:31:08 GMT\r\n"
                       "Server: Apache/2.2.15 (Unix) DAV/2\r\n"
                       "Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT\r\n"
                       "ETag: \"ab8486-2c-3e9564c23b600\"\r\n"
                       "Accept-Ranges: bytes\r\n"
                       "Content-Length: 44\r\n"
                       "Keep-Alive: timeout=5, max=100\r\n"
                       "Connection: Keep-Alive\r\n"
                       "Content-Type: text/html\r\n"
                       "\r\n"
                       "<html><body><h1>It works!</h1></body></html>";

    memset(&tv, 0, sizeof (ThreadVars));
    memset(&ssn, 0, sizeof(TcpSession));
    memset(&stream_ts, 0, sizeof(TcpStream));
    memset(&stream_tc, 0, sizeof(TcpStream));

    ssn.data_first_seen_dir = STREAM_TOSERVER;

    FAIL_IF (de_ctx == NULL);
    de_ctx->flags |= DE_QUIET;
    /* packet-based (protocol detection) event, no "proto." prefix */
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(app-layer-event: applayer_detect_protocol_only_one_direction; "
            "sid:1;)");
    FAIL_IF(de_ctx->sig_list == NULL);
    /* return value not checked: a NULL det_ctx would surface below */
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
    FAIL_IF (f == NULL);
    FLOW_INITIALIZE(f);
    f->protoctx = &ssn;
    f->proto = IPPROTO_TCP;
    f->flags |= FLOW_IPV4;

    p = PacketGetFromAlloc();
    FAIL_IF(unlikely(p == NULL));
    p->flow = f;
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->proto = IPPROTO_TCP;

    StreamTcpUTInit(&ra_ctx);

    /* request: only one direction seen so far, no alert expected */
    TcpStream *stream = &stream_ts;
    FAIL_IF(AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_ts,
                sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    FAIL_IF (PacketAlertCheck(p, 1));

    /* unparsable response: detection succeeded in one direction only */
    stream = &stream_tc;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_tc,
                sizeof(buf_tc), STREAM_TOCLIENT | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    FAIL_IF (!PacketAlertCheck(p, 1));

    StreamTcpUTDeinit(ra_ctx);
    PASS;
}
718 
/**
 * \test HTTP request answered by TLS records must raise
 *       applayer_mismatch_protocol_both_directions once the response has
 *       been seen, and not before.
 *
 * Note: buf_ts is a string literal, so sizeof() includes the terminating
 * NUL and one extra 0x00 byte is handed to the parser; buf_tc is a plain
 * byte array. Setup lines (engine init, flow direction flags) are partly
 * not shown in this copy; no release of de_ctx, det_ctx, f or p is visible
 * on any path (test-only).
 */
static int DetectAppLayerEventTest05(void)
{
    ThreadVars tv;
    TcpReassemblyThreadCtx *ra_ctx = NULL;
    Packet *p = NULL;
    Flow *f = NULL;
    TcpSession ssn;
    TcpStream stream_ts, stream_tc;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
                       "Host: 127.0.0.1\r\n"
                       "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
                       "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
                       "Accept-Language: en-us,en;q=0.5\r\n"
                       "Accept-Encoding: gzip,deflate\r\n"
                       "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
                       "Keep-Alive: 115\r\n"
                       "Connection: keep-alive\r\n"
                       "\r\n";
    /* tls: record headers 0x16 0x03 0x01 (handshake, version 3.1) and
     * 0x14 0x03 0x01 (change cipher spec) followed by another handshake
     * record; the payload bytes themselves are opaque to this test */
    uint8_t buf_tc[] = {
        0x16, 0x03, 0x01, 0x00, 0x86, 0x10, 0x00, 0x00,
        0x82, 0x00, 0x80, 0xd3, 0x6f, 0x1f, 0x63, 0x82,
        0x8d, 0x75, 0x77, 0x8c, 0x91, 0xbc, 0xa1, 0x3d,
        0xbb, 0xe1, 0xb5, 0xd3, 0x31, 0x92, 0x59, 0x2b,
        0x2c, 0x43, 0x96, 0xa3, 0xaa, 0x23, 0x92, 0xd0,
        0x91, 0x2a, 0x5e, 0x10, 0x5b, 0xc8, 0xc1, 0xe2,
        0xd3, 0x5c, 0x8b, 0x8c, 0x91, 0x9e, 0xc2, 0xf2,
        0x9c, 0x3c, 0x4f, 0x37, 0x1e, 0x20, 0x5e, 0x33,
        0xd5, 0xf0, 0xd6, 0xaf, 0x89, 0xf5, 0xcc, 0xb2,
        0xcf, 0xc1, 0x60, 0x3a, 0x46, 0xd5, 0x4e, 0x2a,
        0xb6, 0x6a, 0xb9, 0xfc, 0x32, 0x8b, 0xe0, 0x6e,
        0xa0, 0xed, 0x25, 0xa0, 0xa4, 0x82, 0x81, 0x73,
        0x90, 0xbf, 0xb5, 0xde, 0xeb, 0x51, 0x8d, 0xde,
        0x5b, 0x6f, 0x94, 0xee, 0xba, 0xe5, 0x69, 0xfa,
        0x1a, 0x80, 0x30, 0x54, 0xeb, 0x12, 0x01, 0xb9,
        0xfe, 0xbf, 0x82, 0x95, 0x01, 0x7b, 0xb0, 0x97,
        0x14, 0xc2, 0x06, 0x3c, 0x69, 0xfb, 0x1c, 0x66,
        0x47, 0x17, 0xd9, 0x14, 0x03, 0x01, 0x00, 0x01,
        0x01, 0x16, 0x03, 0x01, 0x00, 0x30, 0xf6, 0xbc,
        0x0d, 0x6f, 0xe8, 0xbb, 0xaa, 0xbf, 0x14, 0xeb,
        0x7b, 0xcc, 0x6c, 0x28, 0xb0, 0xfc, 0xa6, 0x01,
        0x2a, 0x97, 0x96, 0x17, 0x5e, 0xe8, 0xb4, 0x4e,
        0x78, 0xc9, 0x04, 0x65, 0x53, 0xb6, 0x93, 0x3d,
        0xeb, 0x44, 0xee, 0x86, 0xf9, 0x80, 0x49, 0x45,
        0x21, 0x34, 0xd1, 0xee, 0xc8, 0x9c,
    };

    memset(&tv, 0, sizeof (ThreadVars));
    memset(&ssn, 0, sizeof(TcpSession));
    memset(&stream_ts, 0, sizeof(TcpStream));
    memset(&stream_tc, 0, sizeof(TcpStream));

    ssn.data_first_seen_dir = STREAM_TOSERVER;

    FAIL_IF (de_ctx == NULL);
    de_ctx->flags |= DE_QUIET;
    /* packet-based (protocol detection) event, no "proto." prefix */
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(app-layer-event: applayer_mismatch_protocol_both_directions; "
            "sid:1;)");
    FAIL_IF (de_ctx->sig_list == NULL);
    /* return value not checked: a NULL det_ctx would surface below */
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
    FAIL_IF (f == NULL);
    FLOW_INITIALIZE(f);
    f->protoctx = &ssn;
    f->proto = IPPROTO_TCP;
    f->flags |= FLOW_IPV4;

    p = PacketGetFromAlloc();
    FAIL_IF (unlikely(p == NULL));
    p->flow = f;
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->proto = IPPROTO_TCP;

    StreamTcpUTInit(&ra_ctx);

    /* request: only one direction seen so far, no alert expected */
    TcpStream *stream = &stream_ts;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_ts,
                sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    FAIL_IF (PacketAlertCheck(p, 1));

    /* TLS response to an HTTP request: protocols disagree per direction */
    stream = &stream_tc;
    FAIL_IF (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream, buf_tc,
                sizeof(buf_tc), STREAM_TOCLIENT | STREAM_START) < 0);
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    FAIL_IF (!PacketAlertCheck(p, 1));

    StreamTcpUTDeinit(ra_ctx);
    PASS;
}
819 
/**
 * \test "file.test" is accepted without a parser protocol: the two-pass
 *       parse succeeds with alproto left at ALPROTO_UNKNOWN, the event being
 *       resolved through the detect engine instead (needs_detctx path).
 */
static int DetectAppLayerEventTest06(void)
{
    AppLayerEventType event_type;
    /* rule protocol bitmap with only TCP set */
    uint8_t ipproto_bitarray[256 / 8];
    memset(ipproto_bitarray, 0, sizeof(ipproto_bitarray));
    ipproto_bitarray[IPPROTO_TCP / 8] |= 1 << (IPPROTO_TCP % 8);

    DetectAppLayerEventData *aled = DetectAppLayerEventParse("file.test",
            &event_type);

    FAIL_IF_NULL(aled);

    FAIL_IF(DetectAppLayerEventParseAppP2(aled, ipproto_bitarray, &event_type) < 0);

    /* "file" is not an AppProto; see DetectAppLayerEventParseAppP1 */
    FAIL_IF(aled->alproto != ALPROTO_UNKNOWN);

    DetectAppLayerEventFree(NULL, aled);
    PASS;
}
840 
/**
 * \brief Register the unit tests for the "app-layer-event" keyword.
 *
 * Tests are registered in numeric order, each under its function name.
 */
static void DetectAppLayerEventRegisterTests(void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectAppLayerEventTest01", DetectAppLayerEventTest01 },
        { "DetectAppLayerEventTest02", DetectAppLayerEventTest02 },
        { "DetectAppLayerEventTest03", DetectAppLayerEventTest03 },
        { "DetectAppLayerEventTest04", DetectAppLayerEventTest04 },
        { "DetectAppLayerEventTest05", DetectAppLayerEventTest05 },
        { "DetectAppLayerEventTest06", DetectAppLayerEventTest06 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++)
        UtRegisterTest(tests[i].name, tests[i].fn);
}
853 #endif /* UNITTESTS */
register inspect engine at start up time
Definition: detect-engine.c:225
AppLayerParserRegisterGetEventInfo
void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto, int(*StateGetEventInfo)(const char *event_name, int *event_id, AppLayerEventType *event_type))
Definition: app-layer-parser.c:592
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:619
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1235
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:542
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:226
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:40
decode-events.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1948
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:316
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:415
Packet_::flow
struct Flow_ * flow
Definition: decode.h:464
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3142
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectEngineGetEventInfo
int DetectEngineGetEventInfo(const char *event_name, int *event_id, AppLayerEventType *event_type)
Definition: detect-engine.c:4642
SCMapEnumNameToValue
int SCMapEnumNameToValue(const char *enum_name, SCEnumCharMap *table)
Maps a string name to an enum value from the supplied table. Please specify the last element of any m...
Definition: util-enum.c:40
flags
uint8_t flags
Definition: decode-gre.h:0
Signature_::proto
DetectProto proto
Definition: detect.h:566
SigMatchData_::is_last
uint8_t is_last
Definition: detect.h:332
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:322
SCEnumCharMap_
Definition: util-enum.h:27
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:817
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:173
APP_LAYER_EVENT_TEST_MAP_EVENT3
#define APP_LAYER_EVENT_TEST_MAP_EVENT3
Definition: detect-app-layer-event.c:420
APP_LAYER_EVENT_TEST_MAP_EVENT1
#define APP_LAYER_EVENT_TEST_MAP_EVENT1
Definition: detect-app-layer-event.c:418
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::flags
uint32_t flags
Definition: flow.h:431
detect-parse.h
Signature_
Signature container.
Definition: detect.h:548
SigMatch_
a single match condition for a signature
Definition: detect.h:321
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:66
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2394
AppLayerGetPktEventInfo
int AppLayerGetPktEventInfo(const char *event_name, int *event_id)
Definition: app-layer-events.c:67
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:60
app-layer-protos.h
app_layer_event_test_map
SCEnumCharMap app_layer_event_test_map[]
Definition: detect-app-layer-event.c:425
Address_::family
char family
Definition: decode.h:123
Packet_::dst
Address dst
Definition: decode.h:432
SC_ERR_INVALID_ENUM_MAP
@ SC_ERR_INVALID_ENUM_MAP
Definition: util-error.h:45
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:812
app-layer-smtp.h
TcpSession_
Definition: stream-tcp-private.h:260
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:265
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:460
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
Packet_::src
Address src
Definition: decode.h:431
DetectAppLayerEventData_::arg
char * arg
Definition: detect-app-layer-event.h:34
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1259
APP_LAYER_EVENT_TEST_MAP_EVENT5
#define APP_LAYER_EVENT_TEST_MAP_EVENT5
Definition: detect-app-layer-event.c:422
app-layer.h
AppLayerParserGetEventInfo
int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name, int *event_id, AppLayerEventType *event_type)
Definition: app-layer-parser.c:1131