suricata
detect-bypass.c
Go to the documentation of this file.
1 /* Copyright (C) 2016-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Giuseppe Longo <glongo@stamus-networks.com>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "threads.h"
27 #include "app-layer.h"
28 #include "app-layer-parser.h"
29 #include "debug.h"
30 #include "decode.h"
31 
32 #include "detect.h"
33 #include "detect-parse.h"
34 
35 #include "detect-engine.h"
36 #include "detect-engine-mpm.h"
37 #include "detect-engine-state.h"
38 #include "detect-engine-sigorder.h"
39 #include "detect-bypass.h"
40 
41 #include "flow.h"
42 #include "flow-var.h"
43 #include "flow-util.h"
44 
45 #include "stream-tcp.h"
46 
47 #include "util-debug.h"
48 #include "util-spm-bm.h"
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
51 #include "util-device.h"
52 
53 static int DetectBypassMatch(DetectEngineThreadCtx *, Packet *,
54  const Signature *, const SigMatchCtx *);
55 static int DetectBypassSetup(DetectEngineCtx *, Signature *, const char *);
56 
57 /**
58  * \brief Registration function for keyword: bypass
59  */
61 {
62  sigmatch_table[DETECT_BYPASS].name = "bypass";
63  sigmatch_table[DETECT_BYPASS].desc = "call the bypass callback when the match of a sig is complete";
64  sigmatch_table[DETECT_BYPASS].url = "/rules/bypass-keyword.html";
65  sigmatch_table[DETECT_BYPASS].Match = DetectBypassMatch;
66  sigmatch_table[DETECT_BYPASS].Setup = DetectBypassSetup;
69 }
70 
71 static int DetectBypassSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
72 {
73  SigMatch *sm = NULL;
74 
75  if (s->flags & SIG_FLAG_FILESTORE) {
77  "bypass can't work with filestore keyword");
78  return -1;
79  }
80  s->flags |= SIG_FLAG_BYPASS;
81 
82  sm = SigMatchAlloc();
83  if (sm == NULL)
84  return -1;
85 
86  sm->type = DETECT_BYPASS;
87  sm->ctx = NULL;
89 
90  return 0;
91 }
92 
93 static int DetectBypassMatch(DetectEngineThreadCtx *det_ctx, Packet *p,
94  const Signature *s, const SigMatchCtx *ctx)
95 {
97 
98  return 1;
99 }
DETECT_BYPASS
@ DETECT_BYPASS
Definition: detect-engine-register.h:296
SigTableElmt_::url
const char * url
Definition: detect.h:1270
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1269
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1257
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1267
PacketBypassCallback
void PacketBypassCallback(Packet *p)
Definition: decode.c:441
stream-tcp.h
threads.h
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1261
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:811
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1252
util-unittest.h
util-unittest-helper.h
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:98
decode.h
util-device.h
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1060
SIG_FLAG_BYPASS
#define SIG_FLAG_BYPASS
Definition: detect.h:241
detect-engine-mpm.h
detect.h
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:324
Signature_::flags
uint32_t flags
Definition: detect.h:549
Packet_
Definition: decode.h:427
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1235
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:316
detect-bypass.h
DetectBypassRegister
void DetectBypassRegister(void)
Registration function for keyword: bypass.
Definition: detect-bypass.c:60
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:322
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
util-spm-bm.h
detect-engine-sigorder.h
str
#define str(s)
Definition: suricata-common.h:272
detect-parse.h
Signature_
Signature container.
Definition: detect.h:548
SigMatch_
a single match condition for a signature
Definition: detect.h:321
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1453
flow.h
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
SIG_FLAG_FILESTORE
#define SIG_FLAG_FILESTORE
Definition: detect.h:234
debug.h
app-layer.h
SC_ERR_CONFLICTING_RULE_KEYWORDS
@ SC_ERR_CONFLICTING_RULE_KEYWORDS
Definition: util-error.h:171