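/*
 * Pattern for the option string of the config keyword: two words, then up to
 * two optional ", <name> <value>" pairs (six capture groups in total).
 *
 * Each word is matched with [A-Za-z_]+. The earlier class used the range
 * "A-z", which in ASCII also covers the six punctuation characters that sit
 * between 'Z' and 'a' (brackets, backslash, caret, underscore, backtick), so
 * non-letter input could reach the capture groups. The accepted keywords
 * are all lowercase letters, so valid rules match exactly as before.
 *
 * NOTE(review): whitespace between the first two words is optional in this
 * pattern, so the split between them is only validated by the strcmp()
 * checks the parser runs on each captured group.
 */
#define PARSE_REGEX "^\\s*([A-Za-z_]+)\\s*([A-Za-z_]+)\\s*(?:,\\s*([A-Za-z_]+)\\s+([A-Za-z_]+))?\\s*(?:,\\s*([A-Za-z_]+)\\s+([A-Za-z_]+))?$"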
70 static void DetectConfigRegisterTests(
void);
88 static void ConfigApplyTx(
Flow *f,
98 SCLogDebug(
"tx %p txd %p: log_flags %x", tx, txd, txd->config.log_flags);
107 AppLayerTxConfig req;
108 memset(&req, 0,
sizeof(req));
124 bool this_tx =
false;
125 bool this_flow =
false;
127 switch (config->
scope) {
138 ConfigApplyTx(p->
flow, det_ctx->
tx_id, config);
139 }
else if (this_flow) {
151 ConfigApply(det_ctx, p, config);
172 int ret = 0, res = 0;
178 "filestore can't work with bypass keyword");
187 if (
str == NULL || strlen(
str) == 0) {
201 SCLogError(
"config is rather picky at this time");
204 pcre2len =
sizeof(subsys);
205 res = pcre2_substring_copy_bynumber(parse_regex.
match, 1, (PCRE2_UCHAR8 *)subsys, &pcre2len);
207 SCLogError(
"pcre2_substring_copy_bynumber failed");
211 if (strcmp(subsys,
"logging") != 0) {
212 SCLogError(
"only 'logging' supported at this time");
217 pcre2len =
sizeof(state);
218 res = pcre2_substring_copy_bynumber(parse_regex.
match, 2, (PCRE2_UCHAR8 *)state, &pcre2len);
220 SCLogError(
"pcre2_substring_copy_bynumber failed");
224 if (strcmp(state,
"disable") != 0) {
225 SCLogError(
"only 'disable' supported at this time");
230 pcre2len =
sizeof(
type);
231 res = pcre2_substring_copy_bynumber(parse_regex.
match, 3, (PCRE2_UCHAR8 *)
type, &pcre2len);
233 SCLogError(
"pcre2_substring_copy_bynumber failed");
237 if (strcmp(
type,
"type") != 0) {
238 SCLogError(
"only 'type' supported at this time");
243 pcre2len =
sizeof(typeval);
244 res = pcre2_substring_copy_bynumber(parse_regex.
match, 4, (PCRE2_UCHAR8 *)typeval, &pcre2len);
246 SCLogError(
"pcre2_substring_copy_bynumber failed");
250 if (!(strcmp(typeval,
"tx") == 0 ||strcmp(typeval,
"flow") == 0)) {
251 SCLogError(
"only 'tx' and 'flow' supported at this time");
256 pcre2len =
sizeof(scope);
257 res = pcre2_substring_copy_bynumber(parse_regex.
match, 5, (PCRE2_UCHAR8 *)scope, &pcre2len);
259 SCLogError(
"pcre2_substring_copy_bynumber failed");
263 if (strcmp(scope,
"scope") != 0) {
264 SCLogError(
"only 'scope' supported at this time");
269 pcre2len =
sizeof(scopeval);
270 res = pcre2_substring_copy_bynumber(parse_regex.
match, 6, (PCRE2_UCHAR8 *)scopeval, &pcre2len);
272 SCLogError(
"pcre2_substring_copy_bynumber failed");
276 if (!(strcmp(scopeval,
"tx") == 0 ||strcmp(scopeval,
"flow") == 0)) {
277 SCLogError(
"only 'tx' and 'flow' supported at this time");
286 if (strcmp(typeval,
"tx") == 0) {
289 if (strcmp(scopeval,
"tx") == 0) {
321 static int DetectConfigTest01(
void)
327 "config dns any any -> any any ("
328 "dns.query; content:\"common.domain.com\"; "
329 "config:logging disable, type tx, scope tx; "
336 void DetectConfigRegisterTests(
void)
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
void DetectConfigRegister(void)
Registration function for keyword: config.
void(* Free)(DetectEngineCtx *, void *)
void AppLayerParserApplyTxConfig(uint8_t ipproto, AppProto alproto, void *state, void *tx, enum ConfigAction mode, AppLayerTxConfig config)
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define PARSE_REGEX
Regex for parsing our flow options.
main detection engine ctx
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
uint32_t AppLayerParserGetOptionFlags(uint8_t protomap, AppProto alproto)
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define SIG_FLAG_APPLAYER
@ DETECT_SM_LIST_POSTMATCH
#define PASS
Pass the test.
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
#define APP_LAYER_PARSER_OPT_UNIDIR_TXS
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
SigMatch * SigMatchAlloc(void)
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
struct AppLayerTxData AppLayerTxData
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
#define SCLogError(...)
Macro used to log ERROR messages.
a single match condition for a signature
DetectEngineCtx * DetectEngineCtxInit(void)
AppProto alproto
application level protocol
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
void(* RegisterTests)(void)