suricata
detect-dce-iface.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements dce_iface keyword.
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-engine-state.h"
34 #include "detect-dce-iface.h"
35 
36 #include "flow.h"
37 #include "flow-var.h"
38 #include "flow-util.h"
39 
40 #include "app-layer.h"
41 #include "queue.h"
42 #include "stream-tcp-reassemble.h"
43 
44 #include "util-debug.h"
45 #include "util-unittest.h"
46 #include "util-unittest-helper.h"
47 #include "stream-tcp.h"
48 
49 #include "rust.h"
50 
51 #define PARSE_REGEX "^\\s*([0-9a-zA-Z]{8}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{12})(?:\\s*,\\s*(<|>|=|!)([0-9]{1,5}))?(?:\\s*,\\s*(any_frag))?\\s*$"
52 
53 static DetectParseRegex parse_regex;
54 
55 static int DetectDceIfaceMatchRust(DetectEngineThreadCtx *det_ctx,
56  Flow *f, uint8_t flags, void *state, void *txv,
57  const Signature *s, const SigMatchCtx *m);
58 static int DetectDceIfaceSetup(DetectEngineCtx *, Signature *, const char *);
59 static void DetectDceIfaceFree(DetectEngineCtx *, void *);
60 #ifdef UNITTESTS
61 static void DetectDceIfaceRegisterTests(void);
62 #endif
63 static int g_dce_generic_list_id = 0;
64 
65 static int InspectDceGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
66  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
67  uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
68 
69 /**
70  * \brief Registers the keyword handlers for the "dce_iface" keyword.
71  */
73 {
74  sigmatch_table[DETECT_DCE_IFACE].name = "dcerpc.iface";
75  sigmatch_table[DETECT_DCE_IFACE].alias = "dce_iface";
76  sigmatch_table[DETECT_DCE_IFACE].AppLayerTxMatch = DetectDceIfaceMatchRust;
77  sigmatch_table[DETECT_DCE_IFACE].Setup = DetectDceIfaceSetup;
78  sigmatch_table[DETECT_DCE_IFACE].Free = DetectDceIfaceFree;
79 #ifdef UNITTESTS
80  sigmatch_table[DETECT_DCE_IFACE].RegisterTests = DetectDceIfaceRegisterTests;
81 #endif
82  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
83 
84  g_dce_generic_list_id = DetectBufferTypeRegister("dce_generic");
85 
87  "dce_generic", ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0, InspectDceGeneric, NULL);
89  "dce_generic", ALPROTO_SMB, SIG_FLAG_TOSERVER, 0, InspectDceGeneric, NULL);
90 
92  "dce_generic", ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0, InspectDceGeneric, NULL);
94  "dce_generic", ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0, InspectDceGeneric, NULL);
95 }
96 
97 static int InspectDceGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
98  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
99  uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
100 {
102  de_ctx, det_ctx, s, engine->smd, f, flags, alstate, txv, tx_id);
103 }
104 
105 /**
106  * \brief App layer match function for the "dce_iface" keyword.
107  *
108  * \param t Pointer to the ThreadVars instance.
109  * \param det_ctx Pointer to the DetectEngineThreadCtx.
110  * \param f Pointer to the flow.
111  * \param flags Pointer to the flags indicating the flow direction.
112  * \param state Pointer to the app layer state data.
113  * \param s Pointer to the Signature instance.
114  * \param m Pointer to the SigMatch.
115  *
116  * \retval 1 On Match.
117  * \retval 0 On no match.
118  */
119 static int DetectDceIfaceMatchRust(DetectEngineThreadCtx *det_ctx,
120  Flow *f, uint8_t flags, void *state, void *txv,
121  const Signature *s, const SigMatchCtx *m)
122 {
123  SCEnter();
124 
125  if (f->alproto == ALPROTO_DCERPC) {
126  // TODO check if state is NULL
127  return rs_dcerpc_iface_match(txv, state, (void *)m);
128  }
129 
130  int ret = 0;
131 
132  if (rs_smb_tx_get_dce_iface(f->alstate, txv, (void *)m) != 1) {
133  SCLogDebug("rs_smb_tx_get_dce_iface: didn't match");
134  } else {
135  SCLogDebug("rs_smb_tx_get_dce_iface: matched!");
136  ret = 1;
137  // TODO validate frag
138  }
139  SCReturnInt(ret);
140 }
141 
142 /**
143  * \brief Creates a SigMatch for the "dce_iface" keyword being sent as argument,
144  * and appends it to the Signature(s).
145  *
146  * \param de_ctx Pointer to the detection engine context.
147  * \param s Pointer to signature for the current Signature being parsed
148  * from the rules.
149  * \param arg Pointer to the string holding the keyword value.
150  *
151  * \retval 0 on success, -1 on failure.
152  */
153 
154 static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
155 {
156  SCEnter();
157 
158  if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
159  s->alproto != ALPROTO_SMB) {
160  SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
161  return -1;
162  }
163  void *did = rs_dcerpc_iface_parse(arg);
164  if (did == NULL) {
165  SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_iface option in "
166  "signature");
167  return -1;
168  }
169 
170  SigMatch *sm = SigMatchAlloc();
171  if (sm == NULL) {
172  return -1;
173  }
174 
175  sm->type = DETECT_DCE_IFACE;
176  sm->ctx = did;
177 
178  SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
180  return 0;
181 }
182 
183 static void DetectDceIfaceFree(DetectEngineCtx *de_ctx, void *ptr)
184 {
185  SCEnter();
186  if (ptr != NULL) {
187  rs_dcerpc_iface_free(ptr);
188  }
189  SCReturn;
190 }
191 
192 /************************************Unittests*********************************/
193 
194 #ifdef UNITTESTS
195 
196 /* Disabled because of bug_753. Would be enabled, once we rewrite
197  * dce parser */
198 #if 0
199 
200 /**
201  * \test Test a valid dce_iface entry with a bind, bind_ack and 3 request/responses.
202  */
203 static int DetectDceIfaceTestParse13(void)
204 {
205  int result = 0;
206  Signature *s = NULL;
207  ThreadVars th_v;
208  Packet *p = NULL;
209  Flow f;
210  TcpSession ssn;
211  DetectEngineThreadCtx *det_ctx = NULL;
212  DetectEngineCtx *de_ctx = NULL;
213  DCERPCState *dcerpc_state = NULL;
214  int r = 0;
215 
216  uint8_t dcerpc_bind[] = {
217  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
218  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
219  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
220  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
221  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
222  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
223  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
224  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
225  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
226  };
227 
228  uint8_t dcerpc_bindack[] = {
229  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
230  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
231  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
232  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
233  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
234  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
235  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
236  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
237  0x02, 0x00, 0x00, 0x00,
238  };
239 
240  uint8_t dcerpc_request1[] = {
241  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
242  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
243  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
244  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
245  0x00, 0x00, 0x00, 0x02,
246  };
247 
248  uint8_t dcerpc_response1[] = {
249  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
250  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
251  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
252  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
253  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
254  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
255  };
256 
257  uint8_t dcerpc_request2[] = {
258  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
259  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
260  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
261  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
262  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
263  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
264  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
265  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
266  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
267  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
268  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
269  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
270  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
271  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
272  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
273  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
274  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
275  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
276  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
277  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
278  0x03, 0x00, 0x00, 0x00,
279  };
280 
281  uint8_t dcerpc_response2[] = {
282  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
283  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
284  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
285  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
286  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
287  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
288  };
289 
290  uint8_t dcerpc_request3[] = {
291  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
292  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
293  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
294  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
295  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
296  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
297  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
298  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
299  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
300  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
301  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
302  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
303  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
304  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
305  };
306 
307  uint8_t dcerpc_response3[] = {
308  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
309  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
310  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
311  0x00, 0x00, 0x00, 0x00,
312  };
313 
314  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
315  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
316 
317  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
318  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
319 
320  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
321  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
322 
323  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
324  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
325 
327 
328  memset(&th_v, 0, sizeof(th_v));
329  memset(&p, 0, sizeof(p));
330  memset(&f, 0, sizeof(f));
331  memset(&ssn, 0, sizeof(ssn));
332 
333  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
334 
335  FLOW_INITIALIZE(&f);
336  f.protoctx = (void *)&ssn;
337  f.proto = IPPROTO_TCP;
338  p->flow = &f;
343 
344  StreamTcpInitConfig(true);
345 
347  if (de_ctx == NULL)
348  goto end;
349 
350  de_ctx->flags |= DE_QUIET;
351 
352  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any "
353  "(msg:\"DCERPC\"; dce_iface:338cd001-2244-31f1-aaaa-900038001003,=1,any_frag; sid:1;)");
354  if (s == NULL)
355  goto end;
356 
358  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
359 
360  SCLogDebug("chunk 1, bind");
361 
362  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
363  dcerpc_bind, dcerpc_bind_len);
364  if (r != 0) {
365  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
366  goto end;
367  }
368 
369  dcerpc_state = f.alstate;
370  if (dcerpc_state == NULL) {
371  SCLogDebug("no dcerpc state: ");
372  goto end;
373  }
374 
377  /* do detect */
378  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
379 
380  if (PacketAlertCheck(p, 1)) {
381  SCLogDebug("sig 1 didn't match after bind request: ");
382  goto end;
383  }
384 
385  SCLogDebug("chunk 2, bind_ack");
386 
387  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack,
388  dcerpc_bindack_len);
389  if (r != 0) {
390  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
391  goto end;
392  }
393 
396  /* do detect */
397  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
398 
399  if (PacketAlertCheck(p, 1)) {
400  SCLogDebug("sig 1 matched again after bind ack: ");
401  goto end;
402  }
403 
404  SCLogDebug("chunk 3, request 1");
405 
406  /* request1 */
407  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
408  dcerpc_request1_len);
409  if (r != 0) {
410  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
411  goto end;
412  }
413 
416  /* do detect */
417  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
418 
419  if (!(PacketAlertCheck(p, 1))) {
420  SCLogDebug("sig 1 didn't match after request1: ");
421  goto end;
422  }
423 
424  SCLogDebug("sending response1");
425 
426  /* response1 */
427  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
428  dcerpc_response1_len);
429  if (r != 0) {
430  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
431  goto end;
432  }
433 
436  /* do detect */
437  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
438 
439  if (PacketAlertCheck(p, 1)) {
440  SCLogDebug("sig 1 matched after response1, but shouldn't: ");
441  goto end;
442  }
443 
444  SCLogDebug("sending request2");
445 
446  /* request2 */
447  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
448  dcerpc_request2_len);
449  if (r != 0) {
450  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
451  goto end;
452  }
453 
456  /* do detect */
457  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
458 
459  if (!(PacketAlertCheck(p, 1))) {
460  SCLogDebug("sig 1 didn't match after request2: ");
461  goto end;
462  }
463 
464  /* response2 */
465  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response2,
466  dcerpc_response2_len);
467  if (r != 0) {
468  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
469  goto end;
470  }
471 
474  /* do detect */
475  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
476 
477  if (PacketAlertCheck(p, 1)) {
478  SCLogDebug("sig 1 matched after response2, but shouldn't have: ");
479  goto end;
480  }
481 
482  /* request3 */
483  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request3,
484  dcerpc_request3_len);
485  if (r != 0) {
486  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
487  goto end;
488  }
489 
492  /* do detect */
493  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
494 
495  if (!(PacketAlertCheck(p, 1))) {
496  SCLogDebug("sig 1 didn't match after request3: ");
497  goto end;
498  }
499 
500  /* response3 */
501  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
502  dcerpc_response3, dcerpc_response3_len);
503  if (r != 0) {
504  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
505  goto end;
506  }
507 
510  /* do detect */
511  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
512 
513  if (PacketAlertCheck(p, 1)) {
514  SCLogDebug("sig 1 matched after response3, but shouldn't have: ");
515  goto end;
516  }
517 
518  result = 1;
519 
520  end:
521  if (alp_tctx != NULL)
525 
526  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
528 
529  StreamTcpFreeConfig(true);
530  UTHFreePackets(&p, 1);
531  return result;
532 }
533 
534 #endif
535 
536 static void DetectDceIfaceRegisterTests(void)
537 {
538  /* Disabled because of bug_753. Would be enabled, once we rewrite
539  * dce parser */
540 #if 0
541  UtRegisterTest("DetectDceIfaceTestParse13", DetectDceIfaceTestParse13, 1);
542 #endif
543 }
544 #endif /* UNITTESTS */
DetectEngineAppInspectionEngine_
Definition: detect.h:398
detect-engine.h
detect-dce-iface.h
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1175
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1257
flow-util.h
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1941
DetectParseRegex
Definition: detect-parse.h:42
SigTableElmt_::name
const char * name
Definition: detect.h:1267
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Signature_::alproto
AppProto alproto
Definition: detect.h:552
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Flow_::proto
uint8_t proto
Definition: flow.h:375
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:137
Packet_::flags
uint32_t flags
Definition: decode.h:462
DetectDceIfaceRegister
void DetectDceIfaceRegister(void)
Registers the keyword handlers for the "dce_iface" keyword.
Definition: detect-dce-iface.c:72
Flow_
Flow data structure.
Definition: flow.h:353
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:811
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2433
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1238
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:320
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:295
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1790
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:511
m
SCMutex m
Definition: flow-hash.h:6
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:42
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:458
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
Flow_::protoctx
void * protoctx
Definition: flow.h:451
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1252
util-unittest.h
util-unittest-helper.h
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:357
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1060
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:20
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2597
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:324
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2016
SCReturn
#define SCReturn
Definition: util-debug.h:302
Packet_
Definition: decode.h:427
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:225
SIG_FLAG_INIT_DCERPC
#define SIG_FLAG_INIT_DCERPC
Definition: detect.h:266
DETECT_DCE_IFACE
@ DETECT_DCE_IFACE
Definition: detect-engine-register.h:187
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:619
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
queue.h
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:226
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-dce-iface.c:51
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1948
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:299
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:316
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:415
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2420
Packet_::flow
struct Flow_ * flow
Definition: decode.h:464
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3142
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1023
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:662
flags
uint8_t flags
Definition: decode-gre.h:0
SigTableElmt_::alias
const char * alias
Definition: detect.h:1268
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1237
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3354
SigMatch_::type
uint16_t type
Definition: detect.h:322
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
Flow_::alstate
void * alstate
Definition: flow.h:486
detect-parse.h
Signature_
Signature container.
Definition: detect.h:548
SigMatch_
a single match condition for a signature
Definition: detect.h:321
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2394
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:812
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:86
TcpSession_
Definition: stream-tcp-private.h:260
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:460
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1172
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1259
app-layer.h
SC_ERR_CONFLICTING_RULE_KEYWORDS
@ SC_ERR_CONFLICTING_RULE_KEYWORDS
Definition: util-error.h:171
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468