suricata
detect-ftpbounce.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
22  *
23  * ftpbounce keyword, part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 #include "detect.h"
30 #include "detect-parse.h"
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-engine-state.h"
34 #include "detect-content.h"
35 
36 #include "app-layer.h"
37 #include "app-layer-parser.h"
38 #include "app-layer-ftp.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 #include "util-debug.h"
42 #include "flow.h"
43 #include "flow-var.h"
44 #include "flow-util.h"
45 #include "threads.h"
46 #include "detect-ftpbounce.h"
47 #include "stream-tcp.h"
48 #include "util-byte.h"
49 
50 static int DetectFtpbounceALMatch(ThreadVars *, DetectEngineThreadCtx *,
51  Flow *, uint8_t, void *, void *,
52  const Signature *, const SigMatchCtx *);
53 
54 static int DetectFtpbounceSetup(DetectEngineCtx *, Signature *, const char *);
55 static void DetectFtpbounceRegisterTests(void);
56 static int g_ftp_request_list_id = 0;
57 
58 static int InspectFtpRequest(ThreadVars *tv,
59  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
60  const Signature *s, const SigMatchData *smd,
61  Flow *f, uint8_t flags, void *alstate,
62  void *txv, uint64_t tx_id);
63 
64 /**
65  * \brief Registration function for ftpbounce: keyword
66  * \todo add support for no_stream and stream_only
67  */
69 {
70  sigmatch_table[DETECT_FTPBOUNCE].name = "ftpbounce";
71  sigmatch_table[DETECT_FTPBOUNCE].Setup = DetectFtpbounceSetup;
72  sigmatch_table[DETECT_FTPBOUNCE].AppLayerTxMatch = DetectFtpbounceALMatch;
73  sigmatch_table[DETECT_FTPBOUNCE].RegisterTests = DetectFtpbounceRegisterTests;
74  sigmatch_table[DETECT_FTPBOUNCE].url = DOC_URL DOC_VERSION "/rules/ftp-keywords.html#ftpbounce";
76 
77  g_ftp_request_list_id = DetectBufferTypeRegister("ftp_request");
78 
81  InspectFtpRequest);
82 }
83 
84 static int InspectFtpRequest(ThreadVars *tv,
85  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
86  const Signature *s, const SigMatchData *smd,
87  Flow *f, uint8_t flags, void *alstate,
88  void *txv, uint64_t tx_id)
89 {
90  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
91  f, flags, alstate, txv, tx_id);
92 }
93 
94 /**
95  * \brief This function is used to match ftpbounce attacks
96  *
97  * \param payload Payload of the PORT command
98  * \param payload_len Length of the payload
99  * \param ip_orig IP source to check the ftpbounce condition
100  * \param offset offset to the arguments of the PORT command
101  *
102  * \retval 1 if ftpbounce detected, 0 if not
103  */
104 static int DetectFtpbounceMatchArgs(uint8_t *payload, uint16_t payload_len,
105  uint32_t ip_orig, uint16_t offset)
106 {
107  SCEnter();
108  SCLogDebug("Checking ftpbounce condition");
109  char *c = NULL;
110  uint16_t i = 0;
111  int octet = 0;
112  int octet_ascii_len = 0;
113  int noctet = 0;
114  uint32_t ip = 0;
115  /* PrintRawDataFp(stdout, payload, payload_len); */
116 
117  if (payload_len < 7) {
118  /* we need at least a differet ip address
119  * in the format 1,2,3,4,x,y where x,y is the port
120  * in two byte representation so let's look at
121  * least for the IP octets in comma separated */
122  return 0;
123  }
124 
125  if (offset + 7 >= payload_len)
126  return 0;
127 
128  c =(char*) payload;
129  if (c == NULL) {
130  SCLogDebug("No payload to check");
131  return 0;
132  }
133 
134  i = offset;
135  /* Search for the first IP octect(Skips "PORT ") */
136  while (i < payload_len && !isdigit((unsigned char)c[i])) i++;
137 
138  for (;i < payload_len && octet_ascii_len < 4 ;i++) {
139  if (isdigit((unsigned char)c[i])) {
140  octet =(c[i] - '0') + octet * 10;
141  octet_ascii_len++;
142  } else {
143  if (octet > 256) {
144  SCLogDebug("Octet not in ip format");
145  return 0;
146  }
147 
148  if (isspace((unsigned char)c[i]))
149  while (i < payload_len && isspace((unsigned char)c[i]) ) i++;
150 
151  if (i < payload_len && c[i] == ',') { /* we have an octet */
152  noctet++;
153  octet_ascii_len = 0;
154  ip =(ip << 8) + octet;
155  octet = 0;
156  } else {
157  SCLogDebug("Unrecognized character '%c'", c[i]);
158  return 0;
159  }
160  if (noctet == 4) {
161  /* Different IP than src, ftp bounce scan */
162  ip = SCByteSwap32(ip);
163 
164  if (ip != ip_orig) {
165  SCLogDebug("Different ip, so Matched ip:%d <-> ip_orig:%d",
166  ip, ip_orig);
167  return 1;
168  }
169  SCLogDebug("Same ip, so no match here");
170  return 0;
171  }
172  }
173  }
174  SCLogDebug("No match");
175  return 0;
176 }
177 
178 /**
179  * \brief This function is used to check matches from the FTP App Layer Parser
180  *
181  * \param t pointer to thread vars
182  * \param det_ctx pointer to the pattern matcher thread
183  * \param p pointer to the current packet
184  * \param m pointer to the sigmatch but we don't use it since ftpbounce
185  * has no options
186  * \retval 0 no match
187  * \retval 1 match
188  */
189 static int DetectFtpbounceALMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
190  Flow *f, uint8_t flags,
191  void *state, void *txv,
192  const Signature *s, const SigMatchCtx *m)
193 {
194  SCEnter();
195 
196  FtpState *ftp_state = (FtpState *)state;
197  if (ftp_state == NULL) {
198  SCLogDebug("no ftp state, no match");
199  SCReturnInt(0);
200  }
201 
202  int ret = 0;
203  if (ftp_state->command == FTP_COMMAND_PORT) {
204  ret = DetectFtpbounceMatchArgs(ftp_state->port_line,
205  ftp_state->port_line_len, f->src.address.address_un_data32[0],
206  ftp_state->arg_offset);
207  }
208 
209  SCReturnInt(ret);
210 }
211 
212 /**
213  * \brief this function is used to add the parsed ftpbounce
214  *
215  * \param de_ctx pointer to the Detection Engine Context
216  * \param s pointer to the Current Signature
217  * \param m pointer to the Current SigMatch
218  * \param ftpbouncestr pointer to the user provided ftpbounce options
219  * currently there are no options.
220  *
221  * \retval 0 on Success
222  * \retval -1 on Failure
223  */
224 int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, const char *ftpbouncestr)
225 {
226  SCEnter();
227 
228  SigMatch *sm = NULL;
229 
231  return -1;
232 
233  sm = SigMatchAlloc();
234  if (sm == NULL) {
235  return -1;
236  }
237 
238  sm->type = DETECT_FTPBOUNCE;
239 
240  /* We don't need to allocate any data for ftpbounce here.
241  *
242  * TODO: As a suggestion, maybe we can add a flag in the flow
243  * to set the stream as "bounce detected" for fast Match.
244  * When you do a ftp bounce attack you usually use the same
245  * communication control stream to "setup" various destinations
246  * whithout breaking the connection, so I guess we can make it a bit faster
247  * with a flow flag set lookup in the Match function.
248  */
249  sm->ctx = NULL;
250 
251  SigMatchAppendSMToList(s, sm, g_ftp_request_list_id);
252  SCReturnInt(0);
253 }
254 
255 #ifdef UNITTESTS
256 
257 /**
258  * \test DetectFtpbounceTestSetup01 is a test for the Setup ftpbounce
259  */
260 static int DetectFtpbounceTestSetup01(void)
261 {
262  DetectEngineCtx *de_ctx = NULL;
263  Signature *s = SigAlloc();
264  FAIL_IF (s == NULL);
265 
266  /* ftpbounce doesn't accept options so the str is NULL */
267  FAIL_IF_NOT(DetectFtpbounceSetup(de_ctx, s, NULL) == 0);
268  FAIL_IF(s->sm_lists[g_ftp_request_list_id] == NULL);
269  FAIL_IF_NOT(s->sm_lists[g_ftp_request_list_id]->type & DETECT_FTPBOUNCE);
270 
271  SigFree(s);
272  PASS;
273 }
274 
275 #include "stream-tcp-reassemble.h"
276 
277 /**
278  * \test Check the ftpbounce match, send a get request in three chunks
279  * + more data.
280  * \brief This test tests the ftpbounce condition match, based on the
281  * ftp layer parser
282  */
283 static int DetectFtpbounceTestALMatch02(void)
284 {
285  int result = 0;
286 
287  uint8_t ftpbuf1[] = { 'P','O' };
288  uint32_t ftplen1 = sizeof(ftpbuf1);
289  uint8_t ftpbuf2[] = { 'R', 'T' };
290  uint32_t ftplen2 = sizeof(ftpbuf2);
291  uint8_t ftpbuf3[] = { ' ', '8','0',',','5' };
292  uint32_t ftplen3 = sizeof(ftpbuf3);
293  uint8_t ftpbuf4[] = "8,0,33,10,20\r\n";
294  uint32_t ftplen4 = sizeof(ftpbuf4);
295 
296  TcpSession ssn;
297  Flow f;
298  Packet *p = NULL;
299  Signature *s = NULL;
300  ThreadVars th_v;
301  DetectEngineThreadCtx *det_ctx = NULL;
303 
304  memset(&th_v, 0, sizeof(th_v));
305  memset(&f, 0, sizeof(f));
306  memset(&ssn, 0, sizeof(ssn));
307 
308  p = UTHBuildPacketSrcDst(NULL, 0, IPPROTO_TCP, "1.2.3.4", "5.6.7.8");
309 
310  FLOW_INITIALIZE(&f);
311  f.src.address.address_un_data32[0]=0x01020304;
312  f.protoctx =(void *)&ssn;
313  f.proto = IPPROTO_TCP;
314 
315  p->flow = &f;
319  f.alproto = ALPROTO_FTP;
320 
322 
324  if (de_ctx == NULL) {
325  goto end;
326  }
327 
328  de_ctx->flags |= DE_QUIET;
329 
330  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
331  "(msg:\"Ftp Bounce\"; ftpbounce; sid:1;)");
332  if (s == NULL) {
333  goto end;
334  }
335 
336  SigGroupBuild(de_ctx);
337  DetectEngineThreadCtxInit(&th_v,(void *)de_ctx,(void *)&det_ctx);
338 
339  FLOWLOCK_WRLOCK(&f);
340  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
341  STREAM_TOSERVER, ftpbuf1, ftplen1);
342  if (r != 0) {
343  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
344  result = 0;
345  FLOWLOCK_UNLOCK(&f);
346  goto end;
347  }
348 
349  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
350  ftpbuf2, ftplen2);
351  if (r != 0) {
352  SCLogDebug("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
353  result = 0;
354  FLOWLOCK_UNLOCK(&f);
355  goto end;
356  }
357 
358  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
359  ftpbuf3, ftplen3);
360  if (r != 0) {
361  SCLogDebug("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
362  result = 0;
363  FLOWLOCK_UNLOCK(&f);
364  goto end;
365  }
366 
367  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
368  ftpbuf4, ftplen4);
369  if (r != 0) {
370  SCLogDebug("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
371  result = 0;
372  FLOWLOCK_UNLOCK(&f);
373  goto end;
374  }
375 
376  FLOWLOCK_UNLOCK(&f);
377 
378  FtpState *ftp_state = f.alstate;
379  if (ftp_state == NULL) {
380  SCLogDebug("no ftp state: ");
381  result = 0;
382  goto end;
383  }
384 
385  if (ftp_state->command != FTP_COMMAND_PORT) {
386  SCLogDebug("expected command port not detected");
387  result = 0;
388  goto end;
389  }
390 
391  /* do detect */
392  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
393 
394  if (!(PacketAlertCheck(p, 1))) {
395  goto end;
396  }
397 
398  result = 1;
399 end:
400  if (alp_tctx != NULL)
401  AppLayerParserThreadCtxFree(alp_tctx);
402  SigGroupCleanup(de_ctx);
403  SigCleanSignatures(de_ctx);
404 
405  DetectEngineThreadCtxDeinit(&th_v,(void *)det_ctx);
406  DetectEngineCtxFree(de_ctx);
407 
409  FLOW_DESTROY(&f);
410 
411  UTHFreePackets(&p, 1);
412  return result;
413 }
414 
415 /**
416  * \test Check the ftpbounce match
417  * \brief This test tests the ftpbounce condition match, based on
418  * the ftp layer parser
419  */
420 static int DetectFtpbounceTestALMatch03(void)
421 {
422  int result = 0;
423 
424  uint8_t ftpbuf1[] = { 'P','O' };
425  uint32_t ftplen1 = sizeof(ftpbuf1);
426  uint8_t ftpbuf2[] = { 'R', 'T' };
427  uint32_t ftplen2 = sizeof(ftpbuf2);
428  uint8_t ftpbuf3[] = { ' ', '1',',','2',',' };
429  uint32_t ftplen3 = sizeof(ftpbuf3);
430  uint8_t ftpbuf4[] = "3,4,10,20\r\n";
431  uint32_t ftplen4 = sizeof(ftpbuf4);
432 
433  TcpSession ssn;
434  Flow f;
436  if (unlikely(p == NULL))
437  return 0;
438  Signature *s = NULL;
439  ThreadVars th_v;
440  DetectEngineThreadCtx *det_ctx = NULL;
442 
443  memset(&th_v, 0, sizeof(th_v));
444  memset(p, 0, SIZE_OF_PACKET);
445  memset(&f, 0, sizeof(f));
446  memset(&ssn, 0, sizeof(ssn));
447 
448  p->src.family = AF_INET;
449  p->dst.family = AF_INET;
450  p->src.addr_data32[0] = 0x04030201;
451  p->payload = NULL;
452  p->payload_len = 0;
453  p->proto = IPPROTO_TCP;
454 
455  FLOW_INITIALIZE(&f);
456  f.src.address.address_un_data32[0]=0x04030201;
457  f.protoctx =(void *)&ssn;
458  f.proto = IPPROTO_TCP;
459 
460  p->flow = &f;
464  f.alproto = ALPROTO_FTP;
465 
467 
469  if (de_ctx == NULL) {
470  goto end;
471  }
472 
473  de_ctx->flags |= DE_QUIET;
474 
475  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
476  "(msg:\"Ftp Bounce\"; ftpbounce; sid:1;)");
477  if (s == NULL) {
478  goto end;
479  }
480 
481  SigGroupBuild(de_ctx);
482  DetectEngineThreadCtxInit(&th_v,(void *)de_ctx,(void *)&det_ctx);
483 
484  FLOWLOCK_WRLOCK(&f);
485  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
486  STREAM_TOSERVER, ftpbuf1, ftplen1);
487  if (r != 0) {
488  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
489  result = 0;
490  FLOWLOCK_UNLOCK(&f);
491  goto end;
492  }
493 
494  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
495  ftpbuf2, ftplen2);
496  if (r != 0) {
497  SCLogDebug("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
498  result = 0;
499  FLOWLOCK_UNLOCK(&f);
500  goto end;
501  }
502 
503  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
504  ftpbuf3, ftplen3);
505  if (r != 0) {
506  SCLogDebug("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
507  result = 0;
508  FLOWLOCK_UNLOCK(&f);
509  goto end;
510  }
511 
512  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
513  ftpbuf4, ftplen4);
514  if (r != 0) {
515  SCLogDebug("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
516  result = 0;
517  FLOWLOCK_UNLOCK(&f);
518  goto end;
519  }
520  FLOWLOCK_UNLOCK(&f);
521 
522  FtpState *ftp_state = f.alstate;
523  if (ftp_state == NULL) {
524  SCLogDebug("no ftp state: ");
525  result = 0;
526  goto end;
527  }
528 
529  if (ftp_state->command != FTP_COMMAND_PORT) {
530  SCLogDebug("expected command port not detected");
531  result = 0;
532  goto end;
533  }
534 
535  /* do detect */
536  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
537 
538  /* It should not match */
539  if (!(PacketAlertCheck(p, 1))) {
540  result = 1;
541  } else {
542  SCLogDebug("It should not match here!");
543  }
544 
545 end:
546  if (alp_tctx != NULL)
547  AppLayerParserThreadCtxFree(alp_tctx);
548  SigGroupCleanup(de_ctx);
549  SigCleanSignatures(de_ctx);
550 
551  DetectEngineThreadCtxDeinit(&th_v,(void *)det_ctx);
552  DetectEngineCtxFree(de_ctx);
553 
555  FLOW_DESTROY(&f);
556  SCFree(p);
557  return result;
558 }
559 
560 #endif /* UNITTESTS */
561 
562 /**
563  * \brief this function registers unit tests for DetectFtpbounce
564  */
565 void DetectFtpbounceRegisterTests(void)
566 {
567 #ifdef UNITTESTS
568  UtRegisterTest("DetectFtpbounceTestSetup01", DetectFtpbounceTestSetup01);
569  UtRegisterTest("DetectFtpbounceTestALMatch02",
570  DetectFtpbounceTestALMatch02);
571  UtRegisterTest("DetectFtpbounceTestALMatch03",
572  DetectFtpbounceTestALMatch03);
573 #endif /* UNITTESTS */
574 }
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1409
uint16_t flags
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1150
int(* AppLayerTxMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1136
#define SCLogDebug(...)
Definition: util-debug.h:335
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
struct Flow_ * flow
Definition: decode.h:443
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint8_t proto
Definition: flow.h:344
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:243
#define unlikely(expr)
Definition: util-optimize.h:35
#define PASS
Pass the test.
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Signature * sig_list
Definition: detect.h:730
uint64_t offset
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Address dst
Definition: decode.h:411
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:203
Data needed for Match()
Definition: detect.h:331
void SigCleanSignatures(DetectEngineCtx *de_ctx)
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:240
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
const char * name
Definition: detect.h:1164
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Signature container.
Definition: detect.h:496
#define TRUE
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:317
void * protoctx
Definition: flow.h:400
main detection engine ctx
Definition: detect.h:724
FtpRequestCommand command
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
void * alstate
Definition: flow.h:438
#define DE_QUIET
Definition: detect.h:296
#define SIZE_OF_PACKET
Definition: decode.h:618
char family
Definition: decode.h:109
union FlowAddress_::@115 address
uint8_t proto
Definition: decode.h:428
uint8_t flags
Definition: detect.h:725
Data structures and function prototypes for keeping state for the detection engine.
void SigFree(Signature *)
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1742
#define SIG_FLAG_TOSERVER
Definition: detect.h:241
#define SCEnter(...)
Definition: util-debug.h:337
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
uint8_t flowflags
Definition: decode.h:437
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
#define SCByteSwap32(x)
Definition: util-byte.h:70
uint8_t * port_line
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
int SigGroupCleanup(DetectEngineCtx *de_ctx)
uint8_t type
Definition: detect.h:323
#define SCReturnInt(x)
Definition: util-debug.h:341
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
int DetectBufferTypeRegister(const char *name)
Signature * SigAlloc(void)
SigMatchCtx * ctx
Definition: detect.h:325
#define SCMalloc(a)
Definition: util-mem.h:166
void DetectFtpbounceRegister(void)
Registration function for ftpbounce: keyword.
uint16_t payload_len
#define SCFree(a)
Definition: util-mem.h:228
FtpRequestCommandArgOfs arg_offset
uint16_t tx_id
uint32_t address_un_data32[4]
Definition: flow.h:290
uint32_t port_line_len
#define SIGMATCH_NOOPT
Definition: detect.h:1332
const char * url
Definition: detect.h:1167
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
#define STREAM_TOSERVER
Definition: stream.h:31
SCMutex m
Definition: flow-hash.h:105
#define PKT_HAS_FLOW
Definition: decode.h:1092
FlowAddress src
Definition: flow.h:329
#define DOC_URL
Definition: suricata.h:86
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
Per thread variable structure.
Definition: threadvars.h:57
AppProto alproto
application level protocol
Definition: flow.h:409
uint32_t flags
Definition: decode.h:441
uint16_t payload_len
Definition: decode.h:541
#define DOC_VERSION
Definition: suricata.h:91
Packet * UTHBuildPacketSrcDst(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst)
UTHBuildPacketSrcDst is a wrapper that build packets specifying IPs and defaulting ports...
uint16_t flags
Definition: detect.h:1158
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Flow data structure.
Definition: flow.h:325
uint8_t * payload
Definition: decode.h:540
#define PKT_STREAM_EST
Definition: decode.h:1090
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
void(* RegisterTests)(void)
Definition: detect.h:1156
a single match condition for a signature
Definition: detect.h:322
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
Address src
Definition: decode.h:410
DetectEngineCtx * DetectEngineCtxInit(void)