suricata
detect-app-layer-protocol.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "detect-engine.h"
26 #include "detect-engine-build.h"
29 #include "detect-parse.h"
31 #include "app-layer.h"
32 #include "app-layer-parser.h"
33 #include "util-debug.h"
34 #include "util-unittest.h"
35 #include "util-unittest-helper.h"
36 
37 #ifdef UNITTESTS
38 static void DetectAppLayerProtocolRegisterTests(void);
39 #endif
40 
43  uint8_t negated;
45 
46 static int DetectAppLayerProtocolPacketMatch(
47  DetectEngineThreadCtx *det_ctx,
48  Packet *p, const Signature *s, const SigMatchCtx *ctx)
49 {
50  SCEnter();
51 
52  bool r = false;
53  const DetectAppLayerProtocolData *data = (const DetectAppLayerProtocolData *)ctx;
54 
55  /* if the sig is PD-only we only match when PD packet flags are set */
56  if ((s->flags & SIG_FLAG_PDONLY) &&
58  {
59  SCLogDebug("packet %"PRIu64": flags not set", p->pcap_cnt);
60  SCReturnInt(0);
61  }
62 
63  const Flow *f = p->flow;
64  if (f == NULL) {
65  SCLogDebug("packet %"PRIu64": no flow", p->pcap_cnt);
66  SCReturnInt(0);
67  }
68 
69  /* unknown means protocol detection isn't ready yet */
70 
72  {
73  SCLogDebug("toserver packet %"PRIu64": looking for %u/neg %u, got %u",
74  p->pcap_cnt, data->alproto, data->negated, f->alproto_ts);
75 
76  r = AppProtoEquals(data->alproto, f->alproto_ts);
77 
78  } else if ((f->alproto_tc != ALPROTO_UNKNOWN) && (p->flowflags & FLOW_PKT_TOCLIENT))
79  {
80  SCLogDebug("toclient packet %"PRIu64": looking for %u/neg %u, got %u",
81  p->pcap_cnt, data->alproto, data->negated, f->alproto_tc);
82 
83  r = AppProtoEquals(data->alproto, f->alproto_tc);
84  }
85  else {
86  SCLogDebug("packet %"PRIu64": default case: direction %02x, approtos %u/%u/%u",
87  p->pcap_cnt,
89  f->alproto, f->alproto_ts, f->alproto_tc);
90  }
91  r = r ^ data->negated;
92  if (r) {
93  SCReturnInt(1);
94  }
95  SCReturnInt(0);
96 }
97 
98 static DetectAppLayerProtocolData *DetectAppLayerProtocolParse(const char *arg, bool negate)
99 {
101  AppProto alproto = ALPROTO_UNKNOWN;
102 
103  if (strcmp(arg, "failed") == 0) {
104  alproto = ALPROTO_FAILED;
105  } else {
106  alproto = AppLayerGetProtoByName((char *)arg);
107  if (alproto == ALPROTO_UNKNOWN) {
108  SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-protocol "
109  "keyword supplied with unknown protocol \"%s\"", arg);
110  return NULL;
111  }
112  }
113 
114  data = SCMalloc(sizeof(DetectAppLayerProtocolData));
115  if (unlikely(data == NULL))
116  return NULL;
117  data->alproto = alproto;
118  data->negated = negate;
119 
120  return data;
121 }
122 
123 static bool HasConflicts(const DetectAppLayerProtocolData *us,
124  const DetectAppLayerProtocolData *them)
125 {
126  /* mixing negated and non negated is illegal */
127  if (them->negated ^ us->negated)
128  return true;
129  /* multiple non-negated is illegal */
130  if (!us->negated)
131  return true;
132  /* duplicate option */
133  if (us->alproto == them->alproto)
134  return true;
135 
136  /* all good */
137  return false;
138 }
139 
140 static int DetectAppLayerProtocolSetup(DetectEngineCtx *de_ctx,
141  Signature *s, const char *arg)
142 {
143  DetectAppLayerProtocolData *data = NULL;
144  SigMatch *sm = NULL;
145 
146  if (s->alproto != ALPROTO_UNKNOWN) {
147  SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Either we already "
148  "have the rule match on an app layer protocol set through "
149  "other keywords that match on this protocol, or have "
150  "already seen a non-negated app-layer-protocol.");
151  goto error;
152  }
153 
154  data = DetectAppLayerProtocolParse(arg, s->init_data->negated);
155  if (data == NULL)
156  goto error;
157 
159  for ( ; tsm != NULL; tsm = tsm->next) {
160  if (tsm->type == DETECT_AL_APP_LAYER_PROTOCOL) {
161  const DetectAppLayerProtocolData *them = (const DetectAppLayerProtocolData *)tsm->ctx;
162 
163  if (HasConflicts(data, them)) {
165  "positive app-layer-protocol match with negated "
166  "match or match for 'failed'.");
167  goto error;
168  }
169  }
170  }
171 
172  sm = SigMatchAlloc();
173  if (sm == NULL)
174  goto error;
175 
177  sm->ctx = (void *)data;
178 
180  return 0;
181 
182 error:
183  if (data != NULL)
184  SCFree(data);
185  return -1;
186 }
187 
188 static void DetectAppLayerProtocolFree(DetectEngineCtx *de_ctx, void *ptr)
189 {
190  SCFree(ptr);
191  return;
192 }
193 
194 /** \internal
195  * \brief prefilter function for protocol detect matching
196  */
197 static void
198 PrefilterPacketAppProtoMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
199 {
200  const PrefilterPacketHeaderCtx *ctx = pectx;
201 
202  if (!PrefilterPacketHeaderExtraMatch(ctx, p)) {
203  SCLogDebug("packet %"PRIu64": extra match failed", p->pcap_cnt);
204  SCReturn;
205  }
206 
207  if (p->flow == NULL) {
208  SCLogDebug("packet %"PRIu64": no flow, no alproto", p->pcap_cnt);
209  SCReturn;
210  }
211 
213  SCLogDebug("packet %"PRIu64": flags not set", p->pcap_cnt);
214  SCReturn;
215  }
216 
218  {
219  int r = (ctx->v1.u16[0] == p->flow->alproto_ts) ^ ctx->v1.u8[2];
220  if (r) {
221  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
222  }
223  } else if ((p->flags & PKT_PROTO_DETECT_TC_DONE) && (p->flowflags & FLOW_PKT_TOCLIENT))
224  {
225  int r = (ctx->v1.u16[0] == p->flow->alproto_tc) ^ ctx->v1.u8[2];
226  if (r) {
227  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
228  }
229  }
230 }
231 
232 static void
233 PrefilterPacketAppProtoSet(PrefilterPacketHeaderValue *v, void *smctx)
234 {
235  const DetectAppLayerProtocolData *a = smctx;
236  v->u16[0] = a->alproto;
237  v->u8[2] = (uint8_t)a->negated;
238 }
239 
240 static bool
241 PrefilterPacketAppProtoCompare(PrefilterPacketHeaderValue v, void *smctx)
242 {
243  const DetectAppLayerProtocolData *a = smctx;
244  if (v.u16[0] == a->alproto &&
245  v.u8[2] == (uint8_t)a->negated)
246  return true;
247  return false;
248 }
249 
250 static int PrefilterSetupAppProto(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
251 {
253  PrefilterPacketAppProtoSet,
254  PrefilterPacketAppProtoCompare,
255  PrefilterPacketAppProtoMatch);
256 }
257 
258 static bool PrefilterAppProtoIsPrefilterable(const Signature *s)
259 {
260  if (s->flags & SIG_FLAG_PDONLY) {
261  SCLogDebug("prefilter on PD %u", s->id);
262  return true;
263  }
264  return false;
265 }
266 
268 {
269  sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].name = "app-layer-protocol";
270  sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].desc = "match on the detected app-layer protocol";
271  sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].url = "/rules/app-layer.html#app-layer-protocol";
273  DetectAppLayerProtocolPacketMatch;
275  DetectAppLayerProtocolSetup;
277  DetectAppLayerProtocolFree;
278 #ifdef UNITTESTS
280  DetectAppLayerProtocolRegisterTests;
281 #endif
284 
286  PrefilterSetupAppProto;
288  PrefilterAppProtoIsPrefilterable;
289  return;
290 }
291 
292 /**********************************Unittests***********************************/
293 
294 #ifdef UNITTESTS
295 
296 static int DetectAppLayerProtocolTest01(void)
297 {
298  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("http", false);
299  FAIL_IF_NULL(data);
300  FAIL_IF(data->alproto != ALPROTO_HTTP);
301  FAIL_IF(data->negated != 0);
302  DetectAppLayerProtocolFree(NULL, data);
303  PASS;
304 }
305 
306 static int DetectAppLayerProtocolTest02(void)
307 {
308  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("http", true);
309  FAIL_IF_NULL(data);
310  FAIL_IF(data->alproto != ALPROTO_HTTP);
311  FAIL_IF(data->negated == 0);
312  DetectAppLayerProtocolFree(NULL, data);
313  PASS;
314 }
315 
316 static int DetectAppLayerProtocolTest03(void)
317 {
318  Signature *s = NULL;
319  DetectAppLayerProtocolData *data = NULL;
322  de_ctx->flags |= DE_QUIET;
323 
324  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
325  "(app-layer-protocol:http; sid:1;)");
326  FAIL_IF_NULL(s);
327 
329 
330  FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_MATCH]);
331  FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_MATCH]->ctx);
332 
333  data = (DetectAppLayerProtocolData *)s->sm_lists[DETECT_SM_LIST_MATCH]->ctx;
334  FAIL_IF(data->alproto != ALPROTO_HTTP);
335  FAIL_IF(data->negated);
337  PASS;
338 }
339 
340 static int DetectAppLayerProtocolTest04(void)
341 {
342  Signature *s = NULL;
343  DetectAppLayerProtocolData *data = NULL;
346  de_ctx->flags |= DE_QUIET;
347 
348  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
349  "(app-layer-protocol:!http; sid:1;)");
350  FAIL_IF_NULL(s);
353 
354  FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_MATCH]);
355  FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_MATCH]->ctx);
356 
357  data = (DetectAppLayerProtocolData*)s->sm_lists[DETECT_SM_LIST_MATCH]->ctx;
358  FAIL_IF_NULL(data);
359  FAIL_IF(data->alproto != ALPROTO_HTTP);
360  FAIL_IF(data->negated == 0);
361 
363  PASS;
364 }
365 
366 static int DetectAppLayerProtocolTest05(void)
367 {
368  Signature *s = NULL;
369  DetectAppLayerProtocolData *data = NULL;
372  de_ctx->flags |= DE_QUIET;
373 
374  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
375  "(app-layer-protocol:!http; app-layer-protocol:!smtp; sid:1;)");
376  FAIL_IF_NULL(s);
379 
380  FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_MATCH]);
381  FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_MATCH]->ctx);
382 
383  data = (DetectAppLayerProtocolData*)s->sm_lists[DETECT_SM_LIST_MATCH]->ctx;
384  FAIL_IF_NULL(data);
385  FAIL_IF(data->alproto != ALPROTO_HTTP);
386  FAIL_IF(data->negated == 0);
387 
388  data = (DetectAppLayerProtocolData*)s->sm_lists[DETECT_SM_LIST_MATCH]->next->ctx;
389  FAIL_IF_NULL(data);
390  FAIL_IF(data->alproto != ALPROTO_SMTP);
391  FAIL_IF(data->negated == 0);
392 
394  PASS;
395 }
396 
397 static int DetectAppLayerProtocolTest06(void)
398 {
399  Signature *s = NULL;
402  de_ctx->flags |= DE_QUIET;
403 
404  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
405  "(app-layer-protocol:smtp; sid:1;)");
406  FAIL_IF_NOT_NULL(s);
408  PASS;
409 }
410 
411 static int DetectAppLayerProtocolTest07(void)
412 {
413  Signature *s = NULL;
416  de_ctx->flags |= DE_QUIET;
417 
418  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
419  "(app-layer-protocol:!smtp; sid:1;)");
420  FAIL_IF_NOT_NULL(s);
422  PASS;
423 }
424 
425 static int DetectAppLayerProtocolTest08(void)
426 {
427  Signature *s = NULL;
430  de_ctx->flags |= DE_QUIET;
431 
432  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
433  "(app-layer-protocol:!smtp; app-layer-protocol:http; sid:1;)");
434  FAIL_IF_NOT_NULL(s);
436  PASS;
437 }
438 
439 static int DetectAppLayerProtocolTest09(void)
440 {
441  Signature *s = NULL;
444  de_ctx->flags |= DE_QUIET;
445 
446  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
447  "(app-layer-protocol:http; app-layer-protocol:!smtp; sid:1;)");
448  FAIL_IF_NOT_NULL(s);
450  PASS;
451 }
452 
453 static int DetectAppLayerProtocolTest10(void)
454 {
455  Signature *s = NULL;
458  de_ctx->flags |= DE_QUIET;
459 
460  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
461  "(app-layer-protocol:smtp; app-layer-protocol:!http; sid:1;)");
462  FAIL_IF_NOT_NULL(s);
464  PASS;
465 }
466 
467 static int DetectAppLayerProtocolTest11(void)
468 {
469  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("failed", false);
470  FAIL_IF_NULL(data);
471  FAIL_IF(data->alproto != ALPROTO_FAILED);
472  FAIL_IF(data->negated != 0);
473  DetectAppLayerProtocolFree(NULL, data);
474  PASS;
475 }
476 
477 static int DetectAppLayerProtocolTest12(void)
478 {
479  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("failed", true);
480  FAIL_IF_NULL(data);
481  FAIL_IF(data->alproto != ALPROTO_FAILED);
482  FAIL_IF(data->negated == 0);
483  DetectAppLayerProtocolFree(NULL, data);
484  PASS;
485 }
486 
487 static int DetectAppLayerProtocolTest13(void)
488 {
489  Signature *s = NULL;
490  DetectAppLayerProtocolData *data = NULL;
493  de_ctx->flags |= DE_QUIET;
494 
495  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
496  "(app-layer-protocol:failed; sid:1;)");
497  FAIL_IF_NULL(s);
498 
500 
501  FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_MATCH]);
502  FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_MATCH]->ctx);
503 
504  data = (DetectAppLayerProtocolData *)s->sm_lists[DETECT_SM_LIST_MATCH]->ctx;
505  FAIL_IF(data->alproto != ALPROTO_FAILED);
506  FAIL_IF(data->negated);
508  PASS;
509 }
510 
511 static int DetectAppLayerProtocolTest14(void)
512 {
513  DetectAppLayerProtocolData *data = NULL;
516  de_ctx->flags |= DE_QUIET;
517 
518  Signature *s1 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
519  "(app-layer-protocol:http; flowbits:set,blah; sid:1;)");
520  FAIL_IF_NULL(s1);
522  FAIL_IF_NULL(s1->sm_lists[DETECT_SM_LIST_MATCH]);
523  FAIL_IF_NULL(s1->sm_lists[DETECT_SM_LIST_MATCH]->ctx);
524  data = (DetectAppLayerProtocolData *)s1->sm_lists[DETECT_SM_LIST_MATCH]->ctx;
525  FAIL_IF(data->alproto != ALPROTO_HTTP);
526  FAIL_IF(data->negated);
527 
528  Signature *s2 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
529  "(app-layer-protocol:http; flow:to_client; sid:2;)");
530  FAIL_IF_NULL(s2);
532  FAIL_IF_NULL(s2->sm_lists[DETECT_SM_LIST_MATCH]);
533  FAIL_IF_NULL(s2->sm_lists[DETECT_SM_LIST_MATCH]->ctx);
534  data = (DetectAppLayerProtocolData *)s2->sm_lists[DETECT_SM_LIST_MATCH]->ctx;
535  FAIL_IF(data->alproto != ALPROTO_HTTP);
536  FAIL_IF(data->negated);
537 
538  /* flow:established and other options not supported for PD-only */
539  Signature *s3 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
540  "(app-layer-protocol:http; flow:to_client,established; sid:3;)");
541  FAIL_IF_NULL(s3);
543  FAIL_IF_NULL(s3->sm_lists[DETECT_SM_LIST_MATCH]);
544  FAIL_IF_NULL(s3->sm_lists[DETECT_SM_LIST_MATCH]->ctx);
545  data = (DetectAppLayerProtocolData *)s3->sm_lists[DETECT_SM_LIST_MATCH]->ctx;
546  FAIL_IF(data->alproto != ALPROTO_HTTP);
547  FAIL_IF(data->negated);
548 
552  FAIL_IF(s3->flags & SIG_FLAG_PDONLY); // failure now
553 
555  PASS;
556 }
557 
558 
559 static void DetectAppLayerProtocolRegisterTests(void)
560 {
561  UtRegisterTest("DetectAppLayerProtocolTest01",
562  DetectAppLayerProtocolTest01);
563  UtRegisterTest("DetectAppLayerProtocolTest02",
564  DetectAppLayerProtocolTest02);
565  UtRegisterTest("DetectAppLayerProtocolTest03",
566  DetectAppLayerProtocolTest03);
567  UtRegisterTest("DetectAppLayerProtocolTest04",
568  DetectAppLayerProtocolTest04);
569  UtRegisterTest("DetectAppLayerProtocolTest05",
570  DetectAppLayerProtocolTest05);
571  UtRegisterTest("DetectAppLayerProtocolTest06",
572  DetectAppLayerProtocolTest06);
573  UtRegisterTest("DetectAppLayerProtocolTest07",
574  DetectAppLayerProtocolTest07);
575  UtRegisterTest("DetectAppLayerProtocolTest08",
576  DetectAppLayerProtocolTest08);
577  UtRegisterTest("DetectAppLayerProtocolTest09",
578  DetectAppLayerProtocolTest09);
579  UtRegisterTest("DetectAppLayerProtocolTest10",
580  DetectAppLayerProtocolTest10);
581  UtRegisterTest("DetectAppLayerProtocolTest11",
582  DetectAppLayerProtocolTest11);
583  UtRegisterTest("DetectAppLayerProtocolTest12",
584  DetectAppLayerProtocolTest12);
585  UtRegisterTest("DetectAppLayerProtocolTest13",
586  DetectAppLayerProtocolTest13);
587  UtRegisterTest("DetectAppLayerProtocolTest14",
588  DetectAppLayerProtocolTest14);
589 }
590 #endif /* UNITTESTS */
SigTableElmt_::url
const char * url
Definition: detect.h:1248
detect-engine.h
detect-app-layer-protocol.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1247
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1235
SIG_FLAG_PDONLY
#define SIG_FLAG_PDONLY
Definition: detect.h:241
SigTableElmt_::name
const char * name
Definition: detect.h:1245
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1403
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Signature_::alproto
AppProto alproto
Definition: detect.h:544
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:595
SIGMATCH_QUOTES_OPTIONAL
#define SIGMATCH_QUOTES_OPTIONAL
Definition: detect.h:1443
DetectAppLayerProtocolData_
Definition: detect-app-layer-protocol.c:41
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:80
Packet_::flags
uint32_t flags
Definition: decode.h:469
DetectAppLayerProtocolData_::negated
uint8_t negated
Definition: detect-app-layer-protocol.c:43
Flow_
Flow data structure.
Definition: flow.h:353
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1141
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1239
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
PrefilterPacketHeaderCtx_::sigs_array
SigIntId * sigs_array
Definition: detect-engine-prefilter-common.h:43
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2445
PrefilterPacketHeaderValue::u8
uint8_t u8[16]
Definition: detect-engine-prefilter-common.h:24
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:223
DE_QUIET
#define DE_QUIET
Definition: detect.h:288
PrefilterPacketHeaderCtx_::sigs_cnt
uint32_t sigs_cnt
Definition: detect-engine-prefilter-common.h:42
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:465
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1230
PrefilterPacketHeaderValue::u16
uint16_t u16[8]
Definition: detect-engine-prefilter-common.h:25
detect-engine-prefilter.h
util-unittest.h
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:921
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1202
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:209
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1233
Signature_::next
struct Signature_ * next
Definition: detect.h:614
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1034
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:32
SCEnter
#define SCEnter(...)
Definition: util-debug.h:298
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:318
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:80
DetectAppLayerProtocolData
struct DetectAppLayerProtocolData_ DetectAppLayerProtocolData
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:317
SCReturn
#define SCReturn
Definition: util-debug.h:300
Signature_::flags
uint32_t flags
Definition: detect.h:541
Packet_
Definition: decode.h:434
detect-engine-build.h
DETECT_AL_APP_LAYER_PROTOCOL
@ DETECT_AL_APP_LAYER_PROTOCOL
Definition: detect-engine-register.h:35
SIGMATCH_HANDLE_NEGATION
#define SIGMATCH_HANDLE_NEGATION
Definition: detect.h:1451
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:611
DetectAppLayerProtocolData_::alproto
AppProto alproto
Definition: detect-app-layer-protocol.c:42
SignatureInitData_::negated
bool negated
Definition: detect.h:495
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1213
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:534
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:224
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1953
PrefilterPacketHeaderCtx_::v1
PrefilterPacketHeaderValue v1
Definition: detect-engine-prefilter-common.h:36
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:309
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2421
Packet_::flow
struct Flow_ * flow
Definition: decode.h:471
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:315
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:255
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1203
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:417
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:461
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1232
Signature_::id
uint32_t id
Definition: detect.h:574
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
SigMatch_
a single match condition for a signature
Definition: detect.h:314
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:66
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:70
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2406
DetectAppLayerProtocolRegister
void DetectAppLayerProtocolRegister(void)
Definition: detect-app-layer-protocol.c:267
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:23
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:786
detect-engine-prefilter-common.h
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:462
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:460
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:302
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1237
app-layer.h
SC_ERR_CONFLICTING_RULE_KEYWORDS
@ SC_ERR_CONFLICTING_RULE_KEYWORDS
Definition: util-error.h:171