suricata
detect-dce-iface.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements dce_iface keyword.
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-engine-state.h"
34 #include "detect-engine-build.h"
35 #include "detect-dce-iface.h"
36 
37 #include "flow.h"
38 #include "flow-var.h"
39 #include "flow-util.h"
40 
41 #include "app-layer.h"
42 #include "queue.h"
43 #include "stream-tcp-reassemble.h"
44 
45 #include "util-debug.h"
46 #include "util-unittest.h"
47 #include "util-unittest-helper.h"
48 #include "stream-tcp.h"
49 
50 #include "rust.h"
51 
52 #define PARSE_REGEX "^\\s*([0-9a-zA-Z]{8}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{12})(?:\\s*,\\s*(<|>|=|!)([0-9]{1,5}))?(?:\\s*,\\s*(any_frag))?\\s*$"
53 
54 static DetectParseRegex parse_regex;
55 
56 static int DetectDceIfaceMatchRust(DetectEngineThreadCtx *det_ctx,
57  Flow *f, uint8_t flags, void *state, void *txv,
58  const Signature *s, const SigMatchCtx *m);
59 static int DetectDceIfaceSetup(DetectEngineCtx *, Signature *, const char *);
60 static void DetectDceIfaceFree(DetectEngineCtx *, void *);
61 #ifdef UNITTESTS
62 static void DetectDceIfaceRegisterTests(void);
63 #endif
64 static int g_dce_generic_list_id = 0;
65 
66 /**
67  * \brief Registers the keyword handlers for the "dce_iface" keyword.
68  */
70 {
71  sigmatch_table[DETECT_DCE_IFACE].name = "dcerpc.iface";
72  sigmatch_table[DETECT_DCE_IFACE].alias = "dce_iface";
73  sigmatch_table[DETECT_DCE_IFACE].AppLayerTxMatch = DetectDceIfaceMatchRust;
74  sigmatch_table[DETECT_DCE_IFACE].Setup = DetectDceIfaceSetup;
75  sigmatch_table[DETECT_DCE_IFACE].Free = DetectDceIfaceFree;
76 #ifdef UNITTESTS
77  sigmatch_table[DETECT_DCE_IFACE].RegisterTests = DetectDceIfaceRegisterTests;
78 #endif
79  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
80 
81  g_dce_generic_list_id = DetectBufferTypeRegister("dce_generic");
82 
87 
92 }
93 
94 /**
95  * \brief App layer match function for the "dce_iface" keyword.
96  *
97  * \param t Pointer to the ThreadVars instance.
98  * \param det_ctx Pointer to the DetectEngineThreadCtx.
99  * \param f Pointer to the flow.
100  * \param flags Pointer to the flags indicating the flow direction.
101  * \param state Pointer to the app layer state data.
102  * \param s Pointer to the Signature instance.
103  * \param m Pointer to the SigMatch.
104  *
105  * \retval 1 On Match.
106  * \retval 0 On no match.
107  */
108 static int DetectDceIfaceMatchRust(DetectEngineThreadCtx *det_ctx,
109  Flow *f, uint8_t flags, void *state, void *txv,
110  const Signature *s, const SigMatchCtx *m)
111 {
112  SCEnter();
113 
114  if (f->alproto == ALPROTO_DCERPC) {
115  // TODO check if state is NULL
116  return rs_dcerpc_iface_match(txv, state, (void *)m);
117  }
118 
119  int ret = 0;
120 
121  if (rs_smb_tx_get_dce_iface(f->alstate, txv, (void *)m) != 1) {
122  SCLogDebug("rs_smb_tx_get_dce_iface: didn't match");
123  } else {
124  SCLogDebug("rs_smb_tx_get_dce_iface: matched!");
125  ret = 1;
126  // TODO validate frag
127  }
128  SCReturnInt(ret);
129 }
130 
131 /**
132  * \brief Creates a SigMatch for the "dce_iface" keyword being sent as argument,
133  * and appends it to the Signature(s).
134  *
135  * \param de_ctx Pointer to the detection engine context.
136  * \param s Pointer to signature for the current Signature being parsed
137  * from the rules.
138  * \param arg Pointer to the string holding the keyword value.
139  *
140  * \retval 0 on success, -1 on failure.
141  */
142 
143 static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
144 {
145  SCEnter();
146 
148  return -1;
149 
150  void *did = rs_dcerpc_iface_parse(arg);
151  if (did == NULL) {
152  SCLogError("Error parsing dce_iface option in "
153  "signature");
154  return -1;
155  }
156 
157  SigMatch *sm = SigMatchAlloc();
158  if (sm == NULL) {
159  return -1;
160  }
161 
162  sm->type = DETECT_DCE_IFACE;
163  sm->ctx = did;
164 
165  SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
166  return 0;
167 }
168 
169 static void DetectDceIfaceFree(DetectEngineCtx *de_ctx, void *ptr)
170 {
171  SCEnter();
172  if (ptr != NULL) {
173  rs_dcerpc_iface_free(ptr);
174  }
175  SCReturn;
176 }
177 
178 /************************************Unittests*********************************/
179 
180 #ifdef UNITTESTS
181 
182 /* Disabled because of bug_753. Would be enabled, once we rewrite
183  * dce parser */
184 #if 0
185 
186 /**
187  * \test Test a valid dce_iface entry with a bind, bind_ack and 3 request/responses.
188  */
189 static int DetectDceIfaceTestParse13(void)
190 {
191  int result = 0;
192  Signature *s = NULL;
193  ThreadVars th_v;
194  Packet *p = NULL;
195  Flow f;
196  TcpSession ssn;
197  DetectEngineThreadCtx *det_ctx = NULL;
198  DetectEngineCtx *de_ctx = NULL;
199  DCERPCState *dcerpc_state = NULL;
200  int r = 0;
201 
202  uint8_t dcerpc_bind[] = {
203  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
204  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
205  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
206  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
207  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
208  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
209  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
210  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
211  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
212  };
213 
214  uint8_t dcerpc_bindack[] = {
215  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
216  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
217  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
218  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
219  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
220  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
221  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
222  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
223  0x02, 0x00, 0x00, 0x00,
224  };
225 
226  uint8_t dcerpc_request1[] = {
227  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
228  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
229  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
230  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
231  0x00, 0x00, 0x00, 0x02,
232  };
233 
234  uint8_t dcerpc_response1[] = {
235  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
236  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
237  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
238  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
239  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
240  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
241  };
242 
243  uint8_t dcerpc_request2[] = {
244  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
245  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
246  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
247  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
248  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
249  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
250  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
251  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
252  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
253  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
254  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
255  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
256  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
257  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
258  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
259  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
260  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
261  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
262  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
263  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
264  0x03, 0x00, 0x00, 0x00,
265  };
266 
267  uint8_t dcerpc_response2[] = {
268  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
269  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
270  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
271  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
272  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
273  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
274  };
275 
276  uint8_t dcerpc_request3[] = {
277  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
278  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
279  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
280  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
281  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
282  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
283  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
284  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
285  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
286  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
287  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
288  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
289  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
290  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
291  };
292 
293  uint8_t dcerpc_response3[] = {
294  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
295  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
296  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
297  0x00, 0x00, 0x00, 0x00,
298  };
299 
300  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
301  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
302 
303  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
304  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
305 
306  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
307  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
308 
309  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
310  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
311 
313 
314  memset(&th_v, 0, sizeof(th_v));
315  memset(&p, 0, sizeof(p));
316  memset(&f, 0, sizeof(f));
317  memset(&ssn, 0, sizeof(ssn));
318 
319  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
320 
321  FLOW_INITIALIZE(&f);
322  f.protoctx = (void *)&ssn;
323  f.proto = IPPROTO_TCP;
324  p->flow = &f;
329 
330  StreamTcpInitConfig(true);
331 
333  if (de_ctx == NULL)
334  goto end;
335 
336  de_ctx->flags |= DE_QUIET;
337 
338  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any "
339  "(msg:\"DCERPC\"; dce_iface:338cd001-2244-31f1-aaaa-900038001003,=1,any_frag; sid:1;)");
340  if (s == NULL)
341  goto end;
342 
344  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
345 
346  SCLogDebug("chunk 1, bind");
347 
348  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
349  dcerpc_bind, dcerpc_bind_len);
350  if (r != 0) {
351  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
352  goto end;
353  }
354 
355  dcerpc_state = f.alstate;
356  if (dcerpc_state == NULL) {
357  SCLogDebug("no dcerpc state: ");
358  goto end;
359  }
360 
363  /* do detect */
364  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
365 
366  if (PacketAlertCheck(p, 1)) {
367  SCLogDebug("sig 1 didn't match after bind request: ");
368  goto end;
369  }
370 
371  SCLogDebug("chunk 2, bind_ack");
372 
373  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack,
374  dcerpc_bindack_len);
375  if (r != 0) {
376  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
377  goto end;
378  }
379 
382  /* do detect */
383  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
384 
385  if (PacketAlertCheck(p, 1)) {
386  SCLogDebug("sig 1 matched again after bind ack: ");
387  goto end;
388  }
389 
390  SCLogDebug("chunk 3, request 1");
391 
392  /* request1 */
393  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
394  dcerpc_request1_len);
395  if (r != 0) {
396  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
397  goto end;
398  }
399 
402  /* do detect */
403  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
404 
405  if (!(PacketAlertCheck(p, 1))) {
406  SCLogDebug("sig 1 didn't match after request1: ");
407  goto end;
408  }
409 
410  SCLogDebug("sending response1");
411 
412  /* response1 */
413  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
414  dcerpc_response1_len);
415  if (r != 0) {
416  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
417  goto end;
418  }
419 
422  /* do detect */
423  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
424 
425  if (PacketAlertCheck(p, 1)) {
426  SCLogDebug("sig 1 matched after response1, but shouldn't: ");
427  goto end;
428  }
429 
430  SCLogDebug("sending request2");
431 
432  /* request2 */
433  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
434  dcerpc_request2_len);
435  if (r != 0) {
436  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
437  goto end;
438  }
439 
442  /* do detect */
443  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
444 
445  if (!(PacketAlertCheck(p, 1))) {
446  SCLogDebug("sig 1 didn't match after request2: ");
447  goto end;
448  }
449 
450  /* response2 */
451  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response2,
452  dcerpc_response2_len);
453  if (r != 0) {
454  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
455  goto end;
456  }
457 
460  /* do detect */
461  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
462 
463  if (PacketAlertCheck(p, 1)) {
464  SCLogDebug("sig 1 matched after response2, but shouldn't have: ");
465  goto end;
466  }
467 
468  /* request3 */
469  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request3,
470  dcerpc_request3_len);
471  if (r != 0) {
472  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
473  goto end;
474  }
475 
478  /* do detect */
479  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
480 
481  if (!(PacketAlertCheck(p, 1))) {
482  SCLogDebug("sig 1 didn't match after request3: ");
483  goto end;
484  }
485 
486  /* response3 */
487  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
488  dcerpc_response3, dcerpc_response3_len);
489  if (r != 0) {
490  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
491  goto end;
492  }
493 
496  /* do detect */
497  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
498 
499  if (PacketAlertCheck(p, 1)) {
500  SCLogDebug("sig 1 matched after response3, but shouldn't have: ");
501  goto end;
502  }
503 
504  result = 1;
505 
506  end:
507  if (alp_tctx != NULL)
511 
512  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
514 
515  StreamTcpFreeConfig(true);
516  UTHFreePackets(&p, 1);
517  return result;
518 }
519 
520 #endif
521 
522 static void DetectDceIfaceRegisterTests(void)
523 {
524  /* Disabled because of bug_753. Would be enabled, once we rewrite
525  * dce parser */
526 #if 0
527  UtRegisterTest("DetectDceIfaceTestParse13", DetectDceIfaceTestParse13, 1);
528 #endif
529 }
530 #endif /* UNITTESTS */
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1703
detect-engine.h
detect-dce-iface.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:437
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1000
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1274
flow-util.h
DetectParseRegex
Definition: detect-parse.h:62
SigTableElmt_::name
const char * name
Definition: detect.h:1284
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Flow_::proto
uint8_t proto
Definition: flow.h:369
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:467
DetectDceIfaceRegister
void DetectDceIfaceRegister(void)
Registers the keyword handlers for the "dce_iface" keyword.
Definition: detect-dce-iface.c:69
Flow_
Flow data structure.
Definition: flow.h:347
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:826
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2592
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1255
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:314
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:221
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:314
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1824
m
SCMutex m
Definition: flow-hash.h:6
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:46
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2569
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:461
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:256
Flow_::protoctx
void * protoctx
Definition: flow.h:437
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1269
util-unittest.h
util-unittest-helper.h
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:359
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:255
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1074
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2747
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:343
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2042
SCReturn
#define SCReturn
Definition: util-debug.h:273
Packet_
Definition: decode.h:430
detect-engine-build.h
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:216
DETECT_DCE_IFACE
@ DETECT_DCE_IFACE
Definition: detect-engine-register.h:193
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
queue.h
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:222
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:322
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-dce-iface.c:52
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1973
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:293
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:335
Packet_::flow
struct Flow_ * flow
Definition: decode.h:469
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3308
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1060
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:690
flags
uint8_t flags
Definition: decode-gre.h:0
SigTableElmt_::alias
const char * alias
Definition: detect.h:1285
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1307
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3522
SigMatch_::type
uint16_t type
Definition: detect.h:341
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:129
DetectEngineInspectGenericList
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2122
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
Flow_::alstate
void * alstate
Definition: flow.h:472
detect-parse.h
Signature_
Signature container.
Definition: detect.h:581
SigMatch_
a single match condition for a signature
Definition: detect.h:340
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:223
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2553
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:828
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:66
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:446
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:997
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1276
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468