suricata
detect-ftpbounce.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
22  *
23  * ftpbounce keyword, part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 #include "detect.h"
30 #include "detect-parse.h"
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-engine-state.h"
34 #include "detect-content.h"
35 
36 #include "app-layer.h"
37 #include "app-layer-parser.h"
38 #include "app-layer-ftp.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 #include "util-debug.h"
42 #include "flow.h"
43 #include "flow-var.h"
44 #include "flow-util.h"
45 #include "threads.h"
46 #include "detect-ftpbounce.h"
47 #include "stream-tcp.h"
48 #include "util-byte.h"
49 
50 static int DetectFtpbounceALMatch(DetectEngineThreadCtx *,
51  Flow *, uint8_t, void *, void *,
52  const Signature *, const SigMatchCtx *);
53 
54 static int DetectFtpbounceSetup(DetectEngineCtx *, Signature *, const char *);
55 #ifdef UNITTESTS
56 static void DetectFtpbounceRegisterTests(void);
57 #endif
58 static int g_ftp_request_list_id = 0;
59 
60 static int InspectFtpRequest(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
61  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
62  uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
63 
64 /**
65  * \brief Registration function for ftpbounce: keyword
66  * \todo add support for no_stream and stream_only
67  */
69 {
70  sigmatch_table[DETECT_FTPBOUNCE].name = "ftpbounce";
71  sigmatch_table[DETECT_FTPBOUNCE].desc = "detect FTP bounce attacks";
72  sigmatch_table[DETECT_FTPBOUNCE].Setup = DetectFtpbounceSetup;
73  sigmatch_table[DETECT_FTPBOUNCE].AppLayerTxMatch = DetectFtpbounceALMatch;
74 #ifdef UNITTESTS
75  sigmatch_table[DETECT_FTPBOUNCE].RegisterTests = DetectFtpbounceRegisterTests;
76 #endif
77  sigmatch_table[DETECT_FTPBOUNCE].url = "/rules/ftp-keywords.html#ftpbounce";
79 
80  g_ftp_request_list_id = DetectBufferTypeRegister("ftp_request");
81 
83  "ftp_request", ALPROTO_FTP, SIG_FLAG_TOSERVER, 0, InspectFtpRequest, NULL);
84 }
85 
86 static int InspectFtpRequest(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
87  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
88  uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
89 {
91  de_ctx, det_ctx, s, engine->smd, f, flags, alstate, txv, tx_id);
92 }
93 
94 /**
95  * \brief This function is used to match ftpbounce attacks
96  *
97  * \param payload Payload of the PORT command
98  * \param payload_len Length of the payload
99  * \param ip_orig IP source to check the ftpbounce condition
100  * \param offset offset to the arguments of the PORT command
101  *
102  * \retval 1 if ftpbounce detected, 0 if not
103  */
104 static int DetectFtpbounceMatchArgs(uint8_t *payload, uint16_t payload_len,
105  uint32_t ip_orig, uint16_t offset)
106 {
107  SCEnter();
108  SCLogDebug("Checking ftpbounce condition");
109  char *c = NULL;
110  uint16_t i = 0;
111  int octet = 0;
112  int octet_ascii_len = 0;
113  int noctet = 0;
114  uint32_t ip = 0;
115  /* PrintRawDataFp(stdout, payload, payload_len); */
116 
117  if (payload_len < 7) {
118  /* we need at least a differet ip address
119  * in the format 1,2,3,4,x,y where x,y is the port
120  * in two byte representation so let's look at
121  * least for the IP octets in comma separated */
122  return 0;
123  }
124 
125  if (offset + 7 >= payload_len)
126  return 0;
127 
128  c =(char*) payload;
129  if (c == NULL) {
130  SCLogDebug("No payload to check");
131  return 0;
132  }
133 
134  i = offset;
135  /* Search for the first IP octect(Skips "PORT ") */
136  while (i < payload_len && !isdigit((unsigned char)c[i])) i++;
137 
138  for (;i < payload_len && octet_ascii_len < 4 ;i++) {
139  if (isdigit((unsigned char)c[i])) {
140  octet =(c[i] - '0') + octet * 10;
141  octet_ascii_len++;
142  } else {
143  if (octet > 256) {
144  SCLogDebug("Octet not in ip format");
145  return 0;
146  }
147 
148  if (isspace((unsigned char)c[i]))
149  while (i < payload_len && isspace((unsigned char)c[i]) ) i++;
150 
151  if (i < payload_len && c[i] == ',') { /* we have an octet */
152  noctet++;
153  octet_ascii_len = 0;
154  ip =(ip << 8) + octet;
155  octet = 0;
156  } else {
157  SCLogDebug("Unrecognized character '%c'", c[i]);
158  return 0;
159  }
160  if (noctet == 4) {
161  /* Different IP than src, ftp bounce scan */
162  ip = SCByteSwap32(ip);
163 
164  if (ip != ip_orig) {
165  SCLogDebug("Different ip, so Matched ip:%d <-> ip_orig:%d",
166  ip, ip_orig);
167  return 1;
168  }
169  SCLogDebug("Same ip, so no match here");
170  return 0;
171  }
172  }
173  }
174  SCLogDebug("No match");
175  return 0;
176 }
177 
178 /**
179  * \brief This function is used to check matches from the FTP App Layer Parser
180  *
181  * \param t pointer to thread vars
182  * \param det_ctx pointer to the pattern matcher thread
183  * \param p pointer to the current packet
184  * \param m pointer to the sigmatch but we don't use it since ftpbounce
185  * has no options
186  * \retval 0 no match
187  * \retval 1 match
188  */
189 static int DetectFtpbounceALMatch(DetectEngineThreadCtx *det_ctx,
190  Flow *f, uint8_t flags,
191  void *state, void *txv,
192  const Signature *s, const SigMatchCtx *m)
193 {
194  SCEnter();
195 
196  FtpState *ftp_state = (FtpState *)state;
197  if (ftp_state == NULL) {
198  SCLogDebug("no ftp state, no match");
199  SCReturnInt(0);
200  }
201 
202  int ret = 0;
203  if (ftp_state->command == FTP_COMMAND_PORT) {
204  ret = DetectFtpbounceMatchArgs(ftp_state->port_line,
205  ftp_state->port_line_len, f->src.address.address_un_data32[0],
206  ftp_state->arg_offset);
207  }
208 
209  SCReturnInt(ret);
210 }
211 
212 /**
213  * \brief this function is used to add the parsed ftpbounce
214  *
215  * \param de_ctx pointer to the Detection Engine Context
216  * \param s pointer to the Current Signature
217  * \param m pointer to the Current SigMatch
218  * \param ftpbouncestr pointer to the user provided ftpbounce options
219  * currently there are no options.
220  *
221  * \retval 0 on Success
222  * \retval -1 on Failure
223  */
224 int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, const char *ftpbouncestr)
225 {
226  SCEnter();
227 
228  SigMatch *sm = NULL;
229 
231  return -1;
232 
233  sm = SigMatchAlloc();
234  if (sm == NULL) {
235  return -1;
236  }
237 
238  sm->type = DETECT_FTPBOUNCE;
239 
240  /* We don't need to allocate any data for ftpbounce here.
241  *
242  * TODO: As a suggestion, maybe we can add a flag in the flow
243  * to set the stream as "bounce detected" for fast Match.
244  * When you do a ftp bounce attack you usually use the same
245  * communication control stream to "setup" various destinations
246  * whithout breaking the connection, so I guess we can make it a bit faster
247  * with a flow flag set lookup in the Match function.
248  */
249  sm->ctx = NULL;
250 
251  SigMatchAppendSMToList(s, sm, g_ftp_request_list_id);
252  SCReturnInt(0);
253 }
254 
255 #ifdef UNITTESTS
256 
257 /**
258  * \test DetectFtpbounceTestSetup01 is a test for the Setup ftpbounce
259  */
260 static int DetectFtpbounceTestSetup01(void)
261 {
262  DetectEngineCtx *de_ctx = NULL;
263  Signature *s = SigAlloc();
264  FAIL_IF (s == NULL);
265 
266  /* ftpbounce doesn't accept options so the str is NULL */
267  FAIL_IF_NOT(DetectFtpbounceSetup(de_ctx, s, NULL) == 0);
268  FAIL_IF(s->sm_lists[g_ftp_request_list_id] == NULL);
269  FAIL_IF_NOT(s->sm_lists[g_ftp_request_list_id]->type & DETECT_FTPBOUNCE);
270 
271  SigFree(de_ctx, s);
272  PASS;
273 }
274 
275 #include "stream-tcp-reassemble.h"
276 
277 /**
278  * \test Check the ftpbounce match, send a get request in three chunks
279  * + more data.
280  * \brief This test tests the ftpbounce condition match, based on the
281  * ftp layer parser
282  */
283 static int DetectFtpbounceTestALMatch02(void)
284 {
285  int result = 0;
286 
287  uint8_t ftpbuf1[] = { 'P','O' };
288  uint32_t ftplen1 = sizeof(ftpbuf1);
289  uint8_t ftpbuf2[] = { 'R', 'T' };
290  uint32_t ftplen2 = sizeof(ftpbuf2);
291  uint8_t ftpbuf3[] = { ' ', '8','0',',','5' };
292  uint32_t ftplen3 = sizeof(ftpbuf3);
293  uint8_t ftpbuf4[] = "8,0,33,10,20\r\n";
294  uint32_t ftplen4 = sizeof(ftpbuf4);
295 
296  TcpSession ssn;
297  Flow f;
298  Packet *p = NULL;
299  Signature *s = NULL;
300  ThreadVars th_v;
301  DetectEngineThreadCtx *det_ctx = NULL;
303 
304  memset(&th_v, 0, sizeof(th_v));
305  memset(&f, 0, sizeof(f));
306  memset(&ssn, 0, sizeof(ssn));
307 
308  p = UTHBuildPacketSrcDst(NULL, 0, IPPROTO_TCP, "1.2.3.4", "5.6.7.8");
309 
310  FLOW_INITIALIZE(&f);
311  f.src.address.address_un_data32[0]=0x01020304;
312  f.protoctx =(void *)&ssn;
313  f.proto = IPPROTO_TCP;
314 
315  p->flow = &f;
319  f.alproto = ALPROTO_FTP;
320 
321  StreamTcpInitConfig(true);
322 
324  if (de_ctx == NULL) {
325  goto end;
326  }
327 
328  de_ctx->flags |= DE_QUIET;
329 
330  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
331  "(msg:\"Ftp Bounce\"; ftpbounce; sid:1;)");
332  if (s == NULL) {
333  goto end;
334  }
335 
337  DetectEngineThreadCtxInit(&th_v,(void *)de_ctx,(void *)&det_ctx);
338 
339  FLOWLOCK_WRLOCK(&f);
340  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
341  STREAM_TOSERVER, ftpbuf1, ftplen1);
342  if (r != 0) {
343  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
344  result = 0;
345  FLOWLOCK_UNLOCK(&f);
346  goto end;
347  }
348 
349  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
350  ftpbuf2, ftplen2);
351  if (r != 0) {
352  SCLogDebug("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
353  result = 0;
354  FLOWLOCK_UNLOCK(&f);
355  goto end;
356  }
357 
358  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
359  ftpbuf3, ftplen3);
360  if (r != 0) {
361  SCLogDebug("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
362  result = 0;
363  FLOWLOCK_UNLOCK(&f);
364  goto end;
365  }
366 
367  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
368  ftpbuf4, ftplen4);
369  if (r != 0) {
370  SCLogDebug("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
371  result = 0;
372  FLOWLOCK_UNLOCK(&f);
373  goto end;
374  }
375 
376  FLOWLOCK_UNLOCK(&f);
377 
378  FtpState *ftp_state = f.alstate;
379  if (ftp_state == NULL) {
380  SCLogDebug("no ftp state: ");
381  result = 0;
382  goto end;
383  }
384 
385  if (ftp_state->command != FTP_COMMAND_PORT) {
386  SCLogDebug("expected command port not detected");
387  result = 0;
388  goto end;
389  }
390 
391  /* do detect */
392  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
393 
394  if (!(PacketAlertCheck(p, 1))) {
395  goto end;
396  }
397 
398  result = 1;
399 end:
400  if (alp_tctx != NULL)
404 
405  DetectEngineThreadCtxDeinit(&th_v,(void *)det_ctx);
407 
408  StreamTcpFreeConfig(true);
409  FLOW_DESTROY(&f);
410 
411  UTHFreePackets(&p, 1);
412  return result;
413 }
414 
415 /**
416  * \test Check the ftpbounce match
417  * \brief This test tests the ftpbounce condition match, based on
418  * the ftp layer parser
419  */
420 static int DetectFtpbounceTestALMatch03(void)
421 {
422  int result = 0;
423 
424  uint8_t ftpbuf1[] = { 'P','O' };
425  uint32_t ftplen1 = sizeof(ftpbuf1);
426  uint8_t ftpbuf2[] = { 'R', 'T' };
427  uint32_t ftplen2 = sizeof(ftpbuf2);
428  uint8_t ftpbuf3[] = { ' ', '1',',','2',',' };
429  uint32_t ftplen3 = sizeof(ftpbuf3);
430  uint8_t ftpbuf4[] = "3,4,10,20\r\n";
431  uint32_t ftplen4 = sizeof(ftpbuf4);
432 
433  TcpSession ssn;
434  Flow f;
435  Packet *p = PacketGetFromAlloc();
436  if (unlikely(p == NULL))
437  return 0;
438  Signature *s = NULL;
439  ThreadVars th_v;
440  DetectEngineThreadCtx *det_ctx = NULL;
442 
443  memset(&th_v, 0, sizeof(th_v));
444  memset(&f, 0, sizeof(f));
445  memset(&ssn, 0, sizeof(ssn));
446 
447  p->src.family = AF_INET;
448  p->dst.family = AF_INET;
449  p->src.addr_data32[0] = 0x04030201;
450  p->payload = NULL;
451  p->payload_len = 0;
452  p->proto = IPPROTO_TCP;
453 
454  FLOW_INITIALIZE(&f);
455  f.src.address.address_un_data32[0]=0x04030201;
456  f.protoctx =(void *)&ssn;
457  f.proto = IPPROTO_TCP;
458 
459  p->flow = &f;
463  f.alproto = ALPROTO_FTP;
464 
465  StreamTcpInitConfig(true);
466 
468  if (de_ctx == NULL) {
469  goto end;
470  }
471 
472  de_ctx->flags |= DE_QUIET;
473 
474  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
475  "(msg:\"Ftp Bounce\"; ftpbounce; sid:1;)");
476  if (s == NULL) {
477  goto end;
478  }
479 
481  DetectEngineThreadCtxInit(&th_v,(void *)de_ctx,(void *)&det_ctx);
482 
483  FLOWLOCK_WRLOCK(&f);
484  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
485  STREAM_TOSERVER, ftpbuf1, ftplen1);
486  if (r != 0) {
487  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
488  result = 0;
489  FLOWLOCK_UNLOCK(&f);
490  goto end;
491  }
492 
493  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
494  ftpbuf2, ftplen2);
495  if (r != 0) {
496  SCLogDebug("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
497  result = 0;
498  FLOWLOCK_UNLOCK(&f);
499  goto end;
500  }
501 
502  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
503  ftpbuf3, ftplen3);
504  if (r != 0) {
505  SCLogDebug("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
506  result = 0;
507  FLOWLOCK_UNLOCK(&f);
508  goto end;
509  }
510 
511  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
512  ftpbuf4, ftplen4);
513  if (r != 0) {
514  SCLogDebug("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
515  result = 0;
516  FLOWLOCK_UNLOCK(&f);
517  goto end;
518  }
519  FLOWLOCK_UNLOCK(&f);
520 
521  FtpState *ftp_state = f.alstate;
522  if (ftp_state == NULL) {
523  SCLogDebug("no ftp state: ");
524  result = 0;
525  goto end;
526  }
527 
528  if (ftp_state->command != FTP_COMMAND_PORT) {
529  SCLogDebug("expected command port not detected");
530  result = 0;
531  goto end;
532  }
533 
534  /* do detect */
535  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
536 
537  /* It should not match */
538  if (!(PacketAlertCheck(p, 1))) {
539  result = 1;
540  } else {
541  SCLogDebug("It should not match here!");
542  }
543 
544 end:
545  if (alp_tctx != NULL)
549 
550  DetectEngineThreadCtxDeinit(&th_v,(void *)det_ctx);
552 
553  StreamTcpFreeConfig(true);
554  FLOW_DESTROY(&f);
555  SCFree(p);
556  return result;
557 }
558 
559 /**
560  * \brief this function registers unit tests for DetectFtpbounce
561  */
562 static void DetectFtpbounceRegisterTests(void)
563 {
564  UtRegisterTest("DetectFtpbounceTestSetup01", DetectFtpbounceTestSetup01);
565  UtRegisterTest("DetectFtpbounceTestALMatch02",
566  DetectFtpbounceTestALMatch02);
567  UtRegisterTest("DetectFtpbounceTestALMatch03",
568  DetectFtpbounceTestALMatch03);
569 }
570 #endif /* UNITTESTS */
util-byte.h
DetectEngineAppInspectionEngine_
Definition: detect.h:398
SigTableElmt_::url
const char * url
Definition: detect.h:1270
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1490
Packet_::proto
uint8_t proto
Definition: decode.h:449
FlowAddress_::address
union FlowAddress_::@115 address
detect-content.h
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1269
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1175
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
flow-util.h
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1941
SigTableElmt_::name
const char * name
Definition: detect.h:1267
stream-tcp.h
SigFree
void SigFree(DetectEngineCtx *, Signature *)
Definition: detect-parse.c:1389
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
FlowAddress_::address_un_data32
uint32_t address_un_data32[4]
Definition: flow.h:317
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
DETECT_FTPBOUNCE
@ DETECT_FTPBOUNCE
Definition: detect-engine-register.h:79
Flow_::proto
uint8_t proto
Definition: flow.h:375
Packet_::payload
uint8_t * payload
Definition: decode.h:567
FtpState_::command
FtpRequestCommand command
Definition: app-layer-ftp.h:183
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:137
Packet_::flags
uint32_t flags
Definition: decode.h:462
threads.h
Flow_
Flow data structure.
Definition: flow.h:353
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2115
UTHBuildPacketSrcDst
Packet * UTHBuildPacketSrcDst(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst)
UTHBuildPacketSrcDst is a wrapper that build packets specifying IPs and defaulting ports.
Definition: util-unittest-helper.c:418
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1261
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:811
detect-ftpbounce.h
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2433
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1238
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:320
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
DE_QUIET
#define DE_QUIET
Definition: detect.h:295
ALPROTO_FTP
@ ALPROTO_FTP
Definition: app-layer-protos.h:31
stream-tcp-reassemble.h
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1790
m
SCMutex m
Definition: flow-hash.h:6
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:42
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:458
Flow_::protoctx
void * protoctx
Definition: flow.h:451
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1252
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:568
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:270
FtpState_
Definition: app-layer-ftp.h:162
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:357
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
decode.h
util-debug.h
FtpState_::port_line
uint8_t * port_line
Definition: app-layer-ftp.h:187
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1060
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:20
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:267
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
FTP_COMMAND_PORT
@ FTP_COMMAND_PORT
Definition: app-layer-ftp.h:65
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:324
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2016
Packet_
Definition: decode.h:427
FtpState_::arg_offset
FtpRequestCommandArgOfs arg_offset
Definition: app-layer-ftp.h:184
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:225
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
DetectFtpbounceRegister
void DetectFtpbounceRegister(void)
Registration function for ftpbounce: keyword.
Definition: detect-ftpbounce.c:68
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
Flow_::src
FlowAddress src
Definition: flow.h:356
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1948
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:299
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:316
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:415
Packet_::flow
struct Flow_ * flow
Definition: decode.h:464
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3142
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1023
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:662
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1237
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3354
SigMatch_::type
uint16_t type
Definition: detect.h:322
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
FtpState_::port_line_len
uint32_t port_line_len
Definition: app-layer-ftp.h:185
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:817
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:173
SCByteSwap32
#define SCByteSwap32(x)
Definition: util-byte.h:70
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alstate
void * alstate
Definition: flow.h:486
detect-parse.h
Signature_
Signature container.
Definition: detect.h:548
SigMatch_
a single match condition for a signature
Definition: detect.h:321
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2394
Address_::family
char family
Definition: decode.h:123
Packet_::dst
Address dst
Definition: decode.h:432
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1453
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:812
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:86
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1264
TcpSession_
Definition: stream-tcp-private.h:260
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:460
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:130
Packet_::src
Address src
Definition: decode.h:431
debug.h
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1172
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1259
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468