suricata
detect-engine-analyzer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Eileen Donlon <emdonlo@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Rule analyzers for the detection engine
25  */
26 
27 #include "suricata-common.h"
28 #include "suricata.h"
29 #include "rust.h"
30 #include "action-globals.h"
31 #include "detect.h"
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-analyzer.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-uint.h"
37 #include "conf.h"
38 #include "detect-content.h"
39 #include "detect-pcre.h"
40 #include "detect-bytejump.h"
41 #include "detect-bytetest.h"
42 #include "detect-isdataat.h"
43 #include "detect-flow.h"
44 #include "detect-ttl.h"
45 #include "detect-tcp-flags.h"
46 #include "detect-tcp-ack.h"
47 #include "detect-ipopts.h"
48 #include "detect-tcp-seq.h"
49 #include "feature.h"
50 #include "util-print.h"
51 #include "util-time.h"
52 #include "util-validate.h"
53 #include "util-conf.h"
54 #include "detect-flowbits.h"
55 #include "detect-flowint.h"
56 #include "detect-xbits.h"
57 #include "util-var-name.h"
58 #include "detect-icmp-id.h"
59 #include "detect-tcp-window.h"
61 #include "app-layer-parser.h"
62 
63 static int rule_warnings_only = 0;
64 
65 /* Details for each buffer being tracked */
66 typedef struct DetectEngineAnalyzerItems {
67  int16_t item_id;
68  bool item_seen;
71  const char *item_name;
72  const char *display_name;
74 
75 typedef struct FpPatternStats_ {
76  uint16_t min;
77  uint16_t max;
78  uint32_t cnt;
79  uint64_t tot;
81 
82 /* Track which items require the item_seen value to be exposed */
84  const char *bufname;
86 };
87 
88 typedef struct EngineAnalysisCtx_ {
89 
92 
94  char *file_prefix;
95  pcre2_code *percent_re;
96 
97  /*
98  * This array contains the map between the `analyzer_items` array listed above and
99  * the item ids returned by DetectBufferTypeGetByName. Iterating signature's sigmatch
100  * array provides list_ids. The map converts those ids into elements of the
101  * analyzer items array.
102  *
103  * Ultimately, the g_buffer_type_hash is searched for each buffer name. The size of that
104  * hashlist is 256, so that's the value we use here.
105  */
106  int16_t analyzer_item_map[256];
108  /*
109  * Certain values must be directly accessible. This array contains items that are directly
110  * accessed when checking if they've been seen or not.
111  */
113 
116 
118  /* request keywords */
119  { 0, false, false, true, "http_uri", "http uri" },
120  { 0, false, false, false, "http_raw_uri", "http raw uri" },
121  { 0, false, true, false, "http_method", "http method" },
122  { 0, false, false, false, "http_request_line", "http request line" },
123  { 0, false, false, false, "http_client_body", "http client body" },
124  { 0, false, false, true, "http_header", "http header" },
125  { 0, false, false, false, "http_raw_header", "http raw header" },
126  { 0, false, false, true, "http_cookie", "http cookie" },
127  { 0, false, false, false, "http_user_agent", "http user agent" },
128  { 0, false, false, false, "http_host", "http host" },
129  { 0, false, false, false, "http_raw_host", "http raw host" },
130  { 0, false, false, false, "http_accept_enc", "http accept enc" },
131  { 0, false, false, false, "http_referer", "http referer" },
132  { 0, false, false, false, "http_content_type", "http content type" },
133  { 0, false, false, false, "http_header_names", "http header names" },
134 
135  /* response keywords not listed above */
136  { 0, false, false, false, "http_stat_msg", "http stat msg" },
137  { 0, false, false, false, "http_stat_code", "http stat code" },
138  { 0, false, true, false, "file_data", "http server body" },
139 
140  /* missing request keywords */
141  { 0, false, false, false, "http_request_line", "http request line" },
142  { 0, false, false, false, "http_accept", "http accept" },
143  { 0, false, false, false, "http_accept_lang", "http accept lang" },
144  { 0, false, false, false, "http_connection", "http connection" },
145  { 0, false, false, false, "http_content_len", "http content len" },
146  { 0, false, false, false, "http_protocol", "http protocol" },
147  { 0, false, false, false, "http_start", "http start" },
148 
149  /* missing response keywords; some of the missing are listed above*/
150  { 0, false, false, false, "http_response_line", "http response line" },
151  { 0, false, false, false, "http.server", "http server" },
152  { 0, false, false, false, "http.location", "http location" },
153 };
154 
155 static void FpPatternStatsAdd(FpPatternStats *fp, int list, uint16_t patlen)
156 {
157  if (list < 0 || list >= DETECT_SM_LIST_MAX)
158  return;
159 
160  FpPatternStats *f = &fp[list];
161 
162  if (f->min == 0)
163  f->min = patlen;
164  else if (patlen < f->min)
165  f->min = patlen;
166 
167  if (patlen > f->max)
168  f->max = patlen;
169 
170  f->cnt++;
171  f->tot += patlen;
172 }
173 
174 void EngineAnalysisFP(const DetectEngineCtx *de_ctx, const Signature *s, const char *line)
175 {
176  int fast_pattern_set = 0;
177  int fast_pattern_only_set = 0;
178  int fast_pattern_chop_set = 0;
179  const DetectContentData *fp_cd = NULL;
180  const SigMatch *mpm_sm = s->init_data->mpm_sm;
181  const int mpm_sm_list = s->init_data->mpm_sm_list;
182 
183  if (mpm_sm != NULL) {
184  fp_cd = (DetectContentData *)mpm_sm->ctx;
185  if (fp_cd->flags & DETECT_CONTENT_FAST_PATTERN) {
186  fast_pattern_set = 1;
188  fast_pattern_only_set = 1;
189  } else if (fp_cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
190  fast_pattern_chop_set = 1;
191  }
192  }
193  }
194 
195  FILE *fp = de_ctx->ea->rule_engine_analysis_fp;
196  fprintf(fp, "== Sid: %u ==\n", s->id);
197  fprintf(fp, "%s\n", line);
198 
199  fprintf(fp, " Fast Pattern analysis:\n");
200  if (s->init_data->prefilter_sm != NULL) {
201  fprintf(fp, " Prefilter on: %s\n",
203  fprintf(fp, "\n");
204  return;
205  }
206 
207  if (fp_cd == NULL) {
208  fprintf(fp, " No content present\n");
209  fprintf(fp, "\n");
210  return;
211  }
212 
213  fprintf(fp, " Fast pattern matcher: ");
214  int list_type = mpm_sm_list;
215  if (list_type == DETECT_SM_LIST_PMATCH)
216  fprintf(fp, "content\n");
217  else {
218  const char *desc = DetectEngineBufferTypeGetDescriptionById(de_ctx, list_type);
219  const char *name = DetectEngineBufferTypeGetNameById(de_ctx, list_type);
220  if (desc && name) {
221  fprintf(fp, "%s (%s)\n", desc, name);
222  }
223  }
224 
225  int flags_set = 0;
226  fprintf(fp, " Flags:");
227  if (fp_cd->flags & DETECT_CONTENT_OFFSET) {
228  fprintf(fp, " Offset");
229  flags_set = 1;
230  } if (fp_cd->flags & DETECT_CONTENT_DEPTH) {
231  fprintf(fp, " Depth");
232  flags_set = 1;
233  }
234  if (fp_cd->flags & DETECT_CONTENT_WITHIN) {
235  fprintf(fp, " Within");
236  flags_set = 1;
237  }
238  if (fp_cd->flags & DETECT_CONTENT_DISTANCE) {
239  fprintf(fp, " Distance");
240  flags_set = 1;
241  }
242  if (fp_cd->flags & DETECT_CONTENT_NOCASE) {
243  fprintf(fp, " Nocase");
244  flags_set = 1;
245  }
246  if (fp_cd->flags & DETECT_CONTENT_NEGATED) {
247  fprintf(fp, " Negated");
248  flags_set = 1;
249  }
250  if (flags_set == 0)
251  fprintf(fp, " None");
252  fprintf(fp, "\n");
253 
254  fprintf(fp, " Fast pattern set: %s\n", fast_pattern_set ? "yes" : "no");
255  fprintf(fp, " Fast pattern only set: %s\n", fast_pattern_only_set ? "yes" : "no");
256  fprintf(fp, " Fast pattern chop set: %s\n", fast_pattern_chop_set ? "yes" : "no");
257  if (fast_pattern_chop_set) {
258  fprintf(fp, " Fast pattern offset, length: %u, %u\n", fp_cd->fp_chop_offset,
259  fp_cd->fp_chop_len);
260  }
261 
262  uint16_t patlen = fp_cd->content_len;
263  uint8_t *pat = SCMalloc(fp_cd->content_len + 1);
264  if (unlikely(pat == NULL)) {
265  FatalError("Error allocating memory");
266  }
267  memcpy(pat, fp_cd->content, fp_cd->content_len);
268  pat[fp_cd->content_len] = '\0';
269  fprintf(fp, " Original content: ");
270  PrintRawUriFp(fp, pat, patlen);
271  fprintf(fp, "\n");
272 
273  if (fast_pattern_chop_set) {
274  SCFree(pat);
275  patlen = fp_cd->fp_chop_len;
276  pat = SCMalloc(fp_cd->fp_chop_len + 1);
277  if (unlikely(pat == NULL)) {
278  exit(EXIT_FAILURE);
279  }
280  memcpy(pat, fp_cd->content + fp_cd->fp_chop_offset, fp_cd->fp_chop_len);
281  pat[fp_cd->fp_chop_len] = '\0';
282  fprintf(fp, " Final content: ");
283  PrintRawUriFp(fp, pat, patlen);
284  fprintf(fp, "\n");
285 
286  FpPatternStatsAdd(&de_ctx->ea->fp_pattern_stats[0], list_type, patlen);
287  } else {
288  fprintf(fp, " Final content: ");
289  PrintRawUriFp(fp, pat, patlen);
290  fprintf(fp, "\n");
291 
292  FpPatternStatsAdd(&de_ctx->ea->fp_pattern_stats[0], list_type, patlen);
293  }
294  SCFree(pat);
295 
296  fprintf(fp, "\n");
297 }
298 
299 /**
300  * \brief Sets up the fast pattern analyzer according to the config.
301  *
302  * \retval 1 If rule analyzer successfully enabled.
303  * \retval 0 If not enabled.
304  */
305 static int SetupFPAnalyzer(DetectEngineCtx *de_ctx)
306 {
307  int fp_engine_analysis_set = 0;
308 
309  if ((SCConfGetBool("engine-analysis.rules-fast-pattern", &fp_engine_analysis_set)) == 0) {
310  return false;
311  }
312 
313  if (fp_engine_analysis_set == 0)
314  return false;
315 
316  const char *log_dir = SCConfigGetLogDirectory();
317  char *log_path = SCMalloc(PATH_MAX);
318  if (log_path == NULL) {
319  FatalError("Unable to allocate scratch memory for rule filename");
320  }
321  snprintf(log_path, PATH_MAX, "%s/%s%s", log_dir,
322  de_ctx->ea->file_prefix ? de_ctx->ea->file_prefix : "", "rules_fast_pattern.txt");
323 
324  FILE *fp = fopen(log_path, "w");
325  if (fp == NULL) {
326  SCLogError("failed to open %s: %s", log_path, strerror(errno));
327  SCFree(log_path);
328  return false;
329  }
330 
332 
333  SCLogInfo("Engine-Analysis for fast_pattern printed to file - %s",
334  log_path);
335  SCFree(log_path);
336 
337  struct timeval tval;
338  gettimeofday(&tval, NULL);
339  struct tm local_tm;
340  struct tm *tms = SCLocalTime(tval.tv_sec, &local_tm);
341  fprintf(fp, "----------------------------------------------"
342  "---------------------\n");
343  fprintf(fp,
344  "Date: %" PRId32 "/%" PRId32 "/%04d -- "
345  "%02d:%02d:%02d\n",
346  tms->tm_mday, tms->tm_mon + 1, tms->tm_year + 1900, tms->tm_hour, tms->tm_min,
347  tms->tm_sec);
348  fprintf(fp, "----------------------------------------------"
349  "---------------------\n");
350 
351  memset(&de_ctx->ea->fp_pattern_stats[0], 0, sizeof(de_ctx->ea->fp_pattern_stats));
352  return true;
353 }
354 
355 /**
356  * \brief Compiles regex for rule analysis
357  * \retval 1 if successful
358  * \retval 0 if on error
359  */
360 static bool PerCentEncodingSetup(EngineAnalysisCtx *ea_ctx)
361 {
362 #define DETECT_PERCENT_ENCODING_REGEX "%[0-9|a-f|A-F]{2}"
363  int en;
364  PCRE2_SIZE eo = 0;
365  int opts = 0; // PCRE2_NEWLINE_ANY??
366 
367  ea_ctx->percent_re = pcre2_compile((PCRE2_SPTR8)DETECT_PERCENT_ENCODING_REGEX,
368  PCRE2_ZERO_TERMINATED, opts, &en, &eo, NULL);
369  if (ea_ctx->percent_re == NULL) {
370  PCRE2_UCHAR errbuffer[256];
371  pcre2_get_error_message(en, errbuffer, sizeof(errbuffer));
372  SCLogError("Compile of \"%s\" failed at offset %d: %s", DETECT_PERCENT_ENCODING_REGEX,
373  (int)eo, errbuffer);
374  return false;
375  }
376 
377  return true;
378 }
379 /**
380  * \brief Sets up the rule analyzer according to the config
381  * \retval 1 if rule analyzer successfully enabled
382  * \retval 0 if not enabled
383  */
384 static int SetupRuleAnalyzer(DetectEngineCtx *de_ctx)
385 {
386  SCConfNode *conf = SCConfGetNode("engine-analysis");
387  int enabled = 0;
388  if (conf != NULL) {
389  const char *value = SCConfNodeLookupChildValue(conf, "rules");
390  if (value && SCConfValIsTrue(value)) {
391  enabled = 1;
392  } else if (value && strcasecmp(value, "warnings-only") == 0) {
393  enabled = 1;
394  rule_warnings_only = 1;
395  }
396  if (enabled) {
397  const char *log_dir;
398  log_dir = SCConfigGetLogDirectory();
399  char log_path[PATH_MAX];
400  snprintf(log_path, sizeof(log_path), "%s/%s%s", log_dir,
401  de_ctx->ea->file_prefix ? de_ctx->ea->file_prefix : "", "rules_analysis.txt");
402  de_ctx->ea->rule_engine_analysis_fp = fopen(log_path, "w");
403  if (de_ctx->ea->rule_engine_analysis_fp == NULL) {
404  SCLogError("failed to open %s: %s", log_path, strerror(errno));
405  return 0;
406  }
407 
408  SCLogInfo("Engine-Analysis for rules printed to file - %s",
409  log_path);
410 
411  struct timeval tval;
412  gettimeofday(&tval, NULL);
413  struct tm local_tm;
414  struct tm *tms = SCLocalTime(tval.tv_sec, &local_tm);
416  "----------------------------------------------"
417  "---------------------\n");
419  "Date: %" PRId32 "/%" PRId32 "/%04d -- "
420  "%02d:%02d:%02d\n",
421  tms->tm_mday, tms->tm_mon + 1, tms->tm_year + 1900, tms->tm_hour, tms->tm_min,
422  tms->tm_sec);
424  "----------------------------------------------"
425  "---------------------\n");
426 
427  /*compile regex's for rule analysis*/
428  if (!PerCentEncodingSetup(de_ctx->ea)) {
430  "Error compiling regex; can't check for percent encoding in normalized "
431  "http content.\n");
432  }
433  }
434  }
435  else {
436  SCLogInfo("Conf parameter \"engine-analysis.rules\" not found. "
437  "Defaulting to not printing the rules analysis report.");
438  }
439  if (!enabled) {
440  SCLogInfo("Engine-Analysis for rules disabled in conf file.");
441  return 0;
442  }
443  return 1;
444 }
445 
446 static void CleanupFPAnalyzer(DetectEngineCtx *de_ctx)
447 {
448  FILE *fp = de_ctx->ea->rule_engine_analysis_fp;
449  fprintf(fp, "============\n"
450  "Summary:\n============\n");
451 
452  for (int i = 0; i < DETECT_SM_LIST_MAX; i++) {
454  if (f->cnt == 0)
455  continue;
456 
457  fprintf(fp,
458  "%s, smallest pattern %u byte(s), longest pattern %u byte(s), number of patterns "
459  "%u, avg pattern len %.2f byte(s)\n",
460  DetectSigmatchListEnumToString(i), f->min, f->max, f->cnt,
461  (float)((double)f->tot / (float)f->cnt));
462  }
463 
466 }
467 
468 static void CleanupRuleAnalyzer(DetectEngineCtx *de_ctx)
469 {
470  if (de_ctx->ea->fp_engine_analysis_fp != NULL) {
471  fclose(de_ctx->ea->fp_engine_analysis_fp);
473  }
474  if (de_ctx->ea->percent_re != NULL) {
475  pcre2_code_free(de_ctx->ea->percent_re);
476  }
477 }
478 
479 void SetupEngineAnalysis(DetectEngineCtx *de_ctx, bool *fp_analysis, bool *rule_analysis)
480 {
481  *fp_analysis = false;
482  *rule_analysis = false;
483 
484  EngineAnalysisCtx *ea = SCCalloc(1, sizeof(EngineAnalysisCtx));
485  if (ea == NULL) {
486  FatalError("Unable to allocate per-engine analysis context");
487  }
488 
489  ea->file_prefix = NULL;
490  size_t cfg_prefix_len = strlen(de_ctx->config_prefix);
491  if (cfg_prefix_len > 0) {
492  char prefix[sizeof(de_ctx->config_prefix) + 1];
493  snprintf(prefix, sizeof(prefix), "%s.", de_ctx->config_prefix);
494  ea->file_prefix = SCStrdup(prefix);
495  if (ea->file_prefix == NULL) {
496  FatalError("Unable to allocate per-engine analysis context name buffer");
497  }
498  }
499 
500  de_ctx->ea = ea;
501 
502  *fp_analysis = SetupFPAnalyzer(de_ctx);
503  *rule_analysis = SetupRuleAnalyzer(de_ctx);
504 
505  if (!(*fp_analysis || *rule_analysis)) {
506  if (ea->file_prefix)
507  SCFree(ea->file_prefix);
508  if (ea->analyzer_items)
509  SCFree(ea->analyzer_items);
510  SCFree(ea);
511  de_ctx->ea = NULL;
512  }
513 }
514 
516 {
517  if (de_ctx->ea) {
518  CleanupRuleAnalyzer(de_ctx);
519  CleanupFPAnalyzer(de_ctx);
520  if (de_ctx->ea->file_prefix)
522  if (de_ctx->ea->analyzer_items)
524  SCFree(de_ctx->ea);
525  de_ctx->ea = NULL;
526  }
527 }
528 
529 /**
530  * \brief Checks for % encoding in content.
531  * \param Pointer to content
532  * \retval number of matches if content has % encoding
533  * \retval 0 if it doesn't have % encoding
534  * \retval -1 on error
535  */
536 static int PerCentEncodingMatch(EngineAnalysisCtx *ea_ctx, uint8_t *content, uint16_t content_len)
537 {
538  int ret = 0;
539 
540  pcre2_match_data *match = pcre2_match_data_create_from_pattern(ea_ctx->percent_re, NULL);
541  ret = pcre2_match(ea_ctx->percent_re, (PCRE2_SPTR8)content, content_len, 0, 0, match, NULL);
542  if (ret == -1) {
543  return 0;
544  } else if (ret < -1) {
545  SCLogError("Error parsing content - %s; error code is %d", content, ret);
546  ret = -1;
547  }
548  pcre2_match_data_free(match);
549  return ret;
550 }
551 
552 static void EngineAnalysisRulesPrintFP(const DetectEngineCtx *de_ctx, const Signature *s)
553 {
554  const DetectContentData *fp_cd = NULL;
555  const SigMatch *mpm_sm = s->init_data->mpm_sm;
556  const int mpm_sm_list = s->init_data->mpm_sm_list;
557 
558  if (mpm_sm != NULL) {
559  fp_cd = (DetectContentData *)mpm_sm->ctx;
560  }
561 
562  if (fp_cd == NULL) {
563  return;
564  }
565 
566  uint16_t patlen = fp_cd->content_len;
567  uint8_t *pat = SCMalloc(fp_cd->content_len + 1);
568  if (unlikely(pat == NULL)) {
569  FatalError("Error allocating memory");
570  }
571 
572  EngineAnalysisCtx *ea_ctx = de_ctx->ea;
573 
574  memcpy(pat, fp_cd->content, fp_cd->content_len);
575  pat[fp_cd->content_len] = '\0';
576 
578  SCFree(pat);
579  patlen = fp_cd->fp_chop_len;
580  pat = SCMalloc(fp_cd->fp_chop_len + 1);
581  if (unlikely(pat == NULL)) {
582  exit(EXIT_FAILURE);
583  }
584  memcpy(pat, fp_cd->content + fp_cd->fp_chop_offset, fp_cd->fp_chop_len);
585  pat[fp_cd->fp_chop_len] = '\0';
586  fprintf(ea_ctx->rule_engine_analysis_fp, " Fast Pattern \"");
587  PrintRawUriFp(ea_ctx->rule_engine_analysis_fp, pat, patlen);
588  } else {
589  fprintf(ea_ctx->rule_engine_analysis_fp, " Fast Pattern \"");
590  PrintRawUriFp(ea_ctx->rule_engine_analysis_fp, pat, patlen);
591  }
592  SCFree(pat);
593 
594  fprintf(ea_ctx->rule_engine_analysis_fp, "\" on \"");
595 
596  const int list_type = mpm_sm_list;
597  if (list_type == DETECT_SM_LIST_PMATCH) {
598  int payload = 0;
599  int stream = 0;
601  payload = 1;
603  stream = 1;
604  fprintf(ea_ctx->rule_engine_analysis_fp, "%s",
605  payload ? (stream ? "payload and reassembled stream" : "payload")
606  : "reassembled stream");
607  }
608  else {
609  const char *desc = DetectEngineBufferTypeGetDescriptionById(de_ctx, list_type);
610  const char *name = DetectEngineBufferTypeGetNameById(de_ctx, list_type);
611  if (desc && name) {
612  fprintf(ea_ctx->rule_engine_analysis_fp, "%s (%s)", desc, name);
613  } else if (desc || name) {
614  fprintf(ea_ctx->rule_engine_analysis_fp, "%s", desc ? desc : name);
615  }
616 
617  }
618 
619  fprintf(ea_ctx->rule_engine_analysis_fp, "\" ");
620  const DetectBufferType *bt = DetectEngineBufferTypeGetById(de_ctx, list_type);
621  if (bt && bt->transforms.cnt) {
622  fprintf(ea_ctx->rule_engine_analysis_fp, "(with %d transform(s)) ", bt->transforms.cnt);
623  }
624  fprintf(ea_ctx->rule_engine_analysis_fp, "buffer.\n");
625 }
626 
628  const DetectEngineCtx *de_ctx, const char *line, const char *file, int lineno)
629 {
632  if (tmp_fp) {
633  fprintf(tmp_fp, "== Sid: UNKNOWN ==\n");
634  fprintf(tmp_fp, "%s\n", line);
635  fprintf(tmp_fp, " FAILURE: invalid rule.\n");
636  fprintf(tmp_fp, " File: %s.\n", file);
637  fprintf(tmp_fp, " Line: %d.\n", lineno);
638  fprintf(tmp_fp, "\n");
639  }
640 }
641 
642 typedef struct RuleAnalyzer {
643  SCJsonBuilder *js; /* document root */
644 
645  SCJsonBuilder *js_warnings;
646  SCJsonBuilder *js_notes;
648 
649 static void ATTR_FMT_PRINTF(2, 3) AnalyzerNote(RuleAnalyzer *ctx, char *fmt, ...)
650 {
651  va_list ap;
652  char str[1024];
653 
654  va_start(ap, fmt);
655  vsnprintf(str, sizeof(str), fmt, ap);
656  va_end(ap);
657 
658  if (!ctx->js_notes)
659  ctx->js_notes = SCJbNewArray();
660  if (ctx->js_notes)
661  SCJbAppendString(ctx->js_notes, str);
662 }
663 
664 static void ATTR_FMT_PRINTF(2, 3) AnalyzerWarning(RuleAnalyzer *ctx, char *fmt, ...)
665 {
666  va_list ap;
667  char str[1024];
668 
669  va_start(ap, fmt);
670  vsnprintf(str, sizeof(str), fmt, ap);
671  va_end(ap);
672 
673  if (!ctx->js_warnings)
674  ctx->js_warnings = SCJbNewArray();
675  if (ctx->js_warnings)
676  SCJbAppendString(ctx->js_warnings, str);
677 }
678 
679 #define CHECK(pat) if (strlen((pat)) <= len && memcmp((pat), buf, MIN(len, strlen((pat)))) == 0) return true;
680 
681 static bool LooksLikeHTTPMethod(const uint8_t *buf, uint16_t len)
682 {
683  CHECK("GET /");
684  CHECK("POST /");
685  CHECK("HEAD /");
686  CHECK("PUT /");
687  return false;
688 }
689 
690 static bool LooksLikeHTTPUA(const uint8_t *buf, uint16_t len)
691 {
692  CHECK("User-Agent: ");
693  CHECK("\nUser-Agent: ");
694  return false;
695 }
696 
697 static void DumpContent(SCJsonBuilder *js, const DetectContentData *cd)
698 {
699  char pattern_str[1024] = "";
700  DetectContentPatternPrettyPrint(cd->content, cd->content_len, pattern_str, sizeof(pattern_str));
701 
702  SCJbSetString(js, "pattern", pattern_str);
703  SCJbSetUint(js, "length", cd->content_len);
704  SCJbSetBool(js, "nocase", cd->flags & DETECT_CONTENT_NOCASE);
705  SCJbSetBool(js, "negated", cd->flags & DETECT_CONTENT_NEGATED);
706  SCJbSetBool(js, "starts_with", cd->flags & DETECT_CONTENT_STARTS_WITH);
707  SCJbSetBool(js, "ends_with", cd->flags & DETECT_CONTENT_ENDS_WITH);
708  SCJbSetBool(js, "is_mpm", cd->flags & DETECT_CONTENT_MPM);
709  SCJbSetBool(js, "no_double_inspect", cd->flags & DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED);
710  if (cd->flags & DETECT_CONTENT_OFFSET) {
711  SCJbSetUint(js, "offset", cd->offset);
712  }
713  if (cd->flags & DETECT_CONTENT_DEPTH) {
714  SCJbSetUint(js, "depth", cd->depth);
715  }
716  if (cd->flags & DETECT_CONTENT_DISTANCE) {
717  SCJbSetInt(js, "distance", cd->distance);
718  }
719  if (cd->flags & DETECT_CONTENT_WITHIN) {
720  SCJbSetInt(js, "within", cd->within);
721  }
722  SCJbSetBool(js, "fast_pattern", cd->flags & DETECT_CONTENT_FAST_PATTERN);
723  SCJbSetBool(js, "relative_next", cd->flags & DETECT_CONTENT_RELATIVE_NEXT);
724 }
725 
726 static void DumpPcre(SCJsonBuilder *js, const DetectPcreData *cd)
727 {
728  SCJbSetBool(js, "relative", cd->flags & DETECT_PCRE_RELATIVE);
729  SCJbSetBool(js, "relative_next", cd->flags & DETECT_PCRE_RELATIVE_NEXT);
730  SCJbSetBool(js, "nocase", cd->flags & DETECT_PCRE_CASELESS);
731  SCJbSetBool(js, "negated", cd->flags & DETECT_PCRE_NEGATE);
732 }
733 
734 static void DumpMatches(RuleAnalyzer *ctx, SCJsonBuilder *js, const SigMatchData *smd)
735 {
736  if (smd == NULL)
737  return;
738 
739  SCJbOpenArray(js, "matches");
740  do {
741  SCJbStartObject(js);
742  const char *mname = sigmatch_table[smd->type].name;
743  SCJbSetString(js, "name", mname);
744 
745  switch (smd->type) {
746  case DETECT_CONTENT: {
747  const DetectContentData *cd = (const DetectContentData *)smd->ctx;
748 
749  SCJbOpenObject(js, "content");
750  DumpContent(js, cd);
752  AnalyzerNote(ctx, (char *)"'fast_pattern:only' option is silently ignored and "
753  "is interpreted as regular 'fast_pattern'");
754  }
755  if (LooksLikeHTTPMethod(cd->content, cd->content_len)) {
756  AnalyzerNote(ctx,
757  (char *)"pattern looks like it inspects HTTP, use http.request_line or "
758  "http.method and http.uri instead for improved performance");
759  }
760  if (LooksLikeHTTPUA(cd->content, cd->content_len)) {
761  AnalyzerNote(ctx,
762  (char *)"pattern looks like it inspects HTTP, use http.user_agent "
763  "or http.header for improved performance");
764  }
766  AnalyzerNote(ctx, (char *)"'within' option for pattern w/o previous content "
767  "was converted to 'depth'");
768  }
770  AnalyzerNote(ctx, (char *)"'distance' option for pattern w/o previous content "
771  "was converted to 'offset'");
772  }
773  SCJbClose(js);
774  break;
775  }
776  case DETECT_PCRE: {
777  const DetectPcreData *cd = (const DetectPcreData *)smd->ctx;
778 
779  SCJbOpenObject(js, "pcre");
780  DumpPcre(js, cd);
781  SCJbClose(js);
782  if (cd->flags & DETECT_PCRE_RAWBYTES) {
783  AnalyzerNote(ctx,
784  (char *)"'/B' (rawbytes) option is a no-op and is silently ignored");
785  }
787  AnalyzerNote(ctx, (char *)"pcre with \\X (Unicode extended grapheme cluster) "
788  "may be slow");
789  }
790  break;
791  }
792  case DETECT_BYTEJUMP: {
793  const DetectBytejumpData *cd = (const DetectBytejumpData *)smd->ctx;
794 
795  SCJbOpenObject(js, "byte_jump");
796  SCJbSetUint(js, "nbytes", cd->nbytes);
797  SCJbSetInt(js, "offset", cd->offset);
798  SCJbSetUint(js, "multiplier", cd->multiplier);
799  SCJbSetInt(js, "post_offset", cd->post_offset);
800  switch (cd->base) {
802  SCJbSetString(js, "base", "unset");
803  break;
805  SCJbSetString(js, "base", "oct");
806  break;
808  SCJbSetString(js, "base", "dec");
809  break;
811  SCJbSetString(js, "base", "hex");
812  break;
813  }
814  SCJbOpenArray(js, "flags");
815  if (cd->flags & DETECT_BYTEJUMP_BEGIN)
816  SCJbAppendString(js, "from_beginning");
817  if (cd->flags & DETECT_BYTEJUMP_LITTLE)
818  SCJbAppendString(js, "little_endian");
819  if (cd->flags & DETECT_BYTEJUMP_BIG)
820  SCJbAppendString(js, "big_endian");
821  if (cd->flags & DETECT_BYTEJUMP_STRING)
822  SCJbAppendString(js, "string");
824  SCJbAppendString(js, "relative");
825  if (cd->flags & DETECT_BYTEJUMP_ALIGN)
826  SCJbAppendString(js, "align");
827  if (cd->flags & DETECT_BYTEJUMP_DCE)
828  SCJbAppendString(js, "dce");
830  SCJbAppendString(js, "offset_be");
831  if (cd->flags & DETECT_BYTEJUMP_END)
832  SCJbAppendString(js, "from_end");
833  SCJbClose(js);
834  SCJbClose(js);
835  break;
836  }
837  case DETECT_BYTETEST: {
838  const DetectBytetestData *cd = (const DetectBytetestData *)smd->ctx;
839 
840  SCJbOpenObject(js, "byte_test");
841  SCJbSetUint(js, "nbytes", cd->nbytes);
842  SCJbSetInt(js, "offset", cd->offset);
843  switch (cd->base) {
845  SCJbSetString(js, "base", "unset");
846  break;
848  SCJbSetString(js, "base", "oct");
849  break;
851  SCJbSetString(js, "base", "dec");
852  break;
854  SCJbSetString(js, "base", "hex");
855  break;
856  }
857  SCJbOpenArray(js, "flags");
858  if (cd->flags & DETECT_BYTETEST_LITTLE)
859  SCJbAppendString(js, "little_endian");
860  if (cd->flags & DETECT_BYTETEST_BIG)
861  SCJbAppendString(js, "big_endian");
862  if (cd->flags & DETECT_BYTETEST_STRING)
863  SCJbAppendString(js, "string");
865  SCJbAppendString(js, "relative");
866  if (cd->flags & DETECT_BYTETEST_DCE)
867  SCJbAppendString(js, "dce");
868  SCJbClose(js);
869  SCJbClose(js);
870  break;
871  }
872  case DETECT_ABSENT: {
873  const DetectAbsentData *dad = (const DetectAbsentData *)smd->ctx;
874  SCJbOpenObject(js, "absent");
875  SCJbSetBool(js, "or_else", dad->or_else);
876  SCJbClose(js);
877  break;
878  }
879 
880  case DETECT_IPOPTS: {
881  const DetectIpOptsData *cd = (const DetectIpOptsData *)smd->ctx;
882 
883  SCJbOpenObject(js, "ipopts");
884  const char *flag = IpOptsFlagToString(cd->ipopt);
885  SCJbSetString(js, "option", flag);
886  SCJbClose(js);
887  break;
888  }
889  case DETECT_FLOWBITS: {
890  const DetectFlowbitsData *cd = (const DetectFlowbitsData *)smd->ctx;
891 
892  SCJbOpenObject(js, "flowbits");
893  switch (cd->cmd) {
895  SCJbSetString(js, "cmd", "isset");
896  break;
898  SCJbSetString(js, "cmd", "isnotset");
899  break;
901  SCJbSetString(js, "cmd", "set");
902  break;
904  SCJbSetString(js, "cmd", "unset");
905  break;
906  }
907  bool is_or = false;
908  SCJbOpenArray(js, "names");
909  if (cd->or_list_size == 0) {
910  SCJbAppendString(js, VarNameStoreSetupLookup(cd->idx, VAR_TYPE_FLOW_BIT));
911  } else if (cd->or_list_size > 0) {
912  is_or = true;
913  for (uint8_t i = 0; i < cd->or_list_size; i++) {
914  const char *varname =
916  SCJbAppendString(js, varname);
917  }
918  }
919  SCJbClose(js); // array
920  if (is_or) {
921  SCJbSetString(js, "operator", "or");
922  }
923  SCJbClose(js); // object
924  break;
925  }
926  case DETECT_XBITS: {
927  const DetectXbitsData *xd = (const DetectXbitsData *)smd->ctx;
928 
929  SCJbOpenObject(js, "xbits");
930  switch (xd->cmd) {
932  SCJbSetString(js, "cmd", "isset");
933  break;
935  SCJbSetString(js, "cmd", "isnotset");
936  break;
938  SCJbSetString(js, "cmd", "set");
939  break;
941  SCJbSetString(js, "cmd", "unset");
942  break;
944  SCJbSetString(js, "cmd", "toggle");
945  break;
946  }
947  SCJbSetString(js, "name", VarNameStoreSetupLookup(xd->idx, xd->type));
948  switch (xd->tracker) {
950  SCJbSetString(js, "track", "ip_src");
951  break;
953  SCJbSetString(js, "track", "ip_dst");
954  break;
956  SCJbSetString(js, "track", "ip_pair");
957  break;
959  SCJbSetString(js, "track", "tx");
960  break;
961  }
962  // always log expire value
963  SCJbSetUint(js, "expire", xd->expire);
964  SCJbClose(js); // object
965  break;
966  }
967  case DETECT_FLOWINT: {
968  const DetectFlowintData *cd = (const DetectFlowintData *)smd->ctx;
969 
970  SCJbOpenObject(js, "flowint");
971  switch (cd->modifier) {
973  SCJbSetString(js, "cmd", "set");
974  break;
976  SCJbSetString(js, "cmd", "add");
977  break;
979  SCJbSetString(js, "cmd", "sub");
980  break;
981  case FLOWINT_MODIFIER_LT:
982  SCJbSetString(js, "cmd", "lt");
983  break;
984  case FLOWINT_MODIFIER_LE:
985  SCJbSetString(js, "cmd", "lte");
986  break;
987  case FLOWINT_MODIFIER_EQ:
988  SCJbSetString(js, "cmd", "eq");
989  break;
990  case FLOWINT_MODIFIER_NE:
991  SCJbSetString(js, "cmd", "ne");
992  break;
993  case FLOWINT_MODIFIER_GE:
994  SCJbSetString(js, "cmd", "gte");
995  break;
996  case FLOWINT_MODIFIER_GT:
997  SCJbSetString(js, "cmd", "gt");
998  break;
1000  SCJbSetString(js, "cmd", "isset");
1001  break;
1003  SCJbSetString(js, "cmd", "isnotset");
1004  break;
1005  }
1006  const char *varname = VarNameStoreSetupLookup(cd->idx, VAR_TYPE_FLOW_INT);
1007  if (varname != NULL) {
1008  SCJbSetString(js, "var", varname);
1009  }
1010  if (cd->targettype == FLOWINT_TARGET_VAL) {
1011  SCJbSetUint(js, "value", cd->target.value);
1012  } else if (cd->targettype == FLOWINT_TARGET_VAR) {
1013  if (cd->target.tvar.name != NULL) {
1014  SCJbSetString(js, "target", cd->target.tvar.name);
1015  }
1016  }
1017  SCJbClose(js);
1018  break;
1019  }
1020  case DETECT_ACK: {
1021  const DetectU32Data *cd = (const DetectU32Data *)smd->ctx;
1022  SCJbOpenObject(js, "ack");
1023  SCDetectU32ToJson(js, cd);
1024  SCJbClose(js);
1025  break;
1026  }
1027  case DETECT_SEQ: {
1028  const DetectU32Data *cd = (const DetectU32Data *)smd->ctx;
1029  SCJbOpenObject(js, "seq");
1030  SCDetectU32ToJson(js, cd);
1031  SCJbClose(js);
1032  break;
1033  }
1034  case DETECT_TCPMSS: {
1035  const DetectU16Data *cd = (const DetectU16Data *)smd->ctx;
1036  SCJbOpenObject(js, "tcp_mss");
1037  SCDetectU16ToJson(js, cd);
1038  SCJbClose(js);
1039  break;
1040  }
1041  case DETECT_DSIZE: {
1042  const DetectU16Data *cd = (const DetectU16Data *)smd->ctx;
1043  SCJbOpenObject(js, "dsize");
1044  SCDetectU16ToJson(js, cd);
1045  SCJbClose(js);
1046  break;
1047  }
1048  case DETECT_ICODE: {
1049  const DetectU8Data *cd = (const DetectU8Data *)smd->ctx;
1050  SCJbOpenObject(js, "code");
1051  SCDetectU8ToJson(js, cd);
1052  SCJbClose(js);
1053  break;
1054  }
1055  case DETECT_TTL: {
1056  const DetectU8Data *cd = (const DetectU8Data *)smd->ctx;
1057  SCJbOpenObject(js, "ttl");
1058  SCDetectU8ToJson(js, cd);
1059  SCJbClose(js);
1060  break;
1061  }
1062  case DETECT_ICMP_ID: {
1063  const DetectU16Data *cd = (const DetectU16Data *)smd->ctx;
1064  SCJbOpenObject(js, "id");
1065  SCDetectU16ToJson(js, cd);
1066  SCJbClose(js);
1067  break;
1068  }
1069  case DETECT_WINDOW: {
1070  const DetectU16Data *cd = (const DetectU16Data *)smd->ctx;
1071  SCJbOpenObject(js, "window");
1072  SCDetectU16ToJson(js, cd);
1073  SCJbClose(js);
1074  break;
1075  }
1076  case DETECT_FLOW_AGE: {
1077  const DetectU32Data *cd = (const DetectU32Data *)smd->ctx;
1078  SCJbOpenObject(js, "flow_age");
1079  SCDetectU32ToJson(js, cd);
1080  SCJbClose(js);
1081  break;
1082  }
1083  case DETECT_FLOW_ELEPHANT: {
1084  const uint8_t *dfd = (const uint8_t *)smd->ctx;
1085  SCJbOpenObject(js, "flow_elephant");
1086  switch (*dfd) {
1087  case DETECT_FLOW_TOSERVER:
1088  SCJbSetString(js, "dir", "toserver");
1089  break;
1090  case DETECT_FLOW_TOCLIENT:
1091  SCJbSetString(js, "dir", "toclient");
1092  break;
1093  case DETECT_FLOW_TOEITHER:
1094  SCJbSetString(js, "dir", "either");
1095  break;
1096  case DETECT_FLOW_TOBOTH:
1097  SCJbSetString(js, "dir", "both");
1098  break;
1099  }
1100  SCJbClose(js);
1101  break;
1102  }
1104  const DetectAppLayerProtocolData *ad = (const DetectAppLayerProtocolData *)smd->ctx;
1105  SCJbOpenObject(js, "app_layer_protocol");
1106  AppProto vals[256];
1107  uint16_t n = DetectAppLayerProtocolGetValues(ad, vals, ARRAY_SIZE(vals));
1108  SCJbOpenArray(js, "protocols");
1109  for (uint16_t i = 0; i < n; i++) {
1110  SCJbAppendString(js, AppProtoToString(vals[i]));
1111  }
1112  SCJbClose(js);
1113  SCJbSetString(js, "mode", DetectAppLayerProtocolModeName(ad->mode));
1114  SCJbSetBool(js, "negated", ad->negated);
1115  SCJbClose(js);
1116  break;
1117  }
1118  }
1119  SCJbClose(js);
1120 
1121  if (smd->is_last)
1122  break;
1123  smd++;
1124  } while (1);
1125  SCJbClose(js);
1126 }
1127 
1130 {
1131  SCEnter();
1132 
1133  RuleAnalyzer ctx = { NULL, NULL, NULL };
1134 
1135  ctx.js = SCJbNewObject();
1136  if (ctx.js == NULL)
1137  SCReturn;
1138 
1139  if (s->init_data->firewall_rule) {
1140  JB_SET_STRING(ctx.js, "class", "firewall");
1141  } else {
1142  JB_SET_STRING(ctx.js, "class", "threat detection");
1143  }
1144 
1145  SCJbSetString(ctx.js, "raw", s->sig_str);
1146  SCJbSetUint(ctx.js, "id", s->id);
1147  SCJbSetUint(ctx.js, "gid", s->gid);
1148  SCJbSetUint(ctx.js, "rev", s->rev);
1149  SCJbSetString(ctx.js, "msg", s->msg);
1150 
1151  const char *alproto = AppProtoToString(s->alproto);
1152  SCJbSetString(ctx.js, "app_proto", alproto);
1153 
1154  SCJbOpenArray(ctx.js, "requirements");
1155  if (s->mask & SIG_MASK_REQUIRE_PAYLOAD) {
1156  SCJbAppendString(ctx.js, "payload");
1157  }
1158  if (s->mask & SIG_MASK_REQUIRE_NO_PAYLOAD) {
1159  SCJbAppendString(ctx.js, "no_payload");
1160  }
1161  if (s->mask & SIG_MASK_REQUIRE_FLOW) {
1162  SCJbAppendString(ctx.js, "flow");
1163  }
1165  SCJbAppendString(ctx.js, "tcp_flags_init_deinit");
1166  }
1168  SCJbAppendString(ctx.js, "tcp_flags_unusual");
1169  }
1171  SCJbAppendString(ctx.js, "engine_event");
1172  }
1173  if (s->mask & SIG_MASK_REQUIRE_REAL_PKT) {
1174  SCJbAppendString(ctx.js, "real_pkt");
1175  }
1176  SCJbClose(ctx.js);
1177 
1178  SCJbOpenObject(ctx.js, "match_policy");
1179  SCJbOpenArray(ctx.js, "actions");
1180  if (s->action & ACTION_ALERT) {
1181  SCJbAppendString(ctx.js, "alert");
1182  }
1183  if (s->action & ACTION_DROP) {
1184  SCJbAppendString(ctx.js, "drop");
1185  }
1186  if (s->action & ACTION_REJECT) {
1187  SCJbAppendString(ctx.js, "reject");
1188  }
1189  if (s->action & ACTION_REJECT_DST) {
1190  SCJbAppendString(ctx.js, "reject_dst");
1191  }
1192  if (s->action & ACTION_REJECT_BOTH) {
1193  SCJbAppendString(ctx.js, "reject_both");
1194  }
1195  if (s->action & ACTION_CONFIG) {
1196  SCJbAppendString(ctx.js, "config");
1197  }
1198  if (s->action & ACTION_PASS) {
1199  SCJbAppendString(ctx.js, "pass");
1200  }
1201  if (s->action & ACTION_ACCEPT) {
1202  SCJbAppendString(ctx.js, "accept");
1203  }
1204  SCJbClose(ctx.js);
1205 
1206  if (s->action_scope == ACTION_SCOPE_AUTO) {
1208  switch (flow_action) {
1210  SCJbSetString(ctx.js, "scope", "packet");
1211  break;
1213  SCJbSetString(ctx.js, "scope", "flow");
1214  break;
1216  SCJbSetString(ctx.js, "scope", "flow_if_stateful");
1217  break;
1218  }
1219  } else {
1220  enum ActionScope as = s->action_scope;
1221  switch (as) {
1222  case ACTION_SCOPE_PACKET:
1223  SCJbSetString(ctx.js, "scope", "packet");
1224  break;
1225  case ACTION_SCOPE_FLOW:
1226  SCJbSetString(ctx.js, "scope", "flow");
1227  break;
1228  case ACTION_SCOPE_HOOK:
1229  SCJbSetString(ctx.js, "scope", "hook");
1230  break;
1231  case ACTION_SCOPE_TX:
1232  SCJbSetString(ctx.js, "scope", "tx");
1233  break;
1234  case ACTION_SCOPE_AUTO: /* should be unreachable */
1235  break;
1236  }
1237  }
1238  SCJbClose(ctx.js);
1239 
1240  switch (s->type) {
1241  case SIG_TYPE_NOT_SET:
1242  SCJbSetString(ctx.js, "type", "unset");
1243  break;
1244  case SIG_TYPE_IPONLY:
1245  SCJbSetString(ctx.js, "type", "ip_only");
1246  break;
1247  case SIG_TYPE_LIKE_IPONLY:
1248  SCJbSetString(ctx.js, "type", "like_ip_only");
1249  break;
1250  case SIG_TYPE_PDONLY:
1251  SCJbSetString(ctx.js, "type", "pd_only");
1252  break;
1253  case SIG_TYPE_DEONLY:
1254  SCJbSetString(ctx.js, "type", "de_only");
1255  break;
1256  case SIG_TYPE_PKT:
1257  SCJbSetString(ctx.js, "type", "pkt");
1258  break;
1259  case SIG_TYPE_PKT_STREAM:
1260  SCJbSetString(ctx.js, "type", "pkt_stream");
1261  break;
1262  case SIG_TYPE_STREAM:
1263  SCJbSetString(ctx.js, "type", "stream");
1264  break;
1265  case SIG_TYPE_APPLAYER:
1266  SCJbSetString(ctx.js, "type", "app_layer");
1267  break;
1268  case SIG_TYPE_APP_TX:
1269  SCJbSetString(ctx.js, "type", "app_tx");
1270  break;
1271  case SIG_TYPE_MAX:
1272  SCJbSetString(ctx.js, "type", "error");
1273  break;
1274  }
1275 
1276  // dependencies object and its subfields only logged if we have values
1278  SCJbOpenObject(ctx.js, "dependencies");
1279  SCJbOpenObject(ctx.js, "flowbits");
1280  SCJbOpenObject(ctx.js, "upstream");
1282  SCJbOpenObject(ctx.js, "state_modifying_rules");
1283  SCJbOpenArray(ctx.js, "sids");
1284  for (uint32_t i = 0; i < s->init_data->rule_state_dependant_sids_idx; i++) {
1285  SCJbAppendUint(ctx.js, s->init_data->rule_state_dependant_sids_array[i]);
1286  }
1287  SCJbClose(ctx.js); // sids
1288  SCJbOpenArray(ctx.js, "names");
1289  for (uint32_t i = 0; i < s->init_data->rule_state_flowbits_ids_size - 1; i++) {
1290  if (s->init_data->rule_state_flowbits_ids_array[i] != 0) {
1291  SCJbAppendString(ctx.js,
1294  }
1295  }
1296  SCJbClose(ctx.js); // names
1297  SCJbClose(ctx.js); // state_modifying_rules
1298  }
1299  SCJbClose(ctx.js); // upstream
1300  SCJbClose(ctx.js); // flowbits
1301  SCJbClose(ctx.js); // dependencies
1302  }
1303 
1304  SCJbOpenArray(ctx.js, "flags");
1305  if (s->flags & SIG_FLAG_SRC_ANY) {
1306  SCJbAppendString(ctx.js, "src_any");
1307  }
1308  if (s->flags & SIG_FLAG_DST_ANY) {
1309  SCJbAppendString(ctx.js, "dst_any");
1310  }
1311  if (s->flags & SIG_FLAG_SP_ANY) {
1312  SCJbAppendString(ctx.js, "sp_any");
1313  }
1314  if (s->flags & SIG_FLAG_DP_ANY) {
1315  SCJbAppendString(ctx.js, "dp_any");
1316  }
1317  if ((s->action & ACTION_ALERT) == 0) {
1318  SCJbAppendString(ctx.js, "noalert");
1319  }
1320  if (s->flags & SIG_FLAG_DSIZE) {
1321  SCJbAppendString(ctx.js, "dsize");
1322  }
1323  if (s->flags & SIG_FLAG_APPLAYER) {
1324  SCJbAppendString(ctx.js, "applayer");
1325  }
1326  if (s->flags & SIG_FLAG_REQUIRE_PACKET) {
1327  SCJbAppendString(ctx.js, "need_packet");
1328  }
1329  if (s->flags & SIG_FLAG_REQUIRE_STREAM) {
1330  SCJbAppendString(ctx.js, "need_stream");
1331  }
1332  if (s->flags & SIG_FLAG_MPM_NEG) {
1333  SCJbAppendString(ctx.js, "negated_mpm");
1334  }
1335  if (s->flags & SIG_FLAG_FLUSH) {
1336  SCJbAppendString(ctx.js, "flush");
1337  }
1338  if (s->flags & SIG_FLAG_REQUIRE_FLOWVAR) {
1339  SCJbAppendString(ctx.js, "need_flowvar");
1340  }
1341  if (s->flags & SIG_FLAG_FILESTORE) {
1342  SCJbAppendString(ctx.js, "filestore");
1343  }
1344  if (s->flags & SIG_FLAG_TOSERVER) {
1345  SCJbAppendString(ctx.js, "toserver");
1346  }
1347  if (s->flags & SIG_FLAG_TOCLIENT) {
1348  SCJbAppendString(ctx.js, "toclient");
1349  }
1350  if (s->flags & SIG_FLAG_TLSSTORE) {
1351  SCJbAppendString(ctx.js, "tlsstore");
1352  }
1353  if (s->flags & SIG_FLAG_BYPASS) {
1354  SCJbAppendString(ctx.js, "bypass");
1355  }
1356  if (s->flags & SIG_FLAG_PREFILTER) {
1357  SCJbAppendString(ctx.js, "prefilter");
1358  }
1359  if (s->flags & SIG_FLAG_SRC_IS_TARGET) {
1360  SCJbAppendString(ctx.js, "src_is_target");
1361  }
1362  if (s->flags & SIG_FLAG_DEST_IS_TARGET) {
1363  SCJbAppendString(ctx.js, "dst_is_target");
1364  }
1365  SCJbClose(ctx.js);
1366 
1367  const DetectEnginePktInspectionEngine *pkt_mpm = NULL;
1368  const DetectEngineAppInspectionEngine *app_mpm = NULL;
1369 
1370  SCJbOpenArray(ctx.js, "pkt_engines");
1372  for ( ; pkt != NULL; pkt = pkt->next) {
1374  if (name == NULL) {
1375  switch (pkt->sm_list) {
1376  case DETECT_SM_LIST_PMATCH:
1377  name = "payload";
1378  break;
1379  case DETECT_SM_LIST_MATCH:
1380  name = "packet";
1381  break;
1382  default:
1383  name = "unknown";
1384  break;
1385  }
1386  }
1387  SCJbStartObject(ctx.js);
1388  SCJbSetString(ctx.js, "name", name);
1389  SCJbSetBool(ctx.js, "is_mpm", pkt->mpm);
1390  if (pkt->v1.transforms != NULL) {
1391  SCJbOpenArray(ctx.js, "transforms");
1392  for (int t = 0; t < pkt->v1.transforms->cnt; t++) {
1393  SCJbStartObject(ctx.js);
1394  SCJbSetString(ctx.js, "name",
1396  SCJbClose(ctx.js);
1397  }
1398  SCJbClose(ctx.js);
1399  }
1400  DumpMatches(&ctx, ctx.js, pkt->smd);
1401  SCJbClose(ctx.js);
1402  if (pkt->mpm) {
1403  pkt_mpm = pkt;
1404  }
1405  }
1406  SCJbClose(ctx.js);
1407  SCJbOpenArray(ctx.js, "frame_engines");
1409  for (; frame != NULL; frame = frame->next) {
1410  const char *name = DetectEngineBufferTypeGetNameById(de_ctx, frame->sm_list);
1411  SCJbStartObject(ctx.js);
1412  SCJbSetString(ctx.js, "name", name);
1413  SCJbSetBool(ctx.js, "is_mpm", frame->mpm);
1414  if (frame->v1.transforms != NULL) {
1415  SCJbOpenArray(ctx.js, "transforms");
1416  for (int t = 0; t < frame->v1.transforms->cnt; t++) {
1417  SCJbStartObject(ctx.js);
1418  SCJbSetString(ctx.js, "name",
1420  SCJbClose(ctx.js);
1421  }
1422  SCJbClose(ctx.js);
1423  }
1424  DumpMatches(&ctx, ctx.js, frame->smd);
1425  SCJbClose(ctx.js);
1426  }
1427  SCJbClose(ctx.js);
1428 
1430  bool has_stream = false;
1431  bool has_client_body_mpm = false;
1432  bool has_file_data_mpm = false;
1433 
1434  SCJbOpenArray(ctx.js, "engines");
1436  for ( ; app != NULL; app = app->next) {
1438  if (name == NULL) {
1439  switch (app->sm_list) {
1440  case DETECT_SM_LIST_PMATCH:
1441  name = "stream";
1442  break;
1443  default:
1444  name = "unknown";
1445  break;
1446  }
1447  }
1448 
1449  if (app->sm_list == DETECT_SM_LIST_PMATCH && !app->mpm) {
1450  has_stream = true;
1451  } else if (app->mpm && strcmp(name, "http_client_body") == 0) {
1452  has_client_body_mpm = true;
1453  } else if (app->mpm && strcmp(name, "file_data") == 0) {
1454  has_file_data_mpm = true;
1455  }
1456 
1457  SCJbStartObject(ctx.js);
1458  SCJbSetString(ctx.js, "name", name);
1459  const char *direction = app->dir == 0 ? "toserver" : "toclient";
1460  SCJbSetString(ctx.js, "direction", direction);
1461  SCJbSetBool(ctx.js, "is_mpm", app->mpm);
1462  SCJbSetString(ctx.js, "app_proto", AppProtoToString(app->alproto));
1463  SCJbSetUint(ctx.js, "progress", app->progress);
1464  if (app->sub_state)
1465  SCJbSetString(ctx.js, "sub_state",
1467 
1468  if (app->v2.transforms != NULL) {
1469  SCJbOpenArray(ctx.js, "transforms");
1470  for (int t = 0; t < app->v2.transforms->cnt; t++) {
1471  SCJbStartObject(ctx.js);
1472  SCJbSetString(ctx.js, "name",
1474  SCJbClose(ctx.js);
1475  }
1476  SCJbClose(ctx.js);
1477  }
1478  DumpMatches(&ctx, ctx.js, app->smd);
1479  SCJbClose(ctx.js);
1480  if (app->mpm) {
1481  app_mpm = app;
1482  }
1483  }
1484  SCJbClose(ctx.js);
1485 
1486  if (has_stream && has_client_body_mpm)
1487  AnalyzerNote(&ctx, (char *)"mpm in http_client_body combined with stream match leads to stream buffering");
1488  if (has_stream && has_file_data_mpm)
1489  AnalyzerNote(&ctx, (char *)"mpm in file_data combined with stream match leads to stream buffering");
1490  }
1491 
1492  SCJbOpenObject(ctx.js, "lists");
1493  for (int i = 0; i < DETECT_SM_LIST_MAX; i++) {
1494  if (s->sm_arrays[i] != NULL) {
1495  SCJbOpenObject(ctx.js, DetectListToHumanString(i));
1496  DumpMatches(&ctx, ctx.js, s->sm_arrays[i]);
1497  SCJbClose(ctx.js);
1498  }
1499  }
1500  SCJbClose(ctx.js);
1501 
1502  if (pkt_mpm || app_mpm) {
1503  SCJbOpenObject(ctx.js, "mpm");
1504 
1505  int mpm_list = pkt_mpm ? DETECT_SM_LIST_PMATCH : app_mpm->sm_list;
1506  const char *name;
1507  if (mpm_list < DETECT_SM_LIST_DYNAMIC_START)
1508  name = DetectListToHumanString(mpm_list);
1509  else
1511  SCJbSetString(ctx.js, "buffer", name);
1512 
1513  SigMatchData *smd = pkt_mpm ? pkt_mpm->smd : app_mpm->smd;
1514  if (smd == NULL) {
1516  smd = s->sm_arrays[mpm_list];
1517  }
1518  do {
1519  switch (smd->type) {
1520  case DETECT_CONTENT: {
1521  const DetectContentData *cd = (const DetectContentData *)smd->ctx;
1522  if (cd->flags & DETECT_CONTENT_MPM) {
1523  DumpContent(ctx.js, cd);
1524  }
1525  break;
1526  }
1527  }
1528 
1529  if (smd->is_last)
1530  break;
1531  smd++;
1532  } while (1);
1533  SCJbClose(ctx.js);
1534  } else if (s->init_data->prefilter_sm) {
1535  SCJbOpenObject(ctx.js, "prefilter");
1536  int prefilter_list = SigMatchListSMBelongsTo(s, s->init_data->prefilter_sm);
1537  const char *name;
1538  if (prefilter_list < DETECT_SM_LIST_DYNAMIC_START)
1539  name = DetectListToHumanString(prefilter_list);
1540  else
1541  name = DetectEngineBufferTypeGetNameById(de_ctx, prefilter_list);
1542  SCJbSetString(ctx.js, "buffer", name);
1543  const char *mname = sigmatch_table[s->init_data->prefilter_sm->type].name;
1544  SCJbSetString(ctx.js, "name", mname);
1545  SCJbClose(ctx.js);
1546  }
1547 
1548  if (ctx.js_warnings) {
1549  SCJbClose(ctx.js_warnings);
1550  SCJbSetObject(ctx.js, "warnings", ctx.js_warnings);
1551  SCJbFree(ctx.js_warnings);
1552  ctx.js_warnings = NULL;
1553  }
1554  if (ctx.js_notes) {
1555  SCJbClose(ctx.js_notes);
1556  SCJbSetObject(ctx.js, "notes", ctx.js_notes);
1557  SCJbFree(ctx.js_notes);
1558  ctx.js_notes = NULL;
1559  }
1560  SCJbClose(ctx.js);
1561 
1562  const char *filename = "rules.json";
1563  const char *log_dir = SCConfigGetLogDirectory();
1564  char json_path[PATH_MAX] = "";
1565  snprintf(json_path, sizeof(json_path), "%s/%s%s", log_dir,
1566  de_ctx->ea->file_prefix ? de_ctx->ea->file_prefix : "", filename);
1567 
1569  FILE *fp = fopen(json_path, "a");
1570  if (fp != NULL) {
1571  fwrite(SCJbPtr(ctx.js), SCJbLen(ctx.js), 1, fp);
1572  fprintf(fp, "\n");
1573  fclose(fp);
1574  }
1576  SCJbFree(ctx.js);
1577  SCReturn;
1578 }
1579 
1581 {
1582  if (de_ctx->pattern_hash_table == NULL)
1583  return;
1584 
1585  SCJsonBuilder *root_jb = SCJbNewObject();
1586  if (root_jb == NULL) {
1587  return;
1588  }
1589  SCJsonBuilder **arrays = SCCalloc(de_ctx->buffer_type_id, sizeof(SCJsonBuilder *));
1590  if (arrays == NULL) {
1591  SCJbFree(root_jb);
1592  return;
1593  }
1594 
1595  SCJbOpenArray(root_jb, "buffers");
1596 
1598  htb != NULL; htb = HashListTableGetListNext(htb)) {
1599  char str[1024] = "";
1601  DetectContentPatternPrettyPrint(p->cd->content, p->cd->content_len, str, sizeof(str));
1602 
1603  SCJsonBuilder *jb = arrays[p->sm_list];
1604  if (arrays[p->sm_list] == NULL) {
1605  jb = arrays[p->sm_list] = SCJbNewObject();
1606  const char *name;
1607  if (p->sm_list < DETECT_SM_LIST_DYNAMIC_START)
1608  name = DetectListToHumanString(p->sm_list);
1609  else
1611  SCJbSetString(jb, "name", name);
1612  SCJbSetUint(jb, "list_id", p->sm_list);
1613 
1614  SCJbOpenArray(jb, "patterns");
1615  }
1616 
1617  SCJbStartObject(jb);
1618  SCJbSetString(jb, "pattern", str);
1619  SCJbSetUint(jb, "patlen", p->cd->content_len);
1620  SCJbSetUint(jb, "cnt", p->cnt);
1621  SCJbSetUint(jb, "mpm", p->mpm);
1622  SCJbOpenObject(jb, "flags");
1623  SCJbSetBool(jb, "nocase", p->cd->flags & DETECT_CONTENT_NOCASE);
1624  SCJbSetBool(jb, "negated", p->cd->flags & DETECT_CONTENT_NEGATED);
1625  SCJbSetBool(jb, "depth", p->cd->flags & DETECT_CONTENT_DEPTH);
1626  SCJbSetBool(jb, "offset", p->cd->flags & DETECT_CONTENT_OFFSET);
1627  SCJbSetBool(jb, "endswith", p->cd->flags & DETECT_CONTENT_ENDS_WITH);
1628  SCJbClose(jb);
1629  SCJbClose(jb);
1630  }
1631 
1632  for (uint32_t i = 0; i < de_ctx->buffer_type_id; i++) {
1633  SCJsonBuilder *jb = arrays[i];
1634  if (jb == NULL)
1635  continue;
1636 
1637  SCJbClose(jb); // array
1638  SCJbClose(jb); // object
1639 
1640  SCJbAppendObject(root_jb, jb);
1641  SCJbFree(jb);
1642  }
1643  SCJbClose(root_jb);
1644  SCJbClose(root_jb);
1645 
1646  const char *filename = "patterns.json";
1647  const char *log_dir = SCConfigGetLogDirectory();
1648  char json_path[PATH_MAX] = "";
1649  snprintf(json_path, sizeof(json_path), "%s/%s%s", log_dir,
1650  de_ctx->ea->file_prefix ? de_ctx->ea->file_prefix : "", filename);
1651 
1653  FILE *fp = fopen(json_path, "a");
1654  if (fp != NULL) {
1655  fwrite(SCJbPtr(root_jb), SCJbLen(root_jb), 1, fp);
1656  fprintf(fp, "\n");
1657  fclose(fp);
1658  }
1660  SCJbFree(root_jb);
1661  SCFree(arrays);
1662 
1664  de_ctx->pattern_hash_table = NULL;
1665 }
1666 
1667 static void EngineAnalysisItemsReset(EngineAnalysisCtx *ea_ctx)
1668 {
1669  for (size_t i = 0; i < ARRAY_SIZE(analyzer_items); i++) {
1670  ea_ctx->analyzer_items[i].item_seen = false;
1671  }
1672 }
1673 
1674 static void EngineAnalysisItemsInit(EngineAnalysisCtx *ea_ctx)
1675 {
1676  if (ea_ctx->analyzer_initialized) {
1677  EngineAnalysisItemsReset(ea_ctx);
1678  return;
1679  }
1680 
1681  ea_ctx->exposed_item_seen_list[0].bufname = "http_method";
1682  ea_ctx->exposed_item_seen_list[1].bufname = "file_data";
1683  ea_ctx->analyzer_items = SCCalloc(1, sizeof(analyzer_items));
1684  if (!ea_ctx->analyzer_items) {
1685  FatalError("Unable to allocate analysis scratch pad");
1686  }
1687  memset(ea_ctx->analyzer_item_map, -1, sizeof(ea_ctx->analyzer_item_map));
1688 
1689  for (size_t i = 0; i < ARRAY_SIZE(analyzer_items); i++) {
1690  ea_ctx->analyzer_items[i] = analyzer_items[i];
1691  DetectEngineAnalyzerItems *analyzer_item = &ea_ctx->analyzer_items[i];
1692 
1693  int item_id = DetectBufferTypeGetByName(analyzer_item->item_name);
1694  DEBUG_VALIDATE_BUG_ON(item_id < 0 || item_id > UINT16_MAX);
1695  analyzer_item->item_id = (uint16_t)item_id;
1696  if (analyzer_item->item_id == -1) {
1697  /* Mismatch between the analyzer_items array and what's supported */
1698  FatalError("unable to initialize engine-analysis table: detect buffer \"%s\" not "
1699  "recognized.",
1700  analyzer_item->item_name);
1701  }
1702  analyzer_item->item_seen = false;
1703 
1704  if (analyzer_item->export_item_seen) {
1705  for (size_t k = 0; k < ARRAY_SIZE(ea_ctx->exposed_item_seen_list); k++) {
1706  if (0 ==
1707  strcmp(ea_ctx->exposed_item_seen_list[k].bufname, analyzer_item->item_name))
1708  ea_ctx->exposed_item_seen_list[k].item_seen_ptr = &analyzer_item->item_seen;
1709  }
1710  }
1711  ea_ctx->analyzer_item_map[analyzer_item->item_id] = (int16_t)i;
1712  }
1713 
1714  ea_ctx->analyzer_initialized = true;
1715 }
1716 
1717 /**
1718  * \brief Prints analysis of loaded rules.
1719  *
1720  * Warns if potential rule issues are detected. For example,
1721  * warns if a rule uses a construct that may perform poorly,
1722  * e.g. pcre without content or with http_method content only;
1723  * warns if a rule uses a construct that may not be consistent with intent,
1724  * e.g. client side ports only, http and content without any http_* modifiers, etc.
1725  *
1726  * \param s Pointer to the signature.
1727  */
1729  const Signature *s, const char *line)
1730 {
1731  uint32_t rule_bidirectional = 0;
1732  uint32_t rule_pcre = 0;
1733  uint32_t rule_pcre_http = 0;
1734  uint32_t rule_content = 0;
1735  uint32_t rule_flow = 0;
1736  uint32_t rule_flags = 0;
1737  uint32_t rule_flow_toserver = 0;
1738  uint32_t rule_flow_toclient = 0;
1739  uint32_t rule_flow_nostream = 0;
1740  uint32_t rule_ipv4_only = 0;
1741  uint32_t rule_ipv6_only = 0;
1742  uint32_t rule_flowbits = 0;
1743  uint32_t rule_flowint = 0;
1744  uint32_t rule_content_http = 0;
1745  uint32_t rule_content_offset_depth = 0;
1746  int32_t list_id = 0;
1747  uint32_t rule_warning = 0;
1748  uint32_t stream_buf = 0;
1749  uint32_t packet_buf = 0;
1750  uint32_t file_store = 0;
1751  uint32_t warn_pcre_no_content = 0;
1752  uint32_t warn_pcre_http_content = 0;
1753  uint32_t warn_pcre_http = 0;
1754  uint32_t warn_content_http_content = 0;
1755  uint32_t warn_content_http = 0;
1756  uint32_t warn_tcp_no_flow = 0;
1757  uint32_t warn_client_ports = 0;
1758  uint32_t warn_direction = 0;
1759  uint32_t warn_method_toclient = 0;
1760  uint32_t warn_method_serverbody = 0;
1761  uint32_t warn_pcre_method = 0;
1762  uint32_t warn_encoding_norm_http_buf = 0;
1763  uint32_t warn_file_store_not_present = 0;
1764  uint32_t warn_offset_depth_pkt_stream = 0;
1765  uint32_t warn_offset_depth_alproto = 0;
1766  uint32_t warn_non_alproto_fp_for_alproto_sig = 0;
1767  uint32_t warn_no_direction = 0;
1768  uint32_t warn_both_direction = 0;
1769 
1770  EngineAnalysisItemsInit(de_ctx->ea);
1771 
1772  bool *http_method_item_seen_ptr = de_ctx->ea->exposed_item_seen_list[0].item_seen_ptr;
1773  bool *http_server_body_item_seen_ptr = de_ctx->ea->exposed_item_seen_list[1].item_seen_ptr;
1774 
1776  rule_bidirectional = 1;
1777  }
1778 
1779  if (s->flags & SIG_FLAG_REQUIRE_PACKET) {
1780  packet_buf += 1;
1781  }
1782  if (s->flags & SIG_FLAG_FILESTORE) {
1783  file_store += 1;
1784  }
1785  if (s->flags & SIG_FLAG_REQUIRE_STREAM) {
1786  stream_buf += 1;
1787  }
1788 
1789  if (s->proto && s->proto->flags & DETECT_PROTO_IPV4) {
1790  rule_ipv4_only += 1;
1791  }
1792  if (s->proto && s->proto->flags & DETECT_PROTO_IPV6) {
1793  rule_ipv6_only += 1;
1794  }
1795 
1796  for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
1797  SigMatch *sm = NULL;
1798  for (sm = s->init_data->smlists[list_id]; sm != NULL; sm = sm->next) {
1799  int16_t item_slot = de_ctx->ea->analyzer_item_map[list_id];
1800  if (sm->type == DETECT_PCRE) {
1801  if (item_slot == -1) {
1802  rule_pcre++;
1803  continue;
1804  }
1805 
1806  rule_pcre_http++;
1807  de_ctx->ea->analyzer_items[item_slot].item_seen = true;
1808  } else if (sm->type == DETECT_CONTENT) {
1809  if (item_slot == -1) {
1810  rule_content++;
1811  if (list_id == DETECT_SM_LIST_PMATCH) {
1814  rule_content_offset_depth++;
1815  }
1816  }
1817  continue;
1818  }
1819 
1820  rule_content_http++;
1821  de_ctx->ea->analyzer_items[item_slot].item_seen = true;
1822 
1823  if (de_ctx->ea->analyzer_items[item_slot].check_encoding_match) {
1825  if (cd != NULL &&
1826  PerCentEncodingMatch(de_ctx->ea, cd->content, cd->content_len) > 0) {
1827  warn_encoding_norm_http_buf += 1;
1828  }
1829  }
1830  }
1831  else if (sm->type == DETECT_FLOW) {
1832  rule_flow += 1;
1833  if ((s->flags & SIG_FLAG_TOSERVER) && !(s->flags & SIG_FLAG_TOCLIENT)) {
1834  rule_flow_toserver = 1;
1835  }
1836  else if ((s->flags & SIG_FLAG_TOCLIENT) && !(s->flags & SIG_FLAG_TOSERVER)) {
1837  rule_flow_toclient = 1;
1838  }
1839  DetectFlowData *fd = (DetectFlowData *)sm->ctx;
1840  if (fd != NULL) {
1841  if (fd->flags & DETECT_FLOW_FLAG_NOSTREAM)
1842  rule_flow_nostream = 1;
1843  }
1844  }
1845  else if (sm->type == DETECT_FLOWBITS) {
1846  if (list_id == DETECT_SM_LIST_MATCH) {
1847  rule_flowbits += 1;
1848  }
1849  }
1850  else if (sm->type == DETECT_FLOWINT) {
1851  if (list_id == DETECT_SM_LIST_MATCH) {
1852  rule_flowint += 1;
1853  }
1854  }
1855  else if (sm->type == DETECT_FLAGS) {
1856  if (sm->ctx != NULL) {
1857  rule_flags = 1;
1858  }
1859  }
1860  } /* for (sm = s->init_data->smlists[list_id]; sm != NULL; sm = sm->next) */
1861 
1862  } /* for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) */
1863 
1864  if (file_store && !SCRequiresFeature("output::file-store")) {
1865  rule_warning += 1;
1866  warn_file_store_not_present = 1;
1867  }
1868 
1869  if (rule_pcre > 0 && rule_content == 0 && rule_content_http == 0) {
1870  rule_warning += 1;
1871  warn_pcre_no_content = 1;
1872  }
1873 
1874  if (rule_content_http > 0 && rule_pcre > 0 && rule_pcre_http == 0) {
1875  rule_warning += 1;
1876  warn_pcre_http_content = 1;
1877  } else if (s->alproto == ALPROTO_HTTP1 && rule_pcre > 0 && rule_pcre_http == 0) {
1878  rule_warning += 1;
1879  warn_pcre_http = 1;
1880  }
1881 
1882  if (rule_content > 0 && rule_content_http > 0) {
1883  rule_warning += 1;
1884  warn_content_http_content = 1;
1885  }
1886  if (s->alproto == ALPROTO_HTTP1 && rule_content > 0 && rule_content_http == 0) {
1887  rule_warning += 1;
1888  warn_content_http = 1;
1889  }
1890  if (rule_content == 1) {
1891  //todo: warning if content is weak, separate warning for pcre + weak content
1892  }
1893  if (rule_flow == 0 && rule_flags == 0 && !(s->init_data->proto.flags & DETECT_PROTO_ANY) &&
1894  DetectProtoContainsProto(&s->init_data->proto, IPPROTO_TCP) &&
1895  (rule_content || rule_content_http || rule_pcre || rule_pcre_http || rule_flowbits ||
1896  rule_flowint)) {
1897  rule_warning += 1;
1898  warn_tcp_no_flow = 1;
1899  }
1900  if (rule_flow && !rule_bidirectional && (rule_flow_toserver || rule_flow_toclient)
1901  && !((s->flags & SIG_FLAG_SP_ANY) && (s->flags & SIG_FLAG_DP_ANY))) {
1902  if (((s->flags & SIG_FLAG_TOSERVER) && !(s->flags & SIG_FLAG_SP_ANY) && (s->flags & SIG_FLAG_DP_ANY))
1903  || ((s->flags & SIG_FLAG_TOCLIENT) && !(s->flags & SIG_FLAG_DP_ANY) && (s->flags & SIG_FLAG_SP_ANY))) {
1904  rule_warning += 1;
1905  warn_client_ports = 1;
1906  }
1907  }
1908  if (rule_flow && rule_bidirectional && (rule_flow_toserver || rule_flow_toclient)) {
1909  rule_warning += 1;
1910  warn_direction = 1;
1911  }
1912 
1913  if (*http_method_item_seen_ptr) {
1914  if (rule_flow && rule_flow_toclient) {
1915  rule_warning += 1;
1916  warn_method_toclient = 1;
1917  }
1918  if (*http_server_body_item_seen_ptr) {
1919  rule_warning += 1;
1920  warn_method_serverbody = 1;
1921  }
1922  if (rule_content == 0 && rule_content_http == 0 && (rule_pcre > 0 || rule_pcre_http > 0)) {
1923  rule_warning += 1;
1924  warn_pcre_method = 1;
1925  }
1926  }
1927  if (rule_content_offset_depth > 0 && stream_buf && packet_buf) {
1928  rule_warning += 1;
1929  warn_offset_depth_pkt_stream = 1;
1930  }
1931  if (rule_content_offset_depth > 0 && !stream_buf && packet_buf && s->alproto != ALPROTO_UNKNOWN) {
1932  rule_warning += 1;
1933  warn_offset_depth_alproto = 1;
1934  }
1935  if (s->init_data->mpm_sm != NULL && s->alproto == ALPROTO_HTTP1 &&
1937  rule_warning += 1;
1938  warn_non_alproto_fp_for_alproto_sig = 1;
1939  }
1940 
1941  if ((s->flags & (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) == 0) {
1942  warn_no_direction += 1;
1943  rule_warning += 1;
1944  }
1945 
1946  /* No warning about direction for ICMP protos */
1947  if (!(DetectProtoContainsProto(&s->init_data->proto, IPPROTO_ICMPV6) &&
1948  DetectProtoContainsProto(&s->init_data->proto, IPPROTO_ICMP))) {
1950  warn_both_direction += 1;
1951  rule_warning += 1;
1952  }
1953  }
1954 
1955  if (!rule_warnings_only || (rule_warnings_only && rule_warning > 0)) {
1956  FILE *fp = de_ctx->ea->rule_engine_analysis_fp;
1957  fprintf(fp, "== Sid: %u ==\n", s->id);
1958  fprintf(fp, "%s\n", line);
1959 
1960  switch (s->type) {
1961  case SIG_TYPE_NOT_SET:
1962  break;
1963  case SIG_TYPE_IPONLY:
1964  fprintf(fp, " Rule is ip only.\n");
1965  break;
1966  case SIG_TYPE_LIKE_IPONLY:
1967  fprintf(fp, " Rule is like ip only.\n");
1968  break;
1969  case SIG_TYPE_PDONLY:
1970  fprintf(fp, " Rule is PD only.\n");
1971  break;
1972  case SIG_TYPE_DEONLY:
1973  fprintf(fp, " Rule is DE only.\n");
1974  break;
1975  case SIG_TYPE_PKT:
1976  fprintf(fp, " Rule is packet inspecting.\n");
1977  break;
1978  case SIG_TYPE_PKT_STREAM:
1979  fprintf(fp, " Rule is packet and stream inspecting.\n");
1980  break;
1981  case SIG_TYPE_STREAM:
1982  fprintf(fp, " Rule is stream inspecting.\n");
1983  break;
1984  case SIG_TYPE_APPLAYER:
1985  fprintf(fp, " Rule is app-layer inspecting.\n");
1986  break;
1987  case SIG_TYPE_APP_TX:
1988  fprintf(fp, " Rule is App-layer TX inspecting.\n");
1989  break;
1990  case SIG_TYPE_MAX:
1991  break;
1992  }
1993  if (rule_ipv6_only)
1994  fprintf(fp, " Rule is IPv6 only.\n");
1995  if (rule_ipv4_only)
1996  fprintf(fp, " Rule is IPv4 only.\n");
1997  if (packet_buf)
1998  fprintf(fp, " Rule matches on packets.\n");
1999  if (!rule_flow_nostream && stream_buf &&
2000  (rule_flow || rule_flowbits || rule_flowint || rule_content || rule_pcre)) {
2001  fprintf(fp, " Rule matches on reassembled stream.\n");
2002  }
2003  for(size_t i = 0; i < ARRAY_SIZE(analyzer_items); i++) {
2005  if (ai->item_seen) {
2006  fprintf(fp, " Rule matches on %s buffer.\n", ai->display_name);
2007  }
2008  }
2009  if (s->alproto != ALPROTO_UNKNOWN) {
2010  fprintf(fp, " App layer protocol is %s.\n", AppProtoToString(s->alproto));
2011  }
2012  if (rule_content || rule_content_http || rule_pcre || rule_pcre_http) {
2013  fprintf(fp,
2014  " Rule contains %u content options, %u http content options, %u pcre "
2015  "options, and %u pcre options with http modifiers.\n",
2016  rule_content, rule_content_http, rule_pcre, rule_pcre_http);
2017  }
2018 
2019  /* print fast pattern info */
2020  if (s->init_data->prefilter_sm) {
2021  fprintf(fp, " Prefilter on: %s.\n",
2023  } else {
2024  EngineAnalysisRulesPrintFP(de_ctx, s);
2025  }
2026 
2027  /* this is where the warnings start */
2028  if (warn_pcre_no_content /*rule_pcre > 0 && rule_content == 0 && rule_content_http == 0*/) {
2029  fprintf(fp, " Warning: Rule uses pcre without a content option present.\n"
2030  " -Consider adding a content to improve performance of this "
2031  "rule.\n");
2032  }
2033  if (warn_pcre_http_content /*rule_content_http > 0 && rule_pcre > 0 && rule_pcre_http == 0*/) {
2034  fprintf(fp, " Warning: Rule uses content options with http_* and pcre options "
2035  "without http modifiers.\n"
2036  " -Consider adding http pcre modifier.\n");
2037  }
2038  else if (warn_pcre_http /*s->alproto == ALPROTO_HTTP1 && rule_pcre > 0 && rule_pcre_http == 0*/) {
2039  fprintf(fp, " Warning: Rule app layer protocol is http, but pcre options do not "
2040  "have http modifiers.\n"
2041  " -Consider adding http pcre modifiers.\n");
2042  }
2043  if (warn_content_http_content /*rule_content > 0 && rule_content_http > 0*/) {
2044  fprintf(fp,
2045  " Warning: Rule contains content with http_* and content without http_*.\n"
2046  " -Consider adding http content modifiers.\n");
2047  }
2048  if (warn_content_http /*s->alproto == ALPROTO_HTTP1 && rule_content > 0 && rule_content_http == 0*/) {
2049  fprintf(fp, " Warning: Rule app layer protocol is http, but content options do not "
2050  "have http_* modifiers.\n"
2051  " -Consider adding http content modifiers.\n");
2052  }
2053  if (rule_content == 1) {
2054  //todo: warning if content is weak, separate warning for pcre + weak content
2055  }
2056  if (warn_encoding_norm_http_buf) {
2057  fprintf(fp, " Warning: Rule may contain percent encoded content for a normalized "
2058  "http buffer match.\n");
2059  }
2060  if (warn_tcp_no_flow /*rule_flow == 0 && rule_flags == 0
2061  && !(s->proto.flags & DETECT_PROTO_ANY) && DetectProtoContainsProto(&s->proto, IPPROTO_TCP)*/) {
2062  fprintf(fp, " Warning: TCP rule without a flow or flags option.\n"
2063  " -Consider adding flow or flags to improve performance of "
2064  "this rule.\n");
2065  }
2066  if (warn_client_ports /*rule_flow && !rule_bidirectional && (rule_flow_toserver || rule_flow_toclient)
2067  && !((s->flags & SIG_FLAG_SP_ANY) && (s->flags & SIG_FLAG_DP_ANY)))
2068  if (((s->flags & SIG_FLAG_TOSERVER) && !(s->flags & SIG_FLAG_SP_ANY) && (s->flags & SIG_FLAG_DP_ANY))
2069  || ((s->flags & SIG_FLAG_TOCLIENT) && !(s->flags & SIG_FLAG_DP_ANY) && (s->flags & SIG_FLAG_SP_ANY))*/) {
2070  fprintf(fp,
2071  " Warning: Rule contains ports or port variables only on the client side.\n"
2072  " -Flow direction possibly inconsistent with rule.\n");
2073  }
2074  if (warn_direction /*rule_flow && rule_bidirectional && (rule_flow_toserver || rule_flow_toclient)*/) {
2075  fprintf(fp, " Warning: Rule is bidirectional and has a flow option with a specific "
2076  "direction.\n");
2077  }
2078  if (warn_method_toclient /*http_method_buf && rule_flow && rule_flow_toclient*/) {
2079  fprintf(fp, " Warning: Rule uses content or pcre for http_method with "
2080  "flow:to_client or from_server\n");
2081  }
2082  if (warn_method_serverbody /*http_method_buf && http_server_body_buf*/) {
2083  fprintf(fp, " Warning: Rule uses content or pcre for http_method with content or "
2084  "pcre for http_server_body.\n");
2085  }
2086  if (warn_pcre_method /*http_method_buf && rule_content == 0 && rule_content_http == 0
2087  && (rule_pcre > 0 || rule_pcre_http > 0)*/) {
2088  fprintf(fp, " Warning: Rule uses pcre with only a http_method content; possible "
2089  "performance issue.\n");
2090  }
2091  if (warn_offset_depth_pkt_stream) {
2092  fprintf(fp, " Warning: Rule has depth"
2093  "/offset with raw content keywords. Please note the "
2094  "offset/depth will be checked against both packet "
2095  "payloads and stream. If you meant to have the offset/"
2096  "depth checked against just the payload, you can update "
2097  "the signature as \"alert tcp-pkt...\"\n");
2098  }
2099  if (warn_offset_depth_alproto) {
2100  fprintf(fp,
2101  " Warning: Rule has "
2102  "offset/depth set along with a match on a specific "
2103  "app layer protocol - %d. This can lead to FNs if we "
2104  "have a offset/depth content match on a packet payload "
2105  "before we can detect the app layer protocol for the "
2106  "flow.\n",
2107  s->alproto);
2108  }
2109  if (warn_non_alproto_fp_for_alproto_sig) {
2110  fprintf(fp, " Warning: Rule app layer "
2111  "protocol is http, but the fast_pattern is set on the raw "
2112  "stream. Consider adding fast_pattern over a http "
2113  "buffer for increased performance.");
2114  }
2115  if (warn_no_direction) {
2116  fprintf(fp, " Warning: Rule has no direction indicator.\n");
2117  }
2118  if (warn_both_direction) {
2119  fprintf(fp, " Warning: Rule is inspecting both the request and the response.\n");
2120  }
2121  if (warn_file_store_not_present) {
2122  fprintf(fp, " Warning: Rule requires file-store but the output file-store is not "
2123  "enabled.\n");
2124  }
2125  if (rule_warning == 0) {
2126  fprintf(fp, " No warnings for this rule.\n");
2127  }
2128  fprintf(fp, "\n");
2129  }
2130 }
2131 
2132 #include "app-layer-parser.h"
2133 
2134 static void AddPolicy(const DetectEngineCtx *de_ctx, RuleAnalyzer *ctx, const AppProto a,
2135  const uint8_t sub_state, const uint8_t state, const uint8_t direction)
2136 {
2137  char policy_string[64] = "";
2138  const struct DetectFirewallPolicies *fw_policies = de_ctx->fw_policies;
2139  const struct DetectFirewallAppPolicy lookup = {
2140  .alproto = a, .sub_state = sub_state, .progress = state, .direction = direction
2141  };
2142  const struct DetectFirewallAppPolicy *ap =
2143  HashTableLookup(fw_policies->app_policies, (void *)&lookup, 0);
2144  if (ap == NULL)
2145  return;
2146  const struct DetectFirewallPolicy *p = &ap->policy;
2147 
2148  const char *as = ActionScopeToString(p->action_scope);
2149  DEBUG_VALIDATE_BUG_ON(as == NULL);
2150  if (as == NULL)
2151  return;
2152  if (p->action & ACTION_REJECT_ANY) {
2153  if (p->action & ACTION_REJECT_DST) {
2154  snprintf(policy_string, sizeof(policy_string), "rejectdst:%s", as);
2155  } else if (p->action & ACTION_REJECT_BOTH) {
2156  snprintf(policy_string, sizeof(policy_string), "rejectboth:%s", as);
2157  } else {
2158  snprintf(policy_string, sizeof(policy_string), "rejectsrc:%s", as);
2159  }
2160  } else if (p->action & ACTION_DROP) {
2161  snprintf(policy_string, sizeof(policy_string), "drop:%s", as);
2162  } else if (p->action & ACTION_ACCEPT) {
2163  snprintf(policy_string, sizeof(policy_string), "accept:%s", as);
2164  } else {
2166  }
2167  if (p->action & ACTION_PASS) {
2168  if (p->action_scope == ACTION_SCOPE_FLOW) {
2169  strlcat(policy_string, ",pass:flow", sizeof(policy_string));
2170  } else {
2172  }
2173  }
2174  SCJbSetString(ctx->js, "policy", policy_string);
2175 }
2176 
2177 static void FirewallAddRulesForState(const DetectEngineCtx *de_ctx, const AppProto a,
2178  const uint8_t sub_state, const uint8_t state, const uint8_t direction, RuleAnalyzer *ctx)
2179 {
2180  uint32_t accept_rules = 0;
2181  AddPolicy(de_ctx, ctx, a, sub_state, state, direction);
2182  SCJbOpenArray(ctx->js, "rules");
2183  for (const Signature *s = de_ctx->sig_list; s != NULL; s = s->next) {
2184  if ((s->flags & SIG_FLAG_FIREWALL) == 0)
2185  break;
2186  if (s->type != SIG_TYPE_APP_TX)
2187  continue;
2188  if (s->alproto != a)
2189  continue;
2190 
2191  if (direction == STREAM_TOSERVER) {
2192  if (s->flags & SIG_FLAG_TOCLIENT) {
2193  continue;
2194  }
2195  } else {
2196  if (s->flags & SIG_FLAG_TOSERVER) {
2197  continue;
2198  }
2199  }
2200 
2201  /* sig has no sub_state field, so check the app inspect engines (if any).
2202  * We assume that the only engines we have either:
2203  * - are unknown/substate 0
2204  * - matching the rule's substate */
2205  if (s->app_inspect != NULL) {
2206  bool skip_rule = false;
2207  for (const DetectEngineAppInspectionEngine *engine = s->app_inspect; engine != NULL;
2208  engine = engine->next) {
2209  if (engine->alproto == ALPROTO_UNKNOWN) {
2210  // skip engines targeting unknown, like stream or app-layer-event
2211  } else if (engine->sub_state != sub_state) {
2212  skip_rule = true;
2213  break;
2214  }
2215  }
2216  if (skip_rule) {
2217  continue;
2218  }
2219  }
2220  if ((s->flags & SIG_FLAG_FW_HOOK_LTE) && state < s->app_progress_hook) {
2221  SCJbAppendString(ctx->js, s->sig_str);
2222  accept_rules += ((s->action & ACTION_ACCEPT) != 0);
2223  }
2224 
2225  if (s->app_progress_hook == state) {
2226  SCJbAppendString(ctx->js, s->sig_str);
2227  accept_rules += ((s->action & ACTION_ACCEPT) != 0);
2228  }
2229  }
2230  SCJbClose(ctx->js);
2231 
2232  if (accept_rules == 0) {
2233  AnalyzerWarning(ctx, (char *)"no accept rules for state, default policy will be applied");
2234  }
2235 }
2236 
2238 {
2239  RuleAnalyzer ctx = { NULL, NULL, NULL };
2240  ctx.js = SCJbNewObject();
2241  if (ctx.js == NULL)
2242  return -1;
2243 
2244  SCJbOpenObject(ctx.js, "tables");
2245  SCJbOpenObject(ctx.js, "packet:filter");
2246  SCJbSetString(ctx.js, "policy", "drop:packet");
2247  SCJbOpenArray(ctx.js, "rules");
2248  uint32_t accept_rules = 0;
2249  uint32_t last_sid = 0;
2250  for (Signature *s = de_ctx->sig_list; s != NULL; s = s->next) {
2251  if ((s->flags & SIG_FLAG_FIREWALL) == 0)
2252  break;
2253  if (s->type != SIG_TYPE_PKT)
2254  continue;
2255  /* don't double list <> sigs */
2256  if (last_sid == s->id)
2257  continue;
2258  last_sid = s->id;
2259  SCJbAppendString(ctx.js, s->sig_str);
2260  accept_rules += ((s->action & ACTION_ACCEPT) != 0);
2261  }
2262  SCJbClose(ctx.js);
2263  if (accept_rules == 0) {
2264  AnalyzerWarning(&ctx,
2265  (char *)"no accept rules for \'packet:filter\', default policy will be applied");
2266  }
2267  if (ctx.js_warnings) {
2268  SCJbClose(ctx.js_warnings);
2269  SCJbSetObject(ctx.js, "warnings", ctx.js_warnings);
2270  SCJbFree(ctx.js_warnings);
2271  ctx.js_warnings = NULL;
2272  }
2273  SCJbClose(ctx.js); // packet_filter
2274 
2275  for (AppProto a = 0; a < g_alproto_max; a++) {
2276  if (!AppProtoIsValid(a))
2277  continue;
2278 
2280  SCJbOpenObject(ctx.js, AppProtoToString(a));
2281  const uint8_t max_sub_state = AppLayerParserGetMaxSubState(a);
2282  for (uint8_t sub_state = 1; sub_state <= max_sub_state; sub_state++) {
2283  const char *sub_state_name = AppLayerParserGetSubStateName(a, sub_state);
2284  const uint8_t max_progress = AppLayerParserGetSubStateCompletion(a, sub_state);
2285  for (uint8_t state = 0; state <= max_progress; state++) {
2287  a, sub_state, state, STREAM_TOSERVER);
2288  if (name == NULL)
2289  continue;
2290 
2291  char table_name[256];
2292  snprintf(table_name, sizeof(table_name), "app:%s:%s:%s", AppProtoToString(a),
2293  sub_state_name, name);
2294  SCJbOpenObject(ctx.js, table_name);
2295  FirewallAddRulesForState(de_ctx, a, sub_state, state, STREAM_TOSERVER, &ctx);
2296  if (ctx.js_warnings) {
2297  SCJbClose(ctx.js_warnings);
2298  SCJbSetObject(ctx.js, "warnings", ctx.js_warnings);
2299  SCJbFree(ctx.js_warnings);
2300  ctx.js_warnings = NULL;
2301  }
2302  SCJbClose(ctx.js);
2303  }
2304  for (uint8_t state = 0; state <= max_progress; state++) {
2306  a, sub_state, state, STREAM_TOCLIENT);
2307  if (name == NULL)
2308  continue;
2309 
2310  char table_name[256];
2311  snprintf(table_name, sizeof(table_name), "app:%s:%s:%s", AppProtoToString(a),
2312  sub_state_name, name);
2313  SCJbOpenObject(ctx.js, table_name);
2314  FirewallAddRulesForState(de_ctx, a, sub_state, state, STREAM_TOCLIENT, &ctx);
2315  if (ctx.js_warnings) {
2316  SCJbClose(ctx.js_warnings);
2317  SCJbSetObject(ctx.js, "warnings", ctx.js_warnings);
2318  SCJbFree(ctx.js_warnings);
2319  ctx.js_warnings = NULL;
2320  }
2321  SCJbClose(ctx.js);
2322  }
2323  }
2324  SCJbClose(ctx.js); // app layer
2325  continue;
2326  }
2327 
2328  /* no sub state follows */
2329 
2330  const uint8_t complete_state_ts =
2331  (const uint8_t)AppLayerParserGetStateProgressCompletionStatus(a, STREAM_TOSERVER);
2332  SCJbOpenObject(ctx.js, AppProtoToString(a));
2333  for (uint8_t state = 0; state <= complete_state_ts; state++) {
2334  const char *name =
2335  AppLayerParserGetStateNameById(IPPROTO_TCP, a, state, STREAM_TOSERVER);
2336  if (name == NULL) {
2337  if (state == 0)
2338  name = "request-started";
2339  else if (state == complete_state_ts)
2340  name = "request-complete";
2341  else
2342  name = "unknown";
2343  }
2344 
2345  char table_name[128];
2346  snprintf(table_name, sizeof(table_name), "app:%s:%s", AppProtoToString(a), name);
2347  SCJbOpenObject(ctx.js, table_name);
2348  FirewallAddRulesForState(de_ctx, a, 0, state, STREAM_TOSERVER, &ctx);
2349  if (ctx.js_warnings) {
2350  SCJbClose(ctx.js_warnings);
2351  SCJbSetObject(ctx.js, "warnings", ctx.js_warnings);
2352  SCJbFree(ctx.js_warnings);
2353  ctx.js_warnings = NULL;
2354  }
2355  SCJbClose(ctx.js);
2356  }
2357  const uint8_t complete_state_tc =
2358  (const uint8_t)AppLayerParserGetStateProgressCompletionStatus(a, STREAM_TOCLIENT);
2359  for (uint8_t state = 0; state <= complete_state_tc; state++) {
2360  const char *name =
2361  AppLayerParserGetStateNameById(IPPROTO_TCP, a, state, STREAM_TOCLIENT);
2362  if (name == NULL) {
2363  if (state == 0)
2364  name = "response-started";
2365  else if (state == complete_state_tc)
2366  name = "response-complete";
2367  else
2368  name = "unknown";
2369  }
2370  char table_name[128];
2371  snprintf(table_name, sizeof(table_name), "app:%s:%s", AppProtoToString(a), name);
2372  SCJbOpenObject(ctx.js, table_name);
2373  FirewallAddRulesForState(de_ctx, a, 0, state, STREAM_TOCLIENT, &ctx);
2374  if (ctx.js_warnings) {
2375  SCJbClose(ctx.js_warnings);
2376  SCJbSetObject(ctx.js, "warnings", ctx.js_warnings);
2377  SCJbFree(ctx.js_warnings);
2378  ctx.js_warnings = NULL;
2379  }
2380  SCJbClose(ctx.js);
2381  }
2382  SCJbClose(ctx.js); // app layer
2383  }
2384  SCJbOpenObject(ctx.js, "packet:td");
2385  SCJbSetString(ctx.js, "policy", "accept:hook");
2386  last_sid = 0;
2387  SCJbOpenArray(ctx.js, "rules");
2388  for (Signature *s = de_ctx->sig_list; s != NULL; s = s->next) {
2389  if ((s->flags & SIG_FLAG_FIREWALL) != 0)
2390  continue;
2391  if (s->type == SIG_TYPE_APP_TX)
2392  continue;
2393  if (last_sid == s->id)
2394  continue;
2395  last_sid = s->id;
2396  SCJbAppendString(ctx.js, s->sig_str);
2397  }
2398  SCJbClose(ctx.js); // rules
2399  SCJbClose(ctx.js); // packet:td
2400  SCJbOpenObject(ctx.js, "app:td");
2401  SCJbSetString(ctx.js, "policy", "accept:hook");
2402  last_sid = 0;
2403  SCJbOpenArray(ctx.js, "rules");
2404  for (Signature *s = de_ctx->sig_list; s != NULL; s = s->next) {
2405  if ((s->flags & SIG_FLAG_FIREWALL) != 0)
2406  continue;
2407  if (s->type != SIG_TYPE_APP_TX)
2408  continue;
2409  if (last_sid == s->id)
2410  continue;
2411  last_sid = s->id;
2412  SCJbAppendString(ctx.js, s->sig_str);
2413  }
2414  SCJbClose(ctx.js); // rules
2415  SCJbClose(ctx.js); // app:td
2416  SCJbClose(ctx.js); // tables
2417 
2418  SCJbOpenObject(ctx.js, "lists");
2419  SCJbOpenObject(ctx.js, "firewall");
2420  last_sid = 0;
2421  SCJbOpenArray(ctx.js, "rules");
2422  for (Signature *s = de_ctx->sig_list; s != NULL; s = s->next) {
2423  if ((s->flags & SIG_FLAG_FIREWALL) == 0)
2424  continue;
2425  if (last_sid == s->id)
2426  continue;
2427  last_sid = s->id;
2428  SCJbAppendString(ctx.js, s->sig_str);
2429  }
2430  SCJbClose(ctx.js); // rules
2431  SCJbClose(ctx.js); // firewall
2432 
2433  SCJbOpenObject(ctx.js, "td");
2434  last_sid = 0;
2435  SCJbOpenArray(ctx.js, "rules");
2436  for (Signature *s = de_ctx->sig_list; s != NULL; s = s->next) {
2437  if ((s->flags & SIG_FLAG_FIREWALL) != 0)
2438  continue;
2439  if (last_sid == s->id)
2440  continue;
2441  last_sid = s->id;
2442  SCJbAppendString(ctx.js, s->sig_str);
2443  }
2444  SCJbClose(ctx.js); // rules
2445  SCJbClose(ctx.js); // td
2446 
2447  SCJbOpenObject(ctx.js, "all");
2448  last_sid = 0;
2449  SCJbOpenArray(ctx.js, "rules");
2450  for (Signature *s = de_ctx->sig_list; s != NULL; s = s->next) {
2451  if (last_sid == s->id)
2452  continue;
2453  last_sid = s->id;
2454  SCJbAppendString(ctx.js, s->sig_str);
2455  }
2456  SCJbClose(ctx.js); // rules
2457  SCJbClose(ctx.js); // all
2458 
2459  SCJbClose(ctx.js); // lists
2460 
2461  SCJbClose(ctx.js); // top level object
2462 
2463  const char *filename = "firewall.json";
2464  const char *log_dir = SCConfigGetLogDirectory();
2465  char json_path[PATH_MAX] = "";
2466  snprintf(json_path, sizeof(json_path), "%s/%s", log_dir, filename);
2467 
2469  FILE *fp = fopen(json_path, "w");
2470  if (fp != NULL) {
2471  fwrite(SCJbPtr(ctx.js), SCJbLen(ctx.js), 1, fp);
2472  fprintf(fp, "\n");
2473  fclose(fp);
2474  }
2476  SCJbFree(ctx.js);
2477  return 0;
2478 }
detect-tcp-flags.h
DETECT_PCRE_CASELESS
#define DETECT_PCRE_CASELESS
Definition: detect-pcre.h:32
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
SignatureHasPacketContent
int SignatureHasPacketContent(const Signature *s)
check if a signature has patterns that are to be inspected against a packets payload (as opposed to t...
Definition: detect-engine-mpm.c:878
DetectBytejumpData_::post_offset
int32_t post_offset
Definition: detect-bytejump.h:52
HashListTableGetListData
#define HashListTableGetListData(hb)
Definition: util-hashlist.h:56
SIG_TYPE_STREAM
@ SIG_TYPE_STREAM
Definition: detect.h:74
DetectContentData_::offset
uint16_t offset
Definition: detect-content.h:107
DetectBytetestData_::flags
uint16_t flags
Definition: detect-bytetest.h:58
detect-engine-uint.h
DetectFirewallPolicies
Definition: detect.h:948
DetectPatternTracker
Definition: detect.h:824
SignatureInitData_::rule_state_dependant_sids_idx
uint32_t rule_state_dependant_sids_idx
Definition: detect.h:673
DetectEngineAppInspectionEngine_
Definition: detect.h:416
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:66
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:420
DETECT_TTL
@ DETECT_TTL
Definition: detect-engine-register.h:45
detect-content.h
DetectFlowbitsData_::or_list_size
uint8_t or_list_size
Definition: detect-flowbits.h:37
len
uint8_t len
Definition: app-layer-dnp3.h:2
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@82 v2
SCConfValIsTrue
int SCConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:578
detect-engine.h
detect-app-layer-protocol.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:119
SIG_MASK_REQUIRE_REAL_PKT
#define SIG_MASK_REQUIRE_REAL_PKT
Definition: detect.h:316
DETECT_CONTENT_FAST_PATTERN_CHOP
#define DETECT_CONTENT_FAST_PATTERN_CHOP
Definition: detect-content.h:36
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:656
DetectContentData_::fp_chop_len
uint16_t fp_chop_len
Definition: detect-content.h:98
SIG_FLAG_FW_HOOK_LTE
#define SIG_FLAG_FW_HOOK_LTE
Definition: detect.h:251
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
DetectXbitsData_::expire
uint32_t expire
Definition: detect-xbits.h:45
Signature_::sig_str
char * sig_str
Definition: detect.h:759
SIG_TYPE_APP_TX
@ SIG_TYPE_APP_TX
Definition: detect.h:77
AppLayerParserGetStateNameById
const char * AppLayerParserGetStateNameById(uint8_t ipproto, AppProto alproto, const int id, const uint8_t direction)
Definition: app-layer-parser.c:1873
DetectFirewallAppPolicy
Definition: detect.h:937
DetectEnginePktInspectionEngine
Definition: detect.h:485
DetectEngineAppInspectionEngine_::next
struct DetectEngineAppInspectionEngine_ * next
Definition: detect.h:442
DetectAppLayerProtocolData_::mode
uint8_t mode
Definition: detect-app-layer-protocol.h:50
DETECT_PROTO_IPV6
#define DETECT_PROTO_IPV6
Definition: detect-engine-proto.h:32
DetectFlowData_
Definition: detect-flow.h:37
DETECT_FLOW_FLAG_NOSTREAM
#define DETECT_FLOW_FLAG_NOSTREAM
Definition: detect-flow.h:33
SigTableElmt_::name
const char * name
Definition: detect.h:1518
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:90
DETECT_ABSENT
@ DETECT_ABSENT
Definition: detect-engine-register.h:102
DetectListToHumanString
const char * DetectListToHumanString(int list)
Definition: detect-parse.c:112
DetectEngineCtx_::pattern_hash_table
HashListTable * pattern_hash_table
Definition: detect.h:1018
DumpPatterns
void DumpPatterns(DetectEngineCtx *de_ctx)
Definition: detect-engine-analyzer.c:1580
FLOWINT_MODIFIER_ADD
@ FLOWINT_MODIFIER_ADD
Definition: detect-flowint.h:31
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectContentData_::within
int32_t within
Definition: detect-content.h:109
ACTION_PASS
#define ACTION_PASS
Definition: action-globals.h:34
ACTION_REJECT
#define ACTION_REJECT
Definition: action-globals.h:31
DETECT_BYTEJUMP_LITTLE
#define DETECT_BYTEJUMP_LITTLE
Definition: detect-bytejump.h:35
SetupEngineAnalysis
void SetupEngineAnalysis(DetectEngineCtx *de_ctx, bool *fp_analysis, bool *rule_analysis)
Definition: detect-engine-analyzer.c:479
Signature_::app_progress_hook
uint8_t app_progress_hook
Definition: detect.h:719
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:76
SignatureInitData_::prefilter_sm
SigMatch * prefilter_sm
Definition: detect.h:632
EngineAnalysisCtx_::rule_engine_analysis_fp
FILE * rule_engine_analysis_fp
Definition: detect-engine-analyzer.c:90
DETECT_FLOW
@ DETECT_FLOW
Definition: detect-engine-register.h:61
Signature_::alproto
AppProto alproto
Definition: detect.h:687
SignatureInitData_::is_rule_state_dependant
bool is_rule_state_dependant
Definition: detect.h:670
detect-isdataat.h
FLOWINT_MODIFIER_NE
@ FLOWINT_MODIFIER_NE
Definition: detect-flowint.h:38
DETECT_BYTETEST_BASE_HEX
#define DETECT_BYTETEST_BASE_HEX
Definition: detect-bytetest.h:40
SigMatchData_::is_last
bool is_last
Definition: detect.h:367
ActionScopeToString
const char * ActionScopeToString(enum ActionScope s)
Definition: detect-parse.c:4022
DetectAppLayerProtocolData_
Per-rule keyword data for app-layer-protocol:.
Definition: detect-app-layer-protocol.h:45
name
const char * name
Definition: detect-engine-proto.c:48
DetectContentPatternPrettyPrint
void DetectContentPatternPrettyPrint(const uint8_t *pat, const uint16_t pat_len, char *str, size_t str_len)
Definition: detect-content.c:743
g_rules_analyzer_write_m
SCMutex g_rules_analyzer_write_m
Definition: detect-engine-analyzer.c:1128
DetectEngineAnalyzerItems::display_name
const char * display_name
Definition: detect-engine-analyzer.c:72
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:87
DETECT_CONTENT_WITHIN2DEPTH
#define DETECT_CONTENT_WITHIN2DEPTH
Definition: detect-content.h:62
EngineAnalysisCtx_::percent_re
pcre2_code * percent_re
Definition: detect-engine-analyzer.c:95
DETECT_SM_LIST_DYNAMIC_START
@ DETECT_SM_LIST_DYNAMIC_START
Definition: detect.h:138
DETECT_FLOWBITS_CMD_ISNOTSET
#define DETECT_FLOWBITS_CMD_ISNOTSET
Definition: detect-flowbits.h:30
SIG_FLAG_DEST_IS_TARGET
#define SIG_FLAG_DEST_IS_TARGET
Definition: detect.h:284
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:368
DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED
#define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED
Definition: detect-content.h:55
DetectFlowintData_::targettype
uint8_t targettype
Definition: detect-flowint.h:71
AppLayerParserGetStateProgressCompletionStatus
uint8_t AppLayerParserGetStateProgressCompletionStatus(AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:1252
action-globals.h
Packet_::flags
uint32_t flags
Definition: decode.h:562
Packet_::action
uint8_t action
Definition: decode.h:624
EngineAnalysisCtx_
Definition: detect-engine-analyzer.c:88
DETECT_IPOPTS
@ DETECT_IPOPTS
Definition: detect-engine-register.h:39
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:41
DetectFirewallAppPolicy::sub_state
uint8_t sub_state
Definition: detect.h:939
ctx
struct Thresholds ctx
DETECT_BYTEJUMP_BASE_OCT
#define DETECT_BYTEJUMP_BASE_OCT
Definition: detect-bytejump.h:29
DetectEngineFrameInspectionEngine::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:520
DetectFlowData_::flags
uint16_t flags
Definition: detect-flow.h:38
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:981
DETECT_PROTO_ANY
#define DETECT_PROTO_ANY
Definition: detect-engine-proto.h:28
DetectFlowintData_
Definition: detect-flowint.h:61
DetectXbitsData_::cmd
uint8_t cmd
Definition: detect-xbits.h:43
DetectEnginePktInspectionEngine::smd
SigMatchData * smd
Definition: detect.h:486
SIG_TYPE_PKT_STREAM
@ SIG_TYPE_PKT_STREAM
Definition: detect.h:73
DetectFlowbitsData_::cmd
uint8_t cmd
Definition: detect-flowbits.h:36
DetectFirewallAppPolicy::policy
struct DetectFirewallPolicy policy
Definition: detect.h:942
DetectEngineFrameInspectionEngine::mpm
bool mpm
Definition: detect.h:514
DETECT_BYTETEST_DCE
#define DETECT_BYTETEST_DCE
Definition: detect-bytetest.h:47
HashListTableGetListHead
HashListTableBucket * HashListTableGetListHead(HashListTable *ht)
Definition: util-hashlist.c:287
detect-tcp-seq.h
EngineAnalysisCtx_::fp_pattern_stats
FpPatternStats fp_pattern_stats[DETECT_SM_LIST_MAX]
Definition: detect-engine-analyzer.c:107
DetectAppLayerProtocolModeName
const char * DetectAppLayerProtocolModeName(uint8_t mode)
Map a DETECT_ALPROTO_* mode value to its textual qualifier.
Definition: detect-app-layer-protocol.c:196
detect-flowint.h
DetectEngineBufferTypeGetNameById
const char * DetectEngineBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1485
SIG_FLAG_DST_ANY
#define SIG_FLAG_DST_ANY
Definition: detect.h:241
ACTION_SCOPE_FLOW
@ ACTION_SCOPE_FLOW
Definition: action-globals.h:45
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
util-var-name.h
SIG_FLAG_REQUIRE_STREAM
#define SIG_FLAG_REQUIRE_STREAM
Definition: detect.h:254
DETECT_XBITS_TRACK_IPDST
#define DETECT_XBITS_TRACK_IPDST
Definition: detect-xbits.h:35
rust.h
EngineAnalysisCtx_::fp_engine_analysis_fp
FILE * fp_engine_analysis_fp
Definition: detect-engine-analyzer.c:91
SCConfGetBool
int SCConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
Definition: conf.c:524
EngineAnalysisCtx_::analyzer_initialized
bool analyzer_initialized
Definition: detect-engine-analyzer.c:114
ACTION_REJECT_ANY
#define ACTION_REJECT_ANY
Definition: action-globals.h:38
DetectEngineAnalyzerItems
Definition: detect-engine-analyzer.c:66
DETECT_BYTEJUMP_DCE
#define DETECT_BYTEJUMP_DCE
Definition: detect-bytejump.h:40
VarNameStoreSetupLookup
const char * VarNameStoreSetupLookup(const uint32_t id, const enum VarTypes type)
Definition: util-var-name.c:192
SCMUTEX_INITIALIZER
#define SCMUTEX_INITIALIZER
Definition: threads-debug.h:122
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:745
FpPatternStats_::max
uint16_t max
Definition: detect-engine-analyzer.c:77
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:615
DetectBufferType_
Definition: detect.h:450
DetectContentData_
Definition: detect-content.h:93
DETECT_FLOWBITS_CMD_ISSET
#define DETECT_FLOWBITS_CMD_ISSET
Definition: detect-flowbits.h:31
p
Packet * p
Definition: fuzz_iprep.c:21
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:52
SCConfNodeLookupChildValue
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:878
DetectContentData_::fp_chop_offset
uint16_t fp_chop_offset
Definition: detect-content.h:100
DetectBytetestData_::nbytes
uint8_t nbytes
Definition: detect-bytetest.h:54
DetectBytetestData_
Definition: detect-bytetest.h:53
EngineAnalysisCtx_::analyzer_item_map
int16_t analyzer_item_map[256]
Definition: detect-engine-analyzer.c:106
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:271
DETECT_BYTEJUMP_BIG
#define DETECT_BYTEJUMP_BIG
Definition: detect-bytejump.h:36
SIG_FLAG_SRC_ANY
#define SIG_FLAG_SRC_ANY
Definition: detect.h:240
EngineAnalysisRulesFailure
void EngineAnalysisRulesFailure(const DetectEngineCtx *de_ctx, const char *line, const char *file, int lineno)
Definition: detect-engine-analyzer.c:627
SigMatchData_
Data needed for Match()
Definition: detect.h:365
DetectBytejumpData_::base
uint8_t base
Definition: detect-bytejump.h:49
detect-pcre.h
SIG_TYPE_APPLAYER
@ SIG_TYPE_APPLAYER
Definition: detect.h:76
SigMatchData_::type
uint16_t type
Definition: detect.h:366
DetectBytejumpData_
Definition: detect-bytejump.h:47
DetectXbitsData_
Definition: detect-xbits.h:41
DETECT_FLOW_ELEPHANT
@ DETECT_FLOW_ELEPHANT
Definition: detect-engine-register.h:143
Signature_::frame_inspect
DetectEngineFrameInspectionEngine * frame_inspect
Definition: detect.h:741
DetectBytejumpData_::offset
int32_t offset
Definition: detect-bytejump.h:51
DetectEnginePktInspectionEngine::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:494
EngineAnalysisCtx_::analyzer_items
DetectEngineAnalyzerItems * analyzer_items
Definition: detect-engine-analyzer.c:93
DETECT_PERCENT_ENCODING_REGEX
#define DETECT_PERCENT_ENCODING_REGEX
FirewallAnalyzer
int FirewallAnalyzer(const DetectEngineCtx *de_ctx)
Definition: detect-engine-analyzer.c:2237
DetectBytejumpData_::multiplier
uint16_t multiplier
Definition: detect-bytejump.h:55
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:248
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1455
DetectAppLayerProtocolGetValues
uint16_t DetectAppLayerProtocolGetValues(const DetectAppLayerProtocolData *data, AppProto *out, uint16_t max)
Fill out[] with the keyword's set protocol values.
Definition: detect-app-layer-protocol.c:217
SIG_FLAG_FIREWALL
#define SIG_FLAG_FIREWALL
Definition: detect.h:245
Signature_::gid
uint32_t gid
Definition: detect.h:728
DetectFlowintData_::idx
uint32_t idx
Definition: detect-flowint.h:66
Signature_::next
struct Signature_ * next
Definition: detect.h:764
ACTION_REJECT_DST
#define ACTION_REJECT_DST
Definition: action-globals.h:32
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:424
ATTR_FMT_PRINTF
#define ATTR_FMT_PRINTF(x, y)
Definition: suricata-common.h:435
DetectFlowbitsData_
Definition: detect-flowbits.h:34
HashListTableGetListNext
#define HashListTableGetListNext(hb)
Definition: util-hashlist.h:55
DETECT_APP_LAYER_PROTOCOL
@ DETECT_APP_LAYER_PROTOCOL
Definition: detect-engine-register.h:35
DetectEngineAnalyzerItems::export_item_seen
bool export_item_seen
Definition: detect-engine-analyzer.c:69
SignaturePropertyFlowAction
SignaturePropertyFlowAction
Definition: detect.h:83
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:270
detect-xbits.h
DETECT_XBITS_CMD_ISNOTSET
#define DETECT_XBITS_CMD_ISNOTSET
Definition: detect-xbits.h:30
DETECT_BYTETEST_RELATIVE
#define DETECT_BYTETEST_RELATIVE
Definition: detect-bytetest.h:46
SIG_TYPE_PKT
@ SIG_TYPE_PKT
Definition: detect.h:72
feature.h
AppLayerParserGetSubStateCompletion
uint8_t AppLayerParserGetSubStateCompletion(const AppProto alproto, const uint8_t sub_state)
Definition: app-layer-parser.c:1329
RuleAnalyzer::js
SCJsonBuilder * js
Definition: detect-engine-analyzer.c:643
IpOptsFlagToString
const char * IpOptsFlagToString(uint16_t flag)
Return human readable value for ipopts flag.
Definition: detect-ipopts.c:129
JB_SET_STRING
#define JB_SET_STRING(jb, key, val)
Definition: rust.h:36
EngineAnalysisCtx
struct EngineAnalysisCtx_ EngineAnalysisCtx
DetectEngineCtx_::fw_policies
struct DetectFirewallPolicies * fw_policies
Definition: detect.h:1012
DETECT_CONTENT_ENDS_WITH
#define DETECT_CONTENT_ENDS_WITH
Definition: detect-content.h:42
DETECT_PCRE_RAWBYTES
#define DETECT_PCRE_RAWBYTES
Definition: detect-pcre.h:31
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:22
DetectEnginePktInspectionEngine::sm_list
uint16_t sm_list
Definition: detect.h:488
SIG_FLAG_INIT_BIDIREC
#define SIG_FLAG_INIT_BIDIREC
Definition: detect.h:292
g_alproto_max
AppProto g_alproto_max
Definition: app-layer-protos.c:30
DETECT_FLOWINT
@ DETECT_FLOWINT
Definition: detect-engine-register.h:69
strlcat
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
SIG_MASK_REQUIRE_ENGINE_EVENT
#define SIG_MASK_REQUIRE_ENGINE_EVENT
Definition: detect.h:318
DETECT_ICODE
@ DETECT_ICODE
Definition: detect-engine-register.h:48
DETECT_FLOW_AGE
@ DETECT_FLOW_AGE
Definition: detect-engine-register.h:136
DETECT_BYTETEST_BASE_UNSET
#define DETECT_BYTETEST_BASE_UNSET
Definition: detect-bytetest.h:37
SIG_TYPE_IPONLY
@ SIG_TYPE_IPONLY
Definition: detect.h:66
FLOWINT_TARGET_VAL
@ FLOWINT_TARGET_VAL
Definition: detect-flowint.h:50
DETECT_BYTEJUMP_ALIGN
#define DETECT_BYTEJUMP_ALIGN
Definition: detect-bytejump.h:39
SignatureInitData_::mpm_sm
SigMatch * mpm_sm
Definition: detect.h:630
DetectEngineBufferTypeGetDescriptionById
const char * DetectEngineBufferTypeGetDescriptionById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1563
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:120
SIG_FLAG_FLUSH
#define SIG_FLAG_FLUSH
Definition: detect.h:258
DetectIpOptsData_::ipopt
uint16_t ipopt
Definition: detect-ipopts.h:38
SignatureInitData_::mpm_sm_list
int mpm_sm_list
Definition: detect.h:628
DETECT_BYTETEST_BASE_DEC
#define DETECT_BYTETEST_BASE_DEC
Definition: detect-bytetest.h:39
SIG_MASK_REQUIRE_FLOW
#define SIG_MASK_REQUIRE_FLOW
Definition: detect.h:312
SIG_FLAG_BYPASS
#define SIG_FLAG_BYPASS
Definition: detect.h:275
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
DETECT_CONTENT_DISTANCE2OFFSET
#define DETECT_CONTENT_DISTANCE2OFFSET
Definition: detect-content.h:63
RuleAnalyzer
Definition: detect-engine-analyzer.c:642
DETECT_BYTEJUMP_END
#define DETECT_BYTEJUMP_END
Definition: detect-bytejump.h:42
Signature_::pkt_inspect
DetectEnginePktInspectionEngine * pkt_inspect
Definition: detect.h:740
DetectEngineAnalyzerItems
struct DetectEngineAnalyzerItems DetectEngineAnalyzerItems
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:284
detect-engine-mpm.h
HashTableLookup
void * HashTableLookup(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash.c:194
detect.h
SIG_MASK_REQUIRE_FLAGS_INITDEINIT
#define SIG_MASK_REQUIRE_FLAGS_INITDEINIT
Definition: detect.h:313
SignatureInitData_::rule_state_flowbits_ids_size
uint32_t rule_state_flowbits_ids_size
Definition: detect.h:675
DetectEngineFrameInspectionEngine::sm_list
uint16_t sm_list
Definition: detect.h:515
DETECT_XBITS_TRACK_IPPAIR
#define DETECT_XBITS_TRACK_IPPAIR
Definition: detect-xbits.h:36
detect-tcp-window.h
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:360
DetectEngineAnalyzerItems::item_seen
bool item_seen
Definition: detect-engine-analyzer.c:68
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
SignatureInitData_::proto
DetectProto proto
Definition: detect.h:645
DetectU8Data
DetectUintData_u8 DetectU8Data
Definition: detect-engine-uint.h:43
util-time.h
DETECT_ICMP_ID
@ DETECT_ICMP_ID
Definition: detect-engine-register.h:49
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:117
EngineAnalysisRules
void EngineAnalysisRules(const DetectEngineCtx *de_ctx, const Signature *s, const char *line)
Prints analysis of loaded rules.
Definition: detect-engine-analyzer.c:1728
app-layer-parser.h
Signature_::app_inspect
DetectEngineAppInspectionEngine * app_inspect
Definition: detect.h:739
DETECT_XBITS
@ DETECT_XBITS
Definition: detect-engine-register.h:71
DETECT_SEQ
@ DETECT_SEQ
Definition: detect-engine-register.h:37
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
DETECT_ACK
@ DETECT_ACK
Definition: detect-engine-register.h:36
RuleAnalyzer::js_warnings
SCJsonBuilder * js_warnings
Definition: detect-engine-analyzer.c:645
SIG_FLAG_REQUIRE_FLOWVAR
#define SIG_FLAG_REQUIRE_FLOWVAR
Definition: detect.h:266
Signature_::action
uint8_t action
Definition: detect.h:697
FpPatternStats_::cnt
uint32_t cnt
Definition: detect-engine-analyzer.c:78
DetectXbitsData_::type
enum VarTypes type
Definition: detect-xbits.h:47
SCReturn
#define SCReturn
Definition: util-debug.h:286
Signature_::flags
uint32_t flags
Definition: detect.h:683
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:106
DetectEngineFrameInspectionEngine::v1
struct DetectEngineFrameInspectionEngine::@86 v1
ACTION_ALERT
#define ACTION_ALERT
Definition: action-globals.h:29
DETECT_BYTETEST_BIG
#define DETECT_BYTETEST_BIG
Definition: detect-bytetest.h:44
FLOWINT_MODIFIER_LE
@ FLOWINT_MODIFIER_LE
Definition: detect-flowint.h:36
SCLocalTime
struct tm * SCLocalTime(time_t timep, struct tm *result)
Definition: util-time.c:268
detect-bytejump.h
ACTION_SCOPE_TX
@ ACTION_SCOPE_TX
Definition: action-globals.h:47
SCConfigGetLogDirectory
const char * SCConfigGetLogDirectory(void)
Definition: util-conf.c:38
ACTION_SCOPE_AUTO
@ ACTION_SCOPE_AUTO
Definition: action-globals.h:43
conf.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
CHECK
#define CHECK(pat)
Definition: detect-engine-analyzer.c:679
DetectEngineFrameInspectionEngine
Definition: detect.h:510
DetectFlowbitsData_::idx
uint32_t idx
Definition: detect-flowbits.h:35
DetectEngineBufferTypeGetById
const DetectBufferType * DetectEngineBufferTypeGetById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1475
DETECT_BYTEJUMP_BASE_UNSET
#define DETECT_BYTEJUMP_BASE_UNSET
Definition: detect-bytejump.h:28
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:761
DetectFlowintData_::modifier
uint8_t modifier
Definition: detect-flowint.h:70
SIG_FLAG_SRC_IS_TARGET
#define SIG_FLAG_SRC_IS_TARGET
Definition: detect.h:282
SignatureInitData_::rule_state_dependant_sids_array
uint32_t * rule_state_dependant_sids_array
Definition: detect.h:671
fp_engine_analysis_set
bool fp_engine_analysis_set
Definition: fuzz_siginit.c:25
SignatureInitData_::rule_state_dependant_sids_size
uint32_t rule_state_dependant_sids_size
Definition: detect.h:672
DETECT_PCRE_HAS_UNICODE_CLUSTER
#define DETECT_PCRE_HAS_UNICODE_CLUSTER
Definition: detect-pcre.h:36
DetectEngineTransforms::transforms
TransformData transforms[DETECT_TRANSFORMS_MAX]
Definition: detect.h:392
DETECT_BYTEJUMP_BASE_HEX
#define DETECT_BYTEJUMP_BASE_HEX
Definition: detect-bytejump.h:31
SIG_TYPE_DEONLY
@ SIG_TYPE_DEONLY
Definition: detect.h:71
SIG_PROP_FLOW_ACTION_PACKET
@ SIG_PROP_FLOW_ACTION_PACKET
Definition: detect.h:84
signature_properties
const struct SignatureProperties signature_properties[SIG_TYPE_MAX]
Definition: detect-engine.c:119
detect-flowbits.h
SIG_MASK_REQUIRE_PAYLOAD
#define SIG_MASK_REQUIRE_PAYLOAD
Definition: detect.h:311
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:232
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:78
DETECT_DSIZE
@ DETECT_DSIZE
Definition: detect-engine-register.h:59
SIG_TYPE_NOT_SET
@ SIG_TYPE_NOT_SET
Definition: detect.h:65
ExposedItemSeen::bufname
const char * bufname
Definition: detect-engine-analyzer.c:84
DETECT_BYTEJUMP_OFFSET_BE
#define DETECT_BYTEJUMP_OFFSET_BE
Definition: detect-bytejump.h:41
FLOWINT_MODIFIER_GT
@ FLOWINT_MODIFIER_GT
Definition: detect-flowint.h:40
detect-ttl.h
DetectEngineCtx_::config_prefix
char config_prefix[64]
Definition: detect.h:1107
DetectSigmatchListEnumToString
const char * DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
Definition: detect-engine.c:5258
analyzer_items
const DetectEngineAnalyzerItems analyzer_items[]
Definition: detect-engine-analyzer.c:117
DetectEngineAppInspectionEngine_::alproto
AppProto alproto
Definition: detect.h:417
SIG_FLAG_MPM_NEG
#define SIG_FLAG_MPM_NEG
Definition: detect.h:256
detect-engine-analyzer.h
SIG_FLAG_INIT_STATE_MATCH
#define SIG_FLAG_INIT_STATE_MATCH
Definition: detect.h:296
DetectEngineAnalyzerItems::item_id
int16_t item_id
Definition: detect-engine-analyzer.c:67
DETECT_XBITS_TRACK_TX
#define DETECT_XBITS_TRACK_TX
Definition: detect-xbits.h:37
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:440
EngineAnalysisRules2
void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s)
Definition: detect-engine-analyzer.c:1129
ACTION_REJECT_BOTH
#define ACTION_REJECT_BOTH
Definition: action-globals.h:33
FLOWINT_MODIFIER_LT
@ FLOWINT_MODIFIER_LT
Definition: detect-flowint.h:35
DetectFlowintData_::target
union DetectFlowintData_::@68 target
ARRAY_SIZE
#define ARRAY_SIZE(arr)
Definition: suricata-common.h:569
DETECT_CONTENT_STARTS_WITH
#define DETECT_CONTENT_STARTS_WITH
Definition: detect-content.h:59
DetectProto_::flags
uint8_t flags
Definition: detect-engine-proto.h:40
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:89
DETECT_PROTO_IPV4
#define DETECT_PROTO_IPV4
Definition: detect-engine-proto.h:31
util-conf.h
SignatureHasStreamContent
int SignatureHasStreamContent(const Signature *s)
check if a signature has patterns that are to be inspected against the stream payload (as opposed to ...
Definition: detect-engine-mpm.c:908
FpPatternStats_::min
uint16_t min
Definition: detect-engine-analyzer.c:76
VAR_TYPE_FLOW_BIT
@ VAR_TYPE_FLOW_BIT
Definition: util-var.h:36
FLOWINT_TARGET_VAR
@ FLOWINT_TARGET_VAR
Definition: detect-flowint.h:51
suricata-common.h
SIG_MASK_REQUIRE_NO_PAYLOAD
#define SIG_MASK_REQUIRE_NO_PAYLOAD
Definition: detect.h:315
FLOWINT_MODIFIER_SET
@ FLOWINT_MODIFIER_SET
Definition: detect-flowint.h:30
DetectEnginePktInspectionEngine::v1
struct DetectEnginePktInspectionEngine::@85 v1
SIG_FLAG_SP_ANY
#define SIG_FLAG_SP_ANY
Definition: detect.h:242
SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
@ SIG_PROP_FLOW_ACTION_FLOW_IF_STATEFUL
Definition: detect.h:86
ActionScope
ActionScope
Definition: action-globals.h:42
FLOWINT_MODIFIER_ISSET
@ FLOWINT_MODIFIER_ISSET
Definition: detect-flowint.h:42
DetectAbsentData_
Definition: detect-isdataat.h:37
ExposedItemSeen
Definition: detect-engine-analyzer.c:83
SigMatch_::type
uint16_t type
Definition: detect.h:357
HashListTableFree
void HashListTableFree(HashListTable *ht)
Definition: util-hashlist.c:88
DetectEngineAnalyzerItems::check_encoding_match
bool check_encoding_match
Definition: detect-engine-analyzer.c:70
DetectContentData_::distance
int32_t distance
Definition: detect-content.h:108
ACTION_SCOPE_HOOK
@ ACTION_SCOPE_HOOK
Definition: action-globals.h:46
CleanupEngineAnalysis
void CleanupEngineAnalysis(DetectEngineCtx *de_ctx)
Definition: detect-engine-analyzer.c:515
DetectBytejumpData_::nbytes
uint8_t nbytes
Definition: detect-bytejump.h:48
Signature_::action_scope
uint8_t action_scope
Definition: detect.h:704
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
DetectEngineFrameInspectionEngine::next
struct DetectEngineFrameInspectionEngine * next
Definition: detect.h:523
DetectU32Data
DetectUintData_u32 DetectU32Data
Definition: detect-engine-uint.h:41
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
DetectEnginePktInspectionEngine::next
struct DetectEnginePktInspectionEngine * next
Definition: detect.h:496
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:94
DetectXbitsData_::idx
uint32_t idx
Definition: detect-xbits.h:42
Signature_::rev
uint32_t rev
Definition: detect.h:729
AppLayerParserGetSubStateProgressName
const char * AppLayerParserGetSubStateProgressName(const AppProto alproto, const uint8_t sub_state, const uint8_t state, const uint8_t dir_flag)
Definition: app-layer-parser.c:1303
Signature_::proto
DetectProto * proto
Definition: detect.h:701
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
FatalError
#define FatalError(...)
Definition: util-debug.h:517
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:991
DETECT_BYTEJUMP_BASE_DEC
#define DETECT_BYTEJUMP_BASE_DEC
Definition: detect-bytejump.h:30
DetectIpOptsData_
Definition: detect-ipopts.h:37
ACTION_CONFIG
#define ACTION_CONFIG
Definition: action-globals.h:35
PrintRawUriFp
void PrintRawUriFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:69
SIG_MASK_REQUIRE_FLAGS_UNUSUAL
#define SIG_MASK_REQUIRE_FLAGS_UNUSUAL
Definition: detect.h:314
TransformData_::transform
int transform
Definition: detect.h:387
FLOWINT_MODIFIER_ISNOTSET
@ FLOWINT_MODIFIER_ISNOTSET
Definition: detect-flowint.h:43
DETECT_FLOWBITS
@ DETECT_FLOWBITS
Definition: detect-engine-register.h:66
SIG_TYPE_MAX
@ SIG_TYPE_MAX
Definition: detect.h:79
DetectEngineCtx_::ea
struct EngineAnalysisCtx_ * ea
Definition: detect.h:1185
DETECT_BYTETEST_BASE_OCT
#define DETECT_BYTETEST_BASE_OCT
Definition: detect-bytetest.h:38
util-validate.h
detect-flow.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
EngineAnalysisFP
void EngineAnalysisFP(const DetectEngineCtx *de_ctx, const Signature *s, const char *line)
Definition: detect-engine-analyzer.c:174
SignatureInitData_::firewall_rule
bool firewall_rule
Definition: detect.h:678
FpPatternStats
struct FpPatternStats_ FpPatternStats
detect-tcp-ack.h
DetectXbitsData_::tracker
uint8_t tracker
Definition: detect-xbits.h:44
str
#define str(s)
Definition: suricata-common.h:316
DetectFirewallPolicy
Definition: detect.h:932
SCConfGetNode
SCConfNode * SCConfGetNode(const char *name)
Get a SCConfNode by name.
Definition: conf.c:184
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:274
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:762
SCFree
#define SCFree(p)
Definition: util-mem.h:61
AppLayerParserGetSubStateName
const char * AppLayerParserGetSubStateName(const AppProto alproto, const uint8_t sub_state)
Definition: app-layer-parser.c:1352
DetectFlowbitsData_::or_list
uint32_t * or_list
Definition: detect-flowbits.h:41
DetectEngineAppInspectionEngine_::sub_state
uint8_t sub_state
Definition: detect.h:427
Signature_::id
uint32_t id
Definition: detect.h:727
DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_OFFSET
Definition: detect-content.h:32
HashListTableBucket_
Definition: util-hashlist.h:28
DETECT_XBITS_TRACK_IPSRC
#define DETECT_XBITS_TRACK_IPSRC
Definition: detect-xbits.h:34
DETECT_FLOWBITS_CMD_UNSET
#define DETECT_FLOWBITS_CMD_UNSET
Definition: detect-flowbits.h:29
DETECT_CONTENT_FAST_PATTERN_ONLY
#define DETECT_CONTENT_FAST_PATTERN_ONLY
Definition: detect-content.h:35
DETECT_CONTENT_MPM
#define DETECT_CONTENT_MPM
Definition: detect-content.h:61
ACTION_SCOPE_PACKET
@ ACTION_SCOPE_PACKET
Definition: action-globals.h:44
DetectBufferType_::transforms
DetectEngineTransforms transforms
Definition: detect.h:464
detect-parse.h
Signature_
Signature container.
Definition: detect.h:682
SigMatch_
a single match condition for a signature
Definition: detect.h:356
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:437
DETECT_SM_LIST_MAX
@ DETECT_SM_LIST_MAX
Definition: detect.h:135
SCRequiresFeature
bool SCRequiresFeature(const char *feature_name)
Definition: feature.c:121
FpPatternStats_::tot
uint64_t tot
Definition: detect-engine-analyzer.c:79
DetectFlowintData_::tvar
TargetVar tvar
Definition: detect-flowint.h:77
DETECT_XBITS_CMD_ISSET
#define DETECT_XBITS_CMD_ISSET
Definition: detect-xbits.h:31
DETECT_BYTETEST_STRING
#define DETECT_BYTETEST_STRING
Definition: detect-bytetest.h:45
DetectBytetestData_::offset
int32_t offset
Definition: detect-bytetest.h:60
VAR_TYPE_FLOW_INT
@ VAR_TYPE_FLOW_INT
Definition: util-var.h:37
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
detect-icmp-id.h
ACTION_ACCEPT
#define ACTION_ACCEPT
Definition: action-globals.h:36
DetectAppLayerProtocolData_::negated
bool negated
Definition: detect-app-layer-protocol.h:47
detect-ipopts.h
DetectEngineTransforms::cnt
int cnt
Definition: detect.h:393
suricata.h
DetectPcreData_
Definition: detect-pcre.h:48
DetectEngineAppInspectionEngine_::dir
uint8_t dir
Definition: detect.h:418
DetectEngineAnalyzerItems::item_name
const char * item_name
Definition: detect-engine-analyzer.c:71
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
ExposedItemSeen::item_seen_ptr
bool * item_seen_ptr
Definition: detect-engine-analyzer.c:85
DETECT_BYTEJUMP_STRING
#define DETECT_BYTEJUMP_STRING
Definition: detect-bytejump.h:37
DetectEngineCtx_::buffer_type_id
uint32_t buffer_type_id
Definition: detect.h:1137
AppLayerParserGetMaxSubState
uint8_t AppLayerParserGetMaxSubState(const AppProto alproto)
Definition: app-layer-parser.c:1375
EngineAnalysisCtx_::file_prefix
char * file_prefix
Definition: detect-engine-analyzer.c:94
DETECT_XBITS_CMD_SET
#define DETECT_XBITS_CMD_SET
Definition: detect-xbits.h:27
DetectEnginePktInspectionEngine::mpm
bool mpm
Definition: detect.h:487
DETECT_BYTEJUMP_BEGIN
#define DETECT_BYTEJUMP_BEGIN
Definition: detect-bytejump.h:34
SignatureInitData_::rule_state_flowbits_ids_array
uint32_t * rule_state_flowbits_ids_array
Definition: detect.h:674
AppLayerParserSupportsSubStates
bool AppLayerParserSupportsSubStates(const AppProto alproto)
Definition: app-layer-parser.c:1382
SIG_PROP_FLOW_ACTION_FLOW
@ SIG_PROP_FLOW_ACTION_FLOW
Definition: detect.h:85
DETECT_PCRE_RELATIVE
#define DETECT_PCRE_RELATIVE
Definition: detect-pcre.h:29
TargetVar_::name
char * name
Definition: detect-flowint.h:57
DetectFirewallAppPolicy::alproto
AppProto alproto
Definition: detect.h:938
DetectFirewallPolicies::app_policies
HashTable * app_policies
Definition: detect.h:954
FLOWINT_MODIFIER_EQ
@ FLOWINT_MODIFIER_EQ
Definition: detect-flowint.h:37
RuleAnalyzer
struct RuleAnalyzer RuleAnalyzer
DETECT_WINDOW
@ DETECT_WINDOW
Definition: detect-engine-register.h:38
SIG_FLAG_TLSSTORE
#define SIG_FLAG_TLSSTORE
Definition: detect.h:273
DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_CMD_TOGGLE
Definition: detect-xbits.h:28
DetectU16Data
DetectUintData_u16 DetectU16Data
Definition: detect-engine-uint.h:42
Signature_::msg
char * msg
Definition: detect.h:750
DETECT_XBITS_CMD_UNSET
#define DETECT_XBITS_CMD_UNSET
Definition: detect-xbits.h:29
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DetectAbsentData_::or_else
bool or_else
Definition: detect-isdataat.h:39
RuleAnalyzer::js_notes
SCJsonBuilder * js_notes
Definition: detect-engine-analyzer.c:646
DETECT_FLAGS
@ DETECT_FLAGS
Definition: detect-engine-register.h:42
DETECT_PCRE_NEGATE
#define DETECT_PCRE_NEGATE
Definition: detect-pcre.h:35
EngineAnalysisCtx_::exposed_item_seen_list
struct ExposedItemSeen exposed_item_seen_list[2]
Definition: detect-engine-analyzer.c:112
Signature_::type
enum SignatureType type
Definition: detect.h:685
SCConfNode_
Definition: conf.h:37
FpPatternStats_
Definition: detect-engine-analyzer.c:75
DetectBytetestData_::base
uint8_t base
Definition: detect-bytetest.h:56
DetectFirewallAppPolicy::direction
uint8_t direction
Definition: detect.h:941
FLOWINT_MODIFIER_SUB
@ FLOWINT_MODIFIER_SUB
Definition: detect-flowint.h:32
DETECT_BYTETEST_LITTLE
#define DETECT_BYTETEST_LITTLE
Definition: detect-bytetest.h:43
SCMutex
#define SCMutex
Definition: threads-debug.h:114
SIG_TYPE_PDONLY
@ SIG_TYPE_PDONLY
Definition: detect.h:70
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:109
SIG_FLAG_PREFILTER
#define SIG_FLAG_PREFILTER
Definition: detect.h:277
SignatureProperties::flow_action
enum SignaturePropertyFlowAction flow_action
Definition: detect.h:90
DETECT_TCPMSS
@ DETECT_TCPMSS
Definition: detect-engine-register.h:271
SIG_FLAG_FILESTORE
#define SIG_FLAG_FILESTORE
Definition: detect.h:268
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
DETECT_BYTEJUMP_RELATIVE
#define DETECT_BYTEJUMP_RELATIVE
Definition: detect-bytejump.h:38
SIG_FLAG_DP_ANY
#define SIG_FLAG_DP_ANY
Definition: detect.h:243
DETECT_FLOWBITS_CMD_SET
#define DETECT_FLOWBITS_CMD_SET
Definition: detect-flowbits.h:28
SIG_FLAG_DSIZE
#define SIG_FLAG_DSIZE
Definition: detect.h:247
FLOWINT_MODIFIER_GE
@ FLOWINT_MODIFIER_GE
Definition: detect-flowint.h:39
DetectBytejumpData_::flags
uint16_t flags
Definition: detect-bytejump.h:50
Signature_::mask
SignatureMask mask
Definition: detect.h:693
SIG_TYPE_LIKE_IPONLY
@ SIG_TYPE_LIKE_IPONLY
Definition: detect.h:67
DetectEngineAppInspectionEngine_::progress
uint8_t progress
Definition: detect.h:426
detect-bytetest.h
DetectFlowintData_::value
uint32_t value
Definition: detect-flowint.h:75
DetectProtoContainsProto
int DetectProtoContainsProto(const DetectProto *dp, int proto)
see if a DetectProto contains a certain proto
Definition: detect-engine-proto.c:115
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:253
DetectEngineFrameInspectionEngine::smd
SigMatchData * smd
Definition: detect.h:522