58 static int rule_warnings_only = 0;
114 { 0,
false,
false,
true,
"http_uri",
"http uri" },
115 { 0,
false,
false,
false,
"http_raw_uri",
"http raw uri" },
116 { 0,
false,
true,
false,
"http_method",
"http method" },
117 { 0,
false,
false,
false,
"http_request_line",
"http request line" },
118 { 0,
false,
false,
false,
"http_client_body",
"http client body" },
119 { 0,
false,
false,
true,
"http_header",
"http header" },
120 { 0,
false,
false,
false,
"http_raw_header",
"http raw header" },
121 { 0,
false,
false,
true,
"http_cookie",
"http cookie" },
122 { 0,
false,
false,
false,
"http_user_agent",
"http user agent" },
123 { 0,
false,
false,
false,
"http_host",
"http host" },
124 { 0,
false,
false,
false,
"http_raw_host",
"http raw host" },
125 { 0,
false,
false,
false,
"http_accept_enc",
"http accept enc" },
126 { 0,
false,
false,
false,
"http_referer",
"http referer" },
127 { 0,
false,
false,
false,
"http_content_type",
"http content type" },
128 { 0,
false,
false,
false,
"http_header_names",
"http header names" },
131 { 0,
false,
false,
false,
"http_stat_msg",
"http stat msg" },
132 { 0,
false,
false,
false,
"http_stat_code",
"http stat code" },
133 { 0,
false,
true,
false,
"file_data",
"http server body" },
136 { 0,
false,
false,
false,
"http_request_line",
"http request line" },
137 { 0,
false,
false,
false,
"http_accept",
"http accept" },
138 { 0,
false,
false,
false,
"http_accept_lang",
"http accept lang" },
139 { 0,
false,
false,
false,
"http_connection",
"http connection" },
140 { 0,
false,
false,
false,
"http_content_len",
"http content len" },
141 { 0,
false,
false,
false,
"http_protocol",
"http protocol" },
142 { 0,
false,
false,
false,
"http_start",
"http start" },
145 { 0,
false,
false,
false,
"http_response_line",
"http response line" },
146 { 0,
false,
false,
false,
"http.server",
"http server" },
147 { 0,
false,
false,
false,
"http.location",
"http location" },
150 static void FpPatternStatsAdd(
FpPatternStats *fp,
int list, uint16_t patlen)
159 else if (patlen < f->min)
171 int fast_pattern_set = 0;
172 int fast_pattern_only_set = 0;
173 int fast_pattern_chop_set = 0;
178 if (mpm_sm != NULL) {
181 fast_pattern_set = 1;
183 fast_pattern_only_set = 1;
185 fast_pattern_chop_set = 1;
191 fprintf(fp,
"== Sid: %u ==\n", s->
id);
192 fprintf(fp,
"%s\n", line);
194 fprintf(fp,
" Fast Pattern analysis:\n");
196 fprintf(fp,
" Prefilter on: %s\n",
203 fprintf(fp,
" No content present\n");
208 fprintf(fp,
" Fast pattern matcher: ");
209 int list_type = mpm_sm_list;
211 fprintf(fp,
"content\n");
216 fprintf(fp,
"%s (%s)\n", desc,
name);
221 fprintf(fp,
" Flags:");
223 fprintf(fp,
" Offset");
226 fprintf(fp,
" Depth");
230 fprintf(fp,
" Within");
234 fprintf(fp,
" Distance");
238 fprintf(fp,
" Nocase");
242 fprintf(fp,
" Negated");
246 fprintf(fp,
" None");
249 fprintf(fp,
" Fast pattern set: %s\n", fast_pattern_set ?
"yes" :
"no");
250 fprintf(fp,
" Fast pattern only set: %s\n", fast_pattern_only_set ?
"yes" :
"no");
251 fprintf(fp,
" Fast pattern chop set: %s\n", fast_pattern_chop_set ?
"yes" :
"no");
252 if (fast_pattern_chop_set) {
253 fprintf(fp,
" Fast pattern offset, length: %u, %u\n", fp_cd->
fp_chop_offset,
264 fprintf(fp,
" Original content: ");
268 if (fast_pattern_chop_set) {
277 fprintf(fp,
" Final content: ");
283 fprintf(fp,
" Final content: ");
302 int fp_engine_analysis_set = 0;
304 if ((
SCConfGetBool(
"engine-analysis.rules-fast-pattern", &fp_engine_analysis_set)) == 0) {
308 if (fp_engine_analysis_set == 0)
312 char *log_path =
SCMalloc(PATH_MAX);
313 if (log_path == NULL) {
314 FatalError(
"Unable to allocate scratch memory for rule filename");
316 snprintf(log_path, PATH_MAX,
"%s/%s%s", log_dir,
319 FILE *fp = fopen(log_path,
"w");
321 SCLogError(
"failed to open %s: %s", log_path, strerror(errno));
328 SCLogInfo(
"Engine-Analysis for fast_pattern printed to file - %s",
333 gettimeofday(&tval, NULL);
335 struct tm *tms =
SCLocalTime(tval.tv_sec, &local_tm);
336 fprintf(fp,
"----------------------------------------------"
337 "---------------------\n");
339 "Date: %" PRId32
"/%" PRId32
"/%04d -- "
341 tms->tm_mday, tms->tm_mon + 1, tms->tm_year + 1900, tms->tm_hour, tms->tm_min,
343 fprintf(fp,
"----------------------------------------------"
344 "---------------------\n");
357 #define DETECT_PERCENT_ENCODING_REGEX "%[0-9|a-f|A-F]{2}"
363 PCRE2_ZERO_TERMINATED, opts, &en, &eo, NULL);
365 PCRE2_UCHAR errbuffer[256];
366 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
387 }
else if (value && strcasecmp(value,
"warnings-only") == 0) {
389 rule_warnings_only = 1;
394 char log_path[PATH_MAX];
395 snprintf(log_path,
sizeof(log_path),
"%s/%s%s", log_dir,
399 SCLogError(
"failed to open %s: %s", log_path, strerror(errno));
403 SCLogInfo(
"Engine-Analysis for rules printed to file - %s",
407 gettimeofday(&tval, NULL);
409 struct tm *tms =
SCLocalTime(tval.tv_sec, &local_tm);
411 "----------------------------------------------"
412 "---------------------\n");
414 "Date: %" PRId32
"/%" PRId32
"/%04d -- "
416 tms->tm_mday, tms->tm_mon + 1, tms->tm_year + 1900, tms->tm_hour, tms->tm_min,
419 "----------------------------------------------"
420 "---------------------\n");
423 if (!PerCentEncodingSetup(
de_ctx->
ea)) {
425 "Error compiling regex; can't check for percent encoding in normalized "
431 SCLogInfo(
"Conf parameter \"engine-analysis.rules\" not found. "
432 "Defaulting to not printing the rules analysis report.");
435 SCLogInfo(
"Engine-Analysis for rules disabled in conf file.");
444 fprintf(fp,
"============\n"
445 "Summary:\n============\n");
453 "%s, smallest pattern %u byte(s), longest pattern %u byte(s), number of patterns "
454 "%u, avg pattern len %.2f byte(s)\n",
456 (
float)((
double)f->
tot / (
float)f->
cnt));
476 *fp_analysis =
false;
477 *rule_analysis =
false;
481 FatalError(
"Unable to allocate per-engine analysis context");
486 if (cfg_prefix_len > 0) {
491 FatalError(
"Unable to allocate per-engine analysis context name buffer");
497 *fp_analysis = SetupFPAnalyzer(
de_ctx);
498 *rule_analysis = SetupRuleAnalyzer(
de_ctx);
500 if (!(*fp_analysis || *rule_analysis)) {
512 CleanupRuleAnalyzer(
de_ctx);
513 CleanupFPAnalyzer(
de_ctx);
530 static int PerCentEncodingMatch(
EngineAnalysisCtx *ea_ctx, uint8_t *content, uint16_t content_len)
534 pcre2_match_data *match = pcre2_match_data_create_from_pattern(ea_ctx->
percent_re, NULL);
535 ret = pcre2_match(ea_ctx->
percent_re, (PCRE2_SPTR8)content, content_len, 0, 0, match, NULL);
538 }
else if (ret < -1) {
539 SCLogError(
"Error parsing content - %s; error code is %d", content, ret);
542 pcre2_match_data_free(match);
552 if (mpm_sm != NULL) {
590 const int list_type = mpm_sm_list;
599 payload ? (stream ?
"payload and reassembled stream" :
"payload")
600 :
"reassembled stream");
607 }
else if (desc ||
name) {
627 fprintf(tmp_fp,
"== Sid: UNKNOWN ==\n");
628 fprintf(tmp_fp,
"%s\n", line);
629 fprintf(tmp_fp,
" FAILURE: invalid rule.\n");
630 fprintf(tmp_fp,
" File: %s.\n", file);
631 fprintf(tmp_fp,
" Line: %d.\n", lineno);
632 fprintf(tmp_fp,
"\n");
649 vsnprintf(
str,
sizeof(
str), fmt, ap);
653 ctx->js_notes = SCJbNewArray();
655 SCJbAppendString(
ctx->js_notes,
str);
664 vsnprintf(
str,
sizeof(
str), fmt, ap);
667 if (!
ctx->js_warnings)
668 ctx->js_warnings = SCJbNewArray();
669 if (
ctx->js_warnings)
670 SCJbAppendString(
ctx->js_warnings,
str);
673 #define CHECK(pat) if (strlen((pat)) <= len && memcmp((pat), buf, MIN(len, strlen((pat)))) == 0) return true;
675 static bool LooksLikeHTTPMethod(
const uint8_t *buf, uint16_t
len)
684 static bool LooksLikeHTTPUA(
const uint8_t *buf, uint16_t
len)
686 CHECK(
"User-Agent: ");
687 CHECK(
"\nUser-Agent: ");
693 char pattern_str[1024] =
"";
696 SCJbSetString(js,
"pattern", pattern_str);
705 SCJbSetUint(js,
"offset", cd->
offset);
708 SCJbSetUint(js,
"depth", cd->
depth);
711 SCJbSetInt(js,
"distance", cd->
distance);
714 SCJbSetInt(js,
"within", cd->
within);
733 SCJbOpenArray(js,
"matches");
737 SCJbSetString(js,
"name", mname);
743 SCJbOpenObject(js,
"content");
746 AnalyzerNote(
ctx, (
char *)
"'fast_pattern:only' option is silently ignored and "
747 "is interpreted as regular 'fast_pattern'");
751 (
char *)
"pattern looks like it inspects HTTP, use http.request_line or "
752 "http.method and http.uri instead for improved performance");
756 (
char *)
"pattern looks like it inspects HTTP, use http.user_agent "
757 "or http.header for improved performance");
760 AnalyzerNote(
ctx, (
char *)
"'within' option for pattern w/o previous content "
761 "was converted to 'depth'");
764 AnalyzerNote(
ctx, (
char *)
"'distance' option for pattern w/o previous content "
765 "was converted to 'offset'");
773 SCJbOpenObject(js,
"pcre");
778 (
char *)
"'/B' (rawbytes) option is a no-op and is silently ignored");
785 SCJbOpenObject(js,
"byte_jump");
786 SCJbSetUint(js,
"nbytes", cd->
nbytes);
787 SCJbSetInt(js,
"offset", cd->
offset);
788 SCJbSetUint(js,
"multiplier", cd->
multiplier);
792 SCJbSetString(js,
"base",
"unset");
795 SCJbSetString(js,
"base",
"oct");
798 SCJbSetString(js,
"base",
"dec");
801 SCJbSetString(js,
"base",
"hex");
804 SCJbOpenArray(js,
"flags");
806 SCJbAppendString(js,
"from_beginning");
808 SCJbAppendString(js,
"little_endian");
810 SCJbAppendString(js,
"big_endian");
812 SCJbAppendString(js,
"string");
814 SCJbAppendString(js,
"relative");
816 SCJbAppendString(js,
"align");
818 SCJbAppendString(js,
"dce");
820 SCJbAppendString(js,
"offset_be");
822 SCJbAppendString(js,
"from_end");
830 SCJbOpenObject(js,
"byte_test");
831 SCJbSetUint(js,
"nbytes", cd->
nbytes);
832 SCJbSetInt(js,
"offset", cd->
offset);
835 SCJbSetString(js,
"base",
"unset");
838 SCJbSetString(js,
"base",
"oct");
841 SCJbSetString(js,
"base",
"dec");
844 SCJbSetString(js,
"base",
"hex");
847 SCJbOpenArray(js,
"flags");
849 SCJbAppendString(js,
"little_endian");
851 SCJbAppendString(js,
"big_endian");
853 SCJbAppendString(js,
"string");
855 SCJbAppendString(js,
"relative");
857 SCJbAppendString(js,
"dce");
864 SCJbOpenObject(js,
"absent");
865 SCJbSetBool(js,
"or_else", dad->
or_else);
873 SCJbOpenObject(js,
"ipopts");
875 SCJbSetString(js,
"option", flag);
882 SCJbOpenObject(js,
"flowbits");
885 SCJbSetString(js,
"cmd",
"isset");
888 SCJbSetString(js,
"cmd",
"isnotset");
891 SCJbSetString(js,
"cmd",
"set");
894 SCJbSetString(js,
"cmd",
"unset");
897 SCJbSetString(js,
"cmd",
"toggle");
901 SCJbOpenArray(js,
"names");
907 const char *varname =
909 SCJbAppendString(js, varname);
914 SCJbSetString(js,
"operator",
"or");
922 SCJbOpenObject(js,
"ack");
923 SCJbSetUint(js,
"number", cd->
ack);
929 SCJbOpenObject(js,
"seq");
930 SCJbSetUint(js,
"number", cd->
seq);
936 SCJbOpenObject(js,
"tcp_mss");
937 SCDetectU16ToJson(js, cd);
943 SCJbOpenObject(js,
"dsize");
944 SCDetectU16ToJson(js, cd);
950 SCJbOpenObject(js,
"code");
951 SCDetectU8ToJson(js, cd);
957 SCJbOpenObject(js,
"id");
958 SCJbSetUint(js,
"number",
SCNtohs(cd->
id));
964 SCJbOpenObject(js,
"window");
965 SCJbSetUint(js,
"size", wd->
size);
966 SCJbSetBool(js,
"negated", wd->
negated);
972 SCJbOpenObject(js,
"flow_age");
973 SCDetectU32ToJson(js, cd);
994 ctx.js = SCJbNewObject();
1005 SCJbSetUint(
ctx.js,
"id", s->
id);
1006 SCJbSetUint(
ctx.js,
"gid", s->
gid);
1007 SCJbSetUint(
ctx.js,
"rev", s->
rev);
1008 SCJbSetString(
ctx.js,
"msg", s->
msg);
1011 SCJbSetString(
ctx.js,
"app_proto", alproto);
1013 SCJbOpenArray(
ctx.js,
"requirements");
1015 SCJbAppendString(
ctx.js,
"payload");
1018 SCJbAppendString(
ctx.js,
"no_payload");
1021 SCJbAppendString(
ctx.js,
"flow");
1024 SCJbAppendString(
ctx.js,
"tcp_flags_init_deinit");
1027 SCJbAppendString(
ctx.js,
"tcp_flags_unusual");
1030 SCJbAppendString(
ctx.js,
"engine_event");
1033 SCJbAppendString(
ctx.js,
"real_pkt");
1037 SCJbOpenObject(
ctx.js,
"match_policy");
1038 SCJbOpenArray(
ctx.js,
"actions");
1040 SCJbAppendString(
ctx.js,
"alert");
1043 SCJbAppendString(
ctx.js,
"drop");
1046 SCJbAppendString(
ctx.js,
"reject");
1049 SCJbAppendString(
ctx.js,
"reject_dst");
1052 SCJbAppendString(
ctx.js,
"reject_both");
1055 SCJbAppendString(
ctx.js,
"config");
1058 SCJbAppendString(
ctx.js,
"pass");
1061 SCJbAppendString(
ctx.js,
"accept");
1067 switch (flow_action) {
1069 SCJbSetString(
ctx.js,
"scope",
"packet");
1072 SCJbSetString(
ctx.js,
"scope",
"flow");
1075 SCJbSetString(
ctx.js,
"scope",
"flow_if_stateful");
1082 SCJbSetString(
ctx.js,
"scope",
"packet");
1085 SCJbSetString(
ctx.js,
"scope",
"flow");
1088 SCJbSetString(
ctx.js,
"scope",
"hook");
1091 SCJbSetString(
ctx.js,
"scope",
"tx");
1101 SCJbSetString(
ctx.js,
"type",
"unset");
1104 SCJbSetString(
ctx.js,
"type",
"ip_only");
1107 SCJbSetString(
ctx.js,
"type",
"like_ip_only");
1110 SCJbSetString(
ctx.js,
"type",
"pd_only");
1113 SCJbSetString(
ctx.js,
"type",
"de_only");
1116 SCJbSetString(
ctx.js,
"type",
"pkt");
1119 SCJbSetString(
ctx.js,
"type",
"pkt_stream");
1122 SCJbSetString(
ctx.js,
"type",
"stream");
1125 SCJbSetString(
ctx.js,
"type",
"app_layer");
1128 SCJbSetString(
ctx.js,
"type",
"app_tx");
1131 SCJbSetString(
ctx.js,
"type",
"error");
1137 SCJbOpenObject(
ctx.js,
"dependencies");
1138 SCJbOpenObject(
ctx.js,
"flowbits");
1139 SCJbOpenObject(
ctx.js,
"upstream");
1141 SCJbOpenObject(
ctx.js,
"state_modifying_rules");
1142 SCJbOpenArray(
ctx.js,
"sids");
1147 SCJbOpenArray(
ctx.js,
"names");
1150 SCJbAppendString(
ctx.js,
1163 SCJbOpenArray(
ctx.js,
"flags");
1165 SCJbAppendString(
ctx.js,
"src_any");
1168 SCJbAppendString(
ctx.js,
"dst_any");
1171 SCJbAppendString(
ctx.js,
"sp_any");
1174 SCJbAppendString(
ctx.js,
"dp_any");
1177 SCJbAppendString(
ctx.js,
"noalert");
1180 SCJbAppendString(
ctx.js,
"dsize");
1183 SCJbAppendString(
ctx.js,
"applayer");
1186 SCJbAppendString(
ctx.js,
"need_packet");
1189 SCJbAppendString(
ctx.js,
"need_stream");
1192 SCJbAppendString(
ctx.js,
"negated_mpm");
1195 SCJbAppendString(
ctx.js,
"flush");
1198 SCJbAppendString(
ctx.js,
"need_flowvar");
1201 SCJbAppendString(
ctx.js,
"filestore");
1204 SCJbAppendString(
ctx.js,
"toserver");
1207 SCJbAppendString(
ctx.js,
"toclient");
1210 SCJbAppendString(
ctx.js,
"tlsstore");
1213 SCJbAppendString(
ctx.js,
"bypass");
1216 SCJbAppendString(
ctx.js,
"prefilter");
1219 SCJbAppendString(
ctx.js,
"src_is_target");
1222 SCJbAppendString(
ctx.js,
"dst_is_target");
1229 SCJbOpenArray(
ctx.js,
"pkt_engines");
1231 for ( ; pkt != NULL; pkt = pkt->
next) {
1246 SCJbStartObject(
ctx.js);
1247 SCJbSetString(
ctx.js,
"name",
name);
1248 SCJbSetBool(
ctx.js,
"is_mpm", pkt->
mpm);
1250 SCJbOpenArray(
ctx.js,
"transforms");
1252 SCJbStartObject(
ctx.js);
1253 SCJbSetString(
ctx.js,
"name",
1266 SCJbOpenArray(
ctx.js,
"frame_engines");
1268 for (; frame != NULL; frame = frame->
next) {
1270 SCJbStartObject(
ctx.js);
1271 SCJbSetString(
ctx.js,
"name",
name);
1272 SCJbSetBool(
ctx.js,
"is_mpm", frame->
mpm);
1274 SCJbOpenArray(
ctx.js,
"transforms");
1276 SCJbStartObject(
ctx.js);
1277 SCJbSetString(
ctx.js,
"name",
1289 bool has_stream =
false;
1290 bool has_client_body_mpm =
false;
1291 bool has_file_data_mpm =
false;
1293 SCJbOpenArray(
ctx.js,
"engines");
1295 for ( ; app != NULL; app = app->
next) {
1310 }
else if (app->
mpm && strcmp(
name,
"http_client_body") == 0) {
1311 has_client_body_mpm =
true;
1312 }
else if (app->
mpm && strcmp(
name,
"file_data") == 0) {
1313 has_file_data_mpm =
true;
1316 SCJbStartObject(
ctx.js);
1317 SCJbSetString(
ctx.js,
"name",
name);
1318 const char *direction = app->
dir == 0 ?
"toserver" :
"toclient";
1319 SCJbSetString(
ctx.js,
"direction", direction);
1320 SCJbSetBool(
ctx.js,
"is_mpm", app->
mpm);
1325 SCJbOpenArray(
ctx.js,
"transforms");
1327 SCJbStartObject(
ctx.js);
1328 SCJbSetString(
ctx.js,
"name",
1342 if (has_stream && has_client_body_mpm)
1343 AnalyzerNote(&
ctx, (
char *)
"mpm in http_client_body combined with stream match leads to stream buffering");
1344 if (has_stream && has_file_data_mpm)
1345 AnalyzerNote(&
ctx, (
char *)
"mpm in file_data combined with stream match leads to stream buffering");
1348 SCJbOpenObject(
ctx.js,
"lists");
1358 if (pkt_mpm || app_mpm) {
1359 SCJbOpenObject(
ctx.js,
"mpm");
1367 SCJbSetString(
ctx.js,
"buffer",
name);
1374 switch (smd->
type) {
1378 DumpContent(
ctx.js, cd);
1390 SCJbOpenObject(
ctx.js,
"prefilter");
1397 SCJbSetString(
ctx.js,
"buffer",
name);
1399 SCJbSetString(
ctx.js,
"name", mname);
1403 if (
ctx.js_warnings) {
1404 SCJbClose(
ctx.js_warnings);
1405 SCJbSetObject(
ctx.js,
"warnings",
ctx.js_warnings);
1406 SCJbFree(
ctx.js_warnings);
1407 ctx.js_warnings = NULL;
1410 SCJbClose(
ctx.js_notes);
1411 SCJbSetObject(
ctx.js,
"notes",
ctx.js_notes);
1412 SCJbFree(
ctx.js_notes);
1413 ctx.js_notes = NULL;
1417 const char *filename =
"rules.json";
1419 char json_path[PATH_MAX] =
"";
1420 snprintf(json_path,
sizeof(json_path),
"%s/%s%s", log_dir,
1424 FILE *fp = fopen(json_path,
"a");
1426 fwrite(SCJbPtr(
ctx.js), SCJbLen(
ctx.js), 1, fp);
1440 SCJsonBuilder *root_jb = SCJbNewObject();
1444 SCJbOpenArray(root_jb,
"buffers");
1448 char str[1024] =
"";
1452 SCJsonBuilder *jb = arrays[p->
sm_list];
1453 if (arrays[p->
sm_list] == NULL) {
1454 jb = arrays[p->
sm_list] = SCJbNewObject();
1460 SCJbSetString(jb,
"name",
name);
1461 SCJbSetUint(jb,
"list_id", p->
sm_list);
1463 SCJbOpenArray(jb,
"patterns");
1466 SCJbStartObject(jb);
1467 SCJbSetString(jb,
"pattern",
str);
1469 SCJbSetUint(jb,
"cnt", p->
cnt);
1470 SCJbSetUint(jb,
"mpm", p->
mpm);
1471 SCJbOpenObject(jb,
"flags");
1482 SCJsonBuilder *jb = arrays[i];
1489 SCJbAppendObject(root_jb, jb);
1495 const char *filename =
"patterns.json";
1497 char json_path[PATH_MAX] =
"";
1498 snprintf(json_path,
sizeof(json_path),
"%s/%s%s", log_dir,
1502 FILE *fp = fopen(json_path,
"a");
1504 fwrite(SCJbPtr(root_jb), SCJbLen(root_jb), 1, fp);
1525 EngineAnalysisItemsReset(ea_ctx);
1533 FatalError(
"Unable to allocate analysis scratch pad");
1543 analyzer_item->
item_id = (uint16_t)item_id;
1544 if (analyzer_item->
item_id == -1) {
1546 FatalError(
"unable to initialize engine-analysis table: detect buffer \"%s\" not "
1579 uint32_t rule_bidirectional = 0;
1580 uint32_t rule_pcre = 0;
1581 uint32_t rule_pcre_http = 0;
1582 uint32_t rule_content = 0;
1583 uint32_t rule_flow = 0;
1584 uint32_t rule_flags = 0;
1585 uint32_t rule_flow_toserver = 0;
1586 uint32_t rule_flow_toclient = 0;
1587 uint32_t rule_flow_nostream = 0;
1588 uint32_t rule_ipv4_only = 0;
1589 uint32_t rule_ipv6_only = 0;
1590 uint32_t rule_flowbits = 0;
1591 uint32_t rule_flowint = 0;
1592 uint32_t rule_content_http = 0;
1593 uint32_t rule_content_offset_depth = 0;
1594 int32_t list_id = 0;
1595 uint32_t rule_warning = 0;
1596 uint32_t stream_buf = 0;
1597 uint32_t packet_buf = 0;
1598 uint32_t file_store = 0;
1599 uint32_t warn_pcre_no_content = 0;
1600 uint32_t warn_pcre_http_content = 0;
1601 uint32_t warn_pcre_http = 0;
1602 uint32_t warn_content_http_content = 0;
1603 uint32_t warn_content_http = 0;
1604 uint32_t warn_tcp_no_flow = 0;
1605 uint32_t warn_client_ports = 0;
1606 uint32_t warn_direction = 0;
1607 uint32_t warn_method_toclient = 0;
1608 uint32_t warn_method_serverbody = 0;
1609 uint32_t warn_pcre_method = 0;
1610 uint32_t warn_encoding_norm_http_buf = 0;
1611 uint32_t warn_file_store_not_present = 0;
1612 uint32_t warn_offset_depth_pkt_stream = 0;
1613 uint32_t warn_offset_depth_alproto = 0;
1614 uint32_t warn_non_alproto_fp_for_alproto_sig = 0;
1615 uint32_t warn_no_direction = 0;
1616 uint32_t warn_both_direction = 0;
1618 EngineAnalysisItemsInit(
de_ctx->
ea);
1624 rule_bidirectional = 1;
1638 rule_ipv4_only += 1;
1641 rule_ipv6_only += 1;
1649 if (item_slot == -1) {
1657 if (item_slot == -1) {
1662 rule_content_offset_depth++;
1668 rule_content_http++;
1675 warn_encoding_norm_http_buf += 1;
1682 rule_flow_toserver = 1;
1685 rule_flow_toclient = 1;
1690 rule_flow_nostream = 1;
1715 warn_file_store_not_present = 1;
1718 if (rule_pcre > 0 && rule_content == 0 && rule_content_http == 0) {
1720 warn_pcre_no_content = 1;
1723 if (rule_content_http > 0 && rule_pcre > 0 && rule_pcre_http == 0) {
1725 warn_pcre_http_content = 1;
1731 if (rule_content > 0 && rule_content_http > 0) {
1733 warn_content_http_content = 1;
1737 warn_content_http = 1;
1739 if (rule_content == 1) {
1744 (rule_content || rule_content_http || rule_pcre || rule_pcre_http || rule_flowbits ||
1747 warn_tcp_no_flow = 1;
1749 if (rule_flow && !rule_bidirectional && (rule_flow_toserver || rule_flow_toclient)
1754 warn_client_ports = 1;
1757 if (rule_flow && rule_bidirectional && (rule_flow_toserver || rule_flow_toclient)) {
1762 if (*http_method_item_seen_ptr) {
1763 if (rule_flow && rule_flow_toclient) {
1765 warn_method_toclient = 1;
1767 if (*http_server_body_item_seen_ptr) {
1769 warn_method_serverbody = 1;
1771 if (rule_content == 0 && rule_content_http == 0 && (rule_pcre > 0 || rule_pcre_http > 0)) {
1773 warn_pcre_method = 1;
1776 if (rule_content_offset_depth > 0 && stream_buf && packet_buf) {
1778 warn_offset_depth_pkt_stream = 1;
1782 warn_offset_depth_alproto = 1;
1787 warn_non_alproto_fp_for_alproto_sig = 1;
1791 warn_no_direction += 1;
1798 warn_both_direction += 1;
1803 if (!rule_warnings_only || (rule_warnings_only && rule_warning > 0)) {
1805 fprintf(fp,
"== Sid: %u ==\n", s->
id);
1806 fprintf(fp,
"%s\n", line);
1812 fprintf(fp,
" Rule is ip only.\n");
1815 fprintf(fp,
" Rule is like ip only.\n");
1818 fprintf(fp,
" Rule is PD only.\n");
1821 fprintf(fp,
" Rule is DE only.\n");
1824 fprintf(fp,
" Rule is packet inspecting.\n");
1827 fprintf(fp,
" Rule is packet and stream inspecting.\n");
1830 fprintf(fp,
" Rule is stream inspecting.\n");
1833 fprintf(fp,
" Rule is app-layer inspecting.\n");
1836 fprintf(fp,
" Rule is App-layer TX inspecting.\n");
1842 fprintf(fp,
" Rule is IPv6 only.\n");
1844 fprintf(fp,
" Rule is IPv4 only.\n");
1846 fprintf(fp,
" Rule matches on packets.\n");
1847 if (!rule_flow_nostream && stream_buf &&
1848 (rule_flow || rule_flowbits || rule_flowint || rule_content || rule_pcre)) {
1849 fprintf(fp,
" Rule matches on reassembled stream.\n");
1854 fprintf(fp,
" Rule matches on %s buffer.\n", ai->
display_name);
1860 if (rule_content || rule_content_http || rule_pcre || rule_pcre_http) {
1862 " Rule contains %u content options, %u http content options, %u pcre "
1863 "options, and %u pcre options with http modifiers.\n",
1864 rule_content, rule_content_http, rule_pcre, rule_pcre_http);
1869 fprintf(fp,
" Prefilter on: %s.\n",
1872 EngineAnalysisRulesPrintFP(
de_ctx, s);
1876 if (warn_pcre_no_content ) {
1877 fprintf(fp,
" Warning: Rule uses pcre without a content option present.\n"
1878 " -Consider adding a content to improve performance of this "
1881 if (warn_pcre_http_content ) {
1882 fprintf(fp,
" Warning: Rule uses content options with http_* and pcre options "
1883 "without http modifiers.\n"
1884 " -Consider adding http pcre modifier.\n");
1886 else if (warn_pcre_http ) {
1887 fprintf(fp,
" Warning: Rule app layer protocol is http, but pcre options do not "
1888 "have http modifiers.\n"
1889 " -Consider adding http pcre modifiers.\n");
1891 if (warn_content_http_content ) {
1893 " Warning: Rule contains content with http_* and content without http_*.\n"
1894 " -Consider adding http content modifiers.\n");
1896 if (warn_content_http ) {
1897 fprintf(fp,
" Warning: Rule app layer protocol is http, but content options do not "
1898 "have http_* modifiers.\n"
1899 " -Consider adding http content modifiers.\n");
1901 if (rule_content == 1) {
1904 if (warn_encoding_norm_http_buf) {
1905 fprintf(fp,
" Warning: Rule may contain percent encoded content for a normalized "
1906 "http buffer match.\n");
1908 if (warn_tcp_no_flow
1910 fprintf(fp,
" Warning: TCP rule without a flow or flags option.\n"
1911 " -Consider adding flow or flags to improve performance of "
1914 if (warn_client_ports
1919 " Warning: Rule contains ports or port variables only on the client side.\n"
1920 " -Flow direction possibly inconsistent with rule.\n");
1922 if (warn_direction ) {
1923 fprintf(fp,
" Warning: Rule is bidirectional and has a flow option with a specific "
1926 if (warn_method_toclient ) {
1927 fprintf(fp,
" Warning: Rule uses content or pcre for http_method with "
1928 "flow:to_client or from_server\n");
1930 if (warn_method_serverbody ) {
1931 fprintf(fp,
" Warning: Rule uses content or pcre for http_method with content or "
1932 "pcre for http_server_body.\n");
1934 if (warn_pcre_method
1936 fprintf(fp,
" Warning: Rule uses pcre with only a http_method content; possible "
1937 "performance issue.\n");
1939 if (warn_offset_depth_pkt_stream) {
1940 fprintf(fp,
" Warning: Rule has depth"
1941 "/offset with raw content keywords. Please note the "
1942 "offset/depth will be checked against both packet "
1943 "payloads and stream. If you meant to have the offset/"
1944 "depth checked against just the payload, you can update "
1945 "the signature as \"alert tcp-pkt...\"\n");
1947 if (warn_offset_depth_alproto) {
1949 " Warning: Rule has "
1950 "offset/depth set along with a match on a specific "
1951 "app layer protocol - %d. This can lead to FNs if we "
1952 "have a offset/depth content match on a packet payload "
1953 "before we can detect the app layer protocol for the "
1957 if (warn_non_alproto_fp_for_alproto_sig) {
1958 fprintf(fp,
" Warning: Rule app layer "
1959 "protocol is http, but the fast_pattern is set on the raw "
1960 "stream. Consider adding fast_pattern over a http "
1961 "buffer for increased performance.");
1963 if (warn_no_direction) {
1964 fprintf(fp,
" Warning: Rule has no direction indicator.\n");
1966 if (warn_both_direction) {
1967 fprintf(fp,
" Warning: Rule is inspecting both the request and the response.\n");
1969 if (warn_file_store_not_present) {
1970 fprintf(fp,
" Warning: Rule requires file-store but the output file-store is not "
1973 if (rule_warning == 0) {
1974 fprintf(fp,
" No warnings for this rule.\n");
1985 uint32_t accept_rules = 0;
1986 SCJbSetString(
ctx->js,
"policy",
"drop:flow");
1987 SCJbOpenArray(
ctx->js,
"rules");
1996 if (direction == STREAM_TOSERVER) {
2013 if (accept_rules == 0) {
2014 AnalyzerWarning(
ctx, (
char *)
"no accept rules for state, default policy will be applied");
2021 ctx.js = SCJbNewObject();
2025 SCJbOpenObject(
ctx.js,
"tables");
2026 SCJbOpenObject(
ctx.js,
"packet:filter");
2027 SCJbSetString(
ctx.js,
"policy",
"drop:packet");
2028 SCJbOpenArray(
ctx.js,
"rules");
2029 uint32_t accept_rules = 0;
2030 uint32_t last_sid = 0;
2037 if (last_sid == s->
id)
2044 if (accept_rules == 0) {
2045 AnalyzerWarning(&
ctx,
2046 (
char *)
"no accept rules for \'packet:filter\', default policy will be applied");
2048 if (
ctx.js_warnings) {
2049 SCJbClose(
ctx.js_warnings);
2050 SCJbSetObject(
ctx.js,
"warnings",
ctx.js_warnings);
2051 SCJbFree(
ctx.js_warnings);
2052 ctx.js_warnings = NULL;
2057 if (!AppProtoIsValid(a))
2066 const uint8_t complete_state_ts =
2068 for (uint8_t state = 0; state < complete_state_ts; state++) {
2071 char table_name[128];
2073 SCJbOpenObject(
ctx.js, table_name);
2074 FirewallAddRulesForState(
de_ctx, a, state, STREAM_TOSERVER, &
ctx);
2075 if (
ctx.js_warnings) {
2076 SCJbClose(
ctx.js_warnings);
2077 SCJbSetObject(
ctx.js,
"warnings",
ctx.js_warnings);
2078 SCJbFree(
ctx.js_warnings);
2079 ctx.js_warnings = NULL;
2083 const uint8_t complete_state_tc =
2085 for (uint8_t state = 0; state < complete_state_tc; state++) {
2088 char table_name[128];
2090 SCJbOpenObject(
ctx.js, table_name);
2091 FirewallAddRulesForState(
de_ctx, a, state, STREAM_TOCLIENT, &
ctx);
2092 if (
ctx.js_warnings) {
2093 SCJbClose(
ctx.js_warnings);
2094 SCJbSetObject(
ctx.js,
"warnings",
ctx.js_warnings);
2095 SCJbFree(
ctx.js_warnings);
2096 ctx.js_warnings = NULL;
2102 SCJbOpenObject(
ctx.js,
"packet:td");
2103 SCJbSetString(
ctx.js,
"policy",
"accept:hook");
2105 SCJbOpenArray(
ctx.js,
"rules");
2111 if (last_sid == s->
id)
2118 SCJbOpenObject(
ctx.js,
"app:td");
2119 SCJbSetString(
ctx.js,
"policy",
"accept:hook");
2121 SCJbOpenArray(
ctx.js,
"rules");
2127 if (last_sid == s->
id)
2136 SCJbOpenObject(
ctx.js,
"lists");
2137 SCJbOpenObject(
ctx.js,
"firewall");
2139 SCJbOpenArray(
ctx.js,
"rules");
2143 if (last_sid == s->
id)
2151 SCJbOpenObject(
ctx.js,
"td");
2153 SCJbOpenArray(
ctx.js,
"rules");
2157 if (last_sid == s->
id)
2165 SCJbOpenObject(
ctx.js,
"all");
2167 SCJbOpenArray(
ctx.js,
"rules");
2169 if (last_sid == s->
id)
2181 const char *filename =
"firewall.json";
2183 char json_path[PATH_MAX] =
"";
2184 snprintf(json_path,
sizeof(json_path),
"%s/%s", log_dir, filename);
2187 FILE *fp = fopen(json_path,
"w");
2189 fwrite(SCJbPtr(
ctx.js), SCJbLen(
ctx.js), 1, fp);