detect-filestore.c
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the filestore keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 
31 #include "detect.h"
32 #include "detect-parse.h"
33 
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 
38 #include "feature.h"
39 
40 #include "flow.h"
41 #include "flow-var.h"
42 #include "flow-util.h"
43 
44 #include "util-debug.h"
45 #include "util-spm-bm.h"
46 #include "util-unittest.h"
47 #include "util-unittest-helper.h"
48 
49 #include "app-layer.h"
50 #include "app-layer-parser.h"
51 #include "app-layer-htp.h"
52 
53 #include "stream-tcp.h"
54 
55 #include "detect-filestore.h"
56 
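/**
 * \brief Regex for parsing the filestore keyword options
 *
 * Matches "<word>[,<word>[,<word>]]" with optional surrounding whitespace,
 * e.g. "to_server,tx". Each word is restricted to ASCII letters and
 * underscore. The previous class "[A-z_]" was a range bug: between 'Z' and
 * 'a' it also admitted '[', '\', ']', '^' and '`'. No option value uses
 * them, so they are now rejected by the parser instead of being silently
 * swallowed by the strcasecmp() chain in DetectFilestoreSetup.
 */
#define PARSE_REGEX "^\\s*([A-Za-z_]+)\\s*(?:,\\s*([A-Za-z_]+))?\\s*(?:,\\s*([A-Za-z_]+))?\\s*$"

/* Compiled once by DetectFilestoreRegister, reused by every Setup call. */
static DetectParseRegex parse_regex;

static int DetectFilestoreMatch (DetectEngineThreadCtx *,
        Flow *, uint8_t, File *, const Signature *, const SigMatchCtx *);
static int DetectFilestorePostMatch(DetectEngineThreadCtx *det_ctx,
        Packet *p, const Signature *s, const SigMatchCtx *ctx);
static int DetectFilestoreSetup (DetectEngineCtx *, Signature *, const char *);
static void DetectFilestoreFree(DetectEngineCtx *, void *);
#ifdef UNITTESTS
static void DetectFilestoreRegisterTests(void);
#endif
/* Id of the "files" inspection buffer, assigned in DetectFilestoreRegister. */
static int g_file_match_list_id = 0;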
74 
75 /**
76  * \brief Registration function for keyword: filestore
 *
 * Registers two sigmatch_table entries:
 *  - "filestore", the rule keyword: parsed by DetectFilestoreSetup and
 *    evaluated once per file through the FileMatch callback
 *    (DetectFilestoreMatch) on the "files" buffer list;
 *  - "__filestore__postmatch__", an internal keyword that Setup appends to
 *    the post-match list so the store decision is only taken once the whole
 *    signature has matched (DetectFilestorePostMatch).
 *
 * NOTE(review): the signature line of this function is dropped by the page
 * rendering; the symbol index gives it as `void DetectFilestoreRegister(void)`.
77  */
79 {
80  sigmatch_table[DETECT_FILESTORE].name = "filestore";
81  sigmatch_table[DETECT_FILESTORE].desc = "stores files to disk if the rule matched";
82  sigmatch_table[DETECT_FILESTORE].url = "/rules/file-keywords.html#filestore";
83  sigmatch_table[DETECT_FILESTORE].FileMatch = DetectFilestoreMatch;
84  sigmatch_table[DETECT_FILESTORE].Setup = DetectFilestoreSetup;
85  sigmatch_table[DETECT_FILESTORE].Free = DetectFilestoreFree;
86 #ifdef UNITTESTS
87  sigmatch_table[DETECT_FILESTORE].RegisterTests = DetectFilestoreRegisterTests;
88 #endif
 /* NOTE(review): line 89 is dropped by the page rendering. The symbol index
  * lists SIGMATCH_OPTIONAL_OPT, presumably OR-ed into the keyword's flags
  * here: the keyword is accepted both as a bare "filestore;" and as
  * "filestore:<direction>[,<scope>];" (see DetectFilestoreSetup). */
90 
91  sigmatch_table[DETECT_FILESTORE_POSTMATCH].name = "__filestore__postmatch__";
 /* No Setup: this entry is never written in a rule, only appended by
  * DetectFilestoreSetup. Its ctx is NULL, so the shared Free is a no-op. */
92  sigmatch_table[DETECT_FILESTORE_POSTMATCH].Match = DetectFilestorePostMatch;
93  sigmatch_table[DETECT_FILESTORE_POSTMATCH].Free = DetectFilestoreFree;
94 
 /* Option grammar compiled once; per-rule parse errors surface in Setup. */
95  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
96 
 /* Setup appends the keyword to this list, which is what makes the
  * FileMatch callback run per file. */
97  g_file_match_list_id = DetectBufferTypeRegister("files");
98 }
99 
100 /**
101  * \brief apply the post match filestore with options
 *
 * \param p packet that completed the match; p->flowflags gives direction
 * \param f flow of the packet; f->alproto / f->alstate are consulted for
 *          the tx and ssn scopes
 * \param filestore parsed keyword options (direction + scope); NULL is a
 *          no-op
 * \param fc file container of the current direction, used for file scope
 * \param file_id track id of the candidate file recorded at match time
 * \param tx_id transaction the candidate belongs to
 *
 * \retval 0 always
 *
 * Behaviour worth knowing before relying on it:
 *  - tx and ssn scopes are only implemented for HTTP; for any other
 *    app-layer protocol these scopes do nothing at all, not even store the
 *    triggering file;
 *  - with file scope the direction check only decides whether this_file is
 *    set; when it is not, the trailing else branch stores the file anyway,
 *    so the direction is effectively ignored for file scope — whether that
 *    is intended is not visible from this file;
 *  - htp_state->store_tx_id only remembers the last tx id flagged.
102  */
103 static int FilestorePostMatchWithOptions(Packet *p, Flow *f, const DetectFilestoreData *filestore,
104  FileContainer *fc, uint32_t file_id, uint64_t tx_id)
105 {
106  if (filestore == NULL) {
107  SCReturnInt(0);
108  }
109 
 /* Which action the options select; exactly one of this_file/this_tx/
  * this_flow ends up set for a known scope. */
110  int this_file = 0;
111  int this_tx = 0;
112  int this_flow = 0;
 /* rule_dir: no explicit direction, store in the direction that matched. */
113  int rule_dir = 0;
114  int toserver_dir = 0;
115  int toclient_dir = 0;
116 
117  switch (filestore->direction) {
 /* NOTE(review): the case label of this arm is dropped by the page
  * rendering; presumably `case FILESTORE_DIR_DEFAULT:` (symbol index). */
119  rule_dir = 1;
120  break;
121  case FILESTORE_DIR_BOTH:
122  toserver_dir = 1;
123  toclient_dir = 1;
124  break;
 /* NOTE(review): dropped label, presumably `case FILESTORE_DIR_TOSERVER:`. */
126  toserver_dir = 1;
127  break;
 /* NOTE(review): dropped label, presumably `case FILESTORE_DIR_TOCLIENT:`. */
129  toclient_dir = 1;
130  break;
131  }
132 
133  switch (filestore->scope) {
 /* NOTE(review): dropped label, presumably `case FILESTORE_SCOPE_DEFAULT:`
  * (single file). The packet direction is compared against the requested
  * direction here, but see the trailing else below. */
135  if (rule_dir) {
136  this_file = 1;
137  } else if ((p->flowflags & FLOW_PKT_TOCLIENT) && toclient_dir) {
138  this_file = 1;
139  } else if ((p->flowflags & FLOW_PKT_TOSERVER) && toserver_dir) {
140  this_file = 1;
141  }
142  break;
143  case FILESTORE_SCOPE_TX:
144  this_tx = 1;
145  break;
146  case FILESTORE_SCOPE_SSN:
147  this_flow = 1;
148  break;
149  }
150 
151  if (this_file) {
152  FileStoreFileById(fc, file_id);
153  } else if (this_tx) {
154  /* flag tx all files will be stored */
 /* HTTP only: every file of this transaction in the selected
  * direction(s) is flagged, current and future ones via the state flag. */
155  if (f->alproto == ALPROTO_HTTP && f->alstate != NULL) {
156  HtpState *htp_state = f->alstate;
157  if (toserver_dir) {
158  htp_state->flags |= HTP_FLAG_STORE_FILES_TX_TS;
159  FileStoreAllFilesForTx(htp_state->files_ts, tx_id);
160  }
161  if (toclient_dir) {
162  htp_state->flags |= HTP_FLAG_STORE_FILES_TX_TC;
163  FileStoreAllFilesForTx(htp_state->files_tc, tx_id);
164  }
 /* Overwritten on each call: only one tx id is tracked per state. */
165  htp_state->store_tx_id = tx_id;
166  }
167  } else if (this_flow) {
168  /* flag flow all files will be stored */
 /* HTTP only: the whole session's files in the selected direction(s). */
169  if (f->alproto == ALPROTO_HTTP && f->alstate != NULL) {
170  HtpState *htp_state = f->alstate;
171  if (toserver_dir) {
172  htp_state->flags |= HTP_FLAG_STORE_FILES_TS;
173  FileStoreAllFiles(htp_state->files_ts);
174  }
175  if (toclient_dir) {
176  htp_state->flags |= HTP_FLAG_STORE_FILES_TC;
177  FileStoreAllFiles(htp_state->files_tc);
178  }
179  }
180  } else {
 /* Reached for file scope with a non-matching direction and for any
  * unknown scope value: the candidate file is stored regardless. */
181  FileStoreFileById(fc, file_id);
182  }
183 
184  SCReturnInt(0);
185 }
186 
187 /**
188  * \brief post-match function for filestore
189  *
190  * \param det_ctx pattern matcher thread local data; carries the candidate
 *        list filled by DetectFilestoreMatch (det_ctx->filestore[0..filestore_cnt))
191  * \param p packet that completed the match; must have a flow
192  * \param s signature that matched; s->filestore_ctx selects between plain
 *        per-file storing and the direction/scope options
 * \param ctx sigmatch context (unused, NULL for the post-match entry)
 *
 * \retval 0 always; the value is not a match result
193  *
194  * The match function for filestore records store candidates in the det_ctx.
195  * When we are sure all parts of the signature matched, we run this function
196  * to finalize the filestore.
 *
 * Resource note: for TCP flows the session's reassembly depth is raised
 * here (dropped line 220; the symbol index lists TcpSessionSetReassemblyDepth
 * and FileReassemblyDepth, presumably called together) and the app-layer
 * parser is told to keep tracking the candidate transactions, so one
 * matching rule increases what is kept in memory for that session.
197  */
198 static int DetectFilestorePostMatch(DetectEngineThreadCtx *det_ctx,
199  Packet *p, const Signature *s, const SigMatchCtx *ctx)
200 {
 /* Direction flag for the app-layer/file API, set from p->flowflags below
  * (dropped lines 223/225, presumably STREAM_TOCLIENT / STREAM_TOSERVER). */
201  uint8_t flags = 0;
202 
203  SCEnter();
204 
 /* DetectFilestoreMatch recorded nothing for this packet. */
205  if (det_ctx->filestore_cnt == 0) {
206  SCReturnInt(0);
207  }
208 
 /* Invariant: only a signature carrying the filestore keyword, on a packet
  * with a flow, can reach this post-match. In DEBUG builds a violation
  * aborts the whole process via BUG_ON; release builds return silently, so
  * a broken invariant would show up as files not being stored. */
209  if ((s->filestore_ctx == NULL && !(s->flags & SIG_FLAG_FILESTORE)) || p->flow == NULL) {
210 #ifndef DEBUG
211  SCReturnInt(0);
212 #else
213  BUG_ON(1);
214 #endif
215  }
216 
217  if (p->proto == IPPROTO_TCP && p->flow->protoctx != NULL) {
218  /* set filestore depth for stream reassembling */
219  TcpSession *ssn = (TcpSession *)p->flow->protoctx;
 /* NOTE(review): line 220, the call that uses ssn, is dropped by the
  * page rendering (see the resource note above). */
221  }
222  if (p->flowflags & FLOW_PKT_TOCLIENT)
 /* NOTE(review): lines 223 and 225 (the two assignments to flags) are
  * dropped by the page rendering. */
224  else
226 
 /* Keep every candidate transaction inspectable in this direction
  * (dropped line 228: presumably the AppLayerParserSetStreamDepthFlag()
  * call from the symbol index, taking p->flow->proto and p->flow->alproto). */
227  for (uint16_t u = 0; u < det_ctx->filestore_cnt; u++) {
229  FlowGetAppState(p->flow),
230  det_ctx->filestore[u].tx_id,
231  flags);
232  }
233 
 /* NOTE(review): line 234 is dropped by the rendering; it defines `ffc`,
  * presumably `FileContainer *ffc = AppLayerParserGetFiles(p->flow, flags);`.
  * ffc may be NULL for a flow without files in this direction; whether
  * FileStoreFileById() tolerates that is not visible here — confirm. */
235 
236  /* filestore for single files only */
 /* Bare "filestore;": store exactly the recorded candidate files. */
237  if (s->filestore_ctx == NULL) {
238  for (uint16_t u = 0; u < det_ctx->filestore_cnt; u++) {
239  FileStoreFileById(ffc, det_ctx->filestore[u].file_id);
240  }
241  } else {
 /* With options, direction and scope decide per candidate; tx/ssn scope
  * is only implemented for HTTP (see FilestorePostMatchWithOptions). */
242  for (uint16_t u = 0; u < det_ctx->filestore_cnt; u++) {
243  FilestorePostMatchWithOptions(p, p->flow, s->filestore_ctx, ffc,
244  det_ctx->filestore[u].file_id, det_ctx->filestore[u].tx_id);
245  }
246  }
247 
 /* filestore_cnt is not reset here; presumably the detection engine clears
  * it per packet — confirm against the caller. */
248  SCReturnInt(0);
249 }
250 
/**
 * \brief FileMatch callback for the filestore keyword
 *
 * Runs once per file while the "files" list of a signature is inspected.
 * It never rejects anything: it always reports a match and records a store
 * candidate (file track id + current tx id) in the thread context.
 * DetectFilestorePostMatch turns the candidates into store requests once
 * the complete signature has matched, so a partial match stores nothing.
 *
 * \param det_ctx detection thread context; candidates go to det_ctx->filestore
 * \param f flow (unused here; the caller holds it locked)
 * \param flags direction flags (unused here)
 * \param file file under inspection, or NULL for a rule whose filestore
 *             scope is wider than a single file
 * \param s signature being evaluated; s->id is appended to file->sid
 * \param m sigmatch context (unused; options are applied at post match)
 *
 * \retval 1 always, also when the candidate list is already full
 *
 * Capacity notes:
 *  - the candidate list is bounded by DETECT_FILESTORE_MAX; when full the
 *    match is still reported but the candidate is dropped, i.e. the file is
 *    silently not stored;
 *  - file->sid grows by 8 entries at a time with no upper bound, one entry
 *    per matching evaluation; on allocation failure the whole list is
 *    released and sid tracking for that file stops. The realloc goes
 *    through a temporary so file->sid never dangles.
 *
 * \todo the tx scoped logic still assumes HTTP; other protocols need an API.
 */
static int DetectFilestoreMatch (DetectEngineThreadCtx *det_ctx, Flow *f,
        uint8_t flags, File *file, const Signature *s, const SigMatchCtx *m)
{
    SCEnter();

    /* Candidate list full: report the match but record nothing more. */
    if (det_ctx->filestore_cnt >= DETECT_FILESTORE_MAX) {
        SCReturnInt(1);
    }

    uint32_t track_id = 0;
    if (file != NULL) {
        track_id = file->file_track_id;

        /* Remember which signatures hit this file, when tracking is on. */
        if (file->sid != NULL && s->id > 0) {
            bool have_room = true;
            if (file->sid_cnt >= file->sid_max) {
                uint32_t *grown = SCRealloc(file->sid, sizeof(uint32_t) * (file->sid_max + 8));
                if (grown == NULL) {
                    /* Give up on sid tracking for this file entirely. */
                    SCFree(file->sid);
                    file->sid = NULL;
                    file->sid_cnt = 0;
                    file->sid_max = 0;
                    have_room = false;
                } else {
                    file->sid = grown;
                    file->sid_max += 8;
                }
            }
            if (have_room) {
                file->sid[file->sid_cnt++] = s->id;
            }
        }
    }

    /* Record the candidate; the post-match decides what to do with it. */
    const uint16_t slot = det_ctx->filestore_cnt;
    det_ctx->filestore[slot].file_id = track_id;
    det_ctx->filestore[slot].tx_id = det_ctx->tx_id;

    SCLogDebug("%u, file %u, tx %"PRIu64, slot,
            det_ctx->filestore[slot].file_id,
            det_ctx->filestore[slot].tx_id);

    det_ctx->filestore_cnt++;
    SCReturnInt(1);
}
314 
315 /**
316  * \brief this function is used to parse filestore options
317  * \brief into the current signature
318  *
319  * \param de_ctx pointer to the Detection Engine Context
320  * \param s pointer to the Current Signature
321  * \param str pointer to the user provided "filestore" option; NULL or ""
 *        for a bare "filestore;", otherwise "<direction>[,<scope>]" as
 *        accepted by PARSE_REGEX
322  *
323  * \retval 0 on Success
324  * \retval -1 on Failure
 *
 * Side effects on success: one DETECT_FILESTORE sigmatch is appended to the
 * "files" list (ctx = parsed options, or NULL without options), a second
 * internal post-match sigmatch is appended, and s->filestore_ctx is set.
 * Unknown option words are NOT rejected; see the notes in the body.
325  */
326 static int DetectFilestoreSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
327 {
328  SCEnter();
329 
 /* Warn once per detection engine version that the file-store output is
  * missing. Function-scope statics shared by all rules; fine as long as
  * rule loading is single threaded (presumably the case — confirm). */
330  static bool warn_not_configured = false;
331  static uint32_t de_version = 0;
332 
333  /* Check on first-time loads (includes following a reload) */
334  if (!warn_not_configured || (de_ctx->version != de_version)) {
335  if (de_version != de_ctx->version) {
336  SCLogDebug("reload-detected; re-checking feature presence; DE version now %"PRIu32,
337  de_ctx->version);
338  }
 /* NOTE(review): line 339 is dropped by the page rendering; per the symbol
  * index it is presumably the `if (!RequiresFeature(FEATURE_OUTPUT_FILESTORE))`
  * guard. This is only a warning: the rule still loads, and without the
  * output module its store requests are silently ineffective. */
340  SCLogWarning(SC_WARN_ALERT_CONFIG, "One or more rule(s) depends on the "
341  "file-store output log which is not enabled. "
342  "Enable the output \"file-store\".");
343  }
344  warn_not_configured = true;
345  de_version = de_ctx->version;
346  }
347 
348  DetectFilestoreData *fd = NULL;
349  SigMatch *sm = NULL;
350  char *args[3] = {NULL,NULL,NULL};
351  int ret = 0, res = 0;
352  int ov[MAX_SUBSTRINGS];
353 
354  /* filestore and bypass keywords can't work together */
 /* A bypassed flow is no longer inspected, so nothing could be stored;
  * reject the rule outright (dropped line 356: the SCLogError with
  * SC_ERR_CONFLICTING_RULE_KEYWORDS whose message text follows). */
355  if (s->flags & SIG_FLAG_BYPASS) {
357  "filestore can't work with bypass keyword");
358  return -1;
359  }
360 
361  sm = SigMatchAlloc();
362  if (sm == NULL)
363  goto error;
364 
365  sm->type = DETECT_FILESTORE;
366 
367  if (str != NULL && strlen(str) > 0) {
 /* Fixed 32 byte buffer per option word: pcre_copy_substring() is bounded
  * by sizeof() and returns < 0 for a longer word, so an oversized value is
  * a rule parse error, not an overflow. */
368  char str_0[32];
369  char str_1[32];
370  char str_2[32];
371  SCLogDebug("str %s", str);
372 
 /* ret = whole match + captured groups, so 2..4 for a valid string. */
373  ret = DetectParsePcreExec(&parse_regex, str, 0, 0, ov, MAX_SUBSTRINGS);
374  if (ret < 1 || ret > 4) {
375  SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 ", string %s", ret, str);
376  goto error;
377  }
378 
379  if (ret > 1) {
380  res = pcre_copy_substring((char *)str, ov, MAX_SUBSTRINGS, 1, str_0, sizeof(str_0));
381  if (res < 0) {
382  SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
383  goto error;
384  }
385  args[0] = (char *)str_0;
386 
387  if (ret > 2) {
388  res = pcre_copy_substring((char *)str, ov, MAX_SUBSTRINGS, 2, str_1, sizeof(str_1));
389  if (res < 0) {
390  SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
391  goto error;
392  }
393  args[1] = (char *)str_1;
394  }
 /* A third word is captured but never consumed below (args[2] unused). */
395  if (ret > 3) {
396  res = pcre_copy_substring((char *)str, ov, MAX_SUBSTRINGS, 3, str_2, sizeof(str_2));
397  if (res < 0) {
398  SCLogError(SC_ERR_PCRE_COPY_SUBSTRING, "pcre_copy_substring failed");
399  goto error;
400  }
401  args[2] = (char *)str_2;
402  }
403  }
404 
405  fd = SCMalloc(sizeof(DetectFilestoreData));
406  if (unlikely(fd == NULL))
407  goto error;
 /* Zeroed so an unset direction/scope reads as 0 below. */
408  memset(fd, 0x00, sizeof(DetectFilestoreData));
409 
410  if (args[0] != NULL) {
411  SCLogDebug("first arg %s", args[0]);
412 
 /* NOTE(review): the assignments inside these branches (lines 416-417,
  * 422-423, 427-428 and the else at 431) are dropped by the page rendering;
  * per the symbol index they set fd->direction to FILESTORE_DIR_TOSERVER /
  * FILESTORE_DIR_TOCLIENT / FILESTORE_DIR_BOTH / FILESTORE_DIR_DEFAULT. A
  * word matching none of the branches (a typo such as "to_sever") is
  * silently accepted and leaves fd->direction at 0 from the memset —
  * consider failing the rule with SCLogError instead. */
413  if (strcasecmp(args[0], "request") == 0 ||
414  strcasecmp(args[0], "to_server") == 0)
415  {
418  }
419  else if (strcasecmp(args[0], "response") == 0 ||
420  strcasecmp(args[0], "to_client") == 0)
421  {
424  }
425  else if (strcasecmp(args[0], "both") == 0)
426  {
429  }
430  } else {
432  }
433 
434  if (args[1] != NULL) {
435  SCLogDebug("second arg %s", args[1]);
436 
 /* Same pattern for the scope word (dropped lines 439, 442, 446:
  * FILESTORE_SCOPE_DEFAULT / _TX / _SSN per the symbol index); an unknown
  * scope word is likewise ignored silently. */
437  if (strcasecmp(args[1], "file") == 0)
438  {
440  } else if (strcasecmp(args[1], "tx") == 0)
441  {
443  } else if (strcasecmp(args[1], "ssn") == 0 ||
444  strcasecmp(args[1], "flow") == 0)
445  {
447  }
448  } else {
 /* No scope word: keep whatever the direction branch chose, else apply
  * the default (dropped line 450). */
449  if (fd->scope == 0)
451  }
452 
 /* Ownership of fd moves to the sigmatch; DetectFilestoreFree releases it. */
453  sm->ctx = (SigMatchCtx*)fd;
454  } else {
 /* Bare "filestore;": no options, post match stores the matched files. */
455  sm->ctx = (SigMatchCtx*)NULL;
456  }
457 
 /* Dropped line 459: presumably AppLayerHtpNeedFileInspection(), which
  * turns on HTTP file tracking for the engine (symbol index). */
458  if (s->alproto == ALPROTO_HTTP) {
460  }
461 
462  SigMatchAppendSMToList(s, sm, g_file_match_list_id);
463  s->filestore_ctx = (const DetectFilestoreData *)sm->ctx;
464 
 /* Second, internal sigmatch so the store decision runs only after the
  * whole signature matched (dropped lines 468/470/473: presumably the
  * DETECT_FILESTORE_POSTMATCH type, the append to DETECT_SM_LIST_POSTMATCH
  * and `s->flags |= SIG_FLAG_FILESTORE`). */
465  sm = SigMatchAlloc();
466  if (unlikely(sm == NULL))
467  goto error;
469  sm->ctx = NULL;
471 
472 
474  return 0;
475 
476 error:
 /* Only a not-yet-appended sigmatch is released here. A first sigmatch
  * already appended above (and the fd it owns) belongs to the signature,
  * which the caller is presumably expected to free on -1 — confirm. */
477  if (sm != NULL)
478  SCFree(sm);
479  return -1;
480 }
481 
/**
 * \brief Free callback shared by "filestore" and "__filestore__postmatch__"
 *
 * \param de_ctx detection engine context (unused)
 * \param ptr the DetectFilestoreData allocated by DetectFilestoreSetup, or
 *            NULL for a keyword without options and for the post-match
 *            sigmatch, whose ctx is always NULL
 */
static void DetectFilestoreFree(DetectEngineCtx *de_ctx, void *ptr)
{
    (void)de_ctx;

    if (ptr == NULL)
        return;

    SCFree(ptr);
}
488 
489 #ifdef UNITTESTS
490 /*
491  * The purpose of this test is to confirm that
492  * filestore and bypass keywords can't
493  * work together: SigInit() must reject the rule below.
 *
 * NOTE(review): three lines are dropped by the page rendering — the
 * DetectEngineCtxInit() call before the first FAIL_IF, the FAIL_IF_NOT_NULL
 * check on de_ctx->sig_list after SigInit(), and the DetectEngineCtxFree()
 * before the return (each appears in the symbol index and nowhere else).
494  */
495 static int DetectFilestoreTest01(void)
496 {
497  DetectEngineCtx *de_ctx = NULL;
 /* The FAIL_IF* macros return on failure, so result is always 1 (pass). */
498  int result = 1;
499 
501  FAIL_IF(de_ctx == NULL);
502 
503  de_ctx->flags |= DE_QUIET;
504 
 /* bypass first, then filestore: Setup must see SIG_FLAG_BYPASS and fail. */
505  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
506  "(bypass; filestore; "
507  "content:\"message\"; http_host; "
508  "sid:1;)");
510 
512 
513  return result;
514 }
515 
/**
 * \brief Register the filestore keyword unit tests with the test runner
 *
 * Only DetectFilestoreTest01 (filestore/bypass conflict) exists so far;
 * add further tests to the table rather than as extra calls.
 */
void DetectFilestoreRegisterTests(void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectFilestoreTest01", DetectFilestoreTest01 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
}
520 #endif /* UNITTESTS */
FileStoreAllFilesForTx
void FileStoreAllFilesForTx(FileContainer *fc, uint64_t tx_id)
Definition: util-file.c:1215
SigTableElmt_::url
const char * url
Definition: detect.h:1214
Packet_::proto
uint8_t proto
Definition: decode.h:436
FileContainer_
Definition: util-file.h:100
AppLayerHtpNeedFileInspection
void AppLayerHtpNeedFileInspection(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request file...
Definition: app-layer-htp.c:515
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
flow-util.h
Signature_::filestore_ctx
const struct DetectFilestoreData_ * filestore_ctx
Definition: detect.h:584
AppLayerParserSetStreamDepthFlag
void AppLayerParserSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void *state, uint64_t tx_id, uint8_t flags)
Definition: app-layer-parser.c:1461
DetectFilestoreData_::scope
int16_t scope
Definition: detect-filestore.h:38
SigTableElmt_::name
const char * name
Definition: detect.h:1211
stream-tcp.h
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
FILESTORE_DIR_DEFAULT
#define FILESTORE_DIR_DEFAULT
Definition: detect-filestore.h:27
Signature_::alproto
AppProto alproto
Definition: detect.h:532
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Flow_::proto
uint8_t proto
Definition: flow.h:365
DetectEngineThreadCtx_::tx_id
uint64_t tx_id
Definition: detect.h:1082
threads.h
Flow_
Flow data structure.
Definition: flow.h:347
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2056
SigTableElmt_::FileMatch
int(* FileMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, File *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1187
HtpState_::flags
uint16_t flags
Definition: app-layer-htp.h:254
DETECT_FILESTORE
@ DETECT_FILESTORE
Definition: detect-engine-register.h:200
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1205
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:219
DE_QUIET
#define DE_QUIET
Definition: detect.h:294
AppLayerParserGetFiles
FileContainer * AppLayerParserGetFiles(const Flow *f, const uint8_t direction)
Definition: app-layer-parser.c:858
HTP_FLAG_STORE_FILES_TX_TC
#define HTP_FLAG_STORE_FILES_TX_TC
Definition: app-layer-htp.h:74
m
SCMutex m
Definition: flow-hash.h:6
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:445
Flow_::protoctx
void * protoctx
Definition: flow.h:441
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
DetectEngineCtx_::version
uint32_t version
Definition: detect.h:861
util-unittest.h
HtpState_
Definition: app-layer-htp.h:243
FlowGetAppState
void * FlowGetAppState(const Flow *f)
Definition: flow.c:1102
util-unittest-helper.h
FILESTORE_SCOPE_TX
#define FILESTORE_SCOPE_TX
Definition: detect-filestore.h:33
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:98
RequiresFeature
bool RequiresFeature(const char *feature_name)
Definition: feature.c:124
app-layer-htp.h
File_::file_track_id
uint32_t file_track_id
Definition: util-file.h:69
feature.h
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
DETECT_FILESTORE_MAX
#define DETECT_FILESTORE_MAX
Definition: detect.h:984
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1010
FILESTORE_SCOPE_SSN
#define FILESTORE_SCOPE_SSN
Definition: detect-filestore.h:34
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
SIG_FLAG_BYPASS
#define SIG_FLAG_BYPASS
Definition: detect.h:241
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2493
File_::sid_max
uint32_t sid_max
Definition: util-file.h:97
SC_ERR_PCRE_COPY_SUBSTRING
@ SC_ERR_PCRE_COPY_SUBSTRING
Definition: util-error.h:358
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
FileStoreFileById
void FileStoreFileById(FileContainer *fc, uint32_t file_id)
flag a file with id "file_id" to be stored.
Definition: util-file.c:1200
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:282
SC_WARN_ALERT_CONFIG
@ SC_WARN_ALERT_CONFIG
Definition: util-error.h:357
FileReassemblyDepth
uint32_t FileReassemblyDepth(void)
Definition: util-file.c:135
Signature_::flags
uint32_t flags
Definition: detect.h:529
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2423
Packet_
Definition: decode.h:414
DetectEngineThreadCtx_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1046
FILESTORE_DIR_TOCLIENT
#define FILESTORE_DIR_TOCLIENT
Definition: detect-filestore.h:29
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
detect-filestore.h
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1179
File_::sid
uint32_t * sid
Definition: util-file.h:95
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:220
File_::sid_cnt
uint32_t sid_cnt
Definition: util-file.h:96
HTP_FLAG_STORE_FILES_TS
#define HTP_FLAG_STORE_FILES_TS
Definition: app-layer-htp.h:71
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
HTP_FLAG_STORE_FILES_TX_TS
#define HTP_FLAG_STORE_FILES_TX_TS
Definition: app-layer-htp.h:73
SigMatch_::type
uint8_t type
Definition: detect.h:321
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
FILESTORE_DIR_BOTH
#define FILESTORE_DIR_BOTH
Definition: detect-filestore.h:30
FILESTORE_DIR_TOSERVER
#define FILESTORE_DIR_TOSERVER
Definition: detect-filestore.h:28
DetectFilestoreRegister
void DetectFilestoreRegister(void)
Registration function for keyword: filestore.
Definition: detect-filestore.c:78
File_
Definition: util-file.h:63
Packet_::flow
struct Flow_ * flow
Definition: decode.h:451
FEATURE_OUTPUT_FILESTORE
#define FEATURE_OUTPUT_FILESTORE
Definition: feature.h:28
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:836
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
util-spm-bm.h
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:773
SIGMATCH_OPTIONAL_OPT
#define SIGMATCH_OPTIONAL_OPT
Definition: detect.h:1389
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DetectFilestoreData_
Definition: detect-filestore.h:36
str
#define str(s)
Definition: suricata-common.h:273
HtpState_::files_tc
FileContainer * files_tc
Definition: app-layer-htp.h:252
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
DetectEngineThreadCtx_::filestore
struct DetectEngineThreadCtx_::@104 filestore[DETECT_FILESTORE_MAX]
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our flow options.
Definition: detect-filestore.c:60
SCFree
#define SCFree(p)
Definition: util-mem.h:61
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:6247
Flow_::alstate
void * alstate
Definition: flow.h:476
Signature_::id
uint32_t id
Definition: detect.h:561
DetectFilestoreData_::direction
int16_t direction
Definition: detect-filestore.h:37
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:30
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
HtpState_::files_ts
FileContainer * files_ts
Definition: app-layer-htp.h:251
FILESTORE_SCOPE_DEFAULT
#define FILESTORE_SCOPE_DEFAULT
Definition: detect-filestore.h:32
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:768
TcpSession_
Definition: stream-tcp-private.h:260
HTP_FLAG_STORE_FILES_TC
#define HTP_FLAG_STORE_FILES_TC
Definition: app-layer-htp.h:72
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
HtpState_::store_tx_id
uint64_t store_tx_id
Definition: app-layer-htp.h:250
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
SIG_FLAG_FILESTORE
#define SIG_FLAG_FILESTORE
Definition: detect.h:234
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203
DetectEngineThreadCtx_::file_id
uint32_t file_id
Definition: detect.h:1132
FileStoreAllFiles
void FileStoreAllFiles(FileContainer *fc)
Definition: util-file.c:1230
app-layer.h
DETECT_FILESTORE_POSTMATCH
@ DETECT_FILESTORE_POSTMATCH
Definition: detect-engine-register.h:201
SC_ERR_CONFLICTING_RULE_KEYWORDS
@ SC_ERR_CONFLICTING_RULE_KEYWORDS
Definition: util-error.h:171