suricata
detect-app-layer-protocol.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "detect-engine.h"
26 #include "detect-engine-build.h"
29 #include "detect-parse.h"
31 #include "app-layer.h"
32 #include "app-layer-parser.h"
33 #include "util-debug.h"
34 #include "util-unittest.h"
35 #include "util-unittest-helper.h"
36 
37 #ifdef UNITTESTS
38 static void DetectAppLayerProtocolRegisterTests(void);
39 #endif
40 
41 enum {
48 };
49 
52  uint8_t negated;
53  uint8_t mode;
55 
56 static int DetectAppLayerProtocolPacketMatch(
57  DetectEngineThreadCtx *det_ctx,
58  Packet *p, const Signature *s, const SigMatchCtx *ctx)
59 {
60  SCEnter();
61 
62  bool r = false;
64 
65  /* if the sig is PD-only we only match when PD packet flags are set */
66  if (s->type == SIG_TYPE_PDONLY &&
68  SCLogDebug("packet %"PRIu64": flags not set", p->pcap_cnt);
69  SCReturnInt(0);
70  }
71 
72  const Flow *f = p->flow;
73  if (f == NULL) {
74  SCLogDebug("packet %"PRIu64": no flow", p->pcap_cnt);
75  SCReturnInt(0);
76  }
77 
78  switch (data->mode) {
80  if (p->flowflags & FLOW_PKT_TOSERVER) {
81  r = AppProtoEquals(data->alproto, f->alproto_ts);
82  } else {
83  r = AppProtoEquals(data->alproto, f->alproto_tc);
84  }
85  break;
87  r = AppProtoEquals(data->alproto, f->alproto_orig);
88  break;
90  r = AppProtoEquals(data->alproto, f->alproto);
91  break;
93  r = AppProtoEquals(data->alproto, f->alproto_ts);
94  break;
96  r = AppProtoEquals(data->alproto, f->alproto_tc);
97  break;
99  r = AppProtoEquals(data->alproto, f->alproto_tc) ||
100  AppProtoEquals(data->alproto, f->alproto_ts);
101  break;
102  }
103  r = r ^ data->negated;
104  if (r) {
105  SCReturnInt(1);
106  }
107  SCReturnInt(0);
108 }
109 
110 #define MAX_ALPROTO_NAME 50
111 static DetectAppLayerProtocolData *DetectAppLayerProtocolParse(const char *arg, bool negate)
112 {
114  AppProto alproto = ALPROTO_UNKNOWN;
115 
116  char alproto_copy[MAX_ALPROTO_NAME];
117  char *sep = strchr(arg, ',');
118  char *alproto_name;
119  if (sep && sep - arg < MAX_ALPROTO_NAME) {
120  strlcpy(alproto_copy, arg, sep - arg + 1);
121  alproto_name = alproto_copy;
122  } else {
123  alproto_name = (char *)arg;
124  }
125  if (strcmp(alproto_name, "failed") == 0) {
126  alproto = ALPROTO_FAILED;
127  } else {
128  alproto = AppLayerGetProtoByName(alproto_name);
129  if (alproto == ALPROTO_UNKNOWN) {
130  SCLogError("app-layer-protocol "
131  "keyword supplied with unknown protocol \"%s\"",
132  alproto_name);
133  return NULL;
134  }
135  }
136  uint8_t mode = DETECT_ALPROTO_DIRECTION;
137  if (sep) {
138  if (strcmp(sep + 1, "final") == 0) {
139  mode = DETECT_ALPROTO_FINAL;
140  } else if (strcmp(sep + 1, "original") == 0) {
141  mode = DETECT_ALPROTO_ORIG;
142  } else if (strcmp(sep + 1, "either") == 0) {
143  mode = DETECT_ALPROTO_EITHER;
144  } else if (strcmp(sep + 1, "to_server") == 0) {
146  } else if (strcmp(sep + 1, "to_client") == 0) {
148  } else if (strcmp(sep + 1, "direction") == 0) {
150  } else {
151  SCLogError("app-layer-protocol "
152  "keyword supplied with unknown mode \"%s\"",
153  sep + 1);
154  return NULL;
155  }
156  }
157 
158  data = SCMalloc(sizeof(DetectAppLayerProtocolData));
159  if (unlikely(data == NULL))
160  return NULL;
161  data->alproto = alproto;
162  data->negated = negate;
163  data->mode = mode;
164 
165  return data;
166 }
167 
168 static bool HasConflicts(const DetectAppLayerProtocolData *us,
169  const DetectAppLayerProtocolData *them)
170 {
171  /* mixing negated and non negated is illegal */
172  if ((them->negated ^ us->negated) && them->mode == us->mode)
173  return true;
174  /* multiple non-negated is illegal */
175  if (!us->negated && them->mode == us->mode)
176  return true;
177  /* duplicate option */
178  if (us->alproto == them->alproto && them->mode == us->mode)
179  return true;
180 
181  /* all good */
182  return false;
183 }
184 
185 static int DetectAppLayerProtocolSetup(DetectEngineCtx *de_ctx,
186  Signature *s, const char *arg)
187 {
188  DetectAppLayerProtocolData *data = NULL;
189 
190  if (s->alproto != ALPROTO_UNKNOWN) {
191  SCLogError("Either we already "
192  "have the rule match on an app layer protocol set through "
193  "other keywords that match on this protocol, or have "
194  "already seen a non-negated app-layer-protocol.");
195  goto error;
196  }
197 
198  data = DetectAppLayerProtocolParse(arg, s->init_data->negated);
199  if (data == NULL)
200  goto error;
201 
203  for ( ; tsm != NULL; tsm = tsm->next) {
204  if (tsm->type == DETECT_AL_APP_LAYER_PROTOCOL) {
205  const DetectAppLayerProtocolData *them = (const DetectAppLayerProtocolData *)tsm->ctx;
206 
207  if (HasConflicts(data, them)) {
208  SCLogError("can't mix "
209  "positive app-layer-protocol match with negated "
210  "match or match for 'failed'.");
211  goto error;
212  }
213  }
214  }
215 
217  DETECT_SM_LIST_MATCH) == NULL) {
218  goto error;
219  }
220  return 0;
221 
222 error:
223  if (data != NULL)
224  SCFree(data);
225  return -1;
226 }
227 
228 static void DetectAppLayerProtocolFree(DetectEngineCtx *de_ctx, void *ptr)
229 {
230  SCFree(ptr);
231 }
232 
233 /** \internal
234  * \brief prefilter function for protocol detect matching
235  */
236 static void
237 PrefilterPacketAppProtoMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
238 {
239  const PrefilterPacketHeaderCtx *ctx = pectx;
240 
241  if (!PrefilterPacketHeaderExtraMatch(ctx, p)) {
242  SCLogDebug("packet %"PRIu64": extra match failed", p->pcap_cnt);
243  SCReturn;
244  }
245 
246  if (p->flow == NULL) {
247  SCLogDebug("packet %"PRIu64": no flow, no alproto", p->pcap_cnt);
248  SCReturn;
249  }
250 
252  SCLogDebug("packet %"PRIu64": flags not set", p->pcap_cnt);
253  SCReturn;
254  }
255 
256  Flow *f = p->flow;
257  AppProto alproto = ALPROTO_UNKNOWN;
258  bool negated = (bool)ctx->v1.u8[2];
259  switch (ctx->v1.u8[3]) {
261  if (p->flowflags & FLOW_PKT_TOSERVER) {
262  alproto = f->alproto_ts;
263  } else {
264  alproto = f->alproto_tc;
265  }
266  break;
267  case DETECT_ALPROTO_ORIG:
268  alproto = f->alproto_orig;
269  break;
271  alproto = f->alproto;
272  break;
274  alproto = f->alproto_ts;
275  break;
277  alproto = f->alproto_tc;
278  break;
280  // check if either protocol toclient or toserver matches
281  // the one in the signature ctx
282  if (AppProtoEquals(ctx->v1.u16[0], f->alproto_tc) ^ negated) {
283  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
284  } else if (AppProtoEquals(ctx->v1.u16[0], f->alproto_ts) ^ negated) {
285  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
286  }
287  // We return right away to avoid calling PrefilterAddSids again
288  return;
289  }
290 
291  if (alproto != ALPROTO_UNKNOWN) {
292  if (AppProtoEquals(ctx->v1.u16[0], alproto) ^ negated) {
293  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
294  }
295  }
296 }
297 
298 static void
299 PrefilterPacketAppProtoSet(PrefilterPacketHeaderValue *v, void *smctx)
300 {
301  const DetectAppLayerProtocolData *a = smctx;
302  v->u16[0] = a->alproto;
303  v->u8[2] = (uint8_t)a->negated;
304  v->u8[3] = a->mode;
305 }
306 
307 static bool
308 PrefilterPacketAppProtoCompare(PrefilterPacketHeaderValue v, void *smctx)
309 {
310  const DetectAppLayerProtocolData *a = smctx;
311  if (v.u16[0] == a->alproto && v.u8[2] == (uint8_t)a->negated && v.u8[3] == a->mode)
312  return true;
313  return false;
314 }
315 
316 static int PrefilterSetupAppProto(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
317 {
319  SIG_MASK_REQUIRE_FLOW, PrefilterPacketAppProtoSet, PrefilterPacketAppProtoCompare,
320  PrefilterPacketAppProtoMatch);
321 }
322 
323 static bool PrefilterAppProtoIsPrefilterable(const Signature *s)
324 {
325  if (s->type == SIG_TYPE_PDONLY) {
326  SCLogDebug("prefilter on PD %u", s->id);
327  return true;
328  }
329  return false;
330 }
331 
333 {
334  sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].name = "app-layer-protocol";
335  sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].desc = "match on the detected app-layer protocol";
336  sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].url = "/rules/app-layer.html#app-layer-protocol";
338  DetectAppLayerProtocolPacketMatch;
340  DetectAppLayerProtocolSetup;
342  DetectAppLayerProtocolFree;
343 #ifdef UNITTESTS
345  DetectAppLayerProtocolRegisterTests;
346 #endif
349 
351  PrefilterSetupAppProto;
353  PrefilterAppProtoIsPrefilterable;
354 }
355 
356 /**********************************Unittests***********************************/
357 
358 #ifdef UNITTESTS
359 
360 static int DetectAppLayerProtocolTest01(void)
361 {
362  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("http", false);
363  FAIL_IF_NULL(data);
364  FAIL_IF(data->alproto != ALPROTO_HTTP);
365  FAIL_IF(data->negated != 0);
366  DetectAppLayerProtocolFree(NULL, data);
367  PASS;
368 }
369 
370 static int DetectAppLayerProtocolTest02(void)
371 {
372  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("http", true);
373  FAIL_IF_NULL(data);
374  FAIL_IF(data->alproto != ALPROTO_HTTP);
375  FAIL_IF(data->negated == 0);
376  DetectAppLayerProtocolFree(NULL, data);
377  PASS;
378 }
379 
380 static int DetectAppLayerProtocolTest03(void)
381 {
382  Signature *s = NULL;
383  DetectAppLayerProtocolData *data = NULL;
386  de_ctx->flags |= DE_QUIET;
387 
388  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
389  "(app-layer-protocol:http; sid:1;)");
390  FAIL_IF_NULL(s);
391 
393 
396 
398  FAIL_IF(data->alproto != ALPROTO_HTTP);
399  FAIL_IF(data->negated);
401  PASS;
402 }
403 
404 static int DetectAppLayerProtocolTest04(void)
405 {
406  Signature *s = NULL;
407  DetectAppLayerProtocolData *data = NULL;
410  de_ctx->flags |= DE_QUIET;
411 
412  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
413  "(app-layer-protocol:!http; sid:1;)");
414  FAIL_IF_NULL(s);
417 
420 
422  FAIL_IF_NULL(data);
423  FAIL_IF(data->alproto != ALPROTO_HTTP);
424  FAIL_IF(data->negated == 0);
425 
427  PASS;
428 }
429 
430 static int DetectAppLayerProtocolTest05(void)
431 {
432  Signature *s = NULL;
433  DetectAppLayerProtocolData *data = NULL;
436  de_ctx->flags |= DE_QUIET;
437 
438  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
439  "(app-layer-protocol:!http; app-layer-protocol:!smtp; sid:1;)");
440  FAIL_IF_NULL(s);
443 
446 
448  FAIL_IF_NULL(data);
449  FAIL_IF(data->alproto != ALPROTO_HTTP);
450  FAIL_IF(data->negated == 0);
451 
453  FAIL_IF_NULL(data);
454  FAIL_IF(data->alproto != ALPROTO_SMTP);
455  FAIL_IF(data->negated == 0);
456 
458  PASS;
459 }
460 
461 static int DetectAppLayerProtocolTest06(void)
462 {
463  Signature *s = NULL;
466  de_ctx->flags |= DE_QUIET;
467 
468  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
469  "(app-layer-protocol:smtp; sid:1;)");
470  FAIL_IF_NOT_NULL(s);
472  PASS;
473 }
474 
475 static int DetectAppLayerProtocolTest07(void)
476 {
477  Signature *s = NULL;
480  de_ctx->flags |= DE_QUIET;
481 
482  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
483  "(app-layer-protocol:!smtp; sid:1;)");
484  FAIL_IF_NOT_NULL(s);
486  PASS;
487 }
488 
489 static int DetectAppLayerProtocolTest08(void)
490 {
491  Signature *s = NULL;
494  de_ctx->flags |= DE_QUIET;
495 
496  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
497  "(app-layer-protocol:!smtp; app-layer-protocol:http; sid:1;)");
498  FAIL_IF_NOT_NULL(s);
500  PASS;
501 }
502 
503 static int DetectAppLayerProtocolTest09(void)
504 {
505  Signature *s = NULL;
508  de_ctx->flags |= DE_QUIET;
509 
510  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
511  "(app-layer-protocol:http; app-layer-protocol:!smtp; sid:1;)");
512  FAIL_IF_NOT_NULL(s);
514  PASS;
515 }
516 
517 static int DetectAppLayerProtocolTest10(void)
518 {
519  Signature *s = NULL;
522  de_ctx->flags |= DE_QUIET;
523 
524  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
525  "(app-layer-protocol:smtp; app-layer-protocol:!http; sid:1;)");
526  FAIL_IF_NOT_NULL(s);
528  PASS;
529 }
530 
531 static int DetectAppLayerProtocolTest11(void)
532 {
533  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("failed", false);
534  FAIL_IF_NULL(data);
535  FAIL_IF(data->alproto != ALPROTO_FAILED);
536  FAIL_IF(data->negated != 0);
537  DetectAppLayerProtocolFree(NULL, data);
538  PASS;
539 }
540 
541 static int DetectAppLayerProtocolTest12(void)
542 {
543  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("failed", true);
544  FAIL_IF_NULL(data);
545  FAIL_IF(data->alproto != ALPROTO_FAILED);
546  FAIL_IF(data->negated == 0);
547  DetectAppLayerProtocolFree(NULL, data);
548  PASS;
549 }
550 
551 static int DetectAppLayerProtocolTest13(void)
552 {
553  Signature *s = NULL;
554  DetectAppLayerProtocolData *data = NULL;
557  de_ctx->flags |= DE_QUIET;
558 
559  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
560  "(app-layer-protocol:failed; sid:1;)");
561  FAIL_IF_NULL(s);
562 
564 
567 
569  FAIL_IF(data->alproto != ALPROTO_FAILED);
570  FAIL_IF(data->negated);
572  PASS;
573 }
574 
575 static int DetectAppLayerProtocolTest14(void)
576 {
577  DetectAppLayerProtocolData *data = NULL;
580  de_ctx->flags |= DE_QUIET;
581 
582  Signature *s1 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
583  "(app-layer-protocol:http; flowbits:set,blah; sid:1;)");
584  FAIL_IF_NULL(s1);
589  FAIL_IF(data->alproto != ALPROTO_HTTP);
590  FAIL_IF(data->negated);
591 
592  Signature *s2 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
593  "(app-layer-protocol:http; flow:to_client; sid:2;)");
594  FAIL_IF_NULL(s2);
599  FAIL_IF(data->alproto != ALPROTO_HTTP);
600  FAIL_IF(data->negated);
601 
602  /* flow:established and other options not supported for PD-only */
603  Signature *s3 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
604  "(app-layer-protocol:http; flow:to_client,established; sid:3;)");
605  FAIL_IF_NULL(s3);
610  FAIL_IF(data->alproto != ALPROTO_HTTP);
611  FAIL_IF(data->negated);
612 
616  FAIL_IF(s3->type == SIG_TYPE_PDONLY); // failure now
617 
619  PASS;
620 }
621 
622 
623 static void DetectAppLayerProtocolRegisterTests(void)
624 {
625  UtRegisterTest("DetectAppLayerProtocolTest01",
626  DetectAppLayerProtocolTest01);
627  UtRegisterTest("DetectAppLayerProtocolTest02",
628  DetectAppLayerProtocolTest02);
629  UtRegisterTest("DetectAppLayerProtocolTest03",
630  DetectAppLayerProtocolTest03);
631  UtRegisterTest("DetectAppLayerProtocolTest04",
632  DetectAppLayerProtocolTest04);
633  UtRegisterTest("DetectAppLayerProtocolTest05",
634  DetectAppLayerProtocolTest05);
635  UtRegisterTest("DetectAppLayerProtocolTest06",
636  DetectAppLayerProtocolTest06);
637  UtRegisterTest("DetectAppLayerProtocolTest07",
638  DetectAppLayerProtocolTest07);
639  UtRegisterTest("DetectAppLayerProtocolTest08",
640  DetectAppLayerProtocolTest08);
641  UtRegisterTest("DetectAppLayerProtocolTest09",
642  DetectAppLayerProtocolTest09);
643  UtRegisterTest("DetectAppLayerProtocolTest10",
644  DetectAppLayerProtocolTest10);
645  UtRegisterTest("DetectAppLayerProtocolTest11",
646  DetectAppLayerProtocolTest11);
647  UtRegisterTest("DetectAppLayerProtocolTest12",
648  DetectAppLayerProtocolTest12);
649  UtRegisterTest("DetectAppLayerProtocolTest13",
650  DetectAppLayerProtocolTest13);
651  UtRegisterTest("DetectAppLayerProtocolTest14",
652  DetectAppLayerProtocolTest14);
653 }
654 #endif /* UNITTESTS */
SigTableElmt_::url
const char * url
Definition: detect.h:1304
detect-engine.h
detect-app-layer-protocol.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:586
SigTableElmt_::desc
const char * desc
Definition: detect.h:1303
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:127
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1291
DetectAppLayerProtocolData_::mode
uint8_t mode
Definition: detect-app-layer-protocol.c:53
SigTableElmt_::name
const char * name
Definition: detect.h:1301
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1457
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Signature_::alproto
AppProto alproto
Definition: detect.h:606
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:609
SIGMATCH_QUOTES_OPTIONAL
#define SIGMATCH_QUOTES_OPTIONAL
Definition: detect.h:1497
DetectAppLayerProtocolData_
Definition: detect-app-layer-protocol.c:50
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:82
Packet_::flags
uint32_t flags
Definition: decode.h:519
DetectAppLayerProtocolData_::negated
uint8_t negated
Definition: detect-app-layer-protocol.c:52
Flow_
Flow data structure.
Definition: flow.h:360
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1197
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1295
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:841
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:465
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2592
PrefilterPacketHeaderValue::u8
uint8_t u8[16]
Definition: detect-engine-prefilter-common.h:24
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:232
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2598
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:513
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1286
PrefilterPacketHeaderValue::u16
uint16_t u16[8]
Definition: detect-engine-prefilter-common.h:25
detect-engine-prefilter.h
util-unittest.h
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:997
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1314
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:246
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1289
MAX_ALPROTO_NAME
#define MAX_ALPROTO_NAME
Definition: detect-app-layer-protocol.c:110
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1090
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:32
SIG_MASK_REQUIRE_FLOW
#define SIG_MASK_REQUIRE_FLOW
Definition: detect.h:302
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:353
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:114
DetectAppLayerProtocolData
struct DetectAppLayerProtocolData_ DetectAppLayerProtocolData
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:352
SCReturn
#define SCReturn
Definition: util-debug.h:273
Signature_::flags
uint32_t flags
Definition: detect.h:602
Packet_
Definition: decode.h:482
detect-engine-build.h
DETECT_AL_APP_LAYER_PROTOCOL
@ DETECT_AL_APP_LAYER_PROTOCOL
Definition: detect-engine-register.h:35
SIGMATCH_HANDLE_NEGATION
#define SIGMATCH_HANDLE_NEGATION
Definition: detect.h:1505
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:670
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, SignatureMask mask, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:404
DetectAppLayerProtocolData_::alproto
AppProto alproto
Definition: detect-app-layer-protocol.c:51
SignatureInitData_::negated
bool negated
Definition: detect.h:545
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1269
DETECT_ALPROTO_EITHER
@ DETECT_ALPROTO_EITHER
Definition: detect-app-layer-protocol.c:44
DETECT_ALPROTO_DIRECTION
@ DETECT_ALPROTO_DIRECTION
Definition: detect-app-layer-protocol.c:42
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2161
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:344
DETECT_ALPROTO_TOCLIENT
@ DETECT_ALPROTO_TOCLIENT
Definition: detect-app-layer-protocol.c:46
Packet_::flow
struct Flow_ * flow
Definition: decode.h:521
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:350
DETECT_ALPROTO_ORIG
@ DETECT_ALPROTO_ORIG
Definition: detect-app-layer-protocol.c:47
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1315
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DETECT_ALPROTO_FINAL
@ DETECT_ALPROTO_FINAL
Definition: detect-app-layer-protocol.c:43
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:460
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1288
Signature_::id
uint32_t id
Definition: detect.h:636
detect-parse.h
Signature_
Signature container.
Definition: detect.h:601
SigMatch_
a single match condition for a signature
Definition: detect.h:349
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:68
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:72
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2553
DetectAppLayerProtocolRegister
void DetectAppLayerProtocolRegister(void)
Definition: detect-app-layer-protocol.c:332
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:23
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:436
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:843
detect-engine-prefilter-common.h
DETECT_ALPROTO_TOSERVER
@ DETECT_ALPROTO_TOSERVER
Definition: detect-app-layer-protocol.c:45
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:461
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:459
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
Signature_::type
enum SignatureType type
Definition: detect.h:604
SIG_TYPE_PDONLY
@ SIG_TYPE_PDONLY
Definition: detect.h:68
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1293
app-layer.h