suricata
detect-app-layer-protocol.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "detect-engine.h"
26 #include "detect-engine-build.h"
29 #include "detect-parse.h"
31 #include "app-layer.h"
32 #include "app-layer-parser.h"
33 #include "util-debug.h"
34 #include "util-unittest.h"
35 #include "util-unittest-helper.h"
36 
37 #ifdef UNITTESTS
38 static void DetectAppLayerProtocolRegisterTests(void);
39 #endif
40 
41 enum {
48 };
49 
52  uint8_t negated;
53  uint8_t mode;
55 
56 static int DetectAppLayerProtocolPacketMatch(
57  DetectEngineThreadCtx *det_ctx,
58  Packet *p, const Signature *s, const SigMatchCtx *ctx)
59 {
60  SCEnter();
61 
62  bool r = false;
64 
65  /* if the sig is PD-only we only match when PD packet flags are set */
66  if (s->type == SIG_TYPE_PDONLY &&
68  SCLogDebug("packet %"PRIu64": flags not set", p->pcap_cnt);
69  SCReturnInt(0);
70  }
71 
72  const Flow *f = p->flow;
73  if (f == NULL) {
74  SCLogDebug("packet %"PRIu64": no flow", p->pcap_cnt);
75  SCReturnInt(0);
76  }
77 
78  switch (data->mode) {
80  if (p->flowflags & FLOW_PKT_TOSERVER) {
81  if (f->alproto_ts == ALPROTO_UNKNOWN)
82  SCReturnInt(0);
83  r = AppProtoEquals(data->alproto, f->alproto_ts);
84  } else {
85  if (f->alproto_tc == ALPROTO_UNKNOWN)
86  SCReturnInt(0);
87  r = AppProtoEquals(data->alproto, f->alproto_tc);
88  }
89  break;
91  if (f->alproto_orig == ALPROTO_UNKNOWN)
92  SCReturnInt(0);
93  r = AppProtoEquals(data->alproto, f->alproto_orig);
94  break;
96  if (f->alproto == ALPROTO_UNKNOWN)
97  SCReturnInt(0);
98  r = AppProtoEquals(data->alproto, f->alproto);
99  break;
101  if (f->alproto_ts == ALPROTO_UNKNOWN)
102  SCReturnInt(0);
103  r = AppProtoEquals(data->alproto, f->alproto_ts);
104  break;
106  if (f->alproto_tc == ALPROTO_UNKNOWN)
107  SCReturnInt(0);
108  r = AppProtoEquals(data->alproto, f->alproto_tc);
109  break;
112  SCReturnInt(0);
113  r = AppProtoEquals(data->alproto, f->alproto_tc) ||
114  AppProtoEquals(data->alproto, f->alproto_ts);
115  break;
116  }
117  r = r ^ data->negated;
118  if (r) {
119  SCReturnInt(1);
120  }
121  SCReturnInt(0);
122 }
123 
124 #define MAX_ALPROTO_NAME 50
125 static DetectAppLayerProtocolData *DetectAppLayerProtocolParse(const char *arg, bool negate)
126 {
128  AppProto alproto = ALPROTO_UNKNOWN;
129 
130  char alproto_copy[MAX_ALPROTO_NAME];
131  char *sep = strchr(arg, ',');
132  char *alproto_name;
133  if (sep && sep - arg < MAX_ALPROTO_NAME) {
134  strlcpy(alproto_copy, arg, sep - arg + 1);
135  alproto_name = alproto_copy;
136  } else {
137  alproto_name = (char *)arg;
138  }
139  if (strcmp(alproto_name, "failed") == 0) {
140  alproto = ALPROTO_FAILED;
141  } else {
142  alproto = AppLayerGetProtoByName(alproto_name);
143  if (alproto == ALPROTO_UNKNOWN) {
144  SCLogError("app-layer-protocol "
145  "keyword supplied with unknown protocol \"%s\"",
146  alproto_name);
147  return NULL;
148  }
149  }
150  uint8_t mode = DETECT_ALPROTO_DIRECTION;
151  if (sep) {
152  if (strcmp(sep + 1, "final") == 0) {
153  mode = DETECT_ALPROTO_FINAL;
154  } else if (strcmp(sep + 1, "original") == 0) {
155  mode = DETECT_ALPROTO_ORIG;
156  } else if (strcmp(sep + 1, "either") == 0) {
157  mode = DETECT_ALPROTO_EITHER;
158  } else if (strcmp(sep + 1, "to_server") == 0) {
160  } else if (strcmp(sep + 1, "to_client") == 0) {
162  } else if (strcmp(sep + 1, "direction") == 0) {
164  } else {
165  SCLogError("app-layer-protocol "
166  "keyword supplied with unknown mode \"%s\"",
167  sep + 1);
168  return NULL;
169  }
170  }
171 
172  data = SCMalloc(sizeof(DetectAppLayerProtocolData));
173  if (unlikely(data == NULL))
174  return NULL;
175  data->alproto = alproto;
176  data->negated = negate;
177  data->mode = mode;
178 
179  return data;
180 }
181 
182 static bool HasConflicts(const DetectAppLayerProtocolData *us,
183  const DetectAppLayerProtocolData *them)
184 {
185  /* mixing negated and non negated is illegal */
186  if ((them->negated ^ us->negated) && them->mode == us->mode)
187  return true;
188  /* multiple non-negated is illegal */
189  if (!us->negated && them->mode == us->mode)
190  return true;
191  /* duplicate option */
192  if (us->alproto == them->alproto && them->mode == us->mode)
193  return true;
194 
195  /* all good */
196  return false;
197 }
198 
199 static int DetectAppLayerProtocolSetup(DetectEngineCtx *de_ctx,
200  Signature *s, const char *arg)
201 {
202  DetectAppLayerProtocolData *data = NULL;
203 
204  if (s->alproto != ALPROTO_UNKNOWN) {
205  SCLogError("Either we already "
206  "have the rule match on an app layer protocol set through "
207  "other keywords that match on this protocol, or have "
208  "already seen a non-negated app-layer-protocol.");
209  goto error;
210  }
211 
212  data = DetectAppLayerProtocolParse(arg, s->init_data->negated);
213  if (data == NULL)
214  goto error;
215 
217  for ( ; tsm != NULL; tsm = tsm->next) {
218  if (tsm->type == DETECT_AL_APP_LAYER_PROTOCOL) {
219  const DetectAppLayerProtocolData *them = (const DetectAppLayerProtocolData *)tsm->ctx;
220 
221  if (HasConflicts(data, them)) {
222  SCLogError("can't mix "
223  "positive app-layer-protocol match with negated "
224  "match or match for 'failed'.");
225  goto error;
226  }
227  }
228  }
229 
231  DETECT_SM_LIST_MATCH) == NULL) {
232  goto error;
233  }
234  return 0;
235 
236 error:
237  if (data != NULL)
238  SCFree(data);
239  return -1;
240 }
241 
242 static void DetectAppLayerProtocolFree(DetectEngineCtx *de_ctx, void *ptr)
243 {
244  SCFree(ptr);
245 }
246 
247 /** \internal
248  * \brief prefilter function for protocol detect matching
249  */
250 static void
251 PrefilterPacketAppProtoMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
252 {
253  const PrefilterPacketHeaderCtx *ctx = pectx;
254 
255  if (!PrefilterPacketHeaderExtraMatch(ctx, p)) {
256  SCLogDebug("packet %"PRIu64": extra match failed", p->pcap_cnt);
257  SCReturn;
258  }
259 
260  if (p->flow == NULL) {
261  SCLogDebug("packet %"PRIu64": no flow, no alproto", p->pcap_cnt);
262  SCReturn;
263  }
264 
266  SCLogDebug("packet %"PRIu64": flags not set", p->pcap_cnt);
267  SCReturn;
268  }
269 
270  Flow *f = p->flow;
271  AppProto alproto = ALPROTO_UNKNOWN;
272  bool negated = (bool)ctx->v1.u8[2];
273  switch (ctx->v1.u8[3]) {
275  if (p->flowflags & FLOW_PKT_TOSERVER) {
276  alproto = f->alproto_ts;
277  } else {
278  alproto = f->alproto_tc;
279  }
280  break;
281  case DETECT_ALPROTO_ORIG:
282  alproto = f->alproto_orig;
283  break;
285  alproto = f->alproto;
286  break;
288  alproto = f->alproto_ts;
289  break;
291  alproto = f->alproto_tc;
292  break;
294  // check if either protocol toclient or toserver matches
295  // the one in the signature ctx
296  if (f->alproto_tc != ALPROTO_UNKNOWN &&
297  AppProtoEquals(ctx->v1.u16[0], f->alproto_tc) ^ negated) {
298  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
299  } else if (f->alproto_ts != ALPROTO_UNKNOWN &&
300  AppProtoEquals(ctx->v1.u16[0], f->alproto_ts) ^ negated) {
301  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
302  }
303  // We return right away to avoid calling PrefilterAddSids again
304  return;
305  }
306 
307  if (alproto != ALPROTO_UNKNOWN) {
308  if (AppProtoEquals(ctx->v1.u16[0], alproto) ^ negated) {
309  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
310  }
311  }
312 }
313 
314 static void
315 PrefilterPacketAppProtoSet(PrefilterPacketHeaderValue *v, void *smctx)
316 {
317  const DetectAppLayerProtocolData *a = smctx;
318  v->u16[0] = a->alproto;
319  v->u8[2] = (uint8_t)a->negated;
320  v->u8[3] = a->mode;
321 }
322 
323 static bool
324 PrefilterPacketAppProtoCompare(PrefilterPacketHeaderValue v, void *smctx)
325 {
326  const DetectAppLayerProtocolData *a = smctx;
327  if (v.u16[0] == a->alproto && v.u8[2] == (uint8_t)a->negated && v.u8[3] == a->mode)
328  return true;
329  return false;
330 }
331 
332 static int PrefilterSetupAppProto(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
333 {
335  SIG_MASK_REQUIRE_FLOW, PrefilterPacketAppProtoSet, PrefilterPacketAppProtoCompare,
336  PrefilterPacketAppProtoMatch);
337 }
338 
339 static bool PrefilterAppProtoIsPrefilterable(const Signature *s)
340 {
341  if (s->type == SIG_TYPE_PDONLY) {
342  SCLogDebug("prefilter on PD %u", s->id);
343  return true;
344  }
345  return false;
346 }
347 
349 {
350  sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].name = "app-layer-protocol";
351  sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].desc = "match on the detected app-layer protocol";
352  sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].url = "/rules/app-layer.html#app-layer-protocol";
354  DetectAppLayerProtocolPacketMatch;
356  DetectAppLayerProtocolSetup;
358  DetectAppLayerProtocolFree;
359 #ifdef UNITTESTS
361  DetectAppLayerProtocolRegisterTests;
362 #endif
365 
367  PrefilterSetupAppProto;
369  PrefilterAppProtoIsPrefilterable;
370 }
371 
372 /**********************************Unittests***********************************/
373 
374 #ifdef UNITTESTS
375 
376 static int DetectAppLayerProtocolTest01(void)
377 {
378  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("http", false);
379  FAIL_IF_NULL(data);
380  FAIL_IF(data->alproto != ALPROTO_HTTP);
381  FAIL_IF(data->negated != 0);
382  DetectAppLayerProtocolFree(NULL, data);
383  PASS;
384 }
385 
386 static int DetectAppLayerProtocolTest02(void)
387 {
388  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("http", true);
389  FAIL_IF_NULL(data);
390  FAIL_IF(data->alproto != ALPROTO_HTTP);
391  FAIL_IF(data->negated == 0);
392  DetectAppLayerProtocolFree(NULL, data);
393  PASS;
394 }
395 
396 static int DetectAppLayerProtocolTest03(void)
397 {
398  Signature *s = NULL;
399  DetectAppLayerProtocolData *data = NULL;
402  de_ctx->flags |= DE_QUIET;
403 
404  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
405  "(app-layer-protocol:http; sid:1;)");
406  FAIL_IF_NULL(s);
407 
409 
412 
414  FAIL_IF(data->alproto != ALPROTO_HTTP);
415  FAIL_IF(data->negated);
417  PASS;
418 }
419 
420 static int DetectAppLayerProtocolTest04(void)
421 {
422  Signature *s = NULL;
423  DetectAppLayerProtocolData *data = NULL;
426  de_ctx->flags |= DE_QUIET;
427 
428  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
429  "(app-layer-protocol:!http; sid:1;)");
430  FAIL_IF_NULL(s);
433 
436 
438  FAIL_IF_NULL(data);
439  FAIL_IF(data->alproto != ALPROTO_HTTP);
440  FAIL_IF(data->negated == 0);
441 
443  PASS;
444 }
445 
446 static int DetectAppLayerProtocolTest05(void)
447 {
448  Signature *s = NULL;
449  DetectAppLayerProtocolData *data = NULL;
452  de_ctx->flags |= DE_QUIET;
453 
454  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
455  "(app-layer-protocol:!http; app-layer-protocol:!smtp; sid:1;)");
456  FAIL_IF_NULL(s);
459 
462 
464  FAIL_IF_NULL(data);
465  FAIL_IF(data->alproto != ALPROTO_HTTP);
466  FAIL_IF(data->negated == 0);
467 
469  FAIL_IF_NULL(data);
470  FAIL_IF(data->alproto != ALPROTO_SMTP);
471  FAIL_IF(data->negated == 0);
472 
474  PASS;
475 }
476 
477 static int DetectAppLayerProtocolTest06(void)
478 {
479  Signature *s = NULL;
482  de_ctx->flags |= DE_QUIET;
483 
484  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
485  "(app-layer-protocol:smtp; sid:1;)");
486  FAIL_IF_NOT_NULL(s);
488  PASS;
489 }
490 
491 static int DetectAppLayerProtocolTest07(void)
492 {
493  Signature *s = NULL;
496  de_ctx->flags |= DE_QUIET;
497 
498  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
499  "(app-layer-protocol:!smtp; sid:1;)");
500  FAIL_IF_NOT_NULL(s);
502  PASS;
503 }
504 
505 static int DetectAppLayerProtocolTest08(void)
506 {
507  Signature *s = NULL;
510  de_ctx->flags |= DE_QUIET;
511 
512  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
513  "(app-layer-protocol:!smtp; app-layer-protocol:http; sid:1;)");
514  FAIL_IF_NOT_NULL(s);
516  PASS;
517 }
518 
519 static int DetectAppLayerProtocolTest09(void)
520 {
521  Signature *s = NULL;
524  de_ctx->flags |= DE_QUIET;
525 
526  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
527  "(app-layer-protocol:http; app-layer-protocol:!smtp; sid:1;)");
528  FAIL_IF_NOT_NULL(s);
530  PASS;
531 }
532 
533 static int DetectAppLayerProtocolTest10(void)
534 {
535  Signature *s = NULL;
538  de_ctx->flags |= DE_QUIET;
539 
540  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
541  "(app-layer-protocol:smtp; app-layer-protocol:!http; sid:1;)");
542  FAIL_IF_NOT_NULL(s);
544  PASS;
545 }
546 
547 static int DetectAppLayerProtocolTest11(void)
548 {
549  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("failed", false);
550  FAIL_IF_NULL(data);
551  FAIL_IF(data->alproto != ALPROTO_FAILED);
552  FAIL_IF(data->negated != 0);
553  DetectAppLayerProtocolFree(NULL, data);
554  PASS;
555 }
556 
557 static int DetectAppLayerProtocolTest12(void)
558 {
559  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("failed", true);
560  FAIL_IF_NULL(data);
561  FAIL_IF(data->alproto != ALPROTO_FAILED);
562  FAIL_IF(data->negated == 0);
563  DetectAppLayerProtocolFree(NULL, data);
564  PASS;
565 }
566 
567 static int DetectAppLayerProtocolTest13(void)
568 {
569  Signature *s = NULL;
570  DetectAppLayerProtocolData *data = NULL;
573  de_ctx->flags |= DE_QUIET;
574 
575  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
576  "(app-layer-protocol:failed; sid:1;)");
577  FAIL_IF_NULL(s);
578 
580 
583 
585  FAIL_IF(data->alproto != ALPROTO_FAILED);
586  FAIL_IF(data->negated);
588  PASS;
589 }
590 
591 static int DetectAppLayerProtocolTest14(void)
592 {
593  DetectAppLayerProtocolData *data = NULL;
596  de_ctx->flags |= DE_QUIET;
597 
598  Signature *s1 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
599  "(app-layer-protocol:http; flowbits:set,blah; sid:1;)");
600  FAIL_IF_NULL(s1);
605  FAIL_IF(data->alproto != ALPROTO_HTTP);
606  FAIL_IF(data->negated);
607 
608  Signature *s2 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
609  "(app-layer-protocol:http; flow:to_client; sid:2;)");
610  FAIL_IF_NULL(s2);
615  FAIL_IF(data->alproto != ALPROTO_HTTP);
616  FAIL_IF(data->negated);
617 
618  /* flow:established and other options not supported for PD-only */
619  Signature *s3 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
620  "(app-layer-protocol:http; flow:to_client,established; sid:3;)");
621  FAIL_IF_NULL(s3);
626  FAIL_IF(data->alproto != ALPROTO_HTTP);
627  FAIL_IF(data->negated);
628 
632  FAIL_IF(s3->type == SIG_TYPE_PDONLY); // failure now
633 
635  PASS;
636 }
637 
638 
639 static void DetectAppLayerProtocolRegisterTests(void)
640 {
641  UtRegisterTest("DetectAppLayerProtocolTest01",
642  DetectAppLayerProtocolTest01);
643  UtRegisterTest("DetectAppLayerProtocolTest02",
644  DetectAppLayerProtocolTest02);
645  UtRegisterTest("DetectAppLayerProtocolTest03",
646  DetectAppLayerProtocolTest03);
647  UtRegisterTest("DetectAppLayerProtocolTest04",
648  DetectAppLayerProtocolTest04);
649  UtRegisterTest("DetectAppLayerProtocolTest05",
650  DetectAppLayerProtocolTest05);
651  UtRegisterTest("DetectAppLayerProtocolTest06",
652  DetectAppLayerProtocolTest06);
653  UtRegisterTest("DetectAppLayerProtocolTest07",
654  DetectAppLayerProtocolTest07);
655  UtRegisterTest("DetectAppLayerProtocolTest08",
656  DetectAppLayerProtocolTest08);
657  UtRegisterTest("DetectAppLayerProtocolTest09",
658  DetectAppLayerProtocolTest09);
659  UtRegisterTest("DetectAppLayerProtocolTest10",
660  DetectAppLayerProtocolTest10);
661  UtRegisterTest("DetectAppLayerProtocolTest11",
662  DetectAppLayerProtocolTest11);
663  UtRegisterTest("DetectAppLayerProtocolTest12",
664  DetectAppLayerProtocolTest12);
665  UtRegisterTest("DetectAppLayerProtocolTest13",
666  DetectAppLayerProtocolTest13);
667  UtRegisterTest("DetectAppLayerProtocolTest14",
668  DetectAppLayerProtocolTest14);
669 }
670 #endif /* UNITTESTS */
SigTableElmt_::url
const char * url
Definition: detect.h:1312
detect-engine.h
detect-app-layer-protocol.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:588
SigTableElmt_::desc
const char * desc
Definition: detect.h:1311
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:128
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1299
DetectAppLayerProtocolData_::mode
uint8_t mode
Definition: detect-app-layer-protocol.c:53
SigTableElmt_::name
const char * name
Definition: detect.h:1309
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1465
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Signature_::alproto
AppProto alproto
Definition: detect.h:608
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:595
SIGMATCH_QUOTES_OPTIONAL
#define SIGMATCH_QUOTES_OPTIONAL
Definition: detect.h:1505
DetectAppLayerProtocolData_
Definition: detect-app-layer-protocol.c:50
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:81
Packet_::flags
uint32_t flags
Definition: decode.h:513
DetectAppLayerProtocolData_::negated
uint8_t negated
Definition: detect-app-layer-protocol.c:52
Flow_
Flow data structure.
Definition: flow.h:356
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1205
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1303
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:843
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:461
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2623
PrefilterPacketHeaderValue::u8
uint8_t u8[16]
Definition: detect-engine-prefilter-common.h:24
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:232
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2591
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:507
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1294
PrefilterPacketHeaderValue::u16
uint16_t u16[8]
Definition: detect-engine-prefilter-common.h:25
detect-engine-prefilter.h
util-unittest.h
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:999
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1301
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:246
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1297
MAX_ALPROTO_NAME
#define MAX_ALPROTO_NAME
Definition: detect-app-layer-protocol.c:124
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1098
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:32
SIG_MASK_REQUIRE_FLOW
#define SIG_MASK_REQUIRE_FLOW
Definition: detect.h:302
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:353
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:114
DetectAppLayerProtocolData
struct DetectAppLayerProtocolData_ DetectAppLayerProtocolData
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:352
SCReturn
#define SCReturn
Definition: util-debug.h:273
Signature_::flags
uint32_t flags
Definition: detect.h:604
Packet_
Definition: decode.h:476
detect-engine-build.h
DETECT_AL_APP_LAYER_PROTOCOL
@ DETECT_AL_APP_LAYER_PROTOCOL
Definition: detect-engine-register.h:37
SIGMATCH_HANDLE_NEGATION
#define SIGMATCH_HANDLE_NEGATION
Definition: detect.h:1513
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:672
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, SignatureMask mask, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:404
DetectAppLayerProtocolData_::alproto
AppProto alproto
Definition: detect-app-layer-protocol.c:51
SignatureInitData_::negated
bool negated
Definition: detect.h:547
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1277
DETECT_ALPROTO_EITHER
@ DETECT_ALPROTO_EITHER
Definition: detect-app-layer-protocol.c:44
DETECT_ALPROTO_DIRECTION
@ DETECT_ALPROTO_DIRECTION
Definition: detect-app-layer-protocol.c:42
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2145
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:344
DETECT_ALPROTO_TOCLIENT
@ DETECT_ALPROTO_TOCLIENT
Definition: detect-app-layer-protocol.c:46
Packet_::flow
struct Flow_ * flow
Definition: decode.h:515
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:350
DETECT_ALPROTO_ORIG
@ DETECT_ALPROTO_ORIG
Definition: detect-app-layer-protocol.c:47
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1302
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DETECT_ALPROTO_FINAL
@ DETECT_ALPROTO_FINAL
Definition: detect-app-layer-protocol.c:43
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:456
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1296
Signature_::id
uint32_t id
Definition: detect.h:638
detect-parse.h
Signature_
Signature container.
Definition: detect.h:603
SigMatch_
a single match condition for a signature
Definition: detect.h:349
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:70
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:74
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2584
DetectAppLayerProtocolRegister
void DetectAppLayerProtocolRegister(void)
Definition: detect-app-layer-protocol.c:348
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:23
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:437
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:845
detect-engine-prefilter-common.h
DETECT_ALPROTO_TOSERVER
@ DETECT_ALPROTO_TOSERVER
Definition: detect-app-layer-protocol.c:45
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:457
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:455
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
Signature_::type
enum SignatureType type
Definition: detect.h:606
SIG_TYPE_PDONLY
@ SIG_TYPE_PDONLY
Definition: detect.h:68
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1301
app-layer.h