suricata
detect-filesize.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the filesize keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "app-layer-protos.h"
28 #include "app-layer-htp.h"
29 #include "util-unittest.h"
30 #include "util-unittest-helper.h"
31 #include "util-misc.h"
32 
33 #include "detect.h"
34 #include "detect-parse.h"
35 #include "detect-engine.h"
36 #include "detect-engine-state.h"
37 
38 #include "detect-filesize.h"
39 #include "util-debug.h"
40 #include "util-byte.h"
41 #include "flow-util.h"
42 #include "stream-tcp.h"
43 
44 /**
45  * \brief Regex for parsing our filesize
46  */
47 #define PARSE_REGEX "^(?:\\s*)(<|>)?(?:\\s*)([0-9]{1,23}[a-zA-Z]{0,2})(?:\\s*)(?:(<>)(?:\\s*)([0-9]{1,23}[a-zA-Z]{0,2}))?\\s*$"
48 
49 static DetectParseRegex parse_regex;
50 
51 /*prototypes*/
52 static int DetectFilesizeMatch (DetectEngineThreadCtx *det_ctx, Flow *f,
53  uint8_t flags, File *file, const Signature *s, const SigMatchCtx *m);
54 static int DetectFilesizeSetup (DetectEngineCtx *, Signature *, const char *);
55 static void DetectFilesizeFree (DetectEngineCtx *, void *);
56 #ifdef UNITTESTS
57 static void DetectFilesizeRegisterTests (void);
58 #endif
59 static int g_file_match_list_id = 0;
60 
61 /**
62  * \brief Registration function for filesize: keyword
63  */
64 
66 {
67  sigmatch_table[DETECT_FILESIZE].name = "filesize";
68  sigmatch_table[DETECT_FILESIZE].desc = "match on the size of the file as it is being transferred";
69  sigmatch_table[DETECT_FILESIZE].url = "/rules/file-keywords.html#filesize";
70  sigmatch_table[DETECT_FILESIZE].FileMatch = DetectFilesizeMatch;
71  sigmatch_table[DETECT_FILESIZE].Setup = DetectFilesizeSetup;
72  sigmatch_table[DETECT_FILESIZE].Free = DetectFilesizeFree;
73 #ifdef UNITTESTS
74  sigmatch_table[DETECT_FILESIZE].RegisterTests = DetectFilesizeRegisterTests;
75 #endif
76  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
77 
78  g_file_match_list_id = DetectBufferTypeRegister("files");
79 }
80 
81 /**
82  * \brief This function is used to match filesize rule option.
83  *
84  * \param t thread local vars
85  * \param det_ctx pattern matcher thread local data
86  * \param f *LOCKED* flow
87  * \param flags direction flags
88  * \param file file being inspected
89  * \param s signature being inspected
90  * \param m sigmatch that we will cast into DetectFilesizeData
91  *
92  * \retval 0 no match
93  * \retval 1 match
94  */
95 static int DetectFilesizeMatch (DetectEngineThreadCtx *det_ctx, Flow *f,
96  uint8_t flags, File *file, const Signature *s, const SigMatchCtx *m)
97 {
98  SCEnter();
99 
101  int ret = 0;
102  uint64_t file_size = FileTrackedSize(file);
103 
104  SCLogDebug("file size %"PRIu64", check %"PRIu64, file_size, fsd->size1);
105 
106  if (file->state == FILE_STATE_CLOSED) {
107  switch (fsd->mode) {
108  case DETECT_FILESIZE_EQ:
109  if (file_size == fsd->size1)
110  ret = 1;
111  break;
112  case DETECT_FILESIZE_LT:
113  if (file_size < fsd->size1)
114  ret = 1;
115  break;
116  case DETECT_FILESIZE_GT:
117  if (file_size > fsd->size1)
118  ret = 1;
119  break;
120  case DETECT_FILESIZE_RA:
121  if (file_size > fsd->size1 && file_size < fsd->size2)
122  ret = 1;
123  break;
124  }
125  /* truncated, error: only see if what we have meets the GT condition */
126  } else if (file->state > FILE_STATE_CLOSED) {
127  if (fsd->mode == DETECT_FILESIZE_GT && file_size > fsd->size1)
128  ret = 1;
129  }
130  SCReturnInt(ret);
131 }
132 
133 /**
134  * \brief parse filesize options
135  *
136  * \param str pointer to the user provided filesize
137  *
138  * \retval fsd pointer to DetectFilesizeData on success
139  * \retval NULL on failure
140  */
141 static DetectFilesizeData *DetectFilesizeParse (const char *str)
142 {
143 
144  DetectFilesizeData *fsd = NULL;
145  char *arg1 = NULL;
146  char *arg2 = NULL;
147  char *arg3 = NULL;
148  char *arg4 = NULL;
149  int ret = 0, res = 0;
150  size_t pcre2_len;
151 
152  ret = DetectParsePcreExec(&parse_regex, str, 0, 0);
153  if (ret < 3 || ret > 5) {
154  SCLogError(SC_ERR_PCRE_PARSE, "filesize option pcre parse error: \"%s\"", str);
155  goto error;
156  }
157  const char *str_ptr;
158 
159  SCLogDebug("ret %d", ret);
160 
161  res = SC_Pcre2SubstringGet(parse_regex.match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
162  if (res < 0) {
163  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_get_bynumber failed");
164  goto error;
165  }
166  arg1 = (char *) str_ptr;
167  SCLogDebug("Arg1 \"%s\"", arg1);
168 
169  res = pcre2_substring_get_bynumber(parse_regex.match, 2, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
170  if (res < 0) {
171  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_get_bynumber failed");
172  goto error;
173  }
174  arg2 = (char *) str_ptr;
175  SCLogDebug("Arg2 \"%s\"", arg2);
176 
177  if (ret > 3) {
178  res = pcre2_substring_get_bynumber(
179  parse_regex.match, 3, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
180  if (res < 0) {
181  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_get_bynumber failed");
182  goto error;
183  }
184  arg3 = (char *) str_ptr;
185  SCLogDebug("Arg3 \"%s\"", arg3);
186 
187  if (ret > 4) {
188  res = pcre2_substring_get_bynumber(
189  parse_regex.match, 4, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
190  if (res < 0) {
191  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_get_bynumber failed");
192  goto error;
193  }
194  arg4 = (char *) str_ptr;
195  SCLogDebug("Arg4 \"%s\"", arg4);
196  }
197  }
198 
199  fsd = SCMalloc(sizeof (DetectFilesizeData));
200  if (unlikely(fsd == NULL))
201  goto error;
202  memset(fsd, 0, sizeof(DetectFilesizeData));
203 
204  if (arg1 != NULL && arg1[0] == '<')
205  fsd->mode = DETECT_FILESIZE_LT;
206  else if (arg1 != NULL && arg1[0] == '>')
207  fsd->mode = DETECT_FILESIZE_GT;
208  else
209  fsd->mode = DETECT_FILESIZE_EQ;
210 
211  if (arg3 != NULL && strcmp("<>", arg3) == 0) {
212  if (arg1 != NULL && strlen(arg1) != 0) {
213  SCLogError(SC_ERR_INVALID_ARGUMENT,"Range specified but mode also set");
214  goto error;
215  }
216  fsd->mode = DETECT_FILESIZE_RA;
217  }
218 
219  /** set the first value */
220  if (ParseSizeStringU64(arg2, &fsd->size1) < 0) {
221  SCLogError(SC_ERR_SIZE_PARSE, "Error parsing filesize value - %s", arg2);
222  goto error;
223  }
224 
225  /** set the second value if specified */
226  if (arg4 != NULL && strlen(arg4) > 0) {
227  if (fsd->mode != DETECT_FILESIZE_RA) {
228  SCLogError(SC_ERR_INVALID_ARGUMENT,"Multiple filesize values specified"
229  " but mode is not range");
230  goto error;
231  }
232 
233  if (ParseSizeStringU64(arg4, &fsd->size2) < 0) {
234  SCLogError(SC_ERR_SIZE_PARSE, "Error parsing filesize value - %s", arg4);
235  goto error;
236  }
237 
238  if (fsd->size2 <= fsd->size1){
239  SCLogError(SC_ERR_INVALID_ARGUMENT,"filesize2:%"PRIu64" <= filesize:"
240  "%"PRIu64"",fsd->size2,fsd->size1);
241  goto error;
242  }
243  }
244 
245  pcre2_substring_free((PCRE2_UCHAR *)arg1);
246  pcre2_substring_free((PCRE2_UCHAR *)arg2);
247  if (arg3 != NULL)
248  pcre2_substring_free((PCRE2_UCHAR *)arg3);
249  if (arg4 != NULL)
250  pcre2_substring_free((PCRE2_UCHAR *)arg4);
251  return fsd;
252 
253 error:
254  if (fsd)
255  SCFree(fsd);
256  if (arg1 != NULL)
257  pcre2_substring_free((PCRE2_UCHAR *)arg1);
258  if (arg2 != NULL)
259  pcre2_substring_free((PCRE2_UCHAR *)arg2);
260  if (arg3 != NULL)
261  pcre2_substring_free((PCRE2_UCHAR *)arg3);
262  if (arg4 != NULL)
263  pcre2_substring_free((PCRE2_UCHAR *)arg4);
264  return NULL;
265 }
266 
267 /**
268  * \brief this function is used to parse filesize data into the current signature
269  *
270  * \param de_ctx pointer to the Detection Engine Context
271  * \param s pointer to the Current Signature
272  * \param str pointer to the user provided options
273  *
274  * \retval 0 on Success
275  * \retval -1 on Failure
276  */
277 static int DetectFilesizeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
278 {
279  SCEnter();
280  DetectFilesizeData *fsd = NULL;
281  SigMatch *sm = NULL;
282 
283  fsd = DetectFilesizeParse(str);
284  if (fsd == NULL)
285  goto error;
286 
287  sm = SigMatchAlloc();
288  if (sm == NULL)
289  goto error;
290 
291  sm->type = DETECT_FILESIZE;
292  sm->ctx = (SigMatchCtx *)fsd;
293 
294  SigMatchAppendSMToList(s, sm, g_file_match_list_id);
295 
297  SCReturnInt(0);
298 
299 error:
300  if (fsd != NULL)
301  DetectFilesizeFree(de_ctx, fsd);
302  if (sm != NULL)
303  SCFree(sm);
304  SCReturnInt(-1);
305 }
306 
307 /**
308  * \brief this function will free memory associated with DetectFilesizeData
309  *
310  * \param ptr pointer to DetectFilesizeData
311  */
312 static void DetectFilesizeFree(DetectEngineCtx *de_ctx, void *ptr)
313 {
315  SCFree(fsd);
316 }
317 
318 #ifdef UNITTESTS
319 #include "stream.h"
320 #include "stream-tcp-private.h"
321 #include "stream-tcp-reassemble.h"
322 #include "detect-engine.h"
323 #include "detect-engine-mpm.h"
324 #include "app-layer-parser.h"
325 
326 /** \test Test the Filesize keyword setup */
327 static int DetectFilesizeParseTest01(void)
328 {
329  int ret = 0;
330  DetectFilesizeData *fsd = NULL;
331 
332  fsd = DetectFilesizeParse("10");
333  if (fsd != NULL) {
334  if (fsd->size1 == 10 && fsd->mode == DETECT_FILESIZE_EQ)
335  ret = 1;
336 
337  DetectFilesizeFree(NULL, fsd);
338  }
339  return ret;
340 }
341 
342 /** \test Test the Filesize keyword setup */
343 static int DetectFilesizeParseTest02(void)
344 {
345  int ret = 0;
346  DetectFilesizeData *fsd = NULL;
347 
348  fsd = DetectFilesizeParse(" < 10 ");
349  if (fsd != NULL) {
350  if (fsd->size1 == 10 && fsd->mode == DETECT_FILESIZE_LT)
351  ret = 1;
352 
353  DetectFilesizeFree(NULL, fsd);
354  }
355  return ret;
356 }
357 
358 /** \test Test the Filesize keyword setup */
359 static int DetectFilesizeParseTest03(void)
360 {
361  int ret = 0;
362  DetectFilesizeData *fsd = NULL;
363 
364  fsd = DetectFilesizeParse(" > 10 ");
365  if (fsd != NULL) {
366  if (fsd->size1 == 10 && fsd->mode == DETECT_FILESIZE_GT)
367  ret = 1;
368 
369  DetectFilesizeFree(NULL, fsd);
370  }
371  return ret;
372 }
373 
374 /** \test Test the Filesize keyword setup */
375 static int DetectFilesizeParseTest04(void)
376 {
377  int ret = 0;
378  DetectFilesizeData *fsd = NULL;
379 
380  fsd = DetectFilesizeParse(" 5 <> 10 ");
381  if (fsd != NULL) {
382  if (fsd->size1 == 5 && fsd->size2 == 10 &&
383  fsd->mode == DETECT_FILESIZE_RA)
384  ret = 1;
385 
386  DetectFilesizeFree(NULL, fsd);
387  }
388  return ret;
389 }
390 
391 /** \test Test the Filesize keyword setup */
392 static int DetectFilesizeParseTest05(void)
393 {
394  int ret = 0;
395  DetectFilesizeData *fsd = NULL;
396 
397  fsd = DetectFilesizeParse("5<>10");
398  if (fsd != NULL) {
399  if (fsd->size1 == 5 && fsd->size2 == 10 &&
400  fsd->mode == DETECT_FILESIZE_RA)
401  ret = 1;
402 
403  DetectFilesizeFree(NULL, fsd);
404  }
405  return ret;
406 }
407 
408 /**
409  * \brief this function is used to initialize the detection engine context and
410  * setup the signature with passed values.
411  *
412  */
413 
414 static int DetectFilesizeInitTest(DetectEngineCtx **de_ctx, Signature **sig,
415  DetectFilesizeData **fsd, const char *str)
416 {
417  char fullstr[1024];
418  int result = 0;
419 
420  *de_ctx = NULL;
421  *sig = NULL;
422 
423  if (snprintf(fullstr, 1024, "alert http any any -> any any (msg:\"Filesize "
424  "test\"; filesize:%s; sid:1;)", str) >= 1024) {
425  goto end;
426  }
427 
429  if (*de_ctx == NULL) {
430  goto end;
431  }
432 
433  (*de_ctx)->flags |= DE_QUIET;
434 
435  (*de_ctx)->sig_list = SigInit(*de_ctx, fullstr);
436  if ((*de_ctx)->sig_list == NULL) {
437  goto end;
438  }
439 
440  *sig = (*de_ctx)->sig_list;
441 
442  *fsd = DetectFilesizeParse(str);
443 
444  result = 1;
445 
446 end:
447  return result;
448 }
449 
450 /**
451  * \test DetectFilesizeSetpTest01 is a test for setting up an valid filesize values
452  * with valid "<>" operator and include spaces arround the given values.
453  * In the test the values are setup with initializing the detection engine
454  * context and setting up the signature itself.
455  */
456 
457 static int DetectFilesizeSetpTest01(void)
458 {
459 
460  DetectFilesizeData *fsd = NULL;
461  uint8_t res = 0;
462  Signature *sig = NULL;
463  DetectEngineCtx *de_ctx = NULL;
464 
465  res = DetectFilesizeInitTest(&de_ctx, &sig, &fsd, "1 <> 2 ");
466  if (res == 0) {
467  goto end;
468  }
469 
470  if(fsd == NULL)
471  goto cleanup;
472 
473  if (fsd != NULL) {
474  if (fsd->size1 == 1 && fsd->size2 == 2 &&
475  fsd->mode == DETECT_FILESIZE_RA)
476  res = 1;
477  }
478 
479 cleanup:
480  if (fsd)
481  SCFree(fsd);
485 end:
486  return res;
487 }
488 
489 /**
490  * \brief this function registers unit tests for DetectFilesize
491  */
492 void DetectFilesizeRegisterTests(void)
493 {
494  UtRegisterTest("DetectFilesizeParseTest01", DetectFilesizeParseTest01);
495  UtRegisterTest("DetectFilesizeParseTest02", DetectFilesizeParseTest02);
496  UtRegisterTest("DetectFilesizeParseTest03", DetectFilesizeParseTest03);
497  UtRegisterTest("DetectFilesizeParseTest04", DetectFilesizeParseTest04);
498  UtRegisterTest("DetectFilesizeParseTest05", DetectFilesizeParseTest05);
499  UtRegisterTest("DetectFilesizeSetpTest01", DetectFilesizeSetpTest01);
500 }
501 #endif /* UNITTESTS */
util-byte.h
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:45
SigTableElmt_::url
const char * url
Definition: detect.h:1270
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1269
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2474
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1257
flow-util.h
DetectParseRegex
Definition: detect-parse.h:42
SigTableElmt_::name
const char * name
Definition: detect.h:1267
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
ParseSizeStringU64
int ParseSizeStringU64(const char *size, uint64_t *res)
Definition: util-misc.c:200
Flow_
Flow data structure.
Definition: flow.h:353
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2115
SigTableElmt_::FileMatch
int(* FileMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, File *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1243
File_::state
FileState state
Definition: util-file.h:78
DetectFilesizeRegister
void DetectFilesizeRegister(void)
Registration function for filesize: keyword.
Definition: detect-filesize.c:65
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:811
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2433
DETECT_FILESIZE_EQ
#define DETECT_FILESIZE_EQ
Definition: detect-filesize.h:30
DE_QUIET
#define DE_QUIET
Definition: detect.h:295
stream-tcp-reassemble.h
m
SCMutex m
Definition: flow-hash.h:6
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our filesize.
Definition: detect-filesize.c:47
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:42
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1252
util-unittest.h
util-unittest-helper.h
SC_ERR_PCRE_PARSE
@ SC_ERR_PCRE_PARSE
Definition: util-error.h:37
DETECT_FILESIZE
@ DETECT_FILESIZE
Definition: detect-engine-register.h:210
SC_ERR_SIZE_PARSE
@ SC_ERR_SIZE_PARSE
Definition: util-error.h:230
app-layer-htp.h
DetectFilesizeData_::size2
uint64_t size2
Definition: detect-filesize.h:34
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1060
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2597
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
FileTrackedSize
uint64_t FileTrackedSize(const File *file)
get the size of the file
Definition: util-file.c:311
DetectFilesizeData_::size1
uint64_t size1
Definition: detect-filesize.h:33
SC_Pcre2SubstringGet
int SC_Pcre2SubstringGet(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr, PCRE2_SIZE *bufflen)
Definition: detect-parse.c:2585
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:324
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2016
stream.h
stream-tcp-private.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:316
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:67
File_
Definition: util-file.h:75
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1023
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:322
Signature_::file_flags
uint8_t file_flags
Definition: detect.h:563
DetectFilesizeData_
Definition: detect-filesize.h:32
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DetectFilesizeData_::mode
uint8_t mode
Definition: detect-filesize.h:35
str
#define str(s)
Definition: suricata-common.h:272
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:548
SigMatch_
a single match condition for a signature
Definition: detect.h:321
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2394
detect-filesize.h
app-layer-protos.h
DETECT_FILESIZE_LT
#define DETECT_FILESIZE_LT
Definition: detect-filesize.h:27
DETECT_FILESIZE_GT
#define DETECT_FILESIZE_GT
Definition: detect-filesize.h:28
FILE_SIG_NEED_FILE
#define FILE_SIG_NEED_FILE
Definition: detect.h:285
util-misc.h
DETECT_FILESIZE_RA
#define DETECT_FILESIZE_RA
Definition: detect-filesize.h:29
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
FILE_SIG_NEED_SIZE
#define FILE_SIG_NEED_SIZE
Definition: detect.h:292
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1259