suricata
detect-app-layer-protocol.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "detect-engine.h"
26 #include "detect-engine-build.h"
29 #include "detect-parse.h"
31 #include "app-layer.h"
32 #include "app-layer-parser.h"
33 #include "util-debug.h"
34 #include "util-unittest.h"
35 #include "util-unittest-helper.h"
36 
37 #ifdef UNITTESTS
38 static void DetectAppLayerProtocolRegisterTests(void);
39 #endif
40 
43  uint8_t negated;
45 
46 static int DetectAppLayerProtocolPacketMatch(
47  DetectEngineThreadCtx *det_ctx,
48  Packet *p, const Signature *s, const SigMatchCtx *ctx)
49 {
50  SCEnter();
51 
52  bool r = false;
53  const DetectAppLayerProtocolData *data = (const DetectAppLayerProtocolData *)ctx;
54 
55  /* if the sig is PD-only we only match when PD packet flags are set */
56  if (s->type == SIG_TYPE_PDONLY &&
58  SCLogDebug("packet %"PRIu64": flags not set", p->pcap_cnt);
59  SCReturnInt(0);
60  }
61 
62  const Flow *f = p->flow;
63  if (f == NULL) {
64  SCLogDebug("packet %"PRIu64": no flow", p->pcap_cnt);
65  SCReturnInt(0);
66  }
67 
68  /* unknown means protocol detection isn't ready yet */
69 
71  {
72  SCLogDebug("toserver packet %"PRIu64": looking for %u/neg %u, got %u",
73  p->pcap_cnt, data->alproto, data->negated, f->alproto_ts);
74 
75  r = AppProtoEquals(data->alproto, f->alproto_ts);
76 
77  } else if ((f->alproto_tc != ALPROTO_UNKNOWN) && (p->flowflags & FLOW_PKT_TOCLIENT))
78  {
79  SCLogDebug("toclient packet %"PRIu64": looking for %u/neg %u, got %u",
80  p->pcap_cnt, data->alproto, data->negated, f->alproto_tc);
81 
82  r = AppProtoEquals(data->alproto, f->alproto_tc);
83  }
84  else {
85  SCLogDebug("packet %"PRIu64": default case: direction %02x, approtos %u/%u/%u",
86  p->pcap_cnt,
88  f->alproto, f->alproto_ts, f->alproto_tc);
89  }
90  r = r ^ data->negated;
91  if (r) {
92  SCReturnInt(1);
93  }
94  SCReturnInt(0);
95 }
96 
97 static DetectAppLayerProtocolData *DetectAppLayerProtocolParse(const char *arg, bool negate)
98 {
100  AppProto alproto = ALPROTO_UNKNOWN;
101 
102  if (strcmp(arg, "failed") == 0) {
103  alproto = ALPROTO_FAILED;
104  } else {
105  alproto = AppLayerGetProtoByName((char *)arg);
106  if (alproto == ALPROTO_UNKNOWN) {
107  SCLogError("app-layer-protocol "
108  "keyword supplied with unknown protocol \"%s\"",
109  arg);
110  return NULL;
111  }
112  }
113 
114  data = SCMalloc(sizeof(DetectAppLayerProtocolData));
115  if (unlikely(data == NULL))
116  return NULL;
117  data->alproto = alproto;
118  data->negated = negate;
119 
120  return data;
121 }
122 
123 static bool HasConflicts(const DetectAppLayerProtocolData *us,
124  const DetectAppLayerProtocolData *them)
125 {
126  /* mixing negated and non negated is illegal */
127  if (them->negated ^ us->negated)
128  return true;
129  /* multiple non-negated is illegal */
130  if (!us->negated)
131  return true;
132  /* duplicate option */
133  if (us->alproto == them->alproto)
134  return true;
135 
136  /* all good */
137  return false;
138 }
139 
140 static int DetectAppLayerProtocolSetup(DetectEngineCtx *de_ctx,
141  Signature *s, const char *arg)
142 {
143  DetectAppLayerProtocolData *data = NULL;
144  SigMatch *sm = NULL;
145 
146  if (s->alproto != ALPROTO_UNKNOWN) {
147  SCLogError("Either we already "
148  "have the rule match on an app layer protocol set through "
149  "other keywords that match on this protocol, or have "
150  "already seen a non-negated app-layer-protocol.");
151  goto error;
152  }
153 
154  data = DetectAppLayerProtocolParse(arg, s->init_data->negated);
155  if (data == NULL)
156  goto error;
157 
159  for ( ; tsm != NULL; tsm = tsm->next) {
160  if (tsm->type == DETECT_AL_APP_LAYER_PROTOCOL) {
161  const DetectAppLayerProtocolData *them = (const DetectAppLayerProtocolData *)tsm->ctx;
162 
163  if (HasConflicts(data, them)) {
164  SCLogError("can't mix "
165  "positive app-layer-protocol match with negated "
166  "match or match for 'failed'.");
167  goto error;
168  }
169  }
170  }
171 
172  sm = SigMatchAlloc();
173  if (sm == NULL)
174  goto error;
175 
177  sm->ctx = (void *)data;
178 
180  return 0;
181 
182 error:
183  if (data != NULL)
184  SCFree(data);
185  return -1;
186 }
187 
188 static void DetectAppLayerProtocolFree(DetectEngineCtx *de_ctx, void *ptr)
189 {
190  SCFree(ptr);
191  return;
192 }
193 
194 /** \internal
195  * \brief prefilter function for protocol detect matching
196  */
197 static void
198 PrefilterPacketAppProtoMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
199 {
200  const PrefilterPacketHeaderCtx *ctx = pectx;
201 
202  if (!PrefilterPacketHeaderExtraMatch(ctx, p)) {
203  SCLogDebug("packet %"PRIu64": extra match failed", p->pcap_cnt);
204  SCReturn;
205  }
206 
207  if (p->flow == NULL) {
208  SCLogDebug("packet %"PRIu64": no flow, no alproto", p->pcap_cnt);
209  SCReturn;
210  }
211 
213  SCLogDebug("packet %"PRIu64": flags not set", p->pcap_cnt);
214  SCReturn;
215  }
216 
218  {
219  int r = (ctx->v1.u16[0] == p->flow->alproto_ts) ^ ctx->v1.u8[2];
220  if (r) {
221  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
222  }
223  } else if ((p->flags & PKT_PROTO_DETECT_TC_DONE) && (p->flowflags & FLOW_PKT_TOCLIENT))
224  {
225  int r = (ctx->v1.u16[0] == p->flow->alproto_tc) ^ ctx->v1.u8[2];
226  if (r) {
227  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
228  }
229  }
230 }
231 
232 static void
233 PrefilterPacketAppProtoSet(PrefilterPacketHeaderValue *v, void *smctx)
234 {
235  const DetectAppLayerProtocolData *a = smctx;
236  v->u16[0] = a->alproto;
237  v->u8[2] = (uint8_t)a->negated;
238 }
239 
240 static bool
241 PrefilterPacketAppProtoCompare(PrefilterPacketHeaderValue v, void *smctx)
242 {
243  const DetectAppLayerProtocolData *a = smctx;
244  if (v.u16[0] == a->alproto &&
245  v.u8[2] == (uint8_t)a->negated)
246  return true;
247  return false;
248 }
249 
250 static int PrefilterSetupAppProto(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
251 {
253  PrefilterPacketAppProtoSet,
254  PrefilterPacketAppProtoCompare,
255  PrefilterPacketAppProtoMatch);
256 }
257 
258 static bool PrefilterAppProtoIsPrefilterable(const Signature *s)
259 {
260  if (s->type == SIG_TYPE_PDONLY) {
261  SCLogDebug("prefilter on PD %u", s->id);
262  return true;
263  }
264  return false;
265 }
266 
268 {
269  sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].name = "app-layer-protocol";
270  sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].desc = "match on the detected app-layer protocol";
271  sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].url = "/rules/app-layer.html#app-layer-protocol";
273  DetectAppLayerProtocolPacketMatch;
275  DetectAppLayerProtocolSetup;
277  DetectAppLayerProtocolFree;
278 #ifdef UNITTESTS
280  DetectAppLayerProtocolRegisterTests;
281 #endif
284 
286  PrefilterSetupAppProto;
288  PrefilterAppProtoIsPrefilterable;
289  return;
290 }
291 
292 /**********************************Unittests***********************************/
293 
294 #ifdef UNITTESTS
295 
296 static int DetectAppLayerProtocolTest01(void)
297 {
298  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("http", false);
299  FAIL_IF_NULL(data);
300  FAIL_IF(data->alproto != ALPROTO_HTTP);
301  FAIL_IF(data->negated != 0);
302  DetectAppLayerProtocolFree(NULL, data);
303  PASS;
304 }
305 
306 static int DetectAppLayerProtocolTest02(void)
307 {
308  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("http", true);
309  FAIL_IF_NULL(data);
310  FAIL_IF(data->alproto != ALPROTO_HTTP);
311  FAIL_IF(data->negated == 0);
312  DetectAppLayerProtocolFree(NULL, data);
313  PASS;
314 }
315 
316 static int DetectAppLayerProtocolTest03(void)
317 {
318  Signature *s = NULL;
319  DetectAppLayerProtocolData *data = NULL;
322  de_ctx->flags |= DE_QUIET;
323 
324  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
325  "(app-layer-protocol:http; sid:1;)");
326  FAIL_IF_NULL(s);
327 
329 
332 
334  FAIL_IF(data->alproto != ALPROTO_HTTP);
335  FAIL_IF(data->negated);
337  PASS;
338 }
339 
340 static int DetectAppLayerProtocolTest04(void)
341 {
342  Signature *s = NULL;
343  DetectAppLayerProtocolData *data = NULL;
346  de_ctx->flags |= DE_QUIET;
347 
348  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
349  "(app-layer-protocol:!http; sid:1;)");
350  FAIL_IF_NULL(s);
353 
356 
358  FAIL_IF_NULL(data);
359  FAIL_IF(data->alproto != ALPROTO_HTTP);
360  FAIL_IF(data->negated == 0);
361 
363  PASS;
364 }
365 
366 static int DetectAppLayerProtocolTest05(void)
367 {
368  Signature *s = NULL;
369  DetectAppLayerProtocolData *data = NULL;
372  de_ctx->flags |= DE_QUIET;
373 
374  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
375  "(app-layer-protocol:!http; app-layer-protocol:!smtp; sid:1;)");
376  FAIL_IF_NULL(s);
379 
382 
384  FAIL_IF_NULL(data);
385  FAIL_IF(data->alproto != ALPROTO_HTTP);
386  FAIL_IF(data->negated == 0);
387 
389  FAIL_IF_NULL(data);
390  FAIL_IF(data->alproto != ALPROTO_SMTP);
391  FAIL_IF(data->negated == 0);
392 
394  PASS;
395 }
396 
397 static int DetectAppLayerProtocolTest06(void)
398 {
399  Signature *s = NULL;
402  de_ctx->flags |= DE_QUIET;
403 
404  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
405  "(app-layer-protocol:smtp; sid:1;)");
406  FAIL_IF_NOT_NULL(s);
408  PASS;
409 }
410 
411 static int DetectAppLayerProtocolTest07(void)
412 {
413  Signature *s = NULL;
416  de_ctx->flags |= DE_QUIET;
417 
418  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
419  "(app-layer-protocol:!smtp; sid:1;)");
420  FAIL_IF_NOT_NULL(s);
422  PASS;
423 }
424 
425 static int DetectAppLayerProtocolTest08(void)
426 {
427  Signature *s = NULL;
430  de_ctx->flags |= DE_QUIET;
431 
432  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
433  "(app-layer-protocol:!smtp; app-layer-protocol:http; sid:1;)");
434  FAIL_IF_NOT_NULL(s);
436  PASS;
437 }
438 
439 static int DetectAppLayerProtocolTest09(void)
440 {
441  Signature *s = NULL;
444  de_ctx->flags |= DE_QUIET;
445 
446  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
447  "(app-layer-protocol:http; app-layer-protocol:!smtp; sid:1;)");
448  FAIL_IF_NOT_NULL(s);
450  PASS;
451 }
452 
453 static int DetectAppLayerProtocolTest10(void)
454 {
455  Signature *s = NULL;
458  de_ctx->flags |= DE_QUIET;
459 
460  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
461  "(app-layer-protocol:smtp; app-layer-protocol:!http; sid:1;)");
462  FAIL_IF_NOT_NULL(s);
464  PASS;
465 }
466 
467 static int DetectAppLayerProtocolTest11(void)
468 {
469  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("failed", false);
470  FAIL_IF_NULL(data);
471  FAIL_IF(data->alproto != ALPROTO_FAILED);
472  FAIL_IF(data->negated != 0);
473  DetectAppLayerProtocolFree(NULL, data);
474  PASS;
475 }
476 
477 static int DetectAppLayerProtocolTest12(void)
478 {
479  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("failed", true);
480  FAIL_IF_NULL(data);
481  FAIL_IF(data->alproto != ALPROTO_FAILED);
482  FAIL_IF(data->negated == 0);
483  DetectAppLayerProtocolFree(NULL, data);
484  PASS;
485 }
486 
487 static int DetectAppLayerProtocolTest13(void)
488 {
489  Signature *s = NULL;
490  DetectAppLayerProtocolData *data = NULL;
493  de_ctx->flags |= DE_QUIET;
494 
495  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
496  "(app-layer-protocol:failed; sid:1;)");
497  FAIL_IF_NULL(s);
498 
500 
503 
505  FAIL_IF(data->alproto != ALPROTO_FAILED);
506  FAIL_IF(data->negated);
508  PASS;
509 }
510 
511 static int DetectAppLayerProtocolTest14(void)
512 {
513  DetectAppLayerProtocolData *data = NULL;
516  de_ctx->flags |= DE_QUIET;
517 
518  Signature *s1 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
519  "(app-layer-protocol:http; flowbits:set,blah; sid:1;)");
520  FAIL_IF_NULL(s1);
525  FAIL_IF(data->alproto != ALPROTO_HTTP);
526  FAIL_IF(data->negated);
527 
528  Signature *s2 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
529  "(app-layer-protocol:http; flow:to_client; sid:2;)");
530  FAIL_IF_NULL(s2);
535  FAIL_IF(data->alproto != ALPROTO_HTTP);
536  FAIL_IF(data->negated);
537 
538  /* flow:established and other options not supported for PD-only */
539  Signature *s3 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
540  "(app-layer-protocol:http; flow:to_client,established; sid:3;)");
541  FAIL_IF_NULL(s3);
546  FAIL_IF(data->alproto != ALPROTO_HTTP);
547  FAIL_IF(data->negated);
548 
552  FAIL_IF(s3->type == SIG_TYPE_PDONLY); // failure now
553 
555  PASS;
556 }
557 
558 
559 static void DetectAppLayerProtocolRegisterTests(void)
560 {
561  UtRegisterTest("DetectAppLayerProtocolTest01",
562  DetectAppLayerProtocolTest01);
563  UtRegisterTest("DetectAppLayerProtocolTest02",
564  DetectAppLayerProtocolTest02);
565  UtRegisterTest("DetectAppLayerProtocolTest03",
566  DetectAppLayerProtocolTest03);
567  UtRegisterTest("DetectAppLayerProtocolTest04",
568  DetectAppLayerProtocolTest04);
569  UtRegisterTest("DetectAppLayerProtocolTest05",
570  DetectAppLayerProtocolTest05);
571  UtRegisterTest("DetectAppLayerProtocolTest06",
572  DetectAppLayerProtocolTest06);
573  UtRegisterTest("DetectAppLayerProtocolTest07",
574  DetectAppLayerProtocolTest07);
575  UtRegisterTest("DetectAppLayerProtocolTest08",
576  DetectAppLayerProtocolTest08);
577  UtRegisterTest("DetectAppLayerProtocolTest09",
578  DetectAppLayerProtocolTest09);
579  UtRegisterTest("DetectAppLayerProtocolTest10",
580  DetectAppLayerProtocolTest10);
581  UtRegisterTest("DetectAppLayerProtocolTest11",
582  DetectAppLayerProtocolTest11);
583  UtRegisterTest("DetectAppLayerProtocolTest12",
584  DetectAppLayerProtocolTest12);
585  UtRegisterTest("DetectAppLayerProtocolTest13",
586  DetectAppLayerProtocolTest13);
587  UtRegisterTest("DetectAppLayerProtocolTest14",
588  DetectAppLayerProtocolTest14);
589 }
590 #endif /* UNITTESTS */
SigTableElmt_::url
const char * url
Definition: detect.h:1287
detect-engine.h
detect-app-layer-protocol.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:437
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:566
SigTableElmt_::desc
const char * desc
Definition: detect.h:1286
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1274
SigTableElmt_::name
const char * name
Definition: detect.h:1284
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1438
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Signature_::alproto
AppProto alproto
Definition: detect.h:586
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:598
SIGMATCH_QUOTES_OPTIONAL
#define SIGMATCH_QUOTES_OPTIONAL
Definition: detect.h:1478
DetectAppLayerProtocolData_
Definition: detect-app-layer-protocol.c:41
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:80
Packet_::flags
uint32_t flags
Definition: decode.h:467
DetectAppLayerProtocolData_::negated
uint8_t negated
Definition: detect-app-layer-protocol.c:43
Flow_
Flow data structure.
Definition: flow.h:347
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1181
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1278
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:826
PrefilterPacketHeaderCtx_::sigs_array
SigIntId * sigs_array
Definition: detect-engine-prefilter-common.h:43
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2592
PrefilterPacketHeaderValue::u8
uint8_t u8[16]
Definition: detect-engine-prefilter-common.h:24
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:221
DE_QUIET
#define DE_QUIET
Definition: detect.h:314
PrefilterPacketHeaderCtx_::sigs_cnt
uint32_t sigs_cnt
Definition: detect-engine-prefilter-common.h:42
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2569
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:461
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1269
PrefilterPacketHeaderValue::u16
uint16_t u16[8]
Definition: detect-engine-prefilter-common.h:25
detect-engine-prefilter.h
util-unittest.h
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:930
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1033
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:238
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1272
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1074
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:32
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:344
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:108
DetectAppLayerProtocolData
struct DetectAppLayerProtocolData_ DetectAppLayerProtocolData
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:343
SCReturn
#define SCReturn
Definition: util-debug.h:273
Signature_::flags
uint32_t flags
Definition: detect.h:582
Packet_
Definition: decode.h:430
detect-engine-build.h
DETECT_AL_APP_LAYER_PROTOCOL
@ DETECT_AL_APP_LAYER_PROTOCOL
Definition: detect-engine-register.h:35
SIGMATCH_HANDLE_NEGATION
#define SIGMATCH_HANDLE_NEGATION
Definition: detect.h:1486
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:653
DetectAppLayerProtocolData_::alproto
AppProto alproto
Definition: detect-app-layer-protocol.c:42
SignatureInitData_::negated
bool negated
Definition: detect.h:528
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1252
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:222
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:322
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1973
PrefilterPacketHeaderCtx_::v1
PrefilterPacketHeaderValue v1
Definition: detect-engine-prefilter-common.h:36
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:335
Packet_::flow
struct Flow_ * flow
Definition: decode.h:469
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:341
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:129
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1034
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:417
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:447
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1271
Signature_::id
uint32_t id
Definition: detect.h:616
detect-parse.h
Signature_
Signature container.
Definition: detect.h:581
SigMatch_
a single match condition for a signature
Definition: detect.h:340
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:66
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:70
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2553
DetectAppLayerProtocolRegister
void DetectAppLayerProtocolRegister(void)
Definition: detect-app-layer-protocol.c:267
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:23
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:828
detect-engine-prefilter-common.h
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:448
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:446
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
Signature_::type
enum SignatureType type
Definition: detect.h:584
SIG_TYPE_PDONLY
@ SIG_TYPE_PDONLY
Definition: detect.h:62
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1276
app-layer.h