suricata
detect-engine-helper.h
Go to the documentation of this file.
1 /* Copyright (C) 2023 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Philippe Antoine <p.antoine@catenacyber.fr>
22  */
23 
24 #ifndef SURICATA_DETECT_ENGINE_HELPER_H
25 #define SURICATA_DETECT_ENGINE_HELPER_H
26 
27 #include "app-layer-protos.h"
28 #include "detect-engine-inspect-buffer.h"
29 
30 // type from flow.h with only forward declarations for bindgen
31 typedef struct Flow_ Flow;
32 // types from detect.h with only forward declarations for bindgen
33 // could be #ifndef SURICATA_BINDGEN_H #include "detect.h" #endif
34 typedef struct DetectEngineCtx_ DetectEngineCtx;
35 typedef struct Signature_ Signature;
36 typedef struct SigMatchCtx_ SigMatchCtx;
37 typedef struct DetectEngineThreadCtx_ DetectEngineThreadCtx;
38 typedef struct DetectEngineTransforms DetectEngineTransforms;
39 typedef InspectionBuffer *(*InspectionBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx,
40  const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
41  const int list_id);
42 typedef bool (*InspectionMultiBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx,
43  const void *txv, const uint8_t flow_flags, uint32_t local_id, const uint8_t **buf,
44  uint32_t *buf_len);
45 typedef bool (*InspectionSingleBufferGetDataPtr)(
46  const void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len);
47 
48 /// App-layer light version of SigTableElmt
49 typedef struct SCSigTableAppLiteElmt {
50  /// keyword name
51  const char *name;
52  /// keyword description
53  const char *desc;
54  /// keyword documentation url
55  const char *url;
56  /// flags SIGMATCH_*
57  uint16_t flags;
58  /// function callback to parse and setup keyword in rule
59  int (*Setup)(DetectEngineCtx *, Signature *, const char *);
60  /// function callback to free structure allocated by setup if any
61  void (*Free)(DetectEngineCtx *, void *);
62  /// function callback to match on an app-layer transaction
63  int (*AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv,
64  const Signature *, const SigMatchCtx *);
65 } SCSigTableAppLiteElmt;
66 
67 typedef struct SCTransformTableElmt {
68  const char *name;
69  const char *desc;
70  const char *url;
71  uint16_t flags;
72  int (*Setup)(DetectEngineCtx *, Signature *, const char *);
73  void (*Free)(DetectEngineCtx *, void *);
74  void (*Transform)(DetectEngineThreadCtx *, InspectionBuffer *, void *context);
75  bool (*TransformValidate)(const uint8_t *content, uint16_t content_len, void *context);
76  void (*TransformId)(const uint8_t **id_data, uint32_t *id_length, void *context);
77 } SCTransformTableElmt;
78 
79 int SCDetectHelperNewKeywordId(void);
80 
81 uint16_t SCDetectHelperKeywordRegister(const SCSigTableAppLiteElmt *kw);
82 void SCDetectHelperKeywordAliasRegister(uint16_t kwid, const char *alias);
83 int SCDetectHelperBufferRegister(const char *name, AppProto alproto, uint8_t direction);
84 
85 int SCDetectHelperBufferMpmRegister(const char *name, const char *desc, AppProto alproto,
86  uint8_t direction, InspectionSingleBufferGetDataPtr GetData);
87 int SCDetectHelperMultiBufferMpmRegister(const char *name, const char *desc, AppProto alproto,
88  uint8_t direction, InspectionMultiBufferGetDataPtr GetData);
89 int SCDetectHelperMultiBufferProgressMpmRegister(const char *name, const char *desc,
90  AppProto alproto, uint8_t direction, InspectionMultiBufferGetDataPtr GetData, int progress);
91 
92 int SCDetectHelperTransformRegister(const SCTransformTableElmt *kw);
93 
94 #endif /* SURICATA_DETECT_ENGINE_HELPER_H */
SCSigTableAppLiteElmt::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
function callback to match on an app-layer transaction
Definition: detect-engine-helper.h:63
SCSigTableAppLiteElmt::url
const char * url
keyword documentation url
Definition: detect-engine-helper.h:55
SCSigTableAppLiteElmt::name
const char * name
keyword name
Definition: detect-engine-helper.h:51
DetectEngineTransforms
Definition: detect.h:392
SCTransformTableElmt::url
const char * url
Definition: detect-engine-helper.h:70
SCTransformTableElmt::TransformValidate
bool(* TransformValidate)(const uint8_t *content, uint16_t content_len, void *context)
Definition: detect-engine-helper.h:75
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:86
SCDetectHelperBufferRegister
int SCDetectHelperBufferRegister(const char *name, AppProto alproto, uint8_t direction)
Definition: detect-engine-helper.c:34
SCDetectHelperMultiBufferProgressMpmRegister
int SCDetectHelperMultiBufferProgressMpmRegister(const char *name, const char *desc, AppProto alproto, uint8_t direction, InspectionMultiBufferGetDataPtr GetData, int progress)
Definition: detect-engine-helper.c:66
InspectionBuffer
Definition: detect-engine-inspect-buffer.h:34
SCTransformTableElmt::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect-engine-helper.h:72
SCTransformTableElmt
Definition: detect-engine-helper.h:67
Flow_
Flow data structure.
Definition: flow.h:356
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:919
SCDetectHelperTransformRegister
int SCDetectHelperTransformRegister(const SCTransformTableElmt *kw)
Definition: detect-engine-helper.c:129
SCTransformTableElmt::TransformId
void(* TransformId)(const uint8_t **id_data, uint32_t *id_length, void *context)
Definition: detect-engine-helper.h:76
SCSigTableAppLiteElmt::desc
const char * desc
keyword description
Definition: detect-engine-helper.h:53
SCTransformTableElmt
struct SCTransformTableElmt SCTransformTableElmt
SCTransformTableElmt::desc
const char * desc
Definition: detect-engine-helper.h:69
SCTransformTableElmt::name
const char * name
Definition: detect-engine-helper.h:68
SCSigTableAppLiteElmt
App-layer light version of SigTableElmt.
Definition: detect-engine-helper.h:49
detect-engine-inspect-buffer.h
DetectEngineThreadCtx_
Definition: detect.h:1211
SCDetectHelperKeywordAliasRegister
void SCDetectHelperKeywordAliasRegister(uint16_t kwid, const char *alias)
Definition: detect-engine-helper.c:124
SCDetectHelperMultiBufferMpmRegister
int SCDetectHelperMultiBufferMpmRegister(const char *name, const char *desc, AppProto alproto, uint8_t direction, InspectionMultiBufferGetDataPtr GetData)
Definition: detect-engine-helper.c:80
InspectionSingleBufferGetDataPtr
bool(* InspectionSingleBufferGetDataPtr)(const void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len)
Definition: detect-engine-helper.h:45
SCSigTableAppLiteElmt
struct SCSigTableAppLiteElmt SCSigTableAppLiteElmt
App-layer light version of SigTableElmt.
SCDetectHelperNewKeywordId
int SCDetectHelperNewKeywordId(void)
Definition: detect-engine-helper.c:86
SCSigTableAppLiteElmt::Free
void(* Free)(DetectEngineCtx *, void *)
function callback to free structure allocated by setup if any
Definition: detect-engine-helper.h:61
name
const char * name
Definition: tm-threads.c:2123
SCDetectHelperKeywordRegister
uint16_t SCDetectHelperKeywordRegister(const SCSigTableAppLiteElmt *kw)
Definition: detect-engine-helper.c:103
InspectionMultiBufferGetDataPtr
bool(* InspectionMultiBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const void *txv, const uint8_t flow_flags, uint32_t local_id, const uint8_t **buf, uint32_t *buf_len)
Definition: detect-engine-helper.h:42
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:352
SCSigTableAppLiteElmt::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
function callback to parse and setup keyword in rule
Definition: detect-engine-helper.h:59
SCDetectHelperBufferMpmRegister
int SCDetectHelperBufferMpmRegister(const char *name, const char *desc, AppProto alproto, uint8_t direction, InspectionSingleBufferGetDataPtr GetData)
Definition: detect-engine-helper.c:47
Signature_
Signature container.
Definition: detect.h:657
SCSigTableAppLiteElmt::flags
uint16_t flags
flags SIGMATCH_*
Definition: detect-engine-helper.h:57
SCTransformTableElmt::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect-engine-helper.h:73
app-layer-protos.h
SCTransformTableElmt::flags
uint16_t flags
Definition: detect-engine-helper.h:71
SCTransformTableElmt::Transform
void(* Transform)(DetectEngineThreadCtx *, InspectionBuffer *, void *context)
Definition: detect-engine-helper.h:74