63 static int rule_warnings_only = 0;
119 { 0,
false,
false,
true,
"http_uri",
"http uri" },
120 { 0,
false,
false,
false,
"http_raw_uri",
"http raw uri" },
121 { 0,
false,
true,
false,
"http_method",
"http method" },
122 { 0,
false,
false,
false,
"http_request_line",
"http request line" },
123 { 0,
false,
false,
false,
"http_client_body",
"http client body" },
124 { 0,
false,
false,
true,
"http_header",
"http header" },
125 { 0,
false,
false,
false,
"http_raw_header",
"http raw header" },
126 { 0,
false,
false,
true,
"http_cookie",
"http cookie" },
127 { 0,
false,
false,
false,
"http_user_agent",
"http user agent" },
128 { 0,
false,
false,
false,
"http_host",
"http host" },
129 { 0,
false,
false,
false,
"http_raw_host",
"http raw host" },
130 { 0,
false,
false,
false,
"http_accept_enc",
"http accept enc" },
131 { 0,
false,
false,
false,
"http_referer",
"http referer" },
132 { 0,
false,
false,
false,
"http_content_type",
"http content type" },
133 { 0,
false,
false,
false,
"http_header_names",
"http header names" },
136 { 0,
false,
false,
false,
"http_stat_msg",
"http stat msg" },
137 { 0,
false,
false,
false,
"http_stat_code",
"http stat code" },
138 { 0,
false,
true,
false,
"file_data",
"http server body" },
141 { 0,
false,
false,
false,
"http_request_line",
"http request line" },
142 { 0,
false,
false,
false,
"http_accept",
"http accept" },
143 { 0,
false,
false,
false,
"http_accept_lang",
"http accept lang" },
144 { 0,
false,
false,
false,
"http_connection",
"http connection" },
145 { 0,
false,
false,
false,
"http_content_len",
"http content len" },
146 { 0,
false,
false,
false,
"http_protocol",
"http protocol" },
147 { 0,
false,
false,
false,
"http_start",
"http start" },
150 { 0,
false,
false,
false,
"http_response_line",
"http response line" },
151 { 0,
false,
false,
false,
"http.server",
"http server" },
152 { 0,
false,
false,
false,
"http.location",
"http location" },
155 static void FpPatternStatsAdd(
FpPatternStats *fp,
int list, uint16_t patlen)
164 else if (patlen < f->min)
176 int fast_pattern_set = 0;
177 int fast_pattern_only_set = 0;
178 int fast_pattern_chop_set = 0;
183 if (mpm_sm != NULL) {
186 fast_pattern_set = 1;
188 fast_pattern_only_set = 1;
190 fast_pattern_chop_set = 1;
196 fprintf(fp,
"== Sid: %u ==\n", s->
id);
197 fprintf(fp,
"%s\n", line);
199 fprintf(fp,
" Fast Pattern analysis:\n");
201 fprintf(fp,
" Prefilter on: %s\n",
208 fprintf(fp,
" No content present\n");
213 fprintf(fp,
" Fast pattern matcher: ");
214 int list_type = mpm_sm_list;
216 fprintf(fp,
"content\n");
221 fprintf(fp,
"%s (%s)\n", desc,
name);
226 fprintf(fp,
" Flags:");
228 fprintf(fp,
" Offset");
231 fprintf(fp,
" Depth");
235 fprintf(fp,
" Within");
239 fprintf(fp,
" Distance");
243 fprintf(fp,
" Nocase");
247 fprintf(fp,
" Negated");
251 fprintf(fp,
" None");
254 fprintf(fp,
" Fast pattern set: %s\n", fast_pattern_set ?
"yes" :
"no");
255 fprintf(fp,
" Fast pattern only set: %s\n", fast_pattern_only_set ?
"yes" :
"no");
256 fprintf(fp,
" Fast pattern chop set: %s\n", fast_pattern_chop_set ?
"yes" :
"no");
257 if (fast_pattern_chop_set) {
258 fprintf(fp,
" Fast pattern offset, length: %u, %u\n", fp_cd->
fp_chop_offset,
269 fprintf(fp,
" Original content: ");
273 if (fast_pattern_chop_set) {
282 fprintf(fp,
" Final content: ");
288 fprintf(fp,
" Final content: ");
317 char *log_path =
SCMalloc(PATH_MAX);
318 if (log_path == NULL) {
319 FatalError(
"Unable to allocate scratch memory for rule filename");
321 snprintf(log_path, PATH_MAX,
"%s/%s%s", log_dir,
324 FILE *fp = fopen(log_path,
"w");
326 SCLogError(
"failed to open %s: %s", log_path, strerror(errno));
333 SCLogInfo(
"Engine-Analysis for fast_pattern printed to file - %s",
338 gettimeofday(&tval, NULL);
340 struct tm *tms =
SCLocalTime(tval.tv_sec, &local_tm);
341 fprintf(fp,
"----------------------------------------------"
342 "---------------------\n");
344 "Date: %" PRId32
"/%" PRId32
"/%04d -- "
346 tms->tm_mday, tms->tm_mon + 1, tms->tm_year + 1900, tms->tm_hour, tms->tm_min,
348 fprintf(fp,
"----------------------------------------------"
349 "---------------------\n");
362 #define DETECT_PERCENT_ENCODING_REGEX "%[0-9|a-f|A-F]{2}"
368 PCRE2_ZERO_TERMINATED, opts, &en, &eo, NULL);
370 PCRE2_UCHAR errbuffer[256];
371 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
392 }
else if (value && strcasecmp(value,
"warnings-only") == 0) {
394 rule_warnings_only = 1;
399 char log_path[PATH_MAX];
400 snprintf(log_path,
sizeof(log_path),
"%s/%s%s", log_dir,
404 SCLogError(
"failed to open %s: %s", log_path, strerror(errno));
408 SCLogInfo(
"Engine-Analysis for rules printed to file - %s",
412 gettimeofday(&tval, NULL);
414 struct tm *tms =
SCLocalTime(tval.tv_sec, &local_tm);
416 "----------------------------------------------"
417 "---------------------\n");
419 "Date: %" PRId32
"/%" PRId32
"/%04d -- "
421 tms->tm_mday, tms->tm_mon + 1, tms->tm_year + 1900, tms->tm_hour, tms->tm_min,
424 "----------------------------------------------"
425 "---------------------\n");
428 if (!PerCentEncodingSetup(
de_ctx->
ea)) {
430 "Error compiling regex; can't check for percent encoding in normalized "
436 SCLogInfo(
"Conf parameter \"engine-analysis.rules\" not found. "
437 "Defaulting to not printing the rules analysis report.");
440 SCLogInfo(
"Engine-Analysis for rules disabled in conf file.");
449 fprintf(fp,
"============\n"
450 "Summary:\n============\n");
458 "%s, smallest pattern %u byte(s), longest pattern %u byte(s), number of patterns "
459 "%u, avg pattern len %.2f byte(s)\n",
461 (
float)((
double)f->
tot / (
float)f->
cnt));
481 *fp_analysis =
false;
482 *rule_analysis =
false;
486 FatalError(
"Unable to allocate per-engine analysis context");
491 if (cfg_prefix_len > 0) {
496 FatalError(
"Unable to allocate per-engine analysis context name buffer");
502 *fp_analysis = SetupFPAnalyzer(
de_ctx);
503 *rule_analysis = SetupRuleAnalyzer(
de_ctx);
505 if (!(*fp_analysis || *rule_analysis)) {
518 CleanupRuleAnalyzer(
de_ctx);
519 CleanupFPAnalyzer(
de_ctx);
536 static int PerCentEncodingMatch(
EngineAnalysisCtx *ea_ctx, uint8_t *content, uint16_t content_len)
540 pcre2_match_data *match = pcre2_match_data_create_from_pattern(ea_ctx->
percent_re, NULL);
541 ret = pcre2_match(ea_ctx->
percent_re, (PCRE2_SPTR8)content, content_len, 0, 0, match, NULL);
544 }
else if (ret < -1) {
545 SCLogError(
"Error parsing content - %s; error code is %d", content, ret);
548 pcre2_match_data_free(match);
558 if (mpm_sm != NULL) {
596 const int list_type = mpm_sm_list;
605 payload ? (stream ?
"payload and reassembled stream" :
"payload")
606 :
"reassembled stream");
613 }
else if (desc ||
name) {
633 fprintf(tmp_fp,
"== Sid: UNKNOWN ==\n");
634 fprintf(tmp_fp,
"%s\n", line);
635 fprintf(tmp_fp,
" FAILURE: invalid rule.\n");
636 fprintf(tmp_fp,
" File: %s.\n", file);
637 fprintf(tmp_fp,
" Line: %d.\n", lineno);
638 fprintf(tmp_fp,
"\n");
655 vsnprintf(
str,
sizeof(
str), fmt, ap);
659 ctx->js_notes = SCJbNewArray();
661 SCJbAppendString(
ctx->js_notes,
str);
670 vsnprintf(
str,
sizeof(
str), fmt, ap);
673 if (!
ctx->js_warnings)
674 ctx->js_warnings = SCJbNewArray();
675 if (
ctx->js_warnings)
676 SCJbAppendString(
ctx->js_warnings,
str);
679 #define CHECK(pat) if (strlen((pat)) <= len && memcmp((pat), buf, MIN(len, strlen((pat)))) == 0) return true;
681 static bool LooksLikeHTTPMethod(
const uint8_t *buf, uint16_t
len)
690 static bool LooksLikeHTTPUA(
const uint8_t *buf, uint16_t
len)
692 CHECK(
"User-Agent: ");
693 CHECK(
"\nUser-Agent: ");
699 char pattern_str[1024] =
"";
702 SCJbSetString(js,
"pattern", pattern_str);
711 SCJbSetUint(js,
"offset", cd->
offset);
714 SCJbSetUint(js,
"depth", cd->
depth);
717 SCJbSetInt(js,
"distance", cd->
distance);
720 SCJbSetInt(js,
"within", cd->
within);
739 SCJbOpenArray(js,
"matches");
743 SCJbSetString(js,
"name", mname);
749 SCJbOpenObject(js,
"content");
752 AnalyzerNote(
ctx, (
char *)
"'fast_pattern:only' option is silently ignored and "
753 "is interpreted as regular 'fast_pattern'");
757 (
char *)
"pattern looks like it inspects HTTP, use http.request_line or "
758 "http.method and http.uri instead for improved performance");
762 (
char *)
"pattern looks like it inspects HTTP, use http.user_agent "
763 "or http.header for improved performance");
766 AnalyzerNote(
ctx, (
char *)
"'within' option for pattern w/o previous content "
767 "was converted to 'depth'");
770 AnalyzerNote(
ctx, (
char *)
"'distance' option for pattern w/o previous content "
771 "was converted to 'offset'");
779 SCJbOpenObject(js,
"pcre");
784 (
char *)
"'/B' (rawbytes) option is a no-op and is silently ignored");
787 AnalyzerNote(
ctx, (
char *)
"pcre with \\X (Unicode extended grapheme cluster) "
795 SCJbOpenObject(js,
"byte_jump");
796 SCJbSetUint(js,
"nbytes", cd->
nbytes);
797 SCJbSetInt(js,
"offset", cd->
offset);
798 SCJbSetUint(js,
"multiplier", cd->
multiplier);
802 SCJbSetString(js,
"base",
"unset");
805 SCJbSetString(js,
"base",
"oct");
808 SCJbSetString(js,
"base",
"dec");
811 SCJbSetString(js,
"base",
"hex");
814 SCJbOpenArray(js,
"flags");
816 SCJbAppendString(js,
"from_beginning");
818 SCJbAppendString(js,
"little_endian");
820 SCJbAppendString(js,
"big_endian");
822 SCJbAppendString(js,
"string");
824 SCJbAppendString(js,
"relative");
826 SCJbAppendString(js,
"align");
828 SCJbAppendString(js,
"dce");
830 SCJbAppendString(js,
"offset_be");
832 SCJbAppendString(js,
"from_end");
840 SCJbOpenObject(js,
"byte_test");
841 SCJbSetUint(js,
"nbytes", cd->
nbytes);
842 SCJbSetInt(js,
"offset", cd->
offset);
845 SCJbSetString(js,
"base",
"unset");
848 SCJbSetString(js,
"base",
"oct");
851 SCJbSetString(js,
"base",
"dec");
854 SCJbSetString(js,
"base",
"hex");
857 SCJbOpenArray(js,
"flags");
859 SCJbAppendString(js,
"little_endian");
861 SCJbAppendString(js,
"big_endian");
863 SCJbAppendString(js,
"string");
865 SCJbAppendString(js,
"relative");
867 SCJbAppendString(js,
"dce");
874 SCJbOpenObject(js,
"absent");
875 SCJbSetBool(js,
"or_else", dad->
or_else);
883 SCJbOpenObject(js,
"ipopts");
885 SCJbSetString(js,
"option", flag);
892 SCJbOpenObject(js,
"flowbits");
895 SCJbSetString(js,
"cmd",
"isset");
898 SCJbSetString(js,
"cmd",
"isnotset");
901 SCJbSetString(js,
"cmd",
"set");
904 SCJbSetString(js,
"cmd",
"unset");
908 SCJbOpenArray(js,
"names");
914 const char *varname =
916 SCJbAppendString(js, varname);
921 SCJbSetString(js,
"operator",
"or");
929 SCJbOpenObject(js,
"xbits");
932 SCJbSetString(js,
"cmd",
"isset");
935 SCJbSetString(js,
"cmd",
"isnotset");
938 SCJbSetString(js,
"cmd",
"set");
941 SCJbSetString(js,
"cmd",
"unset");
944 SCJbSetString(js,
"cmd",
"toggle");
950 SCJbSetString(js,
"track",
"ip_src");
953 SCJbSetString(js,
"track",
"ip_dst");
956 SCJbSetString(js,
"track",
"ip_pair");
959 SCJbSetString(js,
"track",
"tx");
963 SCJbSetUint(js,
"expire", xd->
expire);
970 SCJbOpenObject(js,
"flowint");
973 SCJbSetString(js,
"cmd",
"set");
976 SCJbSetString(js,
"cmd",
"add");
979 SCJbSetString(js,
"cmd",
"sub");
982 SCJbSetString(js,
"cmd",
"lt");
985 SCJbSetString(js,
"cmd",
"lte");
988 SCJbSetString(js,
"cmd",
"eq");
991 SCJbSetString(js,
"cmd",
"ne");
994 SCJbSetString(js,
"cmd",
"gte");
997 SCJbSetString(js,
"cmd",
"gt");
1000 SCJbSetString(js,
"cmd",
"isset");
1003 SCJbSetString(js,
"cmd",
"isnotset");
1007 if (varname != NULL) {
1008 SCJbSetString(js,
"var", varname);
1022 SCJbOpenObject(js,
"ack");
1023 SCDetectU32ToJson(js, cd);
1029 SCJbOpenObject(js,
"seq");
1030 SCDetectU32ToJson(js, cd);
1036 SCJbOpenObject(js,
"tcp_mss");
1037 SCDetectU16ToJson(js, cd);
1043 SCJbOpenObject(js,
"dsize");
1044 SCDetectU16ToJson(js, cd);
1050 SCJbOpenObject(js,
"code");
1051 SCDetectU8ToJson(js, cd);
1057 SCJbOpenObject(js,
"ttl");
1058 SCDetectU8ToJson(js, cd);
1064 SCJbOpenObject(js,
"id");
1065 SCDetectU16ToJson(js, cd);
1071 SCJbOpenObject(js,
"window");
1072 SCDetectU16ToJson(js, cd);
1078 SCJbOpenObject(js,
"flow_age");
1079 SCDetectU32ToJson(js, cd);
1084 const uint8_t *dfd = (
const uint8_t *)smd->
ctx;
1085 SCJbOpenObject(js,
"flow_elephant");
1087 case DETECT_FLOW_TOSERVER:
1088 SCJbSetString(js,
"dir",
"toserver");
1090 case DETECT_FLOW_TOCLIENT:
1091 SCJbSetString(js,
"dir",
"toclient");
1093 case DETECT_FLOW_TOEITHER:
1094 SCJbSetString(js,
"dir",
"either");
1096 case DETECT_FLOW_TOBOTH:
1097 SCJbSetString(js,
"dir",
"both");
1105 SCJbOpenObject(js,
"app_layer_protocol");
1108 SCJbOpenArray(js,
"protocols");
1109 for (uint16_t i = 0; i < n; i++) {
1114 SCJbSetBool(js,
"negated", ad->
negated);
1135 ctx.js = SCJbNewObject();
1146 SCJbSetUint(
ctx.js,
"id", s->
id);
1147 SCJbSetUint(
ctx.js,
"gid", s->
gid);
1148 SCJbSetUint(
ctx.js,
"rev", s->
rev);
1149 SCJbSetString(
ctx.js,
"msg", s->
msg);
1152 SCJbSetString(
ctx.js,
"app_proto", alproto);
1154 SCJbOpenArray(
ctx.js,
"requirements");
1156 SCJbAppendString(
ctx.js,
"payload");
1159 SCJbAppendString(
ctx.js,
"no_payload");
1162 SCJbAppendString(
ctx.js,
"flow");
1165 SCJbAppendString(
ctx.js,
"tcp_flags_init_deinit");
1168 SCJbAppendString(
ctx.js,
"tcp_flags_unusual");
1171 SCJbAppendString(
ctx.js,
"engine_event");
1174 SCJbAppendString(
ctx.js,
"real_pkt");
1178 SCJbOpenObject(
ctx.js,
"match_policy");
1179 SCJbOpenArray(
ctx.js,
"actions");
1181 SCJbAppendString(
ctx.js,
"alert");
1184 SCJbAppendString(
ctx.js,
"drop");
1187 SCJbAppendString(
ctx.js,
"reject");
1190 SCJbAppendString(
ctx.js,
"reject_dst");
1193 SCJbAppendString(
ctx.js,
"reject_both");
1196 SCJbAppendString(
ctx.js,
"config");
1199 SCJbAppendString(
ctx.js,
"pass");
1202 SCJbAppendString(
ctx.js,
"accept");
1208 switch (flow_action) {
1210 SCJbSetString(
ctx.js,
"scope",
"packet");
1213 SCJbSetString(
ctx.js,
"scope",
"flow");
1216 SCJbSetString(
ctx.js,
"scope",
"flow_if_stateful");
1223 SCJbSetString(
ctx.js,
"scope",
"packet");
1226 SCJbSetString(
ctx.js,
"scope",
"flow");
1229 SCJbSetString(
ctx.js,
"scope",
"hook");
1232 SCJbSetString(
ctx.js,
"scope",
"tx");
1242 SCJbSetString(
ctx.js,
"type",
"unset");
1245 SCJbSetString(
ctx.js,
"type",
"ip_only");
1248 SCJbSetString(
ctx.js,
"type",
"like_ip_only");
1251 SCJbSetString(
ctx.js,
"type",
"pd_only");
1254 SCJbSetString(
ctx.js,
"type",
"de_only");
1257 SCJbSetString(
ctx.js,
"type",
"pkt");
1260 SCJbSetString(
ctx.js,
"type",
"pkt_stream");
1263 SCJbSetString(
ctx.js,
"type",
"stream");
1266 SCJbSetString(
ctx.js,
"type",
"app_layer");
1269 SCJbSetString(
ctx.js,
"type",
"app_tx");
1272 SCJbSetString(
ctx.js,
"type",
"error");
1278 SCJbOpenObject(
ctx.js,
"dependencies");
1279 SCJbOpenObject(
ctx.js,
"flowbits");
1280 SCJbOpenObject(
ctx.js,
"upstream");
1282 SCJbOpenObject(
ctx.js,
"state_modifying_rules");
1283 SCJbOpenArray(
ctx.js,
"sids");
1288 SCJbOpenArray(
ctx.js,
"names");
1291 SCJbAppendString(
ctx.js,
1304 SCJbOpenArray(
ctx.js,
"flags");
1306 SCJbAppendString(
ctx.js,
"src_any");
1309 SCJbAppendString(
ctx.js,
"dst_any");
1312 SCJbAppendString(
ctx.js,
"sp_any");
1315 SCJbAppendString(
ctx.js,
"dp_any");
1318 SCJbAppendString(
ctx.js,
"noalert");
1321 SCJbAppendString(
ctx.js,
"dsize");
1324 SCJbAppendString(
ctx.js,
"applayer");
1327 SCJbAppendString(
ctx.js,
"need_packet");
1330 SCJbAppendString(
ctx.js,
"need_stream");
1333 SCJbAppendString(
ctx.js,
"negated_mpm");
1336 SCJbAppendString(
ctx.js,
"flush");
1339 SCJbAppendString(
ctx.js,
"need_flowvar");
1342 SCJbAppendString(
ctx.js,
"filestore");
1345 SCJbAppendString(
ctx.js,
"toserver");
1348 SCJbAppendString(
ctx.js,
"toclient");
1351 SCJbAppendString(
ctx.js,
"tlsstore");
1354 SCJbAppendString(
ctx.js,
"bypass");
1357 SCJbAppendString(
ctx.js,
"prefilter");
1360 SCJbAppendString(
ctx.js,
"src_is_target");
1363 SCJbAppendString(
ctx.js,
"dst_is_target");
1370 SCJbOpenArray(
ctx.js,
"pkt_engines");
1372 for ( ; pkt != NULL; pkt = pkt->
next) {
1387 SCJbStartObject(
ctx.js);
1388 SCJbSetString(
ctx.js,
"name",
name);
1389 SCJbSetBool(
ctx.js,
"is_mpm", pkt->
mpm);
1391 SCJbOpenArray(
ctx.js,
"transforms");
1393 SCJbStartObject(
ctx.js);
1394 SCJbSetString(
ctx.js,
"name",
1407 SCJbOpenArray(
ctx.js,
"frame_engines");
1409 for (; frame != NULL; frame = frame->
next) {
1411 SCJbStartObject(
ctx.js);
1412 SCJbSetString(
ctx.js,
"name",
name);
1413 SCJbSetBool(
ctx.js,
"is_mpm", frame->
mpm);
1415 SCJbOpenArray(
ctx.js,
"transforms");
1417 SCJbStartObject(
ctx.js);
1418 SCJbSetString(
ctx.js,
"name",
1430 bool has_stream =
false;
1431 bool has_client_body_mpm =
false;
1432 bool has_file_data_mpm =
false;
1434 SCJbOpenArray(
ctx.js,
"engines");
1436 for ( ; app != NULL; app = app->
next) {
1451 }
else if (app->
mpm && strcmp(
name,
"http_client_body") == 0) {
1452 has_client_body_mpm =
true;
1453 }
else if (app->
mpm && strcmp(
name,
"file_data") == 0) {
1454 has_file_data_mpm =
true;
1457 SCJbStartObject(
ctx.js);
1458 SCJbSetString(
ctx.js,
"name",
name);
1459 const char *direction = app->
dir == 0 ?
"toserver" :
"toclient";
1460 SCJbSetString(
ctx.js,
"direction", direction);
1461 SCJbSetBool(
ctx.js,
"is_mpm", app->
mpm);
1465 SCJbSetString(
ctx.js,
"sub_state",
1469 SCJbOpenArray(
ctx.js,
"transforms");
1471 SCJbStartObject(
ctx.js);
1472 SCJbSetString(
ctx.js,
"name",
1486 if (has_stream && has_client_body_mpm)
1487 AnalyzerNote(&
ctx, (
char *)
"mpm in http_client_body combined with stream match leads to stream buffering");
1488 if (has_stream && has_file_data_mpm)
1489 AnalyzerNote(&
ctx, (
char *)
"mpm in file_data combined with stream match leads to stream buffering");
1492 SCJbOpenObject(
ctx.js,
"lists");
1502 if (pkt_mpm || app_mpm) {
1503 SCJbOpenObject(
ctx.js,
"mpm");
1511 SCJbSetString(
ctx.js,
"buffer",
name);
1519 switch (smd->
type) {
1523 DumpContent(
ctx.js, cd);
1535 SCJbOpenObject(
ctx.js,
"prefilter");
1542 SCJbSetString(
ctx.js,
"buffer",
name);
1544 SCJbSetString(
ctx.js,
"name", mname);
1548 if (
ctx.js_warnings) {
1549 SCJbClose(
ctx.js_warnings);
1550 SCJbSetObject(
ctx.js,
"warnings",
ctx.js_warnings);
1551 SCJbFree(
ctx.js_warnings);
1552 ctx.js_warnings = NULL;
1555 SCJbClose(
ctx.js_notes);
1556 SCJbSetObject(
ctx.js,
"notes",
ctx.js_notes);
1557 SCJbFree(
ctx.js_notes);
1558 ctx.js_notes = NULL;
1562 const char *filename =
"rules.json";
1564 char json_path[PATH_MAX] =
"";
1565 snprintf(json_path,
sizeof(json_path),
"%s/%s%s", log_dir,
1569 FILE *fp = fopen(json_path,
"a");
1571 fwrite(SCJbPtr(
ctx.js), SCJbLen(
ctx.js), 1, fp);
1585 SCJsonBuilder *root_jb = SCJbNewObject();
1586 if (root_jb == NULL) {
1590 if (arrays == NULL) {
1595 SCJbOpenArray(root_jb,
"buffers");
1599 char str[1024] =
"";
1603 SCJsonBuilder *jb = arrays[
p->sm_list];
1604 if (arrays[
p->sm_list] == NULL) {
1605 jb = arrays[
p->sm_list] = SCJbNewObject();
1611 SCJbSetString(jb,
"name",
name);
1612 SCJbSetUint(jb,
"list_id",
p->sm_list);
1614 SCJbOpenArray(jb,
"patterns");
1617 SCJbStartObject(jb);
1618 SCJbSetString(jb,
"pattern",
str);
1619 SCJbSetUint(jb,
"patlen",
p->cd->content_len);
1620 SCJbSetUint(jb,
"cnt",
p->cnt);
1621 SCJbSetUint(jb,
"mpm",
p->mpm);
1622 SCJbOpenObject(jb,
"flags");
1633 SCJsonBuilder *jb = arrays[i];
1640 SCJbAppendObject(root_jb, jb);
1646 const char *filename =
"patterns.json";
1648 char json_path[PATH_MAX] =
"";
1649 snprintf(json_path,
sizeof(json_path),
"%s/%s%s", log_dir,
1653 FILE *fp = fopen(json_path,
"a");
1655 fwrite(SCJbPtr(root_jb), SCJbLen(root_jb), 1, fp);
1677 EngineAnalysisItemsReset(ea_ctx);
1685 FatalError(
"Unable to allocate analysis scratch pad");
1695 analyzer_item->
item_id = (uint16_t)item_id;
1696 if (analyzer_item->
item_id == -1) {
1698 FatalError(
"unable to initialize engine-analysis table: detect buffer \"%s\" not "
1731 uint32_t rule_bidirectional = 0;
1732 uint32_t rule_pcre = 0;
1733 uint32_t rule_pcre_http = 0;
1734 uint32_t rule_content = 0;
1735 uint32_t rule_flow = 0;
1736 uint32_t rule_flags = 0;
1737 uint32_t rule_flow_toserver = 0;
1738 uint32_t rule_flow_toclient = 0;
1739 uint32_t rule_flow_nostream = 0;
1740 uint32_t rule_ipv4_only = 0;
1741 uint32_t rule_ipv6_only = 0;
1742 uint32_t rule_flowbits = 0;
1743 uint32_t rule_flowint = 0;
1744 uint32_t rule_content_http = 0;
1745 uint32_t rule_content_offset_depth = 0;
1746 int32_t list_id = 0;
1747 uint32_t rule_warning = 0;
1748 uint32_t stream_buf = 0;
1749 uint32_t packet_buf = 0;
1750 uint32_t file_store = 0;
1751 uint32_t warn_pcre_no_content = 0;
1752 uint32_t warn_pcre_http_content = 0;
1753 uint32_t warn_pcre_http = 0;
1754 uint32_t warn_content_http_content = 0;
1755 uint32_t warn_content_http = 0;
1756 uint32_t warn_tcp_no_flow = 0;
1757 uint32_t warn_client_ports = 0;
1758 uint32_t warn_direction = 0;
1759 uint32_t warn_method_toclient = 0;
1760 uint32_t warn_method_serverbody = 0;
1761 uint32_t warn_pcre_method = 0;
1762 uint32_t warn_encoding_norm_http_buf = 0;
1763 uint32_t warn_file_store_not_present = 0;
1764 uint32_t warn_offset_depth_pkt_stream = 0;
1765 uint32_t warn_offset_depth_alproto = 0;
1766 uint32_t warn_non_alproto_fp_for_alproto_sig = 0;
1767 uint32_t warn_no_direction = 0;
1768 uint32_t warn_both_direction = 0;
1770 EngineAnalysisItemsInit(
de_ctx->
ea);
1776 rule_bidirectional = 1;
1790 rule_ipv4_only += 1;
1793 rule_ipv6_only += 1;
1801 if (item_slot == -1) {
1809 if (item_slot == -1) {
1814 rule_content_offset_depth++;
1820 rule_content_http++;
1827 warn_encoding_norm_http_buf += 1;
1834 rule_flow_toserver = 1;
1837 rule_flow_toclient = 1;
1842 rule_flow_nostream = 1;
1856 if (sm->
ctx != NULL) {
1866 warn_file_store_not_present = 1;
1869 if (rule_pcre > 0 && rule_content == 0 && rule_content_http == 0) {
1871 warn_pcre_no_content = 1;
1874 if (rule_content_http > 0 && rule_pcre > 0 && rule_pcre_http == 0) {
1876 warn_pcre_http_content = 1;
1882 if (rule_content > 0 && rule_content_http > 0) {
1884 warn_content_http_content = 1;
1888 warn_content_http = 1;
1890 if (rule_content == 1) {
1895 (rule_content || rule_content_http || rule_pcre || rule_pcre_http || rule_flowbits ||
1898 warn_tcp_no_flow = 1;
1900 if (rule_flow && !rule_bidirectional && (rule_flow_toserver || rule_flow_toclient)
1905 warn_client_ports = 1;
1908 if (rule_flow && rule_bidirectional && (rule_flow_toserver || rule_flow_toclient)) {
1913 if (*http_method_item_seen_ptr) {
1914 if (rule_flow && rule_flow_toclient) {
1916 warn_method_toclient = 1;
1918 if (*http_server_body_item_seen_ptr) {
1920 warn_method_serverbody = 1;
1922 if (rule_content == 0 && rule_content_http == 0 && (rule_pcre > 0 || rule_pcre_http > 0)) {
1924 warn_pcre_method = 1;
1927 if (rule_content_offset_depth > 0 && stream_buf && packet_buf) {
1929 warn_offset_depth_pkt_stream = 1;
1933 warn_offset_depth_alproto = 1;
1938 warn_non_alproto_fp_for_alproto_sig = 1;
1942 warn_no_direction += 1;
1950 warn_both_direction += 1;
1955 if (!rule_warnings_only || (rule_warnings_only && rule_warning > 0)) {
1957 fprintf(fp,
"== Sid: %u ==\n", s->
id);
1958 fprintf(fp,
"%s\n", line);
1964 fprintf(fp,
" Rule is ip only.\n");
1967 fprintf(fp,
" Rule is like ip only.\n");
1970 fprintf(fp,
" Rule is PD only.\n");
1973 fprintf(fp,
" Rule is DE only.\n");
1976 fprintf(fp,
" Rule is packet inspecting.\n");
1979 fprintf(fp,
" Rule is packet and stream inspecting.\n");
1982 fprintf(fp,
" Rule is stream inspecting.\n");
1985 fprintf(fp,
" Rule is app-layer inspecting.\n");
1988 fprintf(fp,
" Rule is App-layer TX inspecting.\n");
1994 fprintf(fp,
" Rule is IPv6 only.\n");
1996 fprintf(fp,
" Rule is IPv4 only.\n");
1998 fprintf(fp,
" Rule matches on packets.\n");
1999 if (!rule_flow_nostream && stream_buf &&
2000 (rule_flow || rule_flowbits || rule_flowint || rule_content || rule_pcre)) {
2001 fprintf(fp,
" Rule matches on reassembled stream.\n");
2006 fprintf(fp,
" Rule matches on %s buffer.\n", ai->
display_name);
2012 if (rule_content || rule_content_http || rule_pcre || rule_pcre_http) {
2014 " Rule contains %u content options, %u http content options, %u pcre "
2015 "options, and %u pcre options with http modifiers.\n",
2016 rule_content, rule_content_http, rule_pcre, rule_pcre_http);
2021 fprintf(fp,
" Prefilter on: %s.\n",
2024 EngineAnalysisRulesPrintFP(
de_ctx, s);
2028 if (warn_pcre_no_content ) {
2029 fprintf(fp,
" Warning: Rule uses pcre without a content option present.\n"
2030 " -Consider adding a content to improve performance of this "
2033 if (warn_pcre_http_content ) {
2034 fprintf(fp,
" Warning: Rule uses content options with http_* and pcre options "
2035 "without http modifiers.\n"
2036 " -Consider adding http pcre modifier.\n");
2038 else if (warn_pcre_http ) {
2039 fprintf(fp,
" Warning: Rule app layer protocol is http, but pcre options do not "
2040 "have http modifiers.\n"
2041 " -Consider adding http pcre modifiers.\n");
2043 if (warn_content_http_content ) {
2045 " Warning: Rule contains content with http_* and content without http_*.\n"
2046 " -Consider adding http content modifiers.\n");
2048 if (warn_content_http ) {
2049 fprintf(fp,
" Warning: Rule app layer protocol is http, but content options do not "
2050 "have http_* modifiers.\n"
2051 " -Consider adding http content modifiers.\n");
2053 if (rule_content == 1) {
2056 if (warn_encoding_norm_http_buf) {
2057 fprintf(fp,
" Warning: Rule may contain percent encoded content for a normalized "
2058 "http buffer match.\n");
2060 if (warn_tcp_no_flow
2062 fprintf(fp,
" Warning: TCP rule without a flow or flags option.\n"
2063 " -Consider adding flow or flags to improve performance of "
2066 if (warn_client_ports
2071 " Warning: Rule contains ports or port variables only on the client side.\n"
2072 " -Flow direction possibly inconsistent with rule.\n");
2074 if (warn_direction ) {
2075 fprintf(fp,
" Warning: Rule is bidirectional and has a flow option with a specific "
2078 if (warn_method_toclient ) {
2079 fprintf(fp,
" Warning: Rule uses content or pcre for http_method with "
2080 "flow:to_client or from_server\n");
2082 if (warn_method_serverbody ) {
2083 fprintf(fp,
" Warning: Rule uses content or pcre for http_method with content or "
2084 "pcre for http_server_body.\n");
2086 if (warn_pcre_method
2088 fprintf(fp,
" Warning: Rule uses pcre with only a http_method content; possible "
2089 "performance issue.\n");
2091 if (warn_offset_depth_pkt_stream) {
2092 fprintf(fp,
" Warning: Rule has depth"
2093 "/offset with raw content keywords. Please note the "
2094 "offset/depth will be checked against both packet "
2095 "payloads and stream. If you meant to have the offset/"
2096 "depth checked against just the payload, you can update "
2097 "the signature as \"alert tcp-pkt...\"\n");
2099 if (warn_offset_depth_alproto) {
2101 " Warning: Rule has "
2102 "offset/depth set along with a match on a specific "
2103 "app layer protocol - %d. This can lead to FNs if we "
2104 "have a offset/depth content match on a packet payload "
2105 "before we can detect the app layer protocol for the "
2109 if (warn_non_alproto_fp_for_alproto_sig) {
2110 fprintf(fp,
" Warning: Rule app layer "
2111 "protocol is http, but the fast_pattern is set on the raw "
2112 "stream. Consider adding fast_pattern over a http "
2113 "buffer for increased performance.");
2115 if (warn_no_direction) {
2116 fprintf(fp,
" Warning: Rule has no direction indicator.\n");
2118 if (warn_both_direction) {
2119 fprintf(fp,
" Warning: Rule is inspecting both the request and the response.\n");
2121 if (warn_file_store_not_present) {
2122 fprintf(fp,
" Warning: Rule requires file-store but the output file-store is not "
2125 if (rule_warning == 0) {
2126 fprintf(fp,
" No warnings for this rule.\n");
2135 const uint8_t sub_state,
const uint8_t state,
const uint8_t direction)
2137 char policy_string[64] =
"";
2154 snprintf(policy_string,
sizeof(policy_string),
"rejectdst:%s", as);
2156 snprintf(policy_string,
sizeof(policy_string),
"rejectboth:%s", as);
2158 snprintf(policy_string,
sizeof(policy_string),
"rejectsrc:%s", as);
2161 snprintf(policy_string,
sizeof(policy_string),
"drop:%s", as);
2163 snprintf(policy_string,
sizeof(policy_string),
"accept:%s", as);
2169 strlcat(policy_string,
",pass:flow",
sizeof(policy_string));
2174 SCJbSetString(
ctx->js,
"policy", policy_string);
2178 const uint8_t sub_state,
const uint8_t state,
const uint8_t direction,
RuleAnalyzer *
ctx)
2180 uint32_t accept_rules = 0;
2181 AddPolicy(
de_ctx,
ctx, a, sub_state, state, direction);
2182 SCJbOpenArray(
ctx->js,
"rules");
2191 if (direction == STREAM_TOSERVER) {
2206 bool skip_rule =
false;
2208 engine = engine->
next) {
2211 }
else if (engine->sub_state != sub_state) {
2232 if (accept_rules == 0) {
2233 AnalyzerWarning(
ctx, (
char *)
"no accept rules for state, default policy will be applied");
2240 ctx.js = SCJbNewObject();
2244 SCJbOpenObject(
ctx.js,
"tables");
2245 SCJbOpenObject(
ctx.js,
"packet:filter");
2246 SCJbSetString(
ctx.js,
"policy",
"drop:packet");
2247 SCJbOpenArray(
ctx.js,
"rules");
2248 uint32_t accept_rules = 0;
2249 uint32_t last_sid = 0;
2256 if (last_sid == s->
id)
2263 if (accept_rules == 0) {
2264 AnalyzerWarning(&
ctx,
2265 (
char *)
"no accept rules for \'packet:filter\', default policy will be applied");
2267 if (
ctx.js_warnings) {
2268 SCJbClose(
ctx.js_warnings);
2269 SCJbSetObject(
ctx.js,
"warnings",
ctx.js_warnings);
2270 SCJbFree(
ctx.js_warnings);
2271 ctx.js_warnings = NULL;
2276 if (!AppProtoIsValid(a))
2282 for (uint8_t sub_state = 1; sub_state <= max_sub_state; sub_state++) {
2285 for (uint8_t state = 0; state <= max_progress; state++) {
2287 a, sub_state, state, STREAM_TOSERVER);
2291 char table_name[256];
2292 snprintf(table_name,
sizeof(table_name),
"app:%s:%s:%s",
AppProtoToString(a),
2293 sub_state_name,
name);
2294 SCJbOpenObject(
ctx.js, table_name);
2295 FirewallAddRulesForState(
de_ctx, a, sub_state, state, STREAM_TOSERVER, &
ctx);
2296 if (
ctx.js_warnings) {
2297 SCJbClose(
ctx.js_warnings);
2298 SCJbSetObject(
ctx.js,
"warnings",
ctx.js_warnings);
2299 SCJbFree(
ctx.js_warnings);
2300 ctx.js_warnings = NULL;
2304 for (uint8_t state = 0; state <= max_progress; state++) {
2306 a, sub_state, state, STREAM_TOCLIENT);
2310 char table_name[256];
2311 snprintf(table_name,
sizeof(table_name),
"app:%s:%s:%s",
AppProtoToString(a),
2312 sub_state_name,
name);
2313 SCJbOpenObject(
ctx.js, table_name);
2314 FirewallAddRulesForState(
de_ctx, a, sub_state, state, STREAM_TOCLIENT, &
ctx);
2315 if (
ctx.js_warnings) {
2316 SCJbClose(
ctx.js_warnings);
2317 SCJbSetObject(
ctx.js,
"warnings",
ctx.js_warnings);
2318 SCJbFree(
ctx.js_warnings);
2319 ctx.js_warnings = NULL;
2330 const uint8_t complete_state_ts =
2333 for (uint8_t state = 0; state <= complete_state_ts; state++) {
2338 name =
"request-started";
2339 else if (state == complete_state_ts)
2340 name =
"request-complete";
2345 char table_name[128];
2347 SCJbOpenObject(
ctx.js, table_name);
2348 FirewallAddRulesForState(
de_ctx, a, 0, state, STREAM_TOSERVER, &
ctx);
2349 if (
ctx.js_warnings) {
2350 SCJbClose(
ctx.js_warnings);
2351 SCJbSetObject(
ctx.js,
"warnings",
ctx.js_warnings);
2352 SCJbFree(
ctx.js_warnings);
2353 ctx.js_warnings = NULL;
2357 const uint8_t complete_state_tc =
2359 for (uint8_t state = 0; state <= complete_state_tc; state++) {
2364 name =
"response-started";
2365 else if (state == complete_state_tc)
2366 name =
"response-complete";
2370 char table_name[128];
2372 SCJbOpenObject(
ctx.js, table_name);
2373 FirewallAddRulesForState(
de_ctx, a, 0, state, STREAM_TOCLIENT, &
ctx);
2374 if (
ctx.js_warnings) {
2375 SCJbClose(
ctx.js_warnings);
2376 SCJbSetObject(
ctx.js,
"warnings",
ctx.js_warnings);
2377 SCJbFree(
ctx.js_warnings);
2378 ctx.js_warnings = NULL;
2384 SCJbOpenObject(
ctx.js,
"packet:td");
2385 SCJbSetString(
ctx.js,
"policy",
"accept:hook");
2387 SCJbOpenArray(
ctx.js,
"rules");
2393 if (last_sid == s->
id)
2400 SCJbOpenObject(
ctx.js,
"app:td");
2401 SCJbSetString(
ctx.js,
"policy",
"accept:hook");
2403 SCJbOpenArray(
ctx.js,
"rules");
2409 if (last_sid == s->
id)
2418 SCJbOpenObject(
ctx.js,
"lists");
2419 SCJbOpenObject(
ctx.js,
"firewall");
2421 SCJbOpenArray(
ctx.js,
"rules");
2425 if (last_sid == s->
id)
2433 SCJbOpenObject(
ctx.js,
"td");
2435 SCJbOpenArray(
ctx.js,
"rules");
2439 if (last_sid == s->
id)
2447 SCJbOpenObject(
ctx.js,
"all");
2449 SCJbOpenArray(
ctx.js,
"rules");
2451 if (last_sid == s->
id)
2463 const char *filename =
"firewall.json";
2465 char json_path[PATH_MAX] =
"";
2466 snprintf(json_path,
sizeof(json_path),
"%s/%s", log_dir, filename);
2469 FILE *fp = fopen(json_path,
"w");
2471 fwrite(SCJbPtr(
ctx.js), SCJbLen(
ctx.js), 1, fp);