suricata
detect-dce-iface.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements dce_iface keyword.
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-engine-state.h"
34 #include "detect-engine-build.h"
35 #include "detect-dce-iface.h"
36 
37 #include "flow.h"
38 #include "flow-var.h"
39 #include "flow-util.h"
40 
41 #include "app-layer.h"
42 #include "queue.h"
43 #include "stream-tcp-reassemble.h"
44 
45 #include "util-debug.h"
46 #include "util-unittest.h"
47 #include "util-unittest-helper.h"
48 #include "stream-tcp.h"
49 
50 #include "rust.h"
51 
52 #define PARSE_REGEX "^\\s*([0-9a-zA-Z]{8}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{12})(?:\\s*,\\s*(<|>|=|!)([0-9]{1,5}))?(?:\\s*,\\s*(any_frag))?\\s*$"
53 
54 static DetectParseRegex parse_regex;
55 
56 static int DetectDceIfaceMatchRust(DetectEngineThreadCtx *det_ctx,
57  Flow *f, uint8_t flags, void *state, void *txv,
58  const Signature *s, const SigMatchCtx *m);
59 static int DetectDceIfaceSetup(DetectEngineCtx *, Signature *, const char *);
60 static void DetectDceIfaceFree(DetectEngineCtx *, void *);
61 #ifdef UNITTESTS
62 static void DetectDceIfaceRegisterTests(void);
63 #endif
64 static int g_dce_generic_list_id = 0;
65 
66 /**
67  * \brief Registers the keyword handlers for the "dce_iface" keyword.
68  */
70 {
71  sigmatch_table[DETECT_DCE_IFACE].name = "dcerpc.iface";
72  sigmatch_table[DETECT_DCE_IFACE].alias = "dce_iface";
73  sigmatch_table[DETECT_DCE_IFACE].AppLayerTxMatch = DetectDceIfaceMatchRust;
74  sigmatch_table[DETECT_DCE_IFACE].Setup = DetectDceIfaceSetup;
75  sigmatch_table[DETECT_DCE_IFACE].Free = DetectDceIfaceFree;
76 #ifdef UNITTESTS
77  sigmatch_table[DETECT_DCE_IFACE].RegisterTests = DetectDceIfaceRegisterTests;
78 #endif
79  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
80 
81  g_dce_generic_list_id = DetectBufferTypeRegister("dce_generic");
82 
87 
92 }
93 
94 /**
95  * \brief App layer match function for the "dce_iface" keyword.
96  *
97  * \param t Pointer to the ThreadVars instance.
98  * \param det_ctx Pointer to the DetectEngineThreadCtx.
99  * \param f Pointer to the flow.
100  * \param flags Pointer to the flags indicating the flow direction.
101  * \param state Pointer to the app layer state data.
102  * \param s Pointer to the Signature instance.
103  * \param m Pointer to the SigMatch.
104  *
105  * \retval 1 On Match.
106  * \retval 0 On no match.
107  */
108 static int DetectDceIfaceMatchRust(DetectEngineThreadCtx *det_ctx,
109  Flow *f, uint8_t flags, void *state, void *txv,
110  const Signature *s, const SigMatchCtx *m)
111 {
112  SCEnter();
113 
114  if (f->alproto == ALPROTO_DCERPC) {
115  // TODO check if state is NULL
116  return rs_dcerpc_iface_match(txv, state, (void *)m);
117  }
118 
119  int ret = 0;
120 
121  if (rs_smb_tx_get_dce_iface(f->alstate, txv, (void *)m) != 1) {
122  SCLogDebug("rs_smb_tx_get_dce_iface: didn't match");
123  } else {
124  SCLogDebug("rs_smb_tx_get_dce_iface: matched!");
125  ret = 1;
126  // TODO validate frag
127  }
128  SCReturnInt(ret);
129 }
130 
131 /**
132  * \brief Creates a SigMatch for the "dce_iface" keyword being sent as argument,
133  * and appends it to the Signature(s).
134  *
135  * \param de_ctx Pointer to the detection engine context.
136  * \param s Pointer to signature for the current Signature being parsed
137  * from the rules.
138  * \param arg Pointer to the string holding the keyword value.
139  *
140  * \retval 0 on success, -1 on failure.
141  */
142 
143 static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
144 {
145  SCEnter();
146 
148  return -1;
149 
150  void *did = rs_dcerpc_iface_parse(arg);
151  if (did == NULL) {
152  SCLogError("Error parsing dce_iface option in "
153  "signature");
154  return -1;
155  }
156 
157  if (SigMatchAppendSMToList(de_ctx, s, DETECT_DCE_IFACE, did, g_dce_generic_list_id) == NULL) {
158  DetectDceIfaceFree(de_ctx, did);
159  return -1;
160  }
161  return 0;
162 }
163 
164 static void DetectDceIfaceFree(DetectEngineCtx *de_ctx, void *ptr)
165 {
166  SCEnter();
167  if (ptr != NULL) {
168  rs_dcerpc_iface_free(ptr);
169  }
170  SCReturn;
171 }
172 
173 /************************************Unittests*********************************/
174 
175 #ifdef UNITTESTS
176 
177 /* Disabled because of bug_753. Would be enabled, once we rewrite
178  * dce parser */
179 #if 0
180 
181 /**
182  * \test Test a valid dce_iface entry with a bind, bind_ack and 3 request/responses.
183  */
184 static int DetectDceIfaceTestParse13(void)
185 {
186  int result = 0;
187  Signature *s = NULL;
188  ThreadVars th_v;
189  Packet *p = NULL;
190  Flow f;
191  TcpSession ssn;
192  DetectEngineThreadCtx *det_ctx = NULL;
193  DetectEngineCtx *de_ctx = NULL;
194  DCERPCState *dcerpc_state = NULL;
195  int r = 0;
196 
197  uint8_t dcerpc_bind[] = {
198  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
199  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
200  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
201  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
202  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
203  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
204  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
205  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
206  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
207  };
208 
209  uint8_t dcerpc_bindack[] = {
210  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
211  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
212  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
213  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
214  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
215  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
216  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
217  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
218  0x02, 0x00, 0x00, 0x00,
219  };
220 
221  uint8_t dcerpc_request1[] = {
222  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
223  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
224  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
225  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
226  0x00, 0x00, 0x00, 0x02,
227  };
228 
229  uint8_t dcerpc_response1[] = {
230  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
231  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
232  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
233  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
234  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
235  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
236  };
237 
238  uint8_t dcerpc_request2[] = {
239  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
240  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
241  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
242  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
243  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
244  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
245  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
246  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
247  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
248  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
249  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
250  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
251  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
252  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
253  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
254  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
255  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
256  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
257  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
258  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
259  0x03, 0x00, 0x00, 0x00,
260  };
261 
262  uint8_t dcerpc_response2[] = {
263  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
264  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
265  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
266  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
267  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
268  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
269  };
270 
271  uint8_t dcerpc_request3[] = {
272  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
273  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
274  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
275  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
276  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
277  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
278  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
279  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
280  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
281  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
282  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
283  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
284  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
285  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
286  };
287 
288  uint8_t dcerpc_response3[] = {
289  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
290  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
291  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
292  0x00, 0x00, 0x00, 0x00,
293  };
294 
295  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
296  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
297 
298  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
299  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
300 
301  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
302  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
303 
304  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
305  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
306 
308 
309  memset(&th_v, 0, sizeof(th_v));
310  memset(&p, 0, sizeof(p));
311  memset(&f, 0, sizeof(f));
312  memset(&ssn, 0, sizeof(ssn));
313 
314  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
315 
316  FLOW_INITIALIZE(&f);
317  f.protoctx = (void *)&ssn;
318  f.proto = IPPROTO_TCP;
319  p->flow = &f;
324 
325  StreamTcpInitConfig(true);
326 
328  if (de_ctx == NULL)
329  goto end;
330 
331  de_ctx->flags |= DE_QUIET;
332 
333  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any "
334  "(msg:\"DCERPC\"; dce_iface:338cd001-2244-31f1-aaaa-900038001003,=1,any_frag; sid:1;)");
335  if (s == NULL)
336  goto end;
337 
339  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
340 
341  SCLogDebug("chunk 1, bind");
342 
343  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
344  dcerpc_bind, dcerpc_bind_len);
345  if (r != 0) {
346  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
347  goto end;
348  }
349 
350  dcerpc_state = f.alstate;
351  if (dcerpc_state == NULL) {
352  SCLogDebug("no dcerpc state: ");
353  goto end;
354  }
355 
358  /* do detect */
359  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
360 
361  if (PacketAlertCheck(p, 1)) {
362  SCLogDebug("sig 1 didn't match after bind request: ");
363  goto end;
364  }
365 
366  SCLogDebug("chunk 2, bind_ack");
367 
368  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack,
369  dcerpc_bindack_len);
370  if (r != 0) {
371  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
372  goto end;
373  }
374 
377  /* do detect */
378  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
379 
380  if (PacketAlertCheck(p, 1)) {
381  SCLogDebug("sig 1 matched again after bind ack: ");
382  goto end;
383  }
384 
385  SCLogDebug("chunk 3, request 1");
386 
387  /* request1 */
388  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
389  dcerpc_request1_len);
390  if (r != 0) {
391  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
392  goto end;
393  }
394 
397  /* do detect */
398  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
399 
400  if (!(PacketAlertCheck(p, 1))) {
401  SCLogDebug("sig 1 didn't match after request1: ");
402  goto end;
403  }
404 
405  SCLogDebug("sending response1");
406 
407  /* response1 */
408  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
409  dcerpc_response1_len);
410  if (r != 0) {
411  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
412  goto end;
413  }
414 
417  /* do detect */
418  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
419 
420  if (PacketAlertCheck(p, 1)) {
421  SCLogDebug("sig 1 matched after response1, but shouldn't: ");
422  goto end;
423  }
424 
425  SCLogDebug("sending request2");
426 
427  /* request2 */
428  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
429  dcerpc_request2_len);
430  if (r != 0) {
431  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
432  goto end;
433  }
434 
437  /* do detect */
438  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
439 
440  if (!(PacketAlertCheck(p, 1))) {
441  SCLogDebug("sig 1 didn't match after request2: ");
442  goto end;
443  }
444 
445  /* response2 */
446  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response2,
447  dcerpc_response2_len);
448  if (r != 0) {
449  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
450  goto end;
451  }
452 
455  /* do detect */
456  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
457 
458  if (PacketAlertCheck(p, 1)) {
459  SCLogDebug("sig 1 matched after response2, but shouldn't have: ");
460  goto end;
461  }
462 
463  /* request3 */
464  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request3,
465  dcerpc_request3_len);
466  if (r != 0) {
467  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
468  goto end;
469  }
470 
473  /* do detect */
474  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
475 
476  if (!(PacketAlertCheck(p, 1))) {
477  SCLogDebug("sig 1 didn't match after request3: ");
478  goto end;
479  }
480 
481  /* response3 */
482  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
483  dcerpc_response3, dcerpc_response3_len);
484  if (r != 0) {
485  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
486  goto end;
487  }
488 
491  /* do detect */
492  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
493 
494  if (PacketAlertCheck(p, 1)) {
495  SCLogDebug("sig 1 matched after response3, but shouldn't have: ");
496  goto end;
497  }
498 
499  result = 1;
500 
501  end:
502  if (alp_tctx != NULL)
506 
507  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
509 
510  StreamTcpFreeConfig(true);
511  UTHFreePackets(&p, 1);
512  return result;
513 }
514 
515 #endif
516 
517 static void DetectDceIfaceRegisterTests(void)
518 {
519  /* Disabled because of bug_753. Would be enabled, once we rewrite
520  * dce parser */
521 #if 0
522  UtRegisterTest("DetectDceIfaceTestParse13", DetectDceIfaceTestParse13, 1);
523 #endif
524 }
525 #endif /* UNITTESTS */
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1753
detect-engine.h
detect-dce-iface.h
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1022
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1286
flow-util.h
DetectParseRegex
Definition: detect-parse.h:62
SigTableElmt_::name
const char * name
Definition: detect.h:1296
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Flow_::proto
uint8_t proto
Definition: flow.h:373
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:474
DetectDceIfaceRegister
void DetectDceIfaceRegister(void)
Registers the keyword handlers for the "dce_iface" keyword.
Definition: detect-dce-iface.c:69
Flow_
Flow data structure.
Definition: flow.h:351
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:839
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2533
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1267
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:312
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:223
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:324
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:340
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1897
m
SCMutex m
Definition: flow-hash.h:6
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:54
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2620
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:468
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:267
Flow_::protoctx
void * protoctx
Definition: flow.h:441
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1281
util-unittest.h
util-unittest-helper.h
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:463
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:266
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1095
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2791
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2218
SCReturn
#define SCReturn
Definition: util-debug.h:273
Packet_
Definition: decode.h:437
detect-engine-build.h
DETECT_DCE_IFACE
@ DETECT_DCE_IFACE
Definition: detect-engine-register.h:199
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
queue.h
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:224
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-dce-iface.c:52
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2149
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:291
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:345
Packet_::flow
struct Flow_ * flow
Definition: decode.h:476
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3244
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1008
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:794
flags
uint8_t flags
Definition: decode-gre.h:0
SigTableElmt_::alias
const char * alias
Definition: detect.h:1297
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1292
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3454
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
DetectEngineInspectGenericList
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2079
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
Flow_::alstate
void * alstate
Definition: flow.h:476
detect-parse.h
Signature_
Signature container.
Definition: detect.h:596
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:225
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2494
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:169
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:447
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:841
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:65
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1019
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1288
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:431