suricata
detect-bypass.c
Go to the documentation of this file.
1 /* Copyright (C) 2016-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Giuseppe Longo <glongo@stamus-networks.com>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "threads.h"
27 #include "app-layer.h"
28 #include "app-layer-parser.h"
29 #include "decode.h"
30 
31 #include "detect.h"
32 #include "detect-parse.h"
33 
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 #include "detect-engine-sigorder.h"
38 #include "detect-bypass.h"
39 
40 #include "flow.h"
41 #include "flow-var.h"
42 #include "flow-util.h"
43 
44 #include "stream-tcp.h"
45 
46 #include "util-debug.h"
47 #include "util-spm-bm.h"
48 #include "util-unittest.h"
49 #include "util-unittest-helper.h"
50 #include "util-device.h"
51 
52 static int DetectBypassMatch(DetectEngineThreadCtx *, Packet *,
53  const Signature *, const SigMatchCtx *);
54 static int DetectBypassSetup(DetectEngineCtx *, Signature *, const char *);
55 
56 /**
57  * \brief Registration function for keyword: bypass
58  */
59 void DetectBypassRegister(void)
60 {
61  sigmatch_table[DETECT_BYPASS].name = "bypass";
62  sigmatch_table[DETECT_BYPASS].desc = "call the bypass callback when the match of a sig is complete";
63  sigmatch_table[DETECT_BYPASS].url = "/rules/bypass-keyword.html";
64  sigmatch_table[DETECT_BYPASS].Match = DetectBypassMatch;
65  sigmatch_table[DETECT_BYPASS].Setup = DetectBypassSetup;
66  sigmatch_table[DETECT_BYPASS].Free = NULL;
67  sigmatch_table[DETECT_BYPASS].flags = SIGMATCH_NOOPT;
68 }
69 
70 static int DetectBypassSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
71 {
72 
73  if (s->flags & SIG_FLAG_FILESTORE) {
74  SCLogError("bypass can't work with filestore keyword");
75  return -1;
76  }
77  s->flags |= SIG_FLAG_BYPASS;
78 
79  if (SigMatchAppendSMToList(de_ctx, s, DETECT_BYPASS, NULL, DETECT_SM_LIST_POSTMATCH) == NULL) {
80  return -1;
81  }
82 
83  return 0;
84 }
85 
86 static int DetectBypassMatch(DetectEngineThreadCtx *det_ctx, Packet *p,
87  const Signature *s, const SigMatchCtx *ctx)
88 {
89  PacketBypassCallback(p);
90 
91  return 1;
92 }
DETECT_BYPASS
@ DETECT_BYPASS
Definition: detect-engine-register.h:300
SigTableElmt_::url
const char * url
Definition: detect.h:1307
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1306
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:127
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1294
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1304
PacketBypassCallback
void PacketBypassCallback(Packet *p)
Definition: decode.c:504
stream-tcp.h
threads.h
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1298
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:841
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1289
util-unittest.h
util-unittest-helper.h
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:124
decode.h
util-device.h
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1093
SIG_FLAG_BYPASS
#define SIG_FLAG_BYPASS
Definition: detect.h:272
detect-engine-mpm.h
detect.h
app-layer-parser.h
Signature_::flags
uint32_t flags
Definition: detect.h:602
Packet_
Definition: decode.h:473
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1272
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:344
detect-bypass.h
DetectBypassRegister
void DetectBypassRegister(void)
Registration function for keyword: bypass.
Definition: detect-bypass.c:59
suricata-common.h
util-spm-bm.h
detect-engine-sigorder.h
str
#define str(s)
Definition: suricata-common.h:291
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
detect-parse.h
Signature_
Signature container.
Definition: detect.h:601
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1488
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:436
flow.h
flow-var.h
SIG_FLAG_FILESTORE
#define SIG_FLAG_FILESTORE
Definition: detect.h:265
app-layer.h