1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the filestore keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 
31 #include "detect.h"
32 #include "detect-parse.h"
33 
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 
38 #include "feature.h"
39 
40 #include "flow.h"
41 #include "flow-var.h"
42 #include "flow-util.h"
43 
44 #include "util-debug.h"
45 #include "util-spm-bm.h"
46 #include "util-unittest.h"
47 #include "util-unittest-helper.h"
48 
49 #include "app-layer.h"
50 #include "app-layer-parser.h"
51 #include "app-layer-htp.h"
52 
53 #include "stream-tcp.h"
54 
55 #include "detect-filestore.h"
56 
/**
 * \brief Regex for parsing our flow options
 *
 * Matches one to three comma separated tokens with optional surrounding
 * whitespace, captured as groups 1..3.  Note that the class [A-z_] is an
 * ASCII range from 'A' to 'z': besides letters and '_' it also admits
 * '[', the backslash, ']', '^' and '`'.  Such tokens pass the regex and
 * are only filtered afterwards by the strcasecmp() checks in the setup
 * function.
 */
#define PARSE_REGEX "^\\s*([A-z_]+)\\s*(?:,\\s*([A-z_]+))?\\s*(?:,\\s*([A-z_]+))?\\s*$"

/* compiled form of PARSE_REGEX, filled in by the register function */
static DetectParseRegex parse_regex;

static int DetectFilestoreMatch (DetectEngineThreadCtx *,
        Flow *, uint8_t, File *, const Signature *, const SigMatchCtx *);
static int DetectFilestorePostMatch(DetectEngineThreadCtx *det_ctx,
        Packet *p, const Signature *s, const SigMatchCtx *ctx);
static int DetectFilestoreSetup (DetectEngineCtx *, Signature *, const char *);
static void DetectFilestoreFree(void *);
static void DetectFilestoreRegisterTests(void);
/* list id of the "files" buffer type, assigned at registration */
static int g_file_match_list_id = 0;
72 
/**
 * \brief Registration function for keyword: filestore
 *
 * Fills in the sigmatch_table entries for DETECT_FILESTORE (the rule
 * keyword "filestore") and DETECT_FILESTORE_POSTMATCH (an internal entry
 * named "__filestore__postmatch__" whose Match callback finalizes the
 * store decision once the whole signature matched; it shares the Free
 * callback), compiles PARSE_REGEX into parse_regex and registers the
 * "files" buffer type, keeping its list id in g_file_match_list_id.
 *
 * NOTE(review): this listing drops source line 76, the definition line
 * (the function is `void DetectFilestoreRegister(void)`), and line 85,
 * which is not recoverable from the page.
 */
{
    sigmatch_table[DETECT_FILESTORE].name = "filestore";
    sigmatch_table[DETECT_FILESTORE].desc = "stores files to disk if the rule matched";
    sigmatch_table[DETECT_FILESTORE].url = DOC_URL DOC_VERSION "/rules/file-keywords.html#filestore";
    sigmatch_table[DETECT_FILESTORE].FileMatch = DetectFilestoreMatch;
    sigmatch_table[DETECT_FILESTORE].Setup = DetectFilestoreSetup;
    sigmatch_table[DETECT_FILESTORE].Free = DetectFilestoreFree;
    sigmatch_table[DETECT_FILESTORE].RegisterTests = DetectFilestoreRegisterTests;

    /* not a user keyword: no Setup/url, only Match and Free */
    sigmatch_table[DETECT_FILESTORE_POSTMATCH].name = "__filestore__postmatch__";
    sigmatch_table[DETECT_FILESTORE_POSTMATCH].Match = DetectFilestorePostMatch;
    sigmatch_table[DETECT_FILESTORE_POSTMATCH].Free = DetectFilestoreFree;

    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);

    g_file_match_list_id = DetectBufferTypeRegister("files");
}
95 
/**
 * \brief apply the post match filestore with options
 *
 * Turns the rule's parsed filestore options into store flags: either just
 * the matching file, all files of its transaction, or all files of the
 * flow are marked for storing.
 *
 * \param p packet that triggered the match; p->flowflags gives the packet
 *        direction used by the per-file scope
 * \param f flow of the packet; f->alproto and f->alstate are consulted by
 *        the tx and ssn scopes
 * \param filestore parsed options of the rule; NULL means nothing is done
 * \param fc file container holding the file identified by file_id
 * \param file_id id of the file that matched
 * \param tx_id id of the transaction the match belongs to
 *
 * \retval 0 always
 *
 * Points worth knowing when writing rules against this code:
 *  - the tx and ssn scopes only act on HTTP state (f->alproto == ALPROTO_HTTP
 *    with a non-NULL f->alstate); for any other protocol those branches do
 *    nothing and the file is not stored, without any log message;
 *  - the direction case that only sets rule_dir leaves toserver_dir and
 *    toclient_dir clear, so combined with the tx or ssn scope no file is
 *    flagged at all;
 *  - both the per-file branch and the final else call FileStoreFileById()
 *    for the same file, so for the per-file scope the direction checks do
 *    not change what gets stored.
 *
 * NOTE(review): this listing drops source lines 114, 121, 124 and 130, the
 * case labels of the two switches; presumably one FILESTORE_DIR_* label per
 * group of assignments below and FILESTORE_SCOPE_DEFAULT for the first
 * scope case — confirm against the file.
 */
static int FilestorePostMatchWithOptions(Packet *p, Flow *f, const DetectFilestoreData *filestore,
        FileContainer *fc, uint32_t file_id, uint64_t tx_id)
{
    if (filestore == NULL) {
        SCReturnInt(0);
    }

    int this_file = 0;      /* store only the matching file */
    int this_tx = 0;        /* store every file of the transaction */
    int this_flow = 0;      /* store every file of the flow */
    int rule_dir = 0;       /* direction is "whatever the rule matched in" */
    int toserver_dir = 0;
    int toclient_dir = 0;

    switch (filestore->direction) {
            /* (case label at source line 114 missing from this listing) */
            rule_dir = 1;
            break;
        case FILESTORE_DIR_BOTH:
            toserver_dir = 1;
            toclient_dir = 1;
            break;
            /* (case label at source line 121 missing from this listing) */
            toserver_dir = 1;
            break;
            /* (case label at source line 124 missing from this listing) */
            toclient_dir = 1;
            break;
    }

    switch (filestore->scope) {
            /* (case label at source line 130 missing from this listing) */
            /* per-file scope: with rule_dir the file always qualifies,
             * otherwise the packet direction must match a requested one */
            if (rule_dir) {
                this_file = 1;
            } else if ((p->flowflags & FLOW_PKT_TOCLIENT) && toclient_dir) {
                this_file = 1;
            } else if ((p->flowflags & FLOW_PKT_TOSERVER) && toserver_dir) {
                this_file = 1;
            }
            break;
        case FILESTORE_SCOPE_TX:
            this_tx = 1;
            break;
        case FILESTORE_SCOPE_SSN:
            this_flow = 1;
            break;
    }

    if (this_file) {
        FileStoreFileById(fc, file_id);
    } else if (this_tx) {
        /* flag tx all files will be stored */
        if (f->alproto == ALPROTO_HTTP && f->alstate != NULL) {
            HtpState *htp_state = f->alstate;
            if (toserver_dir) {
                htp_state->flags |= HTP_FLAG_STORE_FILES_TX_TS;
                FileStoreAllFilesForTx(htp_state->files_ts, tx_id);
            }
            if (toclient_dir) {
                htp_state->flags |= HTP_FLAG_STORE_FILES_TX_TC;
                FileStoreAllFilesForTx(htp_state->files_tc, tx_id);
            }
            /* overwritten on every call: only the most recent tx id is kept */
            htp_state->store_tx_id = tx_id;
        }
    } else if (this_flow) {
        /* flag flow all files will be stored */
        if (f->alproto == ALPROTO_HTTP && f->alstate != NULL) {
            HtpState *htp_state = f->alstate;
            if (toserver_dir) {
                htp_state->flags |= HTP_FLAG_STORE_FILES_TS;
                FileStoreAllFiles(htp_state->files_ts);
            }
            if (toclient_dir) {
                htp_state->flags |= HTP_FLAG_STORE_FILES_TC;
                FileStoreAllFiles(htp_state->files_tc);
            }
        }
    } else {
        /* no scope flag set (e.g. per-file scope with a direction that did
         * not match): the single file is still stored */
        FileStoreFileById(fc, file_id);
    }

    SCReturnInt(0);
}
182 
/**
 * \brief post-match function for filestore
 *
 * \param det_ctx pattern matcher thread local data; holds the store
 *        candidates (file_id/tx_id pairs) recorded by DetectFilestoreMatch
 * \param p packet; p->flow must be set
 * \param s signature that matched; s->filestore_ctx carries the parsed
 *        filestore options, NULL when the keyword had no options
 * \param ctx sigmatch context, not used here
 *
 * \retval 0 always
 *
 * The match function for filestore records store candidates in the det_ctx.
 * When we are sure all parts of the signature matched, we run this function
 * to finalize the filestore.
 *
 * NOTE(review): this listing drops source lines 216, 219, 221, 224 and 230.
 * Line 230 declares `ffc`, the file container the loops below use; lines
 * 219/221 set `flags` per packet direction; going by its arguments the call
 * starting at 224 looks like AppLayerParserSetStreamDepthFlag — confirm
 * against the file.
 */
static int DetectFilestorePostMatch(DetectEngineThreadCtx *det_ctx,
        Packet *p, const Signature *s, const SigMatchCtx *ctx)
{
    uint8_t flags = 0;

    SCEnter();

    /* nothing was recorded by the match function: nothing to store */
    if (det_ctx->filestore_cnt == 0) {
        SCReturnInt(0);
    }

    /* a signature reaching this point must carry filestore state and the
     * packet must belong to a flow; release builds bail out quietly,
     * debug builds treat it as an invariant violation */
    if ((s->filestore_ctx == NULL && !(s->flags & SIG_FLAG_FILESTORE)) || p->flow == NULL) {
#ifndef DEBUG
        SCReturnInt(0);
#else
        BUG_ON(1);
#endif
    }

    if (p->proto == IPPROTO_TCP && p->flow->protoctx != NULL) {
        /* set filestore depth for stream reassembling */
        TcpSession *ssn = (TcpSession *)p->flow->protoctx;
        /* (source line 216, the call that uses ssn, is missing from this listing) */
    }
    /* packet direction selects the file container used below
     * (the two assignments to flags, lines 219/221, are missing from this listing) */
    if (p->flowflags & FLOW_PKT_TOCLIENT)
    else

    /* per candidate: hand the app-layer state, tx id and direction to the
     * call at line 224 (missing from this listing) */
    for (uint16_t u = 0; u < det_ctx->filestore_cnt; u++) {
                FlowGetAppState(p->flow),
                det_ctx->filestore[u].tx_id,
                flags);
    }

    /* (line 230, the declaration of ffc, is missing from this listing) */

    /* filestore for single files only */
    if (s->filestore_ctx == NULL) {
        for (uint16_t u = 0; u < det_ctx->filestore_cnt; u++) {
            FileStoreFileById(ffc, det_ctx->filestore[u].file_id);
        }
    } else {
        /* keyword had options: direction/scope decide what gets stored */
        for (uint16_t u = 0; u < det_ctx->filestore_cnt; u++) {
            FilestorePostMatchWithOptions(p, p->flow, s->filestore_ctx, ffc,
                    det_ctx->filestore[u].file_id, det_ctx->filestore[u].tx_id);
        }
    }

    /* NOTE(review): det_ctx->filestore_cnt is not reset here; presumably
     * it is cleared per packet elsewhere — confirm, stale candidates would
     * otherwise be re-stored on the next match */
    SCReturnInt(0);
}
246 
/**
 * \brief match the specified filestore
 *
 * Records a store candidate (file id plus the current tx id) in the
 * thread context so DetectFilestorePostMatch() can act on it once the
 * whole signature has matched, and appends the signature id to the
 * file's sid list.
 *
 * \param det_ctx pattern matcher thread local data; receives the candidate
 * \param f *LOCKED* flow (not used here)
 * \param flags direction flags (not used here)
 * \param file file being inspected; NULL for rules whose filestore scope
 *        is wider than a single file
 * \param s signature being inspected; s->id is recorded on the file
 * \param m sigmatch that we will cast into DetectFilestoreData (not used here)
 *
 * \retval 1 match. Also returned when the candidate array is already
 *         full; then nothing is recorded and this file will not be
 *         stored by the post-match step.
 *
 * \todo when we start supporting more protocols, the logic in this function
 * needs to be put behind a api.
 */
static int DetectFilestoreMatch (DetectEngineThreadCtx *det_ctx, Flow *f,
        uint8_t flags, File *file, const Signature *s, const SigMatchCtx *m)
{
    SCEnter();

    /* candidate array full: still a match, but the candidate is dropped */
    if (det_ctx->filestore_cnt >= DETECT_FILESTORE_MAX) {
        SCReturnInt(1);
    }

    uint32_t file_id = 0;

    /* file can be NULL when a rule with filestore scope > file
     * matches. */
    if (file != NULL) {
        file_id = file->file_track_id;
        if (file->sid != NULL && s->id > 0) {
            bool have_room = true;
            if (file->sid_cnt >= file->sid_max) {
                /* grow in steps of 8; on failure drop the whole sid list
                 * instead of keeping a dangling pointer */
                void *grown = SCRealloc(file->sid, sizeof(uint32_t) * (file->sid_max + 8));
                if (grown != NULL) {
                    file->sid = grown;
                    file->sid_max += 8;
                } else {
                    SCFree(file->sid);
                    file->sid = NULL;
                    file->sid_cnt = 0;
                    file->sid_max = 0;
                    have_room = false;
                }
            }
            if (have_room) {
                file->sid[file->sid_cnt++] = s->id;
            }
        }
    }

    const uint16_t slot = det_ctx->filestore_cnt;
    det_ctx->filestore[slot].file_id = file_id;
    det_ctx->filestore[slot].tx_id = det_ctx->tx_id;

    SCLogDebug("%u, file %u, tx %"PRIu64, slot,
            det_ctx->filestore[slot].file_id,
            det_ctx->filestore[slot].tx_id);

    det_ctx->filestore_cnt = slot + 1;
    SCReturnInt(1);
}
310 
/**
 * \brief parse the filestore options into the current signature
 *
 * \param de_ctx pointer to the Detection Engine Context
 * \param s pointer to the Current Signature
 * \param str pointer to the user provided "filestore" option; NULL or
 *        empty when the keyword was given without options
 *
 * \retval 0 on Success
 * \retval -1 on Failure
 *
 * Option handling worth knowing:
 *  - each captured token is copied into a 32 byte stack buffer, so a token
 *    of 32 characters or more makes pcre_copy_substring() fail and the rule
 *    is rejected;
 *  - a first or second token that matches none of the strcasecmp() cases is
 *    accepted silently: no branch rejects it, the field simply keeps the
 *    value memset() gave it;
 *  - the third token (args[2]) is captured but never consulted.
 *
 * NOTE(review): this listing drops source lines 335, 352, 412-413, 418-419,
 * 423-424, 427, 435, 438, 442, 446, 455, 464, 466 and 469; from context
 * those are the feature check guarding the warning, the head of the
 * SCLogError call, the assignments to fd->direction / fd->scope, and the
 * type/list/flag settings of the post-match sigmatch — confirm against
 * the file.
 */
static int DetectFilestoreSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    SCEnter();

    /* function-local state: warn only once per detect engine version */
    static bool warn_not_configured = false;
    static uint32_t de_version = 0;

    /* Check on first-time loads (includes following a reload) */
    if (!warn_not_configured || (de_ctx->version != de_version)) {
        if (de_version != de_ctx->version) {
            SCLogDebug("reload-detected; re-checking feature presence; DE version now %"PRIu32,
                    de_ctx->version);
        }
        /* (condition at source line 335 missing from this listing) */
            SCLogWarning(SC_WARN_ALERT_CONFIG, "One or more rule(s) depends on the "
                    "file-store output log which is not enabled. "
                    "Enable the output \"file-store\".");
        }
        warn_not_configured = true;
        de_version = de_ctx->version;
    }

    DetectFilestoreData *fd = NULL;
    SigMatch *sm = NULL;
    char *args[3] = {NULL,NULL,NULL};
    int ret = 0, res = 0;
    int ov[MAX_SUBSTRINGS];

    /* filestore and bypass keywords can't work together */
    if (s->flags & SIG_FLAG_BYPASS) {
        /* (source line 352, the head of the SCLogError call, missing from this listing) */
                "filestore can't work with bypass keyword");
        return -1;
    }

    sm = SigMatchAlloc();
    if (sm == NULL)
        goto error;

    sm->type = DETECT_FILESTORE;

    if (str != NULL && strlen(str) > 0) {
        /* args[] point into these buffers; both only live for this block */
        char str_0[32];
        char str_1[32];
        char str_2[32];
        SCLogDebug("str %s", str);

        /* ret is 1 plus the number of captured groups */
        ret = DetectParsePcreExec(&parse_regex, str, 0, 0, ov, MAX_SUBSTRINGS);
        if (ret < 1 || ret > 4) {
            SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 ", string %s", ret, str);
            goto error;
        }

        if (ret > 1) {
            res = pcre_copy_substring((char *)str, ov, MAX_SUBSTRINGS, 1, str_0, sizeof(str_0));
            if (res < 0) {
                SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
                goto error;
            }
            args[0] = (char *)str_0;

            if (ret > 2) {
                res = pcre_copy_substring((char *)str, ov, MAX_SUBSTRINGS, 2, str_1, sizeof(str_1));
                if (res < 0) {
                    SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
                    goto error;
                }
                args[1] = (char *)str_1;
            }
            if (ret > 3) {
                res = pcre_copy_substring((char *)str, ov, MAX_SUBSTRINGS, 3, str_2, sizeof(str_2));
                if (res < 0) {
                    SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
                    goto error;
                }
                args[2] = (char *)str_2;
            }
        }

        fd = SCMalloc(sizeof(DetectFilestoreData));
        if (unlikely(fd == NULL))
            goto error;
        /* zeroed: direction and scope are 0 unless a token sets them */
        memset(fd, 0x00, sizeof(DetectFilestoreData));

        if (args[0] != NULL) {
            SCLogDebug("first arg %s", args[0]);

            if (strcasecmp(args[0], "request") == 0 ||
                    strcasecmp(args[0], "to_server") == 0)
            {
                /* (source lines 412-413 missing from this listing) */
            }
            else if (strcasecmp(args[0], "response") == 0 ||
                    strcasecmp(args[0], "to_client") == 0)
            {
                /* (source lines 418-419 missing from this listing) */
            }
            else if (strcasecmp(args[0], "both") == 0)
            {
                /* (source lines 423-424 missing from this listing) */
            }
            /* no final else: an unrecognized first token is not reported */
        } else {
            /* (source line 427 missing from this listing) */
        }

        if (args[1] != NULL) {
            SCLogDebug("second arg %s", args[1]);

            if (strcasecmp(args[1], "file") == 0)
            {
                /* (source line 435 missing from this listing) */
            } else if (strcasecmp(args[1], "tx") == 0)
            {
                /* (source line 438 missing from this listing) */
            } else if (strcasecmp(args[1], "ssn") == 0 ||
                    strcasecmp(args[1], "flow") == 0)
            {
                /* (source line 442 missing from this listing) */
            }
            /* no final else: an unrecognized second token is not reported */
        } else {
            if (fd->scope == 0)
                /* (source line 446 missing from this listing) */
        }

        sm->ctx = (SigMatchCtx*)fd;
    } else {
        /* keyword without options: no DetectFilestoreData */
        sm->ctx = (SigMatchCtx*)NULL;
    }

    if (s->alproto == ALPROTO_HTTP) {
        /* (source line 455 missing from this listing) */
    }

    SigMatchAppendSMToList(s, sm, g_file_match_list_id);
    s->filestore_ctx = (const DetectFilestoreData *)sm->ctx;

    /* second sigmatch: the internal post-match entry, carrying no ctx.
     * sm above is owned by the signature from here on, so a failure
     * below must not free it again. */
    sm = SigMatchAlloc();
    if (unlikely(sm == NULL))
        goto error;
    /* (source line 464 missing from this listing) */
    sm->ctx = NULL;
    /* (source line 466 missing from this listing) */


    /* (source line 469 missing from this listing) */
    return 0;

error:
    if (sm != NULL)
        SCFree(sm);
    return -1;
}
477 
/**
 * \brief Free callback shared by the filestore keyword and the internal
 *        post-match sigmatch
 *
 * \param ptr the DetectFilestoreData attached to the sigmatch, or NULL for
 *        a sigmatch without options (the option-less keyword and the
 *        post-match entry both set ctx to NULL)
 */
static void DetectFilestoreFree(void *ptr)
{
    if (ptr == NULL)
        return;

    SCFree(ptr);
}
484 
#ifdef UNITTESTS
/*
 * The purpose of this test is to confirm that the
 * filestore and bypass keywords can't work together:
 * a rule using both must be rejected by the setup code.
 *
 * NOTE(review): this listing drops source lines 496, 505 and 507; going by
 * the surrounding lines these are the engine ctx creation, the check on
 * sig_list after SigInit and the ctx teardown — confirm against the file.
 */
static int DetectFilestoreTest01(void)
{
    DetectEngineCtx *de_ctx = NULL;
    int result = 1;

    /* (source line 496 missing from this listing) */
    FAIL_IF(de_ctx == NULL);

    de_ctx->flags |= DE_QUIET;

    /* bypass and filestore in one rule */
    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
            "(bypass; filestore; "
            "content:\"message\"; http_host; "
            "sid:1;)");
    /* (source line 505 missing from this listing) */

    /* (source line 507 missing from this listing) */

    return result;
}
#endif /* UNITTESTS */
512 
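/**
 * \brief register the unit tests of this file
 *
 * The forward declaration at the top of the file is static; the
 * definition now carries the keyword too so the two agree.  Without
 * UNITTESTS this compiles to an empty function.
 */
static void DetectFilestoreRegisterTests(void)
{
#ifdef UNITTESTS
    UtRegisterTest("DetectFilestoreTest01", DetectFilestoreTest01);
#endif /* UNITTESTS */
}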