1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file detect-asn1.c
20  *
21  * Implements "asn1" keyword
22  */
23 
24 #include "suricata-common.h"
25 #include "debug.h"
26 #include "decode.h"
27 #include "rust.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "flow.h"
33 #include "detect-asn1.h"
34 
35 #include "util-unittest.h"
36 #include "util-unittest-helper.h"
37 #include "util-byte.h"
38 #include "util-debug.h"
39 
/* Forward declarations of the keyword callbacks defined later in this file. */
static int DetectAsn1Match(DetectEngineThreadCtx *det_ctx, Packet *p,
        const Signature *s, const SigMatchCtx *ctx);
static int DetectAsn1Setup(DetectEngineCtx *de_ctx, Signature *s, const char *asn1str);
#ifdef UNITTESTS
static void DetectAsn1RegisterTests(void);
#endif
static void DetectAsn1Free(DetectEngineCtx *de_ctx, void *ptr);
47 
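/**
 * \brief Registration function for asn1
 *
 * Fills the DETECT_ASN1 slot of sigmatch_table with the keyword name and the
 * Match, Setup and Free callbacks defined in this file. The unit-test
 * registration hook is only set in UNITTESTS builds.
 */
void DetectAsn1Register(void)
{
    /* NOTE(review): the signature line and the .name assignment were missing
     * from this listing and are restored here; "asn1" is the keyword this
     * file implements -- confirm against the upstream file. */
    sigmatch_table[DETECT_ASN1].name = "asn1";
    sigmatch_table[DETECT_ASN1].Match = DetectAsn1Match;
    sigmatch_table[DETECT_ASN1].Setup = DetectAsn1Setup;
    sigmatch_table[DETECT_ASN1].Free = DetectAsn1Free;
#ifdef UNITTESTS
    sigmatch_table[DETECT_ASN1].RegisterTests = DetectAsn1RegisterTests;
#endif
}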
61 
/**
 * \brief Decode the packet payload as ASN.1 and run the checks configured
 *        for this keyword against the decoded data
 *
 * The payload is untrusted network data. This function does not validate
 * det_ctx->buffer_offset against p->payload_len; both values are passed
 * straight to rs_asn1_decode().
 * NOTE(review): presumably rs_asn1_decode() bounds-checks the offset and
 * returns NULL when decoding fails, and rs_asn1_checks()/rs_asn1_free()
 * accept a NULL pointer -- confirm on the Rust side, since no NULL check is
 * done here.
 *
 * \param det_ctx pointer to the detect engine thread context
 * \param p pointer to the current packet
 * \param s pointer to the signature (not used by this function)
 * \param ctx pointer to the sigmatch context, cast to `DetectAsn1Data`
 *
 * \retval 1 match
 * \retval 0 no match
 */
static int DetectAsn1Match(DetectEngineThreadCtx *det_ctx, Packet *p,
        const Signature *s, const SigMatchCtx *ctx)
{
    /* An empty payload is not an error: there is simply nothing to decode. */
    if (p->payload_len == 0) {
        return 0;
    }

    const DetectAsn1Data *asn1_opts = (const DetectAsn1Data *)ctx;

    Asn1 *decoded = rs_asn1_decode(
            p->payload, p->payload_len, det_ctx->buffer_offset, asn1_opts);

    /* Kept as uint8_t, as the result was stored before being returned as int. */
    const uint8_t matched = rs_asn1_checks(decoded, asn1_opts);

    /* The decoded tree is only needed for the checks above. */
    rs_asn1_free(decoded);

    return matched;
}
94 
/**
 * \brief Parse the options given to the asn1: keyword in a rule
 *
 * The parsing itself is done by rs_detect_asn1_parse(); this wrapper only
 * logs an error when that call returns NULL.
 *
 * \param asn1str pointer to the user provided asn1 options
 *
 * \retval pointer to `DetectAsn1Data` on success
 * \retval NULL on failure
 */
static DetectAsn1Data *DetectAsn1Parse(const char *asn1str)
{
    DetectAsn1Data *parsed = rs_detect_asn1_parse(asn1str);
    if (parsed != NULL) {
        return parsed;
    }

    /* The rule text is passed as a %s argument, never as the format string. */
    SCLogError(SC_ERR_INVALID_VALUE, "Malformed asn1 argument: %s",
            asn1str);
    return NULL;
}
114 
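/**
 * \brief Parse the asn1 options of a rule and attach them to the signature
 *
 * On success the parsed `DetectAsn1Data` is referenced by the new SigMatch
 * (sm->ctx) and the SigMatch is appended to the signature's
 * DETECT_SM_LIST_MATCH list. On failure everything allocated here is
 * released before returning.
 *
 * \param de_ctx pointer to the detection engine context
 * \param s pointer to the current signature
 * \param asn1str pointer to the user provided asn1 options
 *
 * \retval 0 on success
 * \retval -1 on failure
 */
static int DetectAsn1Setup(DetectEngineCtx *de_ctx, Signature *s, const char *asn1str)
{
    DetectAsn1Data *ad = DetectAsn1Parse(asn1str);
    if (ad == NULL) {
        return -1;
    }

    SigMatch *sm = SigMatchAlloc();
    if (sm == NULL) {
        /* Nothing references the parsed options yet, so free them here. */
        DetectAsn1Free(de_ctx, ad);
        return -1;
    }

    sm->type = DETECT_ASN1;
    sm->ctx = (SigMatchCtx *)ad;

    /* Attach the match to the signature; this call was missing from the
     * listing and without it sm and ad would leak and never be evaluated.
     * NOTE(review): presumably the signature owns sm from here on and ad is
     * released later through the registered Free callback -- confirm. */
    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);

    return 0;
}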
155 
/**
 * \brief Release a `DetectAsn1Data` through rs_detect_asn1_free()
 *
 * \param de_ctx pointer to the detection engine context (not used here)
 * \param ptr pointer to the `DetectAsn1Data` to release
 */
static void DetectAsn1Free(DetectEngineCtx *de_ctx, void *ptr)
{
    /* The object is handed back to the Rust side rather than SCFree()d. */
    rs_detect_asn1_free((DetectAsn1Data *)ptr);
}
167 
168 #ifdef UNITTESTS
169 
/**
 * \test DetectAsn1TestReal01 End-to-end check of oversize_length with
 *       absolute_offset and relative_offset. Both payloads start an element
 *       with the length octets \x81\x85 and the rules use oversize_length
 *       130: sid 1 must fire on packet 0 only, sid 2 on packet 1 only, and
 *       sid 3 on neither.
 */
static int DetectAsn1TestReal01(void)
{
    int result = 0;

    /* Packet 0: two records back to back, the second one containing "Pablo". */
    uint8_t *payload_a = (uint8_t *) "\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01"
                   "P""\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
                   "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
                   "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
                   "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
                   "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111"
                   "\x31\x1F\x61\x11\x1A\x05""Susan""\x1A\x01""B""\x1A\x05"
                   "Jones""\xA0\x0A\x43\x08""19590717"
                   "\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01""P"
                   "\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
                   "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
                   "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
                   "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
                   "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111""\x31\x1F"
                   "\x61\x11\x1A\x05""Pablo""\x1A\x01""B""\x1A\x05""Jones"
                   "\xA0\x0A\x43\x08""19590717";

    /* strlen() minus one: the last byte of the literal is not sent. */
    uint16_t payload_a_len = strlen((char *)payload_a) - 1;

    /* Packet 1: same data prefixed with "AA" so that a content match can
     * anchor the relative_offset keyword. */
    uint8_t *payload_b = (uint8_t *) "AA\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01"
                   "P""\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
                   "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
                   "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
                   "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
                   "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111"
                   "\x31\x1F\x61\x11\x1A\x05""Susan""\x1A\x01""B""\x1A\x05"
                   "Jones""\xA0\x0A\x43\x08""19590717"
                   "\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01""P"
                   "\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
                   "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
                   "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
                   "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
                   "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111""\x31\x1F"
                   "\x61\x11\x1A\x05""Susan""\x1A\x01""B""\x1A\x05""Jones"
                   "\xA0\x0A\x43\x08""19590717";

    uint16_t payload_b_len = strlen((char *)payload_b) - 1;

    const char *sigs[3] = {
        "alert ip any any -> any any (msg:\"Testing id 1\"; "
        "content:\"Pablo\"; asn1:absolute_offset 0, "
        "oversize_length 130; sid:1;)",
        "alert ip any any -> any any (msg:\"Testing id 2\"; "
        "content:\"AA\"; asn1:relative_offset 0, "
        "oversize_length 130; sid:2;)",
        "alert ip any any -> any any (msg:\"Testing id 3\"; "
        "content:\"lalala\"; asn1: oversize_length 2000; sid:3;)",
    };

    uint32_t sid[3] = {1, 2, 3};

    /* Row = packet, column = sid. No packet is expected to match sid 3. */
    uint32_t results[2][3] = {
        {1, 0, 0}, /* packet 0 matches sid 1 */
        {0, 1, 0}, /* packet 1 matches sid 2 */
    };

    Packet *p[2];

    p[0] = UTHBuildPacket(payload_a, payload_a_len, IPPROTO_TCP);
    p[1] = UTHBuildPacket(payload_b, payload_b_len, IPPROTO_TCP);

    /* Only run the signatures when both packets were built; otherwise the
     * test reports failure through the initial result value. */
    if (p[0] != NULL && p[1] != NULL) {
        result = UTHGenericTest(p, 2, sigs, sid, (uint32_t *) results, 3);
        UTHFreePackets(p, 2);
    }

    return result;
}
248 
/**
 * \test DetectAsn1TestReal02 Same payloads as DetectAsn1TestReal01, but the
 *       rules use oversize_length 140 instead of 130. No signature is
 *       expected to match either packet.
 */
static int DetectAsn1TestReal02(void)
{
    int result = 0;

    /* Packet 0: two records back to back, the second one containing "Pablo". */
    uint8_t *payload_a = (uint8_t *) "\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01"
                   "P""\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
                   "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
                   "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
                   "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
                   "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111"
                   "\x31\x1F\x61\x11\x1A\x05""Susan""\x1A\x01""B""\x1A\x05"
                   "Jones""\xA0\x0A\x43\x08""19590717"
                   "\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01""P"
                   "\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
                   "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
                   "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
                   "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
                   "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111""\x31\x1F"
                   "\x61\x11\x1A\x05""Pablo""\x1A\x01""B""\x1A\x05""Jones"
                   "\xA0\x0A\x43\x08""19590717";

    /* strlen() minus one: the last byte of the literal is not sent. */
    uint16_t payload_a_len = strlen((char *)payload_a) - 1;

    /* Packet 1: same data prefixed with "AA" so that a content match can
     * anchor the relative_offset keyword. */
    uint8_t *payload_b = (uint8_t *) "AA\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01"
                   "P""\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
                   "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
                   "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
                   "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
                   "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111"
                   "\x31\x1F\x61\x11\x1A\x05""Susan""\x1A\x01""B""\x1A\x05"
                   "Jones""\xA0\x0A\x43\x08""19590717"
                   "\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01""P"
                   "\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
                   "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
                   "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
                   "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
                   "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111""\x31\x1F"
                   "\x61\x11\x1A\x05""Susan""\x1A\x01""B""\x1A\x05""Jones"
                   "\xA0\x0A\x43\x08""19590717";

    uint16_t payload_b_len = strlen((char *)payload_b) - 1;

    const char *sigs[3] = {
        "alert ip any any -> any any (msg:\"Testing id 1\"; "
        "content:\"Pablo\"; asn1:absolute_offset 0, "
        "oversize_length 140; sid:1;)",
        "alert ip any any -> any any (msg:\"Testing id 2\"; "
        "content:\"AA\"; asn1:relative_offset 0, "
        "oversize_length 140; sid:2;)",
        "alert ip any any -> any any (msg:\"Testing id 3\"; "
        "content:\"lalala\"; asn1: oversize_length 2000; sid:3;)",
    };

    uint32_t sid[3] = {1, 2, 3};

    /* Row = packet, column = sid. None of the packets should match. */
    uint32_t results[2][3] = {
        {0, 0, 0},
        {0, 0, 0},
    };

    Packet *p[2];

    p[0] = UTHBuildPacket(payload_a, payload_a_len, IPPROTO_TCP);
    p[1] = UTHBuildPacket(payload_b, payload_b_len, IPPROTO_TCP);

    /* Only run the signatures when both packets were built; otherwise the
     * test reports failure through the initial result value. */
    if (p[0] != NULL && p[1] != NULL) {
        result = UTHGenericTest(p, 2, sigs, sid, (uint32_t *) results, 3);
        UTHFreePackets(p, 2);
    }

    return result;
}
325 
/**
 * \test DetectAsn1TestReal03 End-to-end check of double_overflow and
 *       bitstring_overflow. Packet 0 carries a hand-built Real element with
 *       a declared length of 257 and must match sid 1; packet 1 is
 *       "AA" followed by \x03\x01\xFF and must match sid 2. Sid 3 must not
 *       match either packet.
 */
static int DetectAsn1TestReal03(void)
{
    int result = 0;

    /* 261 bytes, zero-initialised; bytes not written below stay zero. */
    uint8_t real_elem[261] = "";
    /* universal class, primitive type, tag_num = 9 (Data type Real) */
    real_elem[0] = '\x09';
    /* length, definite form, 2 octets */
    real_elem[1] = '\x82';
    /* the two length octets encode 257: */
    real_elem[2] = '\x01';
    real_elem[3] = '\x01';

    /* Fill the content of the number (indexes 4 to 256) */
    for (uint16_t idx = 4; idx < 257; idx++) {
        real_elem[idx] = '\x05';
    }

    uint16_t real_elem_len = 261;

    /* Starts with AA so that relative_offset 2 points at the element */
    uint8_t *bitstr_payload = (uint8_t *) "AA\x03\x01\xFF";

    uint16_t bitstr_payload_len = 5;

    const char *sigs[3] = {
        /* This should match the first packet */
        "alert ip any any -> any any (msg:\"Testing id 1\"; "
        "asn1:absolute_offset 0, double_overflow; sid:1;)",
        /* This should match the second packet */
        "alert ip any any -> any any (msg:\"Testing id 2\"; "
        "asn1:relative_offset 2, bitstring_overflow,"
        "oversize_length 140; sid:2;)",
        /* This should match no packet */
        "alert ip any any -> any any (msg:\"Testing id 3\"; "
        "asn1: oversize_length 2000; sid:3;)",
    };

    uint32_t sid[3] = {1, 2, 3};

    /* Row = packet, column = sid. */
    uint32_t results[2][3] = {
        {1, 0, 0},
        {0, 1, 0},
    };

    Packet *p[2] = { NULL, NULL };

    p[0] = UTHBuildPacket(real_elem, real_elem_len, IPPROTO_TCP);
    p[1] = UTHBuildPacket(bitstr_payload, bitstr_payload_len, IPPROTO_TCP);

    /* Only run the signatures when both packets were built; otherwise the
     * test reports failure through the initial result value. */
    if (p[0] != NULL && p[1] != NULL) {
        result = UTHGenericTest(p, 2, sigs, sid, (uint32_t *) results, 3);
        UTHFreePackets(p, 2);
    }

    return result;
}
384 
/**
 * \test DetectAsn1TestReal04 Like DetectAsn1TestReal02, but sid 2 anchors on
 *       the content match "John" and uses a negative relative offset
 *       (relative_offset -11 in the rule below), so decoding starts before
 *       the matched content. No signature is expected to match.
 */
static int DetectAsn1TestReal04(void)
{
    int result = 0;

    /* Packet 0: two records back to back, the second one containing "Pablo". */
    uint8_t *payload_a = (uint8_t *) "\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01"
                   "P""\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
                   "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
                   "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
                   "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
                   "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111"
                   "\x31\x1F\x61\x11\x1A\x05""Susan""\x1A\x01""B""\x1A\x05"
                   "Jones""\xA0\x0A\x43\x08""19590717"
                   "\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01""P"
                   "\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
                   "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
                   "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
                   "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
                   "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111""\x31\x1F"
                   "\x61\x11\x1A\x05""Pablo""\x1A\x01""B""\x1A\x05""Jones"
                   "\xA0\x0A\x43\x08""19590717";

    /* strlen() minus one: the last byte of the literal is not sent. */
    uint16_t payload_a_len = strlen((char *)payload_a) - 1;

    /* Packet 1: same data prefixed with "AA"; "John" is the anchor for the
     * negative relative offset used by sid 2. */
    uint8_t *payload_b = (uint8_t *) "AA\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01"
                   "P""\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
                   "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
                   "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
                   "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
                   "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111"
                   "\x31\x1F\x61\x11\x1A\x05""Susan""\x1A\x01""B""\x1A\x05"
                   "Jones""\xA0\x0A\x43\x08""19590717"
                   "\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01""P"
                   "\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
                   "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
                   "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
                   "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
                   "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111""\x31\x1F"
                   "\x61\x11\x1A\x05""Susan""\x1A\x01""B""\x1A\x05""Jones"
                   "\xA0\x0A\x43\x08""19590717";

    uint16_t payload_b_len = strlen((char *)payload_b) - 1;

    const char *sigs[3] = {
        "alert ip any any -> any any (msg:\"Testing id 1\"; "
        "content:\"Pablo\"; asn1:absolute_offset 0, "
        "oversize_length 140; sid:1;)",
        "alert ip any any -> any any (msg:\"Testing id 2\"; "
        "content:\"John\"; asn1:relative_offset -11, "
        "oversize_length 140; sid:2;)",
        "alert ip any any -> any any (msg:\"Testing id 3\"; "
        "content:\"lalala\"; asn1: oversize_length 2000; sid:3;)",
    };

    uint32_t sid[3] = {1, 2, 3};

    /* Row = packet, column = sid. None of the packets should match. */
    uint32_t results[2][3] = {
        {0, 0, 0},
        {0, 0, 0},
    };

    Packet *p[2];

    p[0] = UTHBuildPacket(payload_a, payload_a_len, IPPROTO_TCP);
    p[1] = UTHBuildPacket(payload_b, payload_b_len, IPPROTO_TCP);

    /* Only run the signatures when both packets were built; otherwise the
     * test reports failure through the initial result value. */
    if (p[0] != NULL && p[1] != NULL) {
        result = UTHGenericTest(p, 2, sigs, sid, (uint32_t *) results, 3);
        UTHFreePackets(p, 2);
    }

    return result;
}
463 
/**
 * \brief Register the asn1 keyword unit tests with the unit-test framework,
 *        in the order TestReal01 to TestReal04
 */
static void DetectAsn1RegisterTests(void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } asn1_tests[] = {
        { "DetectAsn1TestReal01", DetectAsn1TestReal01 },
        { "DetectAsn1TestReal02", DetectAsn1TestReal02 },
        { "DetectAsn1TestReal03", DetectAsn1TestReal03 },
        { "DetectAsn1TestReal04", DetectAsn1TestReal04 },
    };

    for (size_t i = 0; i < sizeof(asn1_tests) / sizeof(asn1_tests[0]); i++) {
        UtRegisterTest(asn1_tests[i].name, asn1_tests[i].fn);
    }
}
474 #endif /* UNITTESTS */