suricata
detect-dnp3.c
Go to the documentation of this file.
1 /* Copyright (C) 2015 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 
20 #include "stream.h"
21 
22 #include "detect.h"
23 #include "detect-parse.h"
24 #include "detect-dnp3.h"
25 #include "detect-engine.h"
26 #include "detect-engine-mpm.h"
29 
30 #include "app-layer-dnp3.h"
31 
32 static int g_dnp3_match_buffer_id = 0;
33 static int g_dnp3_data_buffer_id = 0;
34 
35 /**
36  * The detection struct.
37  */
38 typedef struct DetectDNP3_ {
39  union {
40  struct {
41  /* Function code for function code detection. */
42  uint8_t function_code;
43  };
44  struct {
45  /* Internal indicator flags for IIN detection. */
46  uint16_t ind_flags;
47  };
48  struct {
49  /* Object info for object detection. */
50  uint8_t obj_group;
51  uint8_t obj_variation;
52  };
53  };
55 
56 /**
57  * Indicator names to value mappings (Snort compatible).
58  */
60  {"device_restart", 0x8000},
61  {"device_trouble", 0x4000},
62  {"local_control", 0x2000},
63  {"need_time", 0x1000},
64  {"class_3_events", 0x0800},
65  {"class_2_events", 0x0400},
66  {"class_1_events", 0x0200},
67  {"all_stations", 0x0100},
68 
69  {"reserved_1", 0x0080},
70  {"reserved_2", 0x0040},
71  {"config_corrupt", 0x0020},
72  {"already_executing", 0x0010},
73  {"event_buffer_overflow", 0x0008},
74  {"parameter_error", 0x0004},
75  {"object_unknown", 0x0002},
76  {"no_func_code_support", 0x0001},
77 
78  {NULL, 0},
79 };
80 
81 /**
82  * Application function code name to code mappings (Snort compatible).
83  */
85  {"confirm", 0},
86  {"read", 1},
87  {"write", 2},
88  {"select", 3},
89  {"operate", 4},
90  {"direct_operate", 5},
91  {"direct_operate_nr", 6},
92  {"immed_freeze", 7},
93  {"immed_freeze_nr", 8},
94  {"freeze_clear", 9},
95  {"freeze_clear_nr", 10},
96  {"freeze_at_time", 11},
97  {"freeze_at_time_nr", 12},
98  {"cold_restart", 13},
99  {"warm_restart", 14},
100  {"initialize_data", 15},
101  {"initialize_appl", 16},
102  {"start_appl", 17},
103  {"stop_appl", 18},
104  {"save_config", 19},
105  {"enable_unsolicited", 20},
106  {"disable_unsolicited", 21},
107  {"assign_class", 22},
108  {"delay_measure", 23},
109  {"record_current_time", 24},
110  {"open_file", 25},
111  {"close_file", 26},
112  {"delete_file", 27},
113  {"get_file_info", 28},
114  {"authenticate_file", 29},
115  {"abort_file", 30},
116  {"activate_config", 31},
117  {"authenticate_req", 32},
118  {"authenticate_err", 33},
119  {"response", 129},
120  {"unsolicited_response", 130},
121  {"authenticate_resp", 131}
122 };
123 
124 #ifdef UNITTESTS
125 static void DetectDNP3FuncRegisterTests(void);
126 static void DetectDNP3IndRegisterTests(void);
127 static void DetectDNP3ObjRegisterTests(void);
128 static void DetectDNP3DataRegisterTests(void);
129 #endif
130 
131 /**
132  * \brief Utility function to trim leading and trailing whitespace
133  * from a string.
134  */
135 static char *TrimString(char *str)
136 {
137  char *end = str + strlen(str) - 1;
138  while (isspace(*str)) {
139  str++;
140  }
141  while (end > str && isspace(*end)) {
142  end--;
143  }
144  *(end + 1) = '\0';
145  return str;
146 }
147 
148 static InspectionBuffer *GetDNP3Data(DetectEngineThreadCtx *det_ctx,
149  const DetectEngineTransforms *transforms,
150  Flow *_f, const uint8_t flow_flags,
151  void *txv, const int list_id)
152 {
153  SCLogDebug("list_id %d", list_id);
154  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
155  if (buffer->inspect == NULL) {
156  DNP3Transaction *tx = (DNP3Transaction *)txv;
157  SCLogDebug("tx %p", tx);
158 
159  const uint8_t *data = NULL;
160  uint32_t data_len = 0;
161 
162  if (flow_flags & STREAM_TOSERVER) {
163  data = tx->request_buffer;
164  data_len = tx->request_buffer_len;
165  } else if (flow_flags & STREAM_TOCLIENT) {
166  data = tx->response_buffer;
167  data_len = tx->response_buffer_len;
168  }
169  if (data == NULL || data_len == 0)
170  return NULL;
171 
172  SCLogDebug("tx %p data %p data_len %u", tx, data, data_len);
173  InspectionBufferSetup(buffer, data, data_len);
174  InspectionBufferApplyTransforms(buffer, transforms);
175  }
176  return buffer;
177 }
178 
179 static int DetectEngineInspectDNP3(ThreadVars *tv, DetectEngineCtx *de_ctx,
180  DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd,
181  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
182 {
183  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
184  f, flags, alstate, txv, tx_id);
185 }
186 
187 /**
188  * \brief Parse the provided function name or code to its integer
189  * value.
190  *
191  * If the value passed is a number, it will be checked that it falls
192  * within the range of valid function codes. If function name is
193  * passed it will be resolved to its function code.
194  *
195  * \retval The function code as an integer if successul, -1 on
196  * failure.
197  */
198 static int DetectDNP3FuncParseFunctionCode(const char *str, uint8_t *fc)
199 {
200  if (StringParseUint8(fc, 10, strlen(str), str) >= 0) {
201  return 1;
202  }
203 
204  /* Lookup by name. */
205  for (size_t i = 0;
206  i < sizeof(DNP3FunctionNameMap) / sizeof(DNP3Mapping); i++) {
207  if (strcasecmp(str, DNP3FunctionNameMap[i].name) == 0) {
208  *fc = DNP3FunctionNameMap[i].value;
209  return 1;
210  }
211  }
212 
213  return 0;
214 }
215 
216 static int DetectDNP3FuncSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
217 {
218  SCEnter();
219  DetectDNP3 *dnp3 = NULL;
220  SigMatch *sm = NULL;
221  uint8_t function_code;
222 
224  return -1;
225 
226  if (!DetectDNP3FuncParseFunctionCode(str, &function_code)) {
228  "Invalid argument \"%s\" supplied to dnp3_func keyword.", str);
229  return -1;
230  }
231 
232  dnp3 = SCCalloc(1, sizeof(DetectDNP3));
233  if (unlikely(dnp3 == NULL)) {
234  goto error;
235  }
237 
238  sm = SigMatchAlloc();
239  if (sm == NULL) {
240  goto error;
241  }
242  sm->type = DETECT_AL_DNP3FUNC;
243  sm->ctx = (void *)dnp3;
244 
245  SigMatchAppendSMToList(s, sm, g_dnp3_match_buffer_id);
246 
247  SCReturnInt(0);
248 error:
249  if (dnp3 != NULL) {
250  SCFree(dnp3);
251  }
252  if (sm != NULL) {
253  SCFree(sm);
254  }
255  SCReturnInt(-1);
256 }
257 
258 static int DetectDNP3IndParseByName(const char *str, uint16_t *flags)
259 {
260  char tmp[strlen(str) + 1];
261  char *p, *last = NULL;
262 
263  strlcpy(tmp, str, sizeof(tmp));
264 
265  for ((p = strtok_r(tmp, ",", &last)); p; (p = strtok_r(NULL, ",", &last))) {
266  p = TrimString(p);
267  int found = 0;
268  int i = 0;
269  while (DNP3IndicatorsMap[i].name != NULL) {
270  if (strcasecmp(p, DNP3IndicatorsMap[i].name) == 0) {
272  found = 1;
273  break;
274  }
275  i++;
276  }
277 
278  if (!found) {
280  "Bad argument \"%s\" supplied to dnp3.ind keyword.", p);
281  return 0;
282  }
283  }
284 
285  return 1;
286 }
287 
288 static int DetectDNP3IndParse(const char *str, uint16_t *flags)
289 {
290  *flags = 0;
291 
292  if (StringParseUint16(flags, 0, strlen(str), str) > 0) {
293  return 1;
294  }
295 
296  /* Parse by name - will log a more specific error message on error. */
297  if (DetectDNP3IndParseByName(str, flags)) {
298  return 1;
299  }
300 
301  return 0;
302 }
303 
304 static int DetectDNP3IndSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
305 {
306  SCEnter();
307  DetectDNP3 *detect = NULL;
308  SigMatch *sm = NULL;
309  uint16_t flags;
310 
312  return -1;
313 
314  if (!DetectDNP3IndParse(str, &flags)) {
316  "Invalid argument \"%s\" supplied to dnp3.ind keyword.", str);
317  return -1;
318  }
319 
320  detect = SCCalloc(1, sizeof(DetectDNP3));
321  if (unlikely(detect == NULL)) {
322  goto error;
323  }
324  detect->ind_flags = flags;
325 
326  sm = SigMatchAlloc();
327  if (sm == NULL) {
328  goto error;
329  }
330  sm->type = DETECT_AL_DNP3IND;
331  sm->ctx = (void *)detect;
332  SigMatchAppendSMToList(s, sm, g_dnp3_match_buffer_id);
333 
334  SCReturnInt(0);
335 error:
336  if (detect != NULL) {
337  SCFree(detect);
338  }
339  if (sm != NULL) {
340  SCFree(sm);
341  }
342  SCReturnInt(-1);
343 }
344 
345 /**
346  * \brief Parse the value of string of the dnp3_obj keyword.
347  *
348  * \param str the input string
349  * \param gout pointer to variable to store the parsed group integer
350  * \param vout pointer to variable to store the parsed variation integer
351  *
352  * \retval 1 if parsing successful otherwise 0.
353  */
354 static int DetectDNP3ObjParse(const char *str, uint8_t *group, uint8_t *var)
355 {
356  size_t size = strlen(str) + 1;
357  char groupstr[size], *varstr, *sep;
358  strlcpy(groupstr, str, size);
359 
360  sep = strchr(groupstr, ',');
361  if (sep == NULL) {
362  return 0;
363  }
364  *sep = '\0';
365  varstr = sep + 1;
366 
367  if (StringParseUint8(group, 0, strlen(groupstr), groupstr) < 0) {
368  return 0;
369  }
370 
371  if (StringParseUint8(var, 0, strlen(varstr), varstr) < 0) {
372  return 0;
373  }
374 
375  return 1;
376 }
377 
378 static int DetectDNP3ObjSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
379 {
380  SCEnter();
381  uint8_t group;
382  uint8_t variation;
383  DetectDNP3 *detect = NULL;
384  SigMatch *sm = NULL;
385 
387  return -1;
388 
389  if (!DetectDNP3ObjParse(str, &group, &variation)) {
390  goto fail;
391  }
392 
393  detect = SCCalloc(1, sizeof(*detect));
394  if (unlikely(detect == NULL)) {
395  goto fail;
396  }
397  detect->obj_group = group;
398  detect->obj_variation = variation;
399 
400  sm = SigMatchAlloc();
401  if (unlikely(sm == NULL)) {
402  goto fail;
403  }
404  sm->type = DETECT_AL_DNP3OBJ;
405  sm->ctx = (void *)detect;
406  SigMatchAppendSMToList(s, sm, g_dnp3_match_buffer_id);
407 
408  SCReturnInt(1);
409 fail:
410  if (detect != NULL) {
411  SCFree(detect);
412  }
413  if (sm != NULL) {
414  SCFree(sm);
415  }
416  SCReturnInt(0);
417 }
418 
419 static void DetectDNP3Free(DetectEngineCtx *de_ctx, void *ptr)
420 {
421  SCEnter();
422  if (ptr != NULL) {
423  SCFree(ptr);
424  }
425  SCReturn;
426 }
427 
428 static int DetectDNP3FuncMatch(DetectEngineThreadCtx *det_ctx,
429  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
430  const SigMatchCtx *ctx)
431 {
432  DNP3Transaction *tx = (DNP3Transaction *)txv;
433  DetectDNP3 *detect = (DetectDNP3 *)ctx;
434  int match = 0;
435 
436  if (flags & STREAM_TOSERVER) {
437  match = detect->function_code == tx->request_ah.function_code;
438  }
439  else if (flags & STREAM_TOCLIENT) {
440  match = detect->function_code == tx->response_ah.function_code;
441  }
442 
443  return match;
444 }
445 
446 static int DetectDNP3ObjMatch(DetectEngineThreadCtx *det_ctx,
447  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
448  const SigMatchCtx *ctx)
449 {
450  DNP3Transaction *tx = (DNP3Transaction *)txv;
451  DetectDNP3 *detect = (DetectDNP3 *)ctx;
452  DNP3ObjectList *objects = NULL;
453 
454  if (flags & STREAM_TOSERVER) {
455  objects = &tx->request_objects;
456  }
457  else if (flags & STREAM_TOCLIENT) {
458  objects = &tx->response_objects;
459  }
460 
461  if (objects != NULL) {
462  DNP3Object *object;
463  TAILQ_FOREACH(object, objects, next) {
464  if (object->group == detect->obj_group &&
465  object->variation == detect->obj_variation) {
466  return 1;
467  }
468  }
469  }
470 
471  return 0;
472 }
473 
474 static int DetectDNP3IndMatch(DetectEngineThreadCtx *det_ctx,
475  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
476  const SigMatchCtx *ctx)
477 {
478  DNP3Transaction *tx = (DNP3Transaction *)txv;
479  DetectDNP3 *detect = (DetectDNP3 *)ctx;
480 
481  if (flags & STREAM_TOCLIENT) {
482  if ((tx->response_iin.iin1 & (detect->ind_flags >> 8)) ||
483  (tx->response_iin.iin2 & (detect->ind_flags & 0xf))) {
484  return 1;
485  }
486  }
487 
488  return 0;
489 }
490 
491 static void DetectDNP3FuncRegister(void)
492 {
493  SCEnter();
494 
495  sigmatch_table[DETECT_AL_DNP3FUNC].name = "dnp3_func";
496  sigmatch_table[DETECT_AL_DNP3FUNC].alias = "dnp3.func";
497  sigmatch_table[DETECT_AL_DNP3FUNC].desc = "match on the application function code found in DNP3 request and responses";
498  sigmatch_table[DETECT_AL_DNP3FUNC].url = "/rules/dnp3-keywords.html#dnp3-func";
500  sigmatch_table[DETECT_AL_DNP3FUNC].AppLayerTxMatch = DetectDNP3FuncMatch;
501  sigmatch_table[DETECT_AL_DNP3FUNC].Setup = DetectDNP3FuncSetup;
502  sigmatch_table[DETECT_AL_DNP3FUNC].Free = DetectDNP3Free;
503 #ifdef UNITTESTS
505  DetectDNP3FuncRegisterTests;
506 #endif
507  SCReturn;
508 }
509 
510 static void DetectDNP3IndRegister(void)
511 {
512  SCEnter();
513 
514  sigmatch_table[DETECT_AL_DNP3IND].name = "dnp3_ind";
515  sigmatch_table[DETECT_AL_DNP3IND].alias = "dnp3.ind";
516  sigmatch_table[DETECT_AL_DNP3IND].desc = "match on the DNP3 internal indicator flags in the response application header";
517  sigmatch_table[DETECT_AL_DNP3IND].url = "/rules/dnp3-keywords.html#dnp3-ind";
519  sigmatch_table[DETECT_AL_DNP3IND].AppLayerTxMatch = DetectDNP3IndMatch;
520  sigmatch_table[DETECT_AL_DNP3IND].Setup = DetectDNP3IndSetup;
521  sigmatch_table[DETECT_AL_DNP3IND].Free = DetectDNP3Free;
522 #ifdef UNITTESTS
524  DetectDNP3IndRegisterTests;
525 #endif
526  SCReturn;
527 }
528 
529 static void DetectDNP3ObjRegister(void)
530 {
531  SCEnter();
532 
533  sigmatch_table[DETECT_AL_DNP3OBJ].name = "dnp3_obj";
534  sigmatch_table[DETECT_AL_DNP3OBJ].alias = "dnp3.obj";
535  sigmatch_table[DETECT_AL_DNP3OBJ].desc = "match on the DNP3 application data objects";
536  sigmatch_table[DETECT_AL_DNP3OBJ].url = "/rules/dnp3-keywords.html#dnp3-obj";
538  sigmatch_table[DETECT_AL_DNP3OBJ].AppLayerTxMatch = DetectDNP3ObjMatch;
539  sigmatch_table[DETECT_AL_DNP3OBJ].Setup = DetectDNP3ObjSetup;
540  sigmatch_table[DETECT_AL_DNP3OBJ].Free = DetectDNP3Free;
541 #ifdef UNITTESTS
543  DetectDNP3ObjRegisterTests;
544 #endif
545  SCReturn;
546 }
547 
548 static int DetectDNP3DataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
549 {
550  SCEnter();
552  return -1;
553 
554  if (DetectBufferSetActiveList(s, g_dnp3_data_buffer_id) != 0)
555  return -1;
556 
557  SCReturnInt(0);
558 }
559 
560 static void DetectDNP3DataRegister(void)
561 {
562  SCEnter();
563 
564  sigmatch_table[DETECT_AL_DNP3DATA].name = "dnp3.data";
565  sigmatch_table[DETECT_AL_DNP3DATA].alias = "dnp3_data";
566  sigmatch_table[DETECT_AL_DNP3DATA].desc = "make the following content options to match on the re-assembled application buffer";
567  sigmatch_table[DETECT_AL_DNP3DATA].url = "/rules/dnp3-keywords.html#dnp3-data";
568  sigmatch_table[DETECT_AL_DNP3DATA].Setup = DetectDNP3DataSetup;
569 #ifdef UNITTESTS
571  DetectDNP3DataRegisterTests;
572 #endif
574 
578  GetDNP3Data);
580  PrefilterGenericMpmRegister, GetDNP3Data,
581  ALPROTO_DNP3, 0);
582 
586  GetDNP3Data);
588  PrefilterGenericMpmRegister, GetDNP3Data,
589  ALPROTO_DNP3, 0);
590 
591  g_dnp3_data_buffer_id = DetectBufferTypeGetByName("dnp3_data");
592  SCReturn;
593 }
594 
596 {
597  DetectDNP3DataRegister();
598 
599  DetectDNP3FuncRegister();
600  DetectDNP3IndRegister();
601  DetectDNP3ObjRegister();
602 
603  /* Register the list of func, ind and obj. */
606  DetectEngineInspectDNP3);
609  DetectEngineInspectDNP3);
610 
611  g_dnp3_match_buffer_id = DetectBufferTypeRegister("dnp3");
612 
613 }
614 
615 #ifdef UNITTESTS
616 
617 #include "util-unittest.h"
618 #include "util-unittest-helper.h"
619 #include "app-layer-parser.h"
620 #include "detect-engine.h"
621 #include "flow-util.h"
622 #include "stream-tcp.h"
623 
624 static int DetectDNP3FuncParseFunctionCodeTest(void)
625 {
626  uint8_t fc;
627 
628  /* Valid. */
629  FAIL_IF_NOT(DetectDNP3FuncParseFunctionCode("0", &fc));
630  FAIL_IF(fc != 0);
631 
632  FAIL_IF_NOT(DetectDNP3FuncParseFunctionCode("1", &fc));
633  FAIL_IF(fc != 1);
634 
635  FAIL_IF_NOT(DetectDNP3FuncParseFunctionCode("254", &fc));
636  FAIL_IF(fc != 254);
637 
638  FAIL_IF_NOT(DetectDNP3FuncParseFunctionCode("255", &fc));
639  FAIL_IF(fc != 255);
640 
641  FAIL_IF_NOT(DetectDNP3FuncParseFunctionCode("confirm", &fc));
642  FAIL_IF(fc != 0);
643 
644  FAIL_IF_NOT(DetectDNP3FuncParseFunctionCode("CONFIRM", &fc));
645  FAIL_IF(fc != 0);
646 
647  /* Invalid. */
648  FAIL_IF(DetectDNP3FuncParseFunctionCode("", &fc));
649  FAIL_IF(DetectDNP3FuncParseFunctionCode("-1", &fc));
650  FAIL_IF(DetectDNP3FuncParseFunctionCode("-2", &fc));
651  FAIL_IF(DetectDNP3FuncParseFunctionCode("256", &fc));
652  FAIL_IF(DetectDNP3FuncParseFunctionCode("unknown_function_code", &fc));
653 
654  PASS;
655 }
656 
657 static int DetectDNP3FuncTest01(void)
658 {
659  DetectEngineCtx *de_ctx = NULL;
660  DetectDNP3 *dnp3func = NULL;
661 
664 
666  "alert dnp3 any any -> any any "
667  "(msg:\"SURICATA DNP3 Write request\"; "
668  "dnp3_func:2; sid:5000009; rev:1;)");
670 
671  FAIL_IF_NULL(de_ctx->sig_list->sm_lists_tail[g_dnp3_match_buffer_id]);
672  FAIL_IF_NULL(de_ctx->sig_list->sm_lists_tail[g_dnp3_match_buffer_id]->ctx);
673 
674  dnp3func = (DetectDNP3 *)de_ctx->sig_list->sm_lists_tail[g_dnp3_match_buffer_id]->ctx;
675  FAIL_IF(dnp3func->function_code != 2);
676 
677  if (de_ctx != NULL) {
679  }
680  PASS;
681 }
682 
683 static int DetectDNP3IndTestParseAsInteger(void)
684 {
685  uint16_t flags = 0;
686 
687  FAIL_IF(!DetectDNP3IndParse("0", &flags));
688  FAIL_IF(flags != 0);
689  FAIL_IF(!DetectDNP3IndParse("1", &flags));
690  FAIL_IF(flags != 0x0001);
691 
692  FAIL_IF(!DetectDNP3IndParse("0x0", &flags));
693  FAIL_IF(flags != 0);
694  FAIL_IF(!DetectDNP3IndParse("0x0000", &flags));
695  FAIL_IF(flags != 0);
696  FAIL_IF(!DetectDNP3IndParse("0x0001", &flags));
697  FAIL_IF(flags != 0x0001);
698 
699  FAIL_IF(!DetectDNP3IndParse("0x8421", &flags));
700  FAIL_IF(flags != 0x8421);
701 
702  FAIL_IF(DetectDNP3IndParse("a", &flags));
703 
704  PASS;
705 }
706 
707 static int DetectDNP3IndTestParseByName(void)
708 {
709  uint16_t flags = 0;
710 
711  FAIL_IF(!DetectDNP3IndParse("all_stations", &flags));
712  FAIL_IF(!(flags & 0x0100));
713  FAIL_IF(!DetectDNP3IndParse("class_1_events , class_2_events", &flags));
714  FAIL_IF(!(flags & 0x0200));
715  FAIL_IF(!(flags & 0x0400));
716  FAIL_IF((flags & 0xf9ff));
717 
718  FAIL_IF(DetectDNP3IndParse("something", &flags));
719 
720  PASS;
721 }
722 
723 static int DetectDNP3ObjSetupTest(void)
724 {
725  DetectEngineCtx *de_ctx = NULL;
726  DetectDNP3 *detect = NULL;
727 
729  FAIL_IF(de_ctx == NULL);
730 
732  "alert dnp3 any any -> any any "
733  "(msg:\"SURICATA DNP3 Object Test\"; "
734  "dnp3_obj:99,99; sid:1; rev:1;)");
735  FAIL_IF(de_ctx->sig_list == NULL);
736 
737  FAIL_IF(de_ctx->sig_list->sm_lists_tail[g_dnp3_match_buffer_id] == NULL);
738  FAIL_IF(de_ctx->sig_list->sm_lists_tail[g_dnp3_match_buffer_id]->ctx == NULL);
739 
740  detect = (DetectDNP3 *)de_ctx->sig_list->sm_lists_tail[g_dnp3_match_buffer_id]->ctx;
741  FAIL_IF(detect->obj_group != 99);
742  FAIL_IF(detect->obj_variation != 99);
743 
744  if (de_ctx != NULL) {
746  }
747  PASS;
748 }
749 
750 static int DetectDNP3ObjParseTest(void)
751 {
752  uint8_t group, var;
753 
754  FAIL_IF(!DetectDNP3ObjParse("0,0", &group, &var));
755  FAIL_IF(group != 0 || var != 0);
756 
757  FAIL_IF(!DetectDNP3ObjParse("255,255", &group, &var));
758  FAIL_IF(group != 255 || var != 255);
759 
760  FAIL_IF(DetectDNP3ObjParse("-1,-1", &group, &var));
761  FAIL_IF(DetectDNP3ObjParse("256,256", &group, &var));
762  FAIL_IF(DetectDNP3ObjParse("a,1", &group, &var));
763  FAIL_IF(DetectDNP3ObjParse("1,a", &group, &var));
764 
765  PASS;
766 }
767 
768 /**
769  * Test request (to server) content match.
770  */
771 static int DetectDNP3DataTest01(void)
772 {
774  DetectEngineThreadCtx *det_ctx = NULL;
775  DetectEngineCtx *de_ctx = NULL;
776  Flow f;
777  Packet *p;
778  TcpSession tcp;
779  ThreadVars tv;
780 
781  uint8_t request[] = {
782  0x05, 0x64, 0x1a, 0xc4, 0x02, 0x00, 0x01, 0x00,
783  0xa5, 0xe9,
784 
785  0xff, 0xc9, 0x05, 0x0c, 0x01, 0x28, 0x01, 0x00,
786  0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00,
787 
788  /* CRC. */
789  0x72, 0xef,
790 
791  0x00, 0x00, 0x00, 0x00, 0x00,
792 
793  /* CRC. */
794  0xff, 0xff,
795  };
796 
797  /* Setup flow. */
798  memset(&f, 0, sizeof(Flow));
799  memset(&tcp, 0, sizeof(TcpSession));
800  memset(&tv, 0, sizeof(ThreadVars));
801  p = UTHBuildPacket(request, sizeof(request), IPPROTO_TCP);
802  FLOW_INITIALIZE(&f);
803  f.alproto = ALPROTO_DNP3;
804  f.protoctx = (void *)&tcp;
805  f.proto = IPPROTO_TCP;
806  f.flags |= FLOW_IPV4;
807  p->flow = &f;
811 
813  FAIL_IF(de_ctx == NULL);
814 
815  /* Either direction - should match. */
817  "alert dnp3 any any -> any any ("
818  "msg:\"DetectDNP3DataTest01\"; "
819  "dnp3_data; "
820  "content:\"|01 01 01 00 00 00 00 00 00 00|\"; "
821  "sid:1; rev:1;)");
822  FAIL_IF(s == NULL);
823 
824  /* To server - should match. */
826  "alert dnp3 any any -> any any ("
827  "msg:\"DetectDNP3DataTest01\"; "
828  "flow:established,to_server; "
829  "dnp3_data; "
830  "content:\"|01 01 01 00 00 00 00 00 00 00|\"; "
831  "sid:2; rev:1;)");
832  FAIL_IF(s == NULL);
833 
834  /* To client - should not match. */
836  "alert dnp3 any any -> any any ("
837  "msg:\"DetectDNP3DataTest01\"; "
838  "flow:established,to_client; "
839  "dnp3_data; "
840  "content:\"|01 01 01 00 00 00 00 00 00 00|\"; "
841  "sid:3; rev:1;)");
842  FAIL_IF(s == NULL);
843 
844  /* The content of a CRC - should not match. */
846  "alert dnp3 any any -> any any ("
847  "msg:\"DetectDNP3DataTest01\"; "
848  "dnp3_data; "
849  "content:\"|72 ef|\"; "
850  "sid:4; rev:1;)");
851  FAIL_IF(s == NULL);
852 
854  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
855 
856  SCMutexLock(&f.m);
857  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNP3,
858  STREAM_TOSERVER, request, sizeof(request));
859  SCMutexUnlock(&f.m);
860  FAIL_IF(r);
861 
862  FAIL_IF(f.alstate == NULL);
863 
864  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
865  FAIL_IF(!PacketAlertCheck(p, 1));
866  FAIL_IF(!PacketAlertCheck(p, 2));
867  FAIL_IF(PacketAlertCheck(p, 3));
868  FAIL_IF(PacketAlertCheck(p, 4));
869 
870  if (alp_tctx != NULL)
872  if (det_ctx != NULL)
873  DetectEngineThreadCtxDeinit(&tv, det_ctx);
874  if (de_ctx != NULL)
876  if (de_ctx != NULL)
879  FLOW_DESTROY(&f);
880  UTHFreePacket(p);
881  PASS;
882 }
883 
884 /**
885  * Test response (to client) content match.
886  */
887 static int DetectDNP3DataTest02(void)
888 {
890  DetectEngineThreadCtx *det_ctx = NULL;
891  DetectEngineCtx *de_ctx = NULL;
892  Flow f;
893  Packet *p;
894  TcpSession tcp;
895  ThreadVars tv;
896 
897  uint8_t request[] = {
898  /* Link header. */
899  0x05, 0x64, 0x1a, 0xc4, 0x02, 0x00, 0x01, 0x00,
900 
901  /* CRC. */
902  0xa5, 0xe9,
903 
904  /* Transport header. */
905  0xff,
906 
907  /* Application layer. */
908  0xc9, 0x05, 0x0c, 0x01, 0x28, 0x01, 0x00, 0x00,
909  0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00,
910 
911  /* CRC. */
912  0x72, 0xef,
913 
914  /* Application layer. */
915  0x00, 0x00, 0x00, 0x00, 0x00,
916 
917  /* CRC. */
918  0xff, 0xff,
919  };
920 
921  uint8_t response[] = {
922  /* Link header. */
923  0x05, 0x64, 0x1c, 0x44, 0x01, 0x00, 0x02, 0x00,
924 
925  /* CRC. */
926  0xe2, 0x59,
927 
928  /* Transport header. */
929  0xc3,
930 
931  /* Application layyer. */
932  0xc9, 0x81, 0x00, 0x00, 0x0c, 0x01, 0x28, 0x01,
933  0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00,
934 
935  /* CRC. */
936  0x7a, 0x65,
937 
938  /* Application layer. */
939  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
940 
941  /* CRC. */
942  0xff, 0xff
943  };
944 
945  /* Setup flow. */
946  memset(&f, 0, sizeof(Flow));
947  memset(&tcp, 0, sizeof(TcpSession));
948  memset(&tv, 0, sizeof(ThreadVars));
949  p = UTHBuildPacket(response, sizeof(response), IPPROTO_TCP);
950  FLOW_INITIALIZE(&f);
951  f.alproto = ALPROTO_DNP3;
952  f.protoctx = (void *)&tcp;
953  f.proto = IPPROTO_TCP;
954  f.flags |= FLOW_IPV4;
955  p->flow = &f;
959 
961  FAIL_IF(de_ctx == NULL);
962 
963  /* Either direction - should match. */
965  "alert dnp3 any any -> any any ("
966  "msg:\"DetectDNP3DataTest01\"; "
967  "dnp3_data; "
968  "content:\"|01 01 01 00 00 00 00|\"; "
969  "sid:1; rev:1;)");
970  FAIL_IF(s == NULL);
971 
972  /* To server - should not match. */
974  "alert dnp3 any any -> any any ("
975  "msg:\"DetectDNP3DataTest01\"; "
976  "flow:established,to_server; "
977  "dnp3_data; "
978  "content:\"|01 01 01 00 00 00 00|\"; "
979  "sid:2; rev:1;)");
980  FAIL_IF(s == NULL);
981 
982  /* To client - should match. */
984  "alert dnp3 any any -> any any ("
985  "msg:\"DetectDNP3DataTest01\"; "
986  "flow:established,to_client; "
987  "dnp3_data; "
988  "content:\"|01 01 01 00 00 00 00|\"; "
989  "sid:3; rev:1;)");
990  FAIL_IF(s == NULL);
991 
992  /* The content of a CRC - should not match. */
994  "alert dnp3 any any -> any any ("
995  "msg:\"DetectDNP3DataTest01\"; "
996  "dnp3_data; "
997  "content:\"|7a 65|\"; "
998  "sid:4; rev:1;)");
999  FAIL_IF(s == NULL);
1000 
1002  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1003 
1004  /* Send through the request, then response. */
1005  SCMutexLock(&f.m);
1006  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNP3,
1007  STREAM_TOSERVER, request, sizeof(request));
1008  SCMutexUnlock(&f.m);
1009  FAIL_IF(r);
1010  FAIL_IF(f.alstate == NULL);
1011 
1012  SCMutexLock(&f.m);
1014  response, sizeof(response));
1015  SCMutexUnlock(&f.m);
1016  FAIL_IF(r);
1017 
1018  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1019  FAIL_IF(!PacketAlertCheck(p, 1));
1020  FAIL_IF(PacketAlertCheck(p, 2));
1021  FAIL_IF(!PacketAlertCheck(p, 3));
1022  FAIL_IF(PacketAlertCheck(p, 4));
1023 
1024  if (alp_tctx != NULL)
1026  if (det_ctx != NULL)
1027  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1028  if (de_ctx != NULL)
1030  if (de_ctx != NULL)
1033  FLOW_DESTROY(&f);
1034  UTHFreePacket(p);
1035  PASS;
1036 }
1037 
1038 static void DetectDNP3FuncRegisterTests(void)
1039 {
1040  UtRegisterTest("DetectDNP3FuncParseFunctionCodeTest",
1041  DetectDNP3FuncParseFunctionCodeTest);
1042  UtRegisterTest("DetectDNP3FuncTest01", DetectDNP3FuncTest01);
1043 }
1044 
1045 static void DetectDNP3IndRegisterTests(void)
1046 {
1047  UtRegisterTest("DetectDNP3IndTestParseAsInteger",
1048  DetectDNP3IndTestParseAsInteger);
1049  UtRegisterTest("DetectDNP3IndTestParseByName",
1050  DetectDNP3IndTestParseByName);
1051 }
1052 
1053 static void DetectDNP3ObjRegisterTests(void)
1054 {
1055  UtRegisterTest("DetectDNP3ObjParseTest", DetectDNP3ObjParseTest);
1056  UtRegisterTest("DetectDNP3ObjSetupTest", DetectDNP3ObjSetupTest);
1057 }
1058 
1059 void DetectDNP3DataRegisterTests(void)
1060 {
1061  UtRegisterTest("DetectDNP3DataTest01", DetectDNP3DataTest01);
1062  UtRegisterTest("DetectDNP3DataTest02", DetectDNP3DataTest02);
1063 }
1064 #endif
DETECT_AL_DNP3IND
@ DETECT_AL_DNP3IND
Definition: detect-engine-register.h:233
SigTableElmt_::url
const char * url
Definition: detect.h:1214
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1480
detect-engine.h
StringParseUint16
int StringParseUint16(uint16_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:336
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1404
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1109
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1211
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectEngineTransforms
Definition: detect.h:376
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectDNP3Register
void DetectDNP3Register(void)
Definition: detect-dnp3.c:595
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
Flow_::proto
uint8_t proto
Definition: flow.h:365
DNP3Object_
Struct to hold the list of decoded objects.
Definition: app-layer-dnp3.h:191
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
InspectionBuffer
Definition: detect.h:344
Packet_::flags
uint32_t flags
Definition: decode.h:449
Flow_
Flow data structure.
Definition: flow.h:347
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2056
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:611
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1205
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DETECT_AL_DNP3FUNC
@ DETECT_AL_DNP3FUNC
Definition: detect-engine-register.h:232
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:350
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1182
DNP3Transaction_::response_buffer
uint8_t * response_buffer
Definition: app-layer-dnp3.h:237
DetectDNP3_
Definition: detect-dnp3.c:38
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:278
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:219
detect-dnp3.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:445
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
Flow_::protoctx
void * protoctx
Definition: flow.h:441
SigMatchData_
Data needed for Match()
Definition: detect.h:329
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:95
DetectDNP3_::function_code
uint8_t function_code
Definition: detect-dnp3.c:42
detect-engine-prefilter.h
util-unittest.h
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:1061
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1596
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:880
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
DNP3IndicatorsMap
DNP3Mapping DNP3IndicatorsMap[]
Definition: detect-dnp3.c:59
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DNP3Transaction_::response_iin
DNP3InternalInd response_iin
Definition: app-layer-dnp3.h:236
DetectDNP3_::ind_flags
uint16_t ind_flags
Definition: detect-dnp3.c:46
DetectEngineThreadCtx_
Definition: detect.h:1010
ALPROTO_DNP3
@ ALPROTO_DNP3
Definition: app-layer-protos.h:44
app-layer-dnp3.h
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:19
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
Flow_::m
SCMutex m
Definition: flow.h:435
app-layer-parser.h
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1953
SCReturn
#define SCReturn
Definition: util-debug.h:302
stream.h
DetectEngineInspectBufferGeneric
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1641
Packet_
Definition: decode.h:414
DNP3Object_::group
uint8_t group
Definition: app-layer-dnp3.h:192
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:668
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:232
DNP3Transaction_::request_buffer_len
uint32_t request_buffer_len
Definition: app-layer-dnp3.h:224
variation
uint8_t variation
Definition: app-layer-dnp3.h:1
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1179
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:220
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1888
SigMatch_::type
uint8_t type
Definition: detect.h:321
DNP3Transaction_::request_ah
DNP3ApplicationHeader request_ah
Definition: app-layer-dnp3.h:221
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:252
DetectDNP3_::obj_variation
uint8_t obj_variation
Definition: detect-dnp3.c:51
DNP3Transaction_::response_ah
DNP3ApplicationHeader response_ah
Definition: app-layer-dnp3.h:235
detect-engine-content-inspection.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2361
Packet_::flow
struct Flow_ * flow
Definition: decode.h:451
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2797
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:836
flags
uint8_t flags
Definition: decode-gre.h:0
SigTableElmt_::alias
const char * alias
Definition: detect.h:1212
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1203
group
uint8_t group
Definition: app-layer-dnp3.h:0
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3005
DetectDNP3_::obj_group
uint8_t obj_group
Definition: detect-dnp3.c:50
InspectionBufferSetup
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1120
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:1211
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DNP3Mapping_::value
uint16_t value
Definition: detect-dnp3.h:26
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:773
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
DNP3Mapping_
Definition: detect-dnp3.h:24
DETECT_AL_DNP3DATA
@ DETECT_AL_DNP3DATA
Definition: detect-engine-register.h:231
DNP3Transaction_::request_objects
DNP3ObjectList request_objects
Definition: app-layer-dnp3.h:229
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:345
str
#define str(s)
Definition: suricata-common.h:273
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DNP3Transaction_::request_buffer
uint8_t * request_buffer
Definition: app-layer-dnp3.h:222
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
Flow_::alstate
void * alstate
Definition: flow.h:476
Flow_::flags
uint32_t flags
Definition: flow.h:421
DNP3Object_::variation
uint8_t variation
Definition: app-layer-dnp3.h:193
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
function_code
uint8_t function_code
Definition: app-layer-dnp3.h:1
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:221
StringParseUint8
int StringParseUint8(uint8_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:359
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1380
DetectDNP3
struct DetectDNP3_ DetectDNP3
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:992
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:87
TcpSession_
Definition: stream-tcp-private.h:260
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
Definition: detect-engine.c:171
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
DNP3FunctionNameMap
DNP3Mapping DNP3FunctionNameMap[]
Definition: detect-dnp3.c:84
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
DNP3Transaction_::response_buffer_len
uint32_t response_buffer_len
Definition: app-layer-dnp3.h:239
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:130
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1107
DNP3Transaction_
DNP3 transaction.
Definition: app-layer-dnp3.h:210
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203
DNP3Transaction_::response_objects
DNP3ObjectList response_objects
Definition: app-layer-dnp3.h:244
DETECT_AL_DNP3OBJ
@ DETECT_AL_DNP3OBJ
Definition: detect-engine-register.h:234