suricata
detect-ftpbounce.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
22  *
23  * ftpbounce keyword, part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 #include "detect-parse.h"
30 #include "detect-engine.h"
31 #include "detect-engine-mpm.h"
32 #include "detect-engine-state.h"
33 #include "detect-content.h"
34 #include "detect-engine-build.h"
35 
36 #include "app-layer.h"
37 #include "app-layer-parser.h"
38 #include "app-layer-ftp.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 #include "util-debug.h"
42 #include "flow.h"
43 #include "flow-var.h"
44 #include "flow-util.h"
45 #include "threads.h"
46 #include "detect-ftpbounce.h"
47 #include "stream-tcp.h"
48 #include "util-byte.h"
49 
50 static int DetectFtpbounceALMatch(DetectEngineThreadCtx *,
51  Flow *, uint8_t, void *, void *,
52  const Signature *, const SigMatchCtx *);
53 
54 static int DetectFtpbounceSetup(DetectEngineCtx *, Signature *, const char *);
55 #ifdef UNITTESTS
56 static void DetectFtpbounceRegisterTests(void);
57 #endif
58 static int g_ftp_request_list_id = 0;
59 
60 /**
61  * \brief Registration function for ftpbounce: keyword
62  * \todo add support for no_stream and stream_only
63  */
65 {
66  sigmatch_table[DETECT_FTPBOUNCE].name = "ftpbounce";
67  sigmatch_table[DETECT_FTPBOUNCE].desc = "detect FTP bounce attacks";
68  sigmatch_table[DETECT_FTPBOUNCE].Setup = DetectFtpbounceSetup;
69  sigmatch_table[DETECT_FTPBOUNCE].AppLayerTxMatch = DetectFtpbounceALMatch;
70 #ifdef UNITTESTS
71  sigmatch_table[DETECT_FTPBOUNCE].RegisterTests = DetectFtpbounceRegisterTests;
72 #endif
73  sigmatch_table[DETECT_FTPBOUNCE].url = "/rules/ftp-keywords.html#ftpbounce";
75 
76  g_ftp_request_list_id = DetectBufferTypeRegister("ftp_request");
77 
80 }
81 
82 /**
83  * \brief This function is used to match ftpbounce attacks
84  *
85  * \param payload Payload of the PORT command
86  * \param payload_len Length of the payload
87  * \param ip_orig IP source to check the ftpbounce condition
88  * \param offset offset to the arguments of the PORT command
89  *
90  * \retval 1 if ftpbounce detected, 0 if not
91  */
92 static int DetectFtpbounceMatchArgs(
93  uint8_t *payload, uint32_t payload_len, uint32_t ip_orig, uint32_t offset)
94 {
95  SCEnter();
96  SCLogDebug("Checking ftpbounce condition");
97  char *c = NULL;
98  uint32_t i = 0;
99  int octet = 0;
100  int octet_ascii_len = 0;
101  int noctet = 0;
102  uint32_t ip = 0;
103  /* PrintRawDataFp(stdout, payload, payload_len); */
104 
105  if (payload_len < 7) {
106  /* we need at least a differet ip address
107  * in the format 1,2,3,4,x,y where x,y is the port
108  * in two byte representation so let's look at
109  * least for the IP octets in comma separated */
110  return 0;
111  }
112 
113  if (offset + 7 >= payload_len)
114  return 0;
115 
116  c =(char*) payload;
117  if (c == NULL) {
118  SCLogDebug("No payload to check");
119  return 0;
120  }
121 
122  i = offset;
123  /* Search for the first IP octect(Skips "PORT ") */
124  while (i < payload_len && !isdigit((unsigned char)c[i])) i++;
125 
126  for (;i < payload_len && octet_ascii_len < 4 ;i++) {
127  if (isdigit((unsigned char)c[i])) {
128  octet =(c[i] - '0') + octet * 10;
129  octet_ascii_len++;
130  } else {
131  if (octet > 256) {
132  SCLogDebug("Octet not in ip format");
133  return 0;
134  }
135 
136  if (isspace((unsigned char)c[i]))
137  while (i < payload_len && isspace((unsigned char)c[i]) ) i++;
138 
139  if (i < payload_len && c[i] == ',') { /* we have an octet */
140  noctet++;
141  octet_ascii_len = 0;
142  ip =(ip << 8) + octet;
143  octet = 0;
144  } else {
145  SCLogDebug("Unrecognized character '%c'", c[i]);
146  return 0;
147  }
148  if (noctet == 4) {
149  /* Different IP than src, ftp bounce scan */
150  ip = SCByteSwap32(ip);
151 
152  if (ip != ip_orig) {
153  SCLogDebug("Different ip, so Matched ip:%d <-> ip_orig:%d",
154  ip, ip_orig);
155  return 1;
156  }
157  SCLogDebug("Same ip, so no match here");
158  return 0;
159  }
160  }
161  }
162  SCLogDebug("No match");
163  return 0;
164 }
165 
166 /**
167  * \brief This function is used to check matches from the FTP App Layer Parser
168  *
169  * \param t pointer to thread vars
170  * \param det_ctx pointer to the pattern matcher thread
171  * \param p pointer to the current packet
172  * \param m pointer to the sigmatch but we don't use it since ftpbounce
173  * has no options
174  * \retval 0 no match
175  * \retval 1 match
176  */
177 static int DetectFtpbounceALMatch(DetectEngineThreadCtx *det_ctx,
178  Flow *f, uint8_t flags,
179  void *state, void *txv,
180  const Signature *s, const SigMatchCtx *m)
181 {
182  SCEnter();
183 
184  FtpState *ftp_state = (FtpState *)state;
185  if (ftp_state == NULL) {
186  SCLogDebug("no ftp state, no match");
187  SCReturnInt(0);
188  }
189 
190  int ret = 0;
191  if (ftp_state->command == FTP_COMMAND_PORT) {
192  ret = DetectFtpbounceMatchArgs(ftp_state->port_line,
193  ftp_state->port_line_len, f->src.address.address_un_data32[0],
194  ftp_state->arg_offset);
195  }
196 
197  SCReturnInt(ret);
198 }
199 
200 /**
201  * \brief this function is used to add the parsed ftpbounce
202  *
203  * \param de_ctx pointer to the Detection Engine Context
204  * \param s pointer to the Current Signature
205  * \param m pointer to the Current SigMatch
206  * \param ftpbouncestr pointer to the user provided ftpbounce options
207  * currently there are no options.
208  *
209  * \retval 0 on Success
210  * \retval -1 on Failure
211  */
212 int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, const char *ftpbouncestr)
213 {
214  SCEnter();
215 
216  SigMatch *sm = NULL;
217 
219  return -1;
220 
221  sm = SigMatchAlloc();
222  if (sm == NULL) {
223  return -1;
224  }
225 
226  sm->type = DETECT_FTPBOUNCE;
227 
228  /* We don't need to allocate any data for ftpbounce here.
229  *
230  * TODO: As a suggestion, maybe we can add a flag in the flow
231  * to set the stream as "bounce detected" for fast Match.
232  * When you do a ftp bounce attack you usually use the same
233  * communication control stream to "setup" various destinations
234  * whithout breaking the connection, so I guess we can make it a bit faster
235  * with a flow flag set lookup in the Match function.
236  */
237  sm->ctx = NULL;
238 
239  SigMatchAppendSMToList(s, sm, g_ftp_request_list_id);
240  SCReturnInt(0);
241 }
242 
243 #ifdef UNITTESTS
244 #include "detect-engine-alert.h"
245 
246 /**
247  * \test DetectFtpbounceTestSetup01 is a test for the Setup ftpbounce
248  */
249 static int DetectFtpbounceTestSetup01(void)
250 {
251  DetectEngineCtx *de_ctx = NULL;
252  Signature *s = SigAlloc();
253  FAIL_IF (s == NULL);
254 
255  /* ftpbounce doesn't accept options so the str is NULL */
256  FAIL_IF_NOT(DetectFtpbounceSetup(de_ctx, s, NULL) == 0);
257  FAIL_IF(s->sm_lists[g_ftp_request_list_id] == NULL);
258  FAIL_IF_NOT(s->sm_lists[g_ftp_request_list_id]->type & DETECT_FTPBOUNCE);
259 
260  SigFree(de_ctx, s);
261  PASS;
262 }
263 
264 #include "stream-tcp-reassemble.h"
265 
266 /**
267  * \test Check the ftpbounce match, send a get request in three chunks
268  * + more data.
269  * \brief This test tests the ftpbounce condition match, based on the
270  * ftp layer parser
271  */
272 static int DetectFtpbounceTestALMatch02(void)
273 {
274  int result = 0;
275 
276  uint8_t ftpbuf1[] = { 'P','O' };
277  uint32_t ftplen1 = sizeof(ftpbuf1);
278  uint8_t ftpbuf2[] = { 'R', 'T' };
279  uint32_t ftplen2 = sizeof(ftpbuf2);
280  uint8_t ftpbuf3[] = { ' ', '8','0',',','5' };
281  uint32_t ftplen3 = sizeof(ftpbuf3);
282  uint8_t ftpbuf4[] = "8,0,33,10,20\r\n";
283  uint32_t ftplen4 = sizeof(ftpbuf4);
284 
285  TcpSession ssn;
286  Flow f;
287  Packet *p = NULL;
288  Signature *s = NULL;
289  ThreadVars th_v;
290  DetectEngineThreadCtx *det_ctx = NULL;
292 
293  memset(&th_v, 0, sizeof(th_v));
294  memset(&f, 0, sizeof(f));
295  memset(&ssn, 0, sizeof(ssn));
296 
297  p = UTHBuildPacketSrcDst(NULL, 0, IPPROTO_TCP, "1.2.3.4", "5.6.7.8");
298 
299  FLOW_INITIALIZE(&f);
300  f.src.address.address_un_data32[0]=0x01020304;
301  f.protoctx =(void *)&ssn;
302  f.proto = IPPROTO_TCP;
303 
304  p->flow = &f;
308  f.alproto = ALPROTO_FTP;
309 
310  StreamTcpInitConfig(true);
311 
313  if (de_ctx == NULL) {
314  goto end;
315  }
316 
317  de_ctx->flags |= DE_QUIET;
318 
319  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
320  "(msg:\"Ftp Bounce\"; ftpbounce; sid:1;)");
321  if (s == NULL) {
322  goto end;
323  }
324 
326  DetectEngineThreadCtxInit(&th_v,(void *)de_ctx,(void *)&det_ctx);
327 
328  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
329  STREAM_TOSERVER, ftpbuf1, ftplen1);
330  if (r != 0) {
331  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
332  result = 0;
333  goto end;
334  }
335 
336  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
337  ftpbuf2, ftplen2);
338  if (r != 0) {
339  SCLogDebug("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
340  result = 0;
341  goto end;
342  }
343 
344  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
345  ftpbuf3, ftplen3);
346  if (r != 0) {
347  SCLogDebug("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
348  result = 0;
349  goto end;
350  }
351 
352  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
353  ftpbuf4, ftplen4);
354  if (r != 0) {
355  SCLogDebug("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
356  result = 0;
357  goto end;
358  }
359 
360 
361  FtpState *ftp_state = f.alstate;
362  if (ftp_state == NULL) {
363  SCLogDebug("no ftp state: ");
364  result = 0;
365  goto end;
366  }
367 
368  if (ftp_state->command != FTP_COMMAND_PORT) {
369  SCLogDebug("expected command port not detected");
370  result = 0;
371  goto end;
372  }
373 
374  /* do detect */
375  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
376 
377  if (!(PacketAlertCheck(p, 1))) {
378  goto end;
379  }
380 
381  result = 1;
382 end:
383  if (alp_tctx != NULL)
387 
388  DetectEngineThreadCtxDeinit(&th_v,(void *)det_ctx);
390 
391  StreamTcpFreeConfig(true);
392  FLOW_DESTROY(&f);
393 
394  UTHFreePackets(&p, 1);
395  return result;
396 }
397 
398 /**
399  * \test Check the ftpbounce match
400  * \brief This test tests the ftpbounce condition match, based on
401  * the ftp layer parser
402  */
403 static int DetectFtpbounceTestALMatch03(void)
404 {
405  int result = 0;
406 
407  uint8_t ftpbuf1[] = { 'P','O' };
408  uint32_t ftplen1 = sizeof(ftpbuf1);
409  uint8_t ftpbuf2[] = { 'R', 'T' };
410  uint32_t ftplen2 = sizeof(ftpbuf2);
411  uint8_t ftpbuf3[] = { ' ', '1',',','2',',' };
412  uint32_t ftplen3 = sizeof(ftpbuf3);
413  uint8_t ftpbuf4[] = "3,4,10,20\r\n";
414  uint32_t ftplen4 = sizeof(ftpbuf4);
415 
416  TcpSession ssn;
417  Flow f;
418  Packet *p = PacketGetFromAlloc();
419  if (unlikely(p == NULL))
420  return 0;
421  Signature *s = NULL;
422  ThreadVars th_v;
423  DetectEngineThreadCtx *det_ctx = NULL;
425 
426  memset(&th_v, 0, sizeof(th_v));
427  memset(&f, 0, sizeof(f));
428  memset(&ssn, 0, sizeof(ssn));
429 
430  p->src.family = AF_INET;
431  p->dst.family = AF_INET;
432  p->src.addr_data32[0] = 0x04030201;
433  p->payload = NULL;
434  p->payload_len = 0;
435  p->proto = IPPROTO_TCP;
436 
437  FLOW_INITIALIZE(&f);
438  f.src.address.address_un_data32[0]=0x04030201;
439  f.protoctx =(void *)&ssn;
440  f.proto = IPPROTO_TCP;
441 
442  p->flow = &f;
446  f.alproto = ALPROTO_FTP;
447 
448  StreamTcpInitConfig(true);
449 
451  if (de_ctx == NULL) {
452  goto end;
453  }
454 
455  de_ctx->flags |= DE_QUIET;
456 
457  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
458  "(msg:\"Ftp Bounce\"; ftpbounce; sid:1;)");
459  if (s == NULL) {
460  goto end;
461  }
462 
464  DetectEngineThreadCtxInit(&th_v,(void *)de_ctx,(void *)&det_ctx);
465 
466  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
467  STREAM_TOSERVER, ftpbuf1, ftplen1);
468  if (r != 0) {
469  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
470  result = 0;
471  goto end;
472  }
473 
474  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
475  ftpbuf2, ftplen2);
476  if (r != 0) {
477  SCLogDebug("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
478  result = 0;
479  goto end;
480  }
481 
482  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
483  ftpbuf3, ftplen3);
484  if (r != 0) {
485  SCLogDebug("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
486  result = 0;
487  goto end;
488  }
489 
490  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
491  ftpbuf4, ftplen4);
492  if (r != 0) {
493  SCLogDebug("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
494  result = 0;
495  goto end;
496  }
497 
498  FtpState *ftp_state = f.alstate;
499  if (ftp_state == NULL) {
500  SCLogDebug("no ftp state: ");
501  result = 0;
502  goto end;
503  }
504 
505  if (ftp_state->command != FTP_COMMAND_PORT) {
506  SCLogDebug("expected command port not detected");
507  result = 0;
508  goto end;
509  }
510 
511  /* do detect */
512  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
513 
514  /* It should not match */
515  if (!(PacketAlertCheck(p, 1))) {
516  result = 1;
517  } else {
518  SCLogDebug("It should not match here!");
519  }
520 
521 end:
522  if (alp_tctx != NULL)
526 
527  DetectEngineThreadCtxDeinit(&th_v,(void *)det_ctx);
529 
530  StreamTcpFreeConfig(true);
531  FLOW_DESTROY(&f);
532  SCFree(p);
533  return result;
534 }
535 
536 /**
537  * \brief this function registers unit tests for DetectFtpbounce
538  */
539 static void DetectFtpbounceRegisterTests(void)
540 {
541  UtRegisterTest("DetectFtpbounceTestSetup01", DetectFtpbounceTestSetup01);
542  UtRegisterTest("DetectFtpbounceTestALMatch02",
543  DetectFtpbounceTestALMatch02);
544  UtRegisterTest("DetectFtpbounceTestALMatch03",
545  DetectFtpbounceTestALMatch03);
546 }
547 #endif /* UNITTESTS */
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1238
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1493
Packet_::proto
uint8_t proto
Definition: decode.h:447
detect-content.h
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1237
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:996
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1235
stream-tcp.h
SigFree
void SigFree(DetectEngineCtx *, Signature *)
Definition: detect-parse.c:1392
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
FlowAddress_::address_un_data32
uint32_t address_un_data32[4]
Definition: flow.h:320
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
DETECT_FTPBOUNCE
@ DETECT_FTPBOUNCE
Definition: detect-engine-register.h:81
Flow_::proto
uint8_t proto
Definition: flow.h:378
Packet_::payload
uint8_t * payload
Definition: decode.h:567
FtpState_::command
FtpRequestCommand command
Definition: app-layer-ftp.h:180
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:460
threads.h
Flow_
Flow data structure.
Definition: flow.h:356
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2129
UTHBuildPacketSrcDst
Packet * UTHBuildPacketSrcDst(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst)
UTHBuildPacketSrcDst is a wrapper that build packets specifying IPs and defaulting ports.
Definition: util-unittest-helper.c:420
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1229
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:784
detect-ftpbounce.h
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2445
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1206
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:316
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:226
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
ALPROTO_FTP
@ ALPROTO_FTP
Definition: app-layer-protos.h:31
stream-tcp-reassemble.h
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1788
m
SCMutex m
Definition: flow-hash.h:6
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:46
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:456
Flow_::protoctx
void * protoctx
Definition: flow.h:454
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1220
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:568
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
FtpState_
Definition: app-layer-ftp.h:162
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:361
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:228
decode.h
util-debug.h
FtpState_::port_line
uint8_t * port_line
Definition: app-layer-ftp.h:184
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1024
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
SCEnter
#define SCEnter(...)
Definition: util-debug.h:298
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
FTP_COMMAND_PORT
@ FTP_COMMAND_PORT
Definition: app-layer-ftp.h:65
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2022
Packet_
Definition: decode.h:425
detect-engine-build.h
FtpState_::arg_offset
FtpRequestCommandArgOfs arg_offset
Definition: app-layer-ftp.h:181
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:228
detect-engine-alert.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
DetectFtpbounceRegister
void DetectFtpbounceRegister(void)
Registration function for ftpbounce: keyword.
Definition: detect-ftpbounce.c:64
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:238
Flow_::src
FlowAddress src
Definition: flow.h:359
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1954
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:295
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:308
Packet_::flow
struct Flow_ * flow
Definition: decode.h:462
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3154
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1032
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:669
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1280
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3368
SigMatch_::type
uint16_t type
Definition: detect.h:314
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
FtpState_::port_line_len
uint32_t port_line_len
Definition: app-layer-ftp.h:182
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:790
DetectEngineInspectGenericList
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1951
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:173
SCByteSwap32
#define SCByteSwap32(x)
Definition: util-byte.h:70
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alstate
void * alstate
Definition: flow.h:489
detect-parse.h
Signature_
Signature container.
Definition: detect.h:539
SigMatch_
a single match condition for a signature
Definition: detect.h:313
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:228
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2406
Address_::family
char family
Definition: decode.h:112
Packet_::dst
Address dst
Definition: decode.h:430
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1421
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:785
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:68
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1267
TcpSession_
Definition: stream-tcp-private.h:272
flow.h
FlowAddress_::address
union FlowAddress_::@116 address
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:463
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:302
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:352
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:130
Packet_::src
Address src
Definition: decode.h:429
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:993
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1227
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:470