suricata
detect-filestore.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the filestore keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
32 
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-engine-state.h"
36 
37 #include "feature.h"
38 
39 #include "flow.h"
40 #include "flow-var.h"
41 #include "flow-util.h"
42 
43 #include "util-debug.h"
44 #include "util-spm-bm.h"
45 #include "util-unittest.h"
46 #include "util-unittest-helper.h"
47 
48 #include "app-layer.h"
49 #include "app-layer-parser.h"
50 #include "app-layer-htp.h"
51 
52 #include "stream-tcp.h"
53 
54 #include "detect-filestore.h"
55 
56 #include "util-validate.h"
57 
58 /**
59  * \brief Regex for parsing our flow options
60  */
61 #define PARSE_REGEX "^\\s*([A-z_]+)\\s*(?:,\\s*([A-z_]+))?\\s*(?:,\\s*([A-z_]+))?\\s*$"
62 
63 static DetectParseRegex parse_regex;
64 
65 static int DetectFilestoreMatch (DetectEngineThreadCtx *,
66  Flow *, uint8_t, File *, const Signature *, const SigMatchCtx *);
67 static int DetectFilestorePostMatch(DetectEngineThreadCtx *det_ctx,
68  Packet *p, const Signature *s, const SigMatchCtx *ctx);
69 static int DetectFilestoreSetup (DetectEngineCtx *, Signature *, const char *);
70 static void DetectFilestoreFree(DetectEngineCtx *, void *);
71 #ifdef UNITTESTS
72 static void DetectFilestoreRegisterTests(void);
73 #endif
74 static int g_file_match_list_id = 0;
75 
76 /**
77  * \brief Registration function for keyword: filestore
78  */
80 {
81  sigmatch_table[DETECT_FILESTORE].name = "filestore";
82  sigmatch_table[DETECT_FILESTORE].desc = "stores files to disk if the rule matched";
83  sigmatch_table[DETECT_FILESTORE].url = "/rules/file-keywords.html#filestore";
84  sigmatch_table[DETECT_FILESTORE].FileMatch = DetectFilestoreMatch;
85  sigmatch_table[DETECT_FILESTORE].Setup = DetectFilestoreSetup;
86  sigmatch_table[DETECT_FILESTORE].Free = DetectFilestoreFree;
87 #ifdef UNITTESTS
88  sigmatch_table[DETECT_FILESTORE].RegisterTests = DetectFilestoreRegisterTests;
89 #endif
91 
92  sigmatch_table[DETECT_FILESTORE_POSTMATCH].name = "__filestore__postmatch__";
93  sigmatch_table[DETECT_FILESTORE_POSTMATCH].Match = DetectFilestorePostMatch;
94  sigmatch_table[DETECT_FILESTORE_POSTMATCH].Free = DetectFilestoreFree;
95 
96  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
97 
98  g_file_match_list_id = DetectBufferTypeRegister("files");
99 }
100 
101 /**
102  * \brief apply the post match filestore with options
103  */
104 static int FilestorePostMatchWithOptions(Packet *p, Flow *f, const DetectFilestoreData *filestore,
105  FileContainer *fc, uint32_t file_id, uint64_t tx_id)
106 {
107  if (filestore == NULL) {
108  SCReturnInt(0);
109  }
110 
111  int this_file = 0;
112  int this_tx = 0;
113  int this_flow = 0;
114  int rule_dir = 0;
115  int toserver_dir = 0;
116  int toclient_dir = 0;
117 
118  switch (filestore->direction) {
120  rule_dir = 1;
121  // will use both sides if scope is not default
122  // fallthrough
123  case FILESTORE_DIR_BOTH:
124  toserver_dir = 1;
125  toclient_dir = 1;
126  break;
128  toserver_dir = 1;
129  break;
131  toclient_dir = 1;
132  break;
133  }
134 
135  switch (filestore->scope) {
137  if (rule_dir) {
138  this_file = 1;
139  } else if ((p->flowflags & FLOW_PKT_TOCLIENT) && toclient_dir) {
140  this_file = 1;
141  } else if ((p->flowflags & FLOW_PKT_TOSERVER) && toserver_dir) {
142  this_file = 1;
143  }
144  break;
145  case FILESTORE_SCOPE_TX:
146  this_tx = 1;
147  break;
148  case FILESTORE_SCOPE_SSN:
149  this_flow = 1;
150  break;
151  }
152 
153  if (this_file) {
154  FileStoreFileById(fc, file_id);
155  } else if (this_tx) {
156  /* set in AppLayerTxData. Parsers and logger will propagate it to the
157  * individual files, both new and current. */
158  void *txv = AppLayerParserGetTx(f->proto, f->alproto, f->alstate, tx_id);
159  DEBUG_VALIDATE_BUG_ON(txv == NULL);
160  if (txv != NULL) {
162  DEBUG_VALIDATE_BUG_ON(txd == NULL);
163  if (txd != NULL) {
164  if (toclient_dir) {
165  txd->file_flags |= FLOWFILE_STORE_TC;
166  }
167  if (toserver_dir) {
168  txd->file_flags |= FLOWFILE_STORE_TS;
169  }
170  }
171  }
172  } else if (this_flow) {
173  /* set in flow and AppLayerStateData */
174  AppLayerStateData *sd = AppLayerParserGetStateData(f->proto, f->alproto, f->alstate);
175  if (toclient_dir) {
177  if (sd != NULL) {
178  sd->file_flags |= FLOWFILE_STORE_TC;
179  }
180  }
181  if (toserver_dir) {
183  if (sd != NULL) {
184  sd->file_flags |= FLOWFILE_STORE_TS;
185  }
186  }
187  } else {
188  FileStoreFileById(fc, file_id);
189  }
190 
191  SCReturnInt(0);
192 }
193 
194 /**
195  * \brief post-match function for filestore
196  *
197  * \param t thread local vars
198  * \param det_ctx pattern matcher thread local data
199  * \param p packet
200  *
201  * The match function for filestore records store candidates in the det_ctx.
202  * When we are sure all parts of the signature matched, we run this function
203  * to finalize the filestore.
204  */
205 static int DetectFilestorePostMatch(DetectEngineThreadCtx *det_ctx,
206  Packet *p, const Signature *s, const SigMatchCtx *ctx)
207 {
208  SCEnter();
209 
210  if (det_ctx->filestore_cnt == 0) {
211  SCReturnInt(0);
212  }
213 
214  if ((s->filestore_ctx == NULL && !(s->flags & SIG_FLAG_FILESTORE)) || p->flow == NULL) {
215 #ifndef DEBUG
216  SCReturnInt(0);
217 #else
218  BUG_ON(1);
219 #endif
220  }
221 
222  if (p->flow->proto == IPPROTO_TCP && p->flow->protoctx != NULL) {
223  /* set filestore depth for stream reassembling */
224  TcpSession *ssn = (TcpSession *)p->flow->protoctx;
226  }
227 
228  SCLogDebug("s->filestore_ctx %p", s->filestore_ctx);
229 
230  const uint8_t flags = STREAM_FLAGS_FOR_PACKET(p);
231  for (uint16_t u = 0; u < det_ctx->filestore_cnt; u++) {
232  void *alstate = FlowGetAppState(p->flow);
234  p->flow->proto, p->flow->alproto, alstate, det_ctx->filestore[u].tx_id, flags);
235 
236  void *txv = AppLayerParserGetTx(
237  p->flow->proto, p->flow->alproto, alstate, det_ctx->filestore[u].tx_id);
238  DEBUG_VALIDATE_BUG_ON(txv == NULL);
239  if (txv) {
240  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, txv, flags);
241  FileContainer *ffc_tx = files.fc;
242  DEBUG_VALIDATE_BUG_ON(ffc_tx == NULL);
243  if (ffc_tx) {
244  SCLogDebug("u %u txv %p ffc_tx %p file_id %u", u, txv, ffc_tx,
245  det_ctx->filestore[u].file_id);
246 
247  /* filestore for single files only */
248  if (s->filestore_ctx == NULL) {
249  FileStoreFileById(ffc_tx, det_ctx->filestore[u].file_id);
250  } else {
251  FilestorePostMatchWithOptions(p, p->flow, s->filestore_ctx, ffc_tx,
252  det_ctx->filestore[u].file_id, det_ctx->filestore[u].tx_id);
253  }
254  }
255  }
256  }
257  SCReturnInt(0);
258 }
259 
260 /**
261  * \brief match the specified filestore
262  *
263  * \param t thread local vars
264  * \param det_ctx pattern matcher thread local data
265  * \param f *LOCKED* flow
266  * \param flags direction flags
267  * \param file file being inspected
268  * \param s signature being inspected
269  * \param m sigmatch that we will cast into DetectFilestoreData
270  *
271  * \retval 0 no match
272  * \retval 1 match
273  *
274  * \todo when we start supporting more protocols, the logic in this function
275  * needs to be put behind a api.
276  */
277 static int DetectFilestoreMatch (DetectEngineThreadCtx *det_ctx, Flow *f,
278  uint8_t flags, File *file, const Signature *s, const SigMatchCtx *m)
279 {
280  uint32_t file_id = 0;
281 
282  SCEnter();
283 
284  if (!RunmodeIsUnittests()) {
285  extern bool g_filedata_logger_enabled;
287  SCLogDebug("not storing file match: no filedata logger enabled");
288  SCReturnInt(1);
289  }
290  }
291  if (det_ctx->filestore_cnt >= DETECT_FILESTORE_MAX) {
292  SCReturnInt(1);
293  }
294 
295  /* file can be NULL when a rule with filestore scope > file
296  * matches. */
297  if (file != NULL) {
298  file_id = file->file_track_id;
299  if (file->sid != NULL && s->id > 0) {
300  if (file->sid_cnt >= file->sid_max) {
301  void *p = SCRealloc(file->sid, sizeof(uint32_t) * (file->sid_max + 8));
302  if (p == NULL) {
303  SCFree(file->sid);
304  file->sid = NULL;
305  file->sid_cnt = 0;
306  file->sid_max = 0;
307  goto continue_after_realloc_fail;
308  } else {
309  file->sid = p;
310  file->sid_max += 8;
311  }
312  }
313  file->sid[file->sid_cnt] = s->id;
314  file->sid_cnt++;
315  }
316  }
317 
318 continue_after_realloc_fail:
319 
320  det_ctx->filestore[det_ctx->filestore_cnt].file_id = file_id;
321  det_ctx->filestore[det_ctx->filestore_cnt].tx_id = det_ctx->tx_id;
322 
323  SCLogDebug("%u, file %u, tx %"PRIu64, det_ctx->filestore_cnt,
324  det_ctx->filestore[det_ctx->filestore_cnt].file_id,
325  det_ctx->filestore[det_ctx->filestore_cnt].tx_id);
326 
327  det_ctx->filestore_cnt++;
328  SCReturnInt(1);
329 }
330 
331 /**
332  * \brief this function is used to parse filestore options
333  * \brief into the current signature
334  *
335  * \param de_ctx pointer to the Detection Engine Context
336  * \param s pointer to the Current Signature
337  * \param str pointer to the user provided "filestore" option
338  *
339  * \retval 0 on Success
340  * \retval -1 on Failure
341  */
342 static int DetectFilestoreSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
343 {
344  SCEnter();
345 
346  static bool warn_not_configured = false;
347  static uint32_t de_version = 0;
348 
349  if (de_ctx->filestore_cnt == UINT16_MAX) {
350  SCLogError("Cannot have more than 65535 filestore signatures");
351  return -1;
352  }
353 
354  /* Check on first-time loads (includes following a reload) */
355  if (!warn_not_configured || (de_ctx->version != de_version)) {
356  if (de_version != de_ctx->version) {
357  SCLogDebug("reload-detected; re-checking feature presence; DE version now %"PRIu32,
358  de_ctx->version);
359  }
361  SCLogWarning("One or more rule(s) depends on the "
362  "file-store output log which is not enabled. "
363  "Enable the output \"file-store\".");
364  }
365  warn_not_configured = true;
366  de_version = de_ctx->version;
367  }
368 
369  DetectFilestoreData *fd = NULL;
370  char *args[3] = {NULL,NULL,NULL};
371  int res = 0;
372  size_t pcre2len;
373  pcre2_match_data *match = NULL;
374 
375  /* filestore and bypass keywords can't work together */
376  if (s->flags & SIG_FLAG_BYPASS) {
377  SCLogError("filestore can't work with bypass keyword");
378  return -1;
379  }
380 
381  if (str != NULL && strlen(str) > 0) {
382  char str_0[32];
383  char str_1[32];
384  char str_2[32];
385  SCLogDebug("str %s", str);
386 
387  int ret = DetectParsePcreExec(&parse_regex, &match, str, 0, 0);
388  if (ret < 1 || ret > 4) {
389  SCLogError("parse error, ret %" PRId32 ", string %s", ret, str);
390  goto error;
391  }
392 
393  if (ret > 1) {
394  pcre2len = sizeof(str_0);
395  res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)str_0, &pcre2len);
396  if (res < 0) {
397  SCLogError("pcre2_substring_copy_bynumber failed");
398  goto error;
399  }
400  args[0] = (char *)str_0;
401 
402  if (ret > 2) {
403  pcre2len = sizeof(str_1);
404  res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)str_1, &pcre2len);
405  if (res < 0) {
406  SCLogError("pcre2_substring_copy_bynumber failed");
407  goto error;
408  }
409  args[1] = (char *)str_1;
410  }
411  if (ret > 3) {
412  pcre2len = sizeof(str_2);
413  res = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)str_2, &pcre2len);
414  if (res < 0) {
415  SCLogError("pcre2_substring_copy_bynumber failed");
416  goto error;
417  }
418  args[2] = (char *)str_2;
419  }
420  }
421 
422  fd = SCCalloc(1, sizeof(DetectFilestoreData));
423  if (unlikely(fd == NULL))
424  goto error;
425 
426  if (args[0] != NULL) {
427  SCLogDebug("first arg %s", args[0]);
428 
429  if (strcasecmp(args[0], "request") == 0 ||
430  strcasecmp(args[0], "to_server") == 0)
431  {
434  }
435  else if (strcasecmp(args[0], "response") == 0 ||
436  strcasecmp(args[0], "to_client") == 0)
437  {
440  }
441  else if (strcasecmp(args[0], "both") == 0)
442  {
445  }
446  } else {
448  }
449 
450  if (args[1] != NULL) {
451  SCLogDebug("second arg %s", args[1]);
452 
453  if (strcasecmp(args[1], "file") == 0)
454  {
456  } else if (strcasecmp(args[1], "tx") == 0)
457  {
459  } else if (strcasecmp(args[1], "ssn") == 0 ||
460  strcasecmp(args[1], "flow") == 0)
461  {
463  }
464  } else {
465  if (fd->scope == 0)
467  }
468  }
469 
470  if (s->alproto == ALPROTO_HTTP1 || s->alproto == ALPROTO_HTTP) {
472  }
473 
475  de_ctx, s, DETECT_FILESTORE, (SigMatchCtx *)fd, g_file_match_list_id) == NULL) {
476  DetectFilestoreFree(de_ctx, fd);
477  goto error;
478  }
479  s->filestore_ctx = fd;
480 
483  goto error;
484  }
485 
488 
489  if (match)
490  pcre2_match_data_free(match);
491 
492  return 0;
493 
494 error:
495  if (match) {
496  pcre2_match_data_free(match);
497  }
498  return -1;
499 }
500 
501 static void DetectFilestoreFree(DetectEngineCtx *de_ctx, void *ptr)
502 {
503  if (ptr != NULL) {
504  SCFree(ptr);
505  }
506 }
507 
508 #ifdef UNITTESTS
509 /*
510  * The purpose of this test is to confirm that
511  * filestore and bypass keywords can't
512  * can't work together
513  */
514 static int DetectFilestoreTest01(void)
515 {
516  DetectEngineCtx *de_ctx = NULL;
517  int result = 1;
518 
520  FAIL_IF(de_ctx == NULL);
521 
522  de_ctx->flags |= DE_QUIET;
523 
524  de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
525  "(bypass; filestore; "
526  "content:\"message\"; http_host; "
527  "sid:1;)");
529 
531 
532  return result;
533 }
534 
535 void DetectFilestoreRegisterTests(void)
536 {
537  UtRegisterTest("DetectFilestoreTest01", DetectFilestoreTest01);
538 }
539 #endif /* UNITTESTS */
SigTableElmt_::url
const char * url
Definition: detect.h:1312
FileContainer_
Definition: util-file.h:113
AppLayerHtpNeedFileInspection
void AppLayerHtpNeedFileInspection(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request file...
Definition: app-layer-htp.c:499
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1311
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:128
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1299
flow-util.h
Signature_::filestore_ctx
const struct DetectFilestoreData_ * filestore_ctx
Definition: detect.h:659
AppLayerParserSetStreamDepthFlag
void AppLayerParserSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void *state, uint64_t tx_id, uint8_t flags)
Definition: app-layer-parser.c:1565
DetectEngineThreadCtx_::filestore
struct DetectEngineThreadCtx_::@97 filestore[DETECT_FILESTORE_MAX]
DetectParseRegex
Definition: detect-parse.h:62
g_filedata_logger_enabled
bool g_filedata_logger_enabled
Definition: output-filedata.c:37
DetectFilestoreData_::scope
int16_t scope
Definition: detect-filestore.h:38
SigTableElmt_::name
const char * name
Definition: detect.h:1309
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
FILESTORE_DIR_DEFAULT
#define FILESTORE_DIR_DEFAULT
Definition: detect-filestore.h:27
Signature_::alproto
AppProto alproto
Definition: detect.h:608
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Flow_::proto
uint8_t proto
Definition: flow.h:378
DetectEngineThreadCtx_::tx_id
uint64_t tx_id
Definition: detect.h:1179
threads.h
Flow_
Flow data structure.
Definition: flow.h:356
SigTableElmt_::FileMatch
int(* FileMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, File *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1285
DETECT_FILESTORE
@ DETECT_FILESTORE
Definition: detect-engine-register.h:232
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1303
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:843
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2623
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:232
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2645
m
SCMutex m
Definition: flow-hash.h:6
AppLayerParserGetStateData
AppLayerStateData * AppLayerParserGetStateData(uint8_t ipproto, AppProto alproto, void *state)
Definition: app-layer-parser.c:1171
FLOWFILE_STORE_TS
#define FLOWFILE_STORE_TS
Definition: flow.h:152
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:507
Flow_::protoctx
void * protoctx
Definition: flow.h:446
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1294
DetectEngineCtx_::version
uint32_t version
Definition: detect.h:927
util-unittest.h
util-unittest-helper.h
AppLayerParserGetTxFiles
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *tx, const uint8_t direction)
Definition: app-layer-parser.c:854
FILESTORE_SCOPE_TX
#define FILESTORE_SCOPE_TX
Definition: detect-filestore.h:33
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:124
RequiresFeature
bool RequiresFeature(const char *feature_name)
Definition: feature.c:126
app-layer-htp.h
File_::file_track_id
uint32_t file_track_id
Definition: util-file.h:84
feature.h
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
DETECT_FILESTORE_MAX
#define DETECT_FILESTORE_MAX
Definition: detect.h:1072
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1098
FLOWFILE_STORE_TC
#define FLOWFILE_STORE_TC
Definition: flow.h:153
FILESTORE_SCOPE_SSN
#define FILESTORE_SCOPE_SSN
Definition: detect-filestore.h:34
SIG_FLAG_BYPASS
#define SIG_FLAG_BYPASS
Definition: detect.h:272
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2771
File_::sid_max
uint32_t sid_max
Definition: util-file.h:110
STREAM_FLAGS_FOR_PACKET
#define STREAM_FLAGS_FOR_PACKET(p)
Definition: stream.h:30
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
FileStoreFileById
void FileStoreFileById(FileContainer *fc, uint32_t file_id)
flag a file with id "file_id" to be stored.
Definition: util-file.c:1177
DetectEngineCtx_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1052
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2289
app-layer-parser.h
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
FileReassemblyDepth
uint32_t FileReassemblyDepth(void)
Definition: util-file.c:133
Signature_::flags
uint32_t flags
Definition: detect.h:604
Packet_
Definition: decode.h:476
DetectEngineThreadCtx_::filestore_cnt
uint16_t filestore_cnt
Definition: detect.h:1145
FILESTORE_DIR_TOCLIENT
#define FILESTORE_DIR_TOCLIENT
Definition: detect-filestore.h:29
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
detect-filestore.h
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1277
File_::sid
uint32_t * sid
Definition: util-file.h:108
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:233
File_::sid_cnt
uint32_t sid_cnt
Definition: util-file.h:109
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:251
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1094
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:344
FILESTORE_DIR_BOTH
#define FILESTORE_DIR_BOTH
Definition: detect-filestore.h:30
FILESTORE_DIR_TOSERVER
#define FILESTORE_DIR_TOSERVER
Definition: detect-filestore.h:28
DetectFilestoreRegister
void DetectFilestoreRegister(void)
Registration function for keyword: filestore.
Definition: detect-filestore.c:79
File_
Definition: util-file.h:79
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1372
Packet_::flow
struct Flow_ * flow
Definition: decode.h:515
FEATURE_OUTPUT_FILESTORE
#define FEATURE_OUTPUT_FILESTORE
Definition: feature.h:28
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1030
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
AppLayerParserGetTxData
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:1164
util-spm-bm.h
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:851
SIGMATCH_OPTIONAL_OPT
#define SIGMATCH_OPTIONAL_OPT
Definition: detect.h:1502
util-validate.h
DetectFilestoreData_
Definition: detect-filestore.h:36
str
#define str(s)
Definition: suricata-common.h:291
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our flow options.
Definition: detect-filestore.c:61
SCFree
#define SCFree(p)
Definition: util-mem.h:61
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:7143
Flow_::alstate
void * alstate
Definition: flow.h:481
Signature_::id
uint32_t id
Definition: detect.h:638
DetectFilestoreData_::direction
int16_t direction
Definition: detect-filestore.h:37
detect-parse.h
Signature_
Signature container.
Definition: detect.h:603
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:70
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2584
FILESTORE_SCOPE_DEFAULT
#define FILESTORE_SCOPE_DEFAULT
Definition: detect-filestore.h:32
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:437
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:845
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Flow_::file_flags
uint16_t file_flags
Definition: flow.h:428
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:455
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
SIG_FLAG_FILESTORE
#define SIG_FLAG_FILESTORE
Definition: detect.h:265
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1301
DetectEngineThreadCtx_::file_id
uint32_t file_id
Definition: detect.h:1216
app-layer.h
DETECT_FILESTORE_POSTMATCH
@ DETECT_FILESTORE_POSTMATCH
Definition: detect-engine-register.h:233