suricata
detect-bypass.c
Go to the documentation of this file.
1 /* Copyright (C) 2016-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Giuseppe Longo <glongo@stamus-networks.com>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "threads.h"
27 #include "app-layer.h"
28 #include "app-layer-parser.h"
29 #include "decode.h"
30 
31 #include "detect.h"
32 #include "detect-parse.h"
33 
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 #include "detect-engine-sigorder.h"
38 #include "detect-bypass.h"
39 
40 #include "flow.h"
41 #include "flow-var.h"
42 #include "flow-util.h"
43 
44 #include "stream-tcp.h"
45 
46 #include "util-debug.h"
47 #include "util-spm-bm.h"
48 #include "util-unittest.h"
49 #include "util-unittest-helper.h"
50 #include "util-device.h"
51 
52 static int DetectBypassMatch(DetectEngineThreadCtx *, Packet *,
53  const Signature *, const SigMatchCtx *);
54 static int DetectBypassSetup(DetectEngineCtx *, Signature *, const char *);
55 
56 /**
57  * \brief Registration function for keyword: bypass
58  */
60 {
61  sigmatch_table[DETECT_BYPASS].name = "bypass";
62  sigmatch_table[DETECT_BYPASS].desc = "call the bypass callback when the match of a sig is complete";
63  sigmatch_table[DETECT_BYPASS].url = "/rules/bypass-keyword.html";
64  sigmatch_table[DETECT_BYPASS].Match = DetectBypassMatch;
65  sigmatch_table[DETECT_BYPASS].Setup = DetectBypassSetup;
68 }
69 
70 static int DetectBypassSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
71 {
72  SigMatch *sm = NULL;
73 
74  if (s->flags & SIG_FLAG_FILESTORE) {
76  "bypass can't work with filestore keyword");
77  return -1;
78  }
79  s->flags |= SIG_FLAG_BYPASS;
80 
81  sm = SigMatchAlloc();
82  if (sm == NULL)
83  return -1;
84 
85  sm->type = DETECT_BYPASS;
86  sm->ctx = NULL;
88 
89  return 0;
90 }
91 
92 static int DetectBypassMatch(DetectEngineThreadCtx *det_ctx, Packet *p,
93  const Signature *s, const SigMatchCtx *ctx)
94 {
96 
97  return 1;
98 }
DETECT_BYPASS
@ DETECT_BYPASS
Definition: detect-engine-register.h:311
SigTableElmt_::url
const char * url
Definition: detect.h:1238
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1237
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1225
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1235
PacketBypassCallback
void PacketBypassCallback(Packet *p)
Definition: decode.c:446
stream-tcp.h
threads.h
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1229
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:784
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1220
util-unittest.h
util-unittest-helper.h
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:87
decode.h
util-device.h
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1024
SIG_FLAG_BYPASS
#define SIG_FLAG_BYPASS
Definition: detect.h:233
detect-engine-mpm.h
detect.h
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
Signature_::flags
uint32_t flags
Definition: detect.h:540
Packet_
Definition: decode.h:425
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1203
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:238
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:308
detect-bypass.h
DetectBypassRegister
void DetectBypassRegister(void)
Registration function for keyword: bypass.
Definition: detect-bypass.c:59
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:314
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:255
util-spm-bm.h
detect-engine-sigorder.h
str
#define str(s)
Definition: suricata-common.h:280
detect-parse.h
Signature_
Signature container.
Definition: detect.h:539
SigMatch_
a single match condition for a signature
Definition: detect.h:313
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1421
flow.h
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:352
SIG_FLAG_FILESTORE
#define SIG_FLAG_FILESTORE
Definition: detect.h:226
app-layer.h
SC_ERR_CONFLICTING_RULE_KEYWORDS
@ SC_ERR_CONFLICTING_RULE_KEYWORDS
Definition: util-error.h:171