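/* Regex for parsing our config keyword options.
 *
 * Grammar: "<subsys> <state>[, <type> <typeval>][, <scope> <scopeval>]".
 * Capture groups 1..6 map to subsys, state, type, typeval, scope, scopeval
 * (GetStrings copies them by number into the fixed-size fields).
 *
 * Two tightenings versus the earlier pattern:
 *  - The token class is [A-Za-z_]. The previous [A-z_] is an ASCII range that
 *    also admits '[', backslash, ']', '^' and the backtick (the bytes between
 *    'Z' and 'a'), so unintended characters could land in the captured tokens.
 *  - subsys and state are separated by \s+ instead of the redundant \s*\s*,
 *    so two keywords can no longer be glued together and split at an arbitrary
 *    position by backtracking (e.g. "loggingdisable" -> "loggingdisabl"/"e").
 *
 * Every captured value is still exact-matched with strcmp by the caller, so
 * neither change rejects an option string that was previously accepted; they
 * only make the parser fail earlier, at the regex, on malformed input.
 */
#define PARSE_REGEX                                                                               \
    "^\\s*([A-Za-z_]+)\\s+([A-Za-z_]+)\\s*(?:,\\s*([A-Za-z_]+)\\s+([A-Za-z_]+))?\\s*(?:,\\s*([A-Za-z_]+)\\s+([A-Za-z_]+))?$"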
68 static void DetectConfigRegisterTests(
void);
97 static void ConfigApplyTx(
Flow *f,
106 SCLogDebug(
"tx %p txd %p: log_flags %x", tx, txd, txd->config.log_flags);
107 txd->config.log_flags |=
BIT_U8(config->
type);
114 memset(&req, 0,
sizeof(req));
139 switch (config->
type) {
170 bool this_packet =
false;
171 bool this_tx =
false;
172 bool this_flow =
false;
174 switch (config->
scope) {
188 ConfigApplyPacket(p, config);
189 }
else if (this_tx) {
191 ConfigApplyTx(p->
flow, det_ctx->
tx_id, config);
192 }
else if (this_flow) {
217 ConfigApply(det_ctx, p, config);
232 pcre2_match_data *match = NULL;
234 if (
str == NULL || strlen(
str) == 0) {
242 SCLogError(
"config is rather picky at this time");
245 size_t pcre2len =
sizeof(p->
subsys);
246 int res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)p->
subsys, &pcre2len);
248 SCLogError(
"failed to copy subsys substring");
252 pcre2len =
sizeof(p->
state);
253 res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)p->
state, &pcre2len);
259 pcre2len =
sizeof(p->
type);
260 res = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)p->
type, &pcre2len);
267 res = pcre2_substring_copy_bynumber(match, 4, (PCRE2_UCHAR8 *)p->
typeval, &pcre2len);
269 SCLogError(
"failed to copy typeval substring");
273 pcre2len =
sizeof(p->
scope);
274 res = pcre2_substring_copy_bynumber(match, 5, (PCRE2_UCHAR8 *)p->
scope, &pcre2len);
281 res = pcre2_substring_copy_bynumber(match, 6, (PCRE2_UCHAR8 *)p->
scopeval, &pcre2len);
283 SCLogError(
"failed to copy scopeval substring");
287 pcre2_match_data_free(match);
290 pcre2_match_data_free(match);
298 if (strcmp(c->
subsys,
"logging") == 0) {
300 }
else if (strcmp(c->
subsys,
"tracking") == 0) {
303 SCLogError(
"invalid subsys '%s': only 'logging' and 'tracking' supported at this time",
309 if (strcmp(c->
state,
"disable") != 0) {
310 SCLogError(
"only 'disable' supported at this time");
315 if (strcmp(c->
type,
"type") != 0) {
316 SCLogError(
"only 'type' supported at this time");
321 if (strcmp(c->
typeval,
"tx") == 0) {
323 }
else if (strcmp(c->
typeval,
"flow") == 0) {
326 SCLogError(
"only 'tx' and 'flow' supported at this time");
331 if (strcmp(c->
scope,
"scope") != 0) {
332 SCLogError(
"only 'scope' supported at this time");
336 if (strcmp(c->
scopeval,
"tx") == 0) {
338 }
else if (strcmp(c->
scopeval,
"flow") == 0) {
340 }
else if (strcmp(c->
scopeval,
"packet") == 0) {
343 SCLogError(
"invalid scope '%s': only 'tx', 'flow' and 'packet' supported at this time",
366 memset(&c, 0,
sizeof(c));
368 if (GetStrings(
str, &c) != 0) {
385 SCLogError(
"disabling flow tracking is only supported in 'pre_flow' hook");
418 static int DetectConfigTest01(
void)
424 "config dns any any -> any any ("
425 "dns.query; content:\"common.domain.com\"; "
426 "config:logging disable, type tx, scope tx; "
433 void DetectConfigRegisterTests(
void)