suricata
detect-app-layer-protocol.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "detect-engine.h"
26 #include "detect-engine-build.h"
29 #include "detect-parse.h"
31 #include "app-layer.h"
32 #include "app-layer-parser.h"
33 #include "util-debug.h"
34 #include "util-unittest.h"
35 #include "util-unittest-helper.h"
36 
37 #ifdef UNITTESTS
38 static void DetectAppLayerProtocolRegisterTests(void);
39 #endif
40 
43  uint8_t negated;
45 
46 static int DetectAppLayerProtocolPacketMatch(
47  DetectEngineThreadCtx *det_ctx,
48  Packet *p, const Signature *s, const SigMatchCtx *ctx)
49 {
50  SCEnter();
51 
52  bool r = false;
53  const DetectAppLayerProtocolData *data = (const DetectAppLayerProtocolData *)ctx;
54 
55  /* if the sig is PD-only we only match when PD packet flags are set */
56  if (s->type == SIG_TYPE_PDONLY &&
58  SCLogDebug("packet %"PRIu64": flags not set", p->pcap_cnt);
59  SCReturnInt(0);
60  }
61 
62  const Flow *f = p->flow;
63  if (f == NULL) {
64  SCLogDebug("packet %"PRIu64": no flow", p->pcap_cnt);
65  SCReturnInt(0);
66  }
67 
68  /* unknown means protocol detection isn't ready yet */
69 
71  {
72  SCLogDebug("toserver packet %"PRIu64": looking for %u/neg %u, got %u",
73  p->pcap_cnt, data->alproto, data->negated, f->alproto_ts);
74 
75  r = AppProtoEquals(data->alproto, f->alproto_ts);
76 
77  } else if ((f->alproto_tc != ALPROTO_UNKNOWN) && (p->flowflags & FLOW_PKT_TOCLIENT))
78  {
79  SCLogDebug("toclient packet %"PRIu64": looking for %u/neg %u, got %u",
80  p->pcap_cnt, data->alproto, data->negated, f->alproto_tc);
81 
82  r = AppProtoEquals(data->alproto, f->alproto_tc);
83  }
84  else {
85  SCLogDebug("packet %"PRIu64": default case: direction %02x, approtos %u/%u/%u",
86  p->pcap_cnt,
88  f->alproto, f->alproto_ts, f->alproto_tc);
89  }
90  r = r ^ data->negated;
91  if (r) {
92  SCReturnInt(1);
93  }
94  SCReturnInt(0);
95 }
96 
97 static DetectAppLayerProtocolData *DetectAppLayerProtocolParse(const char *arg, bool negate)
98 {
100  AppProto alproto = ALPROTO_UNKNOWN;
101 
102  if (strcmp(arg, "failed") == 0) {
103  alproto = ALPROTO_FAILED;
104  } else {
105  alproto = AppLayerGetProtoByName((char *)arg);
106  if (alproto == ALPROTO_UNKNOWN) {
107  SCLogError("app-layer-protocol "
108  "keyword supplied with unknown protocol \"%s\"",
109  arg);
110  return NULL;
111  }
112  }
113 
114  data = SCMalloc(sizeof(DetectAppLayerProtocolData));
115  if (unlikely(data == NULL))
116  return NULL;
117  data->alproto = alproto;
118  data->negated = negate;
119 
120  return data;
121 }
122 
123 static bool HasConflicts(const DetectAppLayerProtocolData *us,
124  const DetectAppLayerProtocolData *them)
125 {
126  /* mixing negated and non negated is illegal */
127  if (them->negated ^ us->negated)
128  return true;
129  /* multiple non-negated is illegal */
130  if (!us->negated)
131  return true;
132  /* duplicate option */
133  if (us->alproto == them->alproto)
134  return true;
135 
136  /* all good */
137  return false;
138 }
139 
140 static int DetectAppLayerProtocolSetup(DetectEngineCtx *de_ctx,
141  Signature *s, const char *arg)
142 {
143  DetectAppLayerProtocolData *data = NULL;
144 
145  if (s->alproto != ALPROTO_UNKNOWN) {
146  SCLogError("Either we already "
147  "have the rule match on an app layer protocol set through "
148  "other keywords that match on this protocol, or have "
149  "already seen a non-negated app-layer-protocol.");
150  goto error;
151  }
152 
153  data = DetectAppLayerProtocolParse(arg, s->init_data->negated);
154  if (data == NULL)
155  goto error;
156 
158  for ( ; tsm != NULL; tsm = tsm->next) {
159  if (tsm->type == DETECT_AL_APP_LAYER_PROTOCOL) {
160  const DetectAppLayerProtocolData *them = (const DetectAppLayerProtocolData *)tsm->ctx;
161 
162  if (HasConflicts(data, them)) {
163  SCLogError("can't mix "
164  "positive app-layer-protocol match with negated "
165  "match or match for 'failed'.");
166  goto error;
167  }
168  }
169  }
170 
172  DETECT_SM_LIST_MATCH) == NULL) {
173  goto error;
174  }
175  return 0;
176 
177 error:
178  if (data != NULL)
179  SCFree(data);
180  return -1;
181 }
182 
183 static void DetectAppLayerProtocolFree(DetectEngineCtx *de_ctx, void *ptr)
184 {
185  SCFree(ptr);
186  return;
187 }
188 
189 /** \internal
190  * \brief prefilter function for protocol detect matching
191  */
192 static void
193 PrefilterPacketAppProtoMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
194 {
195  const PrefilterPacketHeaderCtx *ctx = pectx;
196 
197  if (!PrefilterPacketHeaderExtraMatch(ctx, p)) {
198  SCLogDebug("packet %"PRIu64": extra match failed", p->pcap_cnt);
199  SCReturn;
200  }
201 
202  if (p->flow == NULL) {
203  SCLogDebug("packet %"PRIu64": no flow, no alproto", p->pcap_cnt);
204  SCReturn;
205  }
206 
208  SCLogDebug("packet %"PRIu64": flags not set", p->pcap_cnt);
209  SCReturn;
210  }
211 
213  {
214  int r = (ctx->v1.u16[0] == p->flow->alproto_ts) ^ ctx->v1.u8[2];
215  if (r) {
216  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
217  }
218  } else if ((p->flags & PKT_PROTO_DETECT_TC_DONE) && (p->flowflags & FLOW_PKT_TOCLIENT))
219  {
220  int r = (ctx->v1.u16[0] == p->flow->alproto_tc) ^ ctx->v1.u8[2];
221  if (r) {
222  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
223  }
224  }
225 }
226 
227 static void
228 PrefilterPacketAppProtoSet(PrefilterPacketHeaderValue *v, void *smctx)
229 {
230  const DetectAppLayerProtocolData *a = smctx;
231  v->u16[0] = a->alproto;
232  v->u8[2] = (uint8_t)a->negated;
233 }
234 
235 static bool
236 PrefilterPacketAppProtoCompare(PrefilterPacketHeaderValue v, void *smctx)
237 {
238  const DetectAppLayerProtocolData *a = smctx;
239  if (v.u16[0] == a->alproto &&
240  v.u8[2] == (uint8_t)a->negated)
241  return true;
242  return false;
243 }
244 
245 static int PrefilterSetupAppProto(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
246 {
248  PrefilterPacketAppProtoSet,
249  PrefilterPacketAppProtoCompare,
250  PrefilterPacketAppProtoMatch);
251 }
252 
253 static bool PrefilterAppProtoIsPrefilterable(const Signature *s)
254 {
255  if (s->type == SIG_TYPE_PDONLY) {
256  SCLogDebug("prefilter on PD %u", s->id);
257  return true;
258  }
259  return false;
260 }
261 
263 {
264  sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].name = "app-layer-protocol";
265  sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].desc = "match on the detected app-layer protocol";
266  sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].url = "/rules/app-layer.html#app-layer-protocol";
268  DetectAppLayerProtocolPacketMatch;
270  DetectAppLayerProtocolSetup;
272  DetectAppLayerProtocolFree;
273 #ifdef UNITTESTS
275  DetectAppLayerProtocolRegisterTests;
276 #endif
279 
281  PrefilterSetupAppProto;
283  PrefilterAppProtoIsPrefilterable;
284  return;
285 }
286 
287 /**********************************Unittests***********************************/
288 
289 #ifdef UNITTESTS
290 
291 static int DetectAppLayerProtocolTest01(void)
292 {
293  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("http", false);
294  FAIL_IF_NULL(data);
295  FAIL_IF(data->alproto != ALPROTO_HTTP);
296  FAIL_IF(data->negated != 0);
297  DetectAppLayerProtocolFree(NULL, data);
298  PASS;
299 }
300 
301 static int DetectAppLayerProtocolTest02(void)
302 {
303  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("http", true);
304  FAIL_IF_NULL(data);
305  FAIL_IF(data->alproto != ALPROTO_HTTP);
306  FAIL_IF(data->negated == 0);
307  DetectAppLayerProtocolFree(NULL, data);
308  PASS;
309 }
310 
311 static int DetectAppLayerProtocolTest03(void)
312 {
313  Signature *s = NULL;
314  DetectAppLayerProtocolData *data = NULL;
317  de_ctx->flags |= DE_QUIET;
318 
319  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
320  "(app-layer-protocol:http; sid:1;)");
321  FAIL_IF_NULL(s);
322 
324 
327 
329  FAIL_IF(data->alproto != ALPROTO_HTTP);
330  FAIL_IF(data->negated);
332  PASS;
333 }
334 
335 static int DetectAppLayerProtocolTest04(void)
336 {
337  Signature *s = NULL;
338  DetectAppLayerProtocolData *data = NULL;
341  de_ctx->flags |= DE_QUIET;
342 
343  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
344  "(app-layer-protocol:!http; sid:1;)");
345  FAIL_IF_NULL(s);
348 
351 
353  FAIL_IF_NULL(data);
354  FAIL_IF(data->alproto != ALPROTO_HTTP);
355  FAIL_IF(data->negated == 0);
356 
358  PASS;
359 }
360 
361 static int DetectAppLayerProtocolTest05(void)
362 {
363  Signature *s = NULL;
364  DetectAppLayerProtocolData *data = NULL;
367  de_ctx->flags |= DE_QUIET;
368 
369  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
370  "(app-layer-protocol:!http; app-layer-protocol:!smtp; sid:1;)");
371  FAIL_IF_NULL(s);
374 
377 
379  FAIL_IF_NULL(data);
380  FAIL_IF(data->alproto != ALPROTO_HTTP);
381  FAIL_IF(data->negated == 0);
382 
384  FAIL_IF_NULL(data);
385  FAIL_IF(data->alproto != ALPROTO_SMTP);
386  FAIL_IF(data->negated == 0);
387 
389  PASS;
390 }
391 
392 static int DetectAppLayerProtocolTest06(void)
393 {
394  Signature *s = NULL;
397  de_ctx->flags |= DE_QUIET;
398 
399  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
400  "(app-layer-protocol:smtp; sid:1;)");
401  FAIL_IF_NOT_NULL(s);
403  PASS;
404 }
405 
406 static int DetectAppLayerProtocolTest07(void)
407 {
408  Signature *s = NULL;
411  de_ctx->flags |= DE_QUIET;
412 
413  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
414  "(app-layer-protocol:!smtp; sid:1;)");
415  FAIL_IF_NOT_NULL(s);
417  PASS;
418 }
419 
420 static int DetectAppLayerProtocolTest08(void)
421 {
422  Signature *s = NULL;
425  de_ctx->flags |= DE_QUIET;
426 
427  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
428  "(app-layer-protocol:!smtp; app-layer-protocol:http; sid:1;)");
429  FAIL_IF_NOT_NULL(s);
431  PASS;
432 }
433 
434 static int DetectAppLayerProtocolTest09(void)
435 {
436  Signature *s = NULL;
439  de_ctx->flags |= DE_QUIET;
440 
441  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
442  "(app-layer-protocol:http; app-layer-protocol:!smtp; sid:1;)");
443  FAIL_IF_NOT_NULL(s);
445  PASS;
446 }
447 
448 static int DetectAppLayerProtocolTest10(void)
449 {
450  Signature *s = NULL;
453  de_ctx->flags |= DE_QUIET;
454 
455  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
456  "(app-layer-protocol:smtp; app-layer-protocol:!http; sid:1;)");
457  FAIL_IF_NOT_NULL(s);
459  PASS;
460 }
461 
462 static int DetectAppLayerProtocolTest11(void)
463 {
464  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("failed", false);
465  FAIL_IF_NULL(data);
466  FAIL_IF(data->alproto != ALPROTO_FAILED);
467  FAIL_IF(data->negated != 0);
468  DetectAppLayerProtocolFree(NULL, data);
469  PASS;
470 }
471 
472 static int DetectAppLayerProtocolTest12(void)
473 {
474  DetectAppLayerProtocolData *data = DetectAppLayerProtocolParse("failed", true);
475  FAIL_IF_NULL(data);
476  FAIL_IF(data->alproto != ALPROTO_FAILED);
477  FAIL_IF(data->negated == 0);
478  DetectAppLayerProtocolFree(NULL, data);
479  PASS;
480 }
481 
482 static int DetectAppLayerProtocolTest13(void)
483 {
484  Signature *s = NULL;
485  DetectAppLayerProtocolData *data = NULL;
488  de_ctx->flags |= DE_QUIET;
489 
490  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
491  "(app-layer-protocol:failed; sid:1;)");
492  FAIL_IF_NULL(s);
493 
495 
498 
500  FAIL_IF(data->alproto != ALPROTO_FAILED);
501  FAIL_IF(data->negated);
503  PASS;
504 }
505 
506 static int DetectAppLayerProtocolTest14(void)
507 {
508  DetectAppLayerProtocolData *data = NULL;
511  de_ctx->flags |= DE_QUIET;
512 
513  Signature *s1 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
514  "(app-layer-protocol:http; flowbits:set,blah; sid:1;)");
515  FAIL_IF_NULL(s1);
520  FAIL_IF(data->alproto != ALPROTO_HTTP);
521  FAIL_IF(data->negated);
522 
523  Signature *s2 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
524  "(app-layer-protocol:http; flow:to_client; sid:2;)");
525  FAIL_IF_NULL(s2);
530  FAIL_IF(data->alproto != ALPROTO_HTTP);
531  FAIL_IF(data->negated);
532 
533  /* flow:established and other options not supported for PD-only */
534  Signature *s3 = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
535  "(app-layer-protocol:http; flow:to_client,established; sid:3;)");
536  FAIL_IF_NULL(s3);
541  FAIL_IF(data->alproto != ALPROTO_HTTP);
542  FAIL_IF(data->negated);
543 
547  FAIL_IF(s3->type == SIG_TYPE_PDONLY); // failure now
548 
550  PASS;
551 }
552 
553 
554 static void DetectAppLayerProtocolRegisterTests(void)
555 {
556  UtRegisterTest("DetectAppLayerProtocolTest01",
557  DetectAppLayerProtocolTest01);
558  UtRegisterTest("DetectAppLayerProtocolTest02",
559  DetectAppLayerProtocolTest02);
560  UtRegisterTest("DetectAppLayerProtocolTest03",
561  DetectAppLayerProtocolTest03);
562  UtRegisterTest("DetectAppLayerProtocolTest04",
563  DetectAppLayerProtocolTest04);
564  UtRegisterTest("DetectAppLayerProtocolTest05",
565  DetectAppLayerProtocolTest05);
566  UtRegisterTest("DetectAppLayerProtocolTest06",
567  DetectAppLayerProtocolTest06);
568  UtRegisterTest("DetectAppLayerProtocolTest07",
569  DetectAppLayerProtocolTest07);
570  UtRegisterTest("DetectAppLayerProtocolTest08",
571  DetectAppLayerProtocolTest08);
572  UtRegisterTest("DetectAppLayerProtocolTest09",
573  DetectAppLayerProtocolTest09);
574  UtRegisterTest("DetectAppLayerProtocolTest10",
575  DetectAppLayerProtocolTest10);
576  UtRegisterTest("DetectAppLayerProtocolTest11",
577  DetectAppLayerProtocolTest11);
578  UtRegisterTest("DetectAppLayerProtocolTest12",
579  DetectAppLayerProtocolTest12);
580  UtRegisterTest("DetectAppLayerProtocolTest13",
581  DetectAppLayerProtocolTest13);
582  UtRegisterTest("DetectAppLayerProtocolTest14",
583  DetectAppLayerProtocolTest14);
584 }
585 #endif /* UNITTESTS */
SigTableElmt_::url
const char * url
Definition: detect.h:1296
detect-engine.h
detect-app-layer-protocol.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:578
SigTableElmt_::desc
const char * desc
Definition: detect.h:1295
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1283
SigTableElmt_::name
const char * name
Definition: detect.h:1293
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1445
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Signature_::alproto
AppProto alproto
Definition: detect.h:598
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:608
SIGMATCH_QUOTES_OPTIONAL
#define SIGMATCH_QUOTES_OPTIONAL
Definition: detect.h:1485
DetectAppLayerProtocolData_
Definition: detect-app-layer-protocol.c:41
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:80
Packet_::flags
uint32_t flags
Definition: decode.h:474
DetectAppLayerProtocolData_::negated
uint8_t negated
Definition: detect-app-layer-protocol.c:43
Flow_
Flow data structure.
Definition: flow.h:351
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1201
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1287
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:836
PrefilterPacketHeaderCtx_::sigs_array
SigIntId * sigs_array
Definition: detect-engine-prefilter-common.h:43
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2580
PrefilterPacketHeaderValue::u8
uint8_t u8[16]
Definition: detect-engine-prefilter-common.h:24
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:223
DE_QUIET
#define DE_QUIET
Definition: detect.h:321
PrefilterPacketHeaderCtx_::sigs_cnt
uint32_t sigs_cnt
Definition: detect-engine-prefilter-common.h:42
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2620
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:468
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1278
PrefilterPacketHeaderValue::u16
uint16_t u16[8]
Definition: detect-engine-prefilter-common.h:25
detect-engine-prefilter.h
util-unittest.h
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:998
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1054
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:242
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1281
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1092
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:32
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:351
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:111
DetectAppLayerProtocolData
struct DetectAppLayerProtocolData_ DetectAppLayerProtocolData
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:350
SCReturn
#define SCReturn
Definition: util-debug.h:273
Signature_::flags
uint32_t flags
Definition: detect.h:594
Packet_
Definition: decode.h:437
detect-engine-build.h
DETECT_AL_APP_LAYER_PROTOCOL
@ DETECT_AL_APP_LAYER_PROTOCOL
Definition: detect-engine-register.h:35
SIGMATCH_HANDLE_NEGATION
#define SIGMATCH_HANDLE_NEGATION
Definition: detect.h:1493
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:662
DetectAppLayerProtocolData_::alproto
AppProto alproto
Definition: detect-app-layer-protocol.c:42
SignatureInitData_::negated
bool negated
Definition: detect.h:537
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1261
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:224
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2149
PrefilterPacketHeaderCtx_::v1
PrefilterPacketHeaderValue v1
Definition: detect-engine-prefilter-common.h:36
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:342
Packet_::flow
struct Flow_ * flow
Definition: decode.h:476
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:348
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1055
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:417
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:451
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1280
Signature_::id
uint32_t id
Definition: detect.h:628
detect-parse.h
Signature_
Signature container.
Definition: detect.h:593
SigMatch_
a single match condition for a signature
Definition: detect.h:347
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:66
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:70
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2541
DetectAppLayerProtocolRegister
void DetectAppLayerProtocolRegister(void)
Definition: detect-app-layer-protocol.c:262
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:23
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:447
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:838
detect-engine-prefilter-common.h
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:452
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
Signature_::type
enum SignatureType type
Definition: detect.h:596
SIG_TYPE_PDONLY
@ SIG_TYPE_PDONLY
Definition: detect.h:65
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1285
app-layer.h