suricata
detect-bypass.c
Go to the documentation of this file.
1 /* Copyright (C) 2016-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Giuseppe Longo <glongo@stamus-networks.com>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "threads.h"
27 #include "app-layer.h"
28 #include "app-layer-parser.h"
29 #include "decode.h"
30 
31 #include "detect.h"
32 #include "detect-parse.h"
33 
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 #include "detect-engine-sigorder.h"
38 #include "detect-bypass.h"
39 
40 #include "flow.h"
41 #include "flow-var.h"
42 #include "flow-util.h"
43 
44 #include "stream-tcp.h"
45 
46 #include "util-debug.h"
47 #include "util-spm-bm.h"
48 #include "util-unittest.h"
49 #include "util-unittest-helper.h"
50 #include "util-device.h"
51 
52 static int DetectBypassMatch(DetectEngineThreadCtx *, Packet *,
53  const Signature *, const SigMatchCtx *);
54 static int DetectBypassSetup(DetectEngineCtx *, Signature *, const char *);
55 
56 /**
57  * \brief Registration function for keyword: bypass
58  */
59 void DetectBypassRegister(void)
60 {
61  sigmatch_table[DETECT_BYPASS].name = "bypass";
62  sigmatch_table[DETECT_BYPASS].desc = "call the bypass callback when the match of a sig is complete";
63  sigmatch_table[DETECT_BYPASS].url = "/rules/bypass-keyword.html";
64  sigmatch_table[DETECT_BYPASS].Match = DetectBypassMatch;
65  sigmatch_table[DETECT_BYPASS].Setup = DetectBypassSetup;
66  sigmatch_table[DETECT_BYPASS].Free = NULL;
67  sigmatch_table[DETECT_BYPASS].flags = SIGMATCH_NOOPT;
68 }
69 
70 static int DetectBypassSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
71 {
72  SigMatch *sm = NULL;
73 
74  if (s->flags & SIG_FLAG_FILESTORE) {
75  SCLogError("bypass can't work with filestore keyword");
76  return -1;
77  }
78  s->flags |= SIG_FLAG_BYPASS;
79 
80  sm = SigMatchAlloc();
81  if (sm == NULL)
82  return -1;
83 
84  sm->type = DETECT_BYPASS;
85  sm->ctx = NULL;
86  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
87 
88  return 0;
89 }
90 
91 static int DetectBypassMatch(DetectEngineThreadCtx *det_ctx, Packet *p,
92  const Signature *s, const SigMatchCtx *ctx)
93 {
94  PacketBypassCallback(p);
95 
96  return 1;
97 }
DETECT_BYPASS
@ DETECT_BYPASS
Definition: detect-engine-register.h:310
SigTableElmt_::url
const char * url
Definition: detect.h:1243
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1242
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1230
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1240
PacketBypassCallback
void PacketBypassCallback(Packet *p)
Definition: decode.c:444
stream-tcp.h
threads.h
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1234
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:787
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1225
util-unittest.h
util-unittest-helper.h
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:89
decode.h
util-device.h
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1027
SIG_FLAG_BYPASS
#define SIG_FLAG_BYPASS
Definition: detect.h:235
detect-engine-mpm.h
detect.h
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:318
Signature_::flags
uint32_t flags
Definition: detect.h:543
Packet_
Definition: decode.h:428
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1208
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:241
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:310
detect-bypass.h
DetectBypassRegister
void DetectBypassRegister(void)
Registration function for keyword: bypass.
Definition: detect-bypass.c:59
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:316
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
util-spm-bm.h
detect-engine-sigorder.h
str
#define str(s)
Definition: suricata-common.h:280
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
detect-parse.h
Signature_
Signature container.
Definition: detect.h:542
SigMatch_
a single match condition for a signature
Definition: detect.h:315
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1425
flow.h
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:356
SIG_FLAG_FILESTORE
#define SIG_FLAG_FILESTORE
Definition: detect.h:228
app-layer.h