suricata
detect-ftpbounce.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
22  *
23  * ftpbounce keyword, part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 #include "detect.h"
30 #include "detect-parse.h"
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-engine-state.h"
34 #include "detect-content.h"
35 
36 #include "app-layer.h"
37 #include "app-layer-parser.h"
38 #include "app-layer-ftp.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 #include "util-debug.h"
42 #include "flow.h"
43 #include "flow-var.h"
44 #include "flow-util.h"
45 #include "threads.h"
46 #include "detect-ftpbounce.h"
47 #include "stream-tcp.h"
48 #include "util-byte.h"
49 
50 static int DetectFtpbounceALMatch(DetectEngineThreadCtx *,
51  Flow *, uint8_t, void *, void *,
52  const Signature *, const SigMatchCtx *);
53 
54 static int DetectFtpbounceSetup(DetectEngineCtx *, Signature *, const char *);
55 static void DetectFtpbounceRegisterTests(void);
56 static int g_ftp_request_list_id = 0;
57 
58 static int InspectFtpRequest(ThreadVars *tv,
59  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
60  const Signature *s, const SigMatchData *smd,
61  Flow *f, uint8_t flags, void *alstate,
62  void *txv, uint64_t tx_id);
63 
64 /**
65  * \brief Registration function for ftpbounce: keyword
66  * \todo add support for no_stream and stream_only
67  */
69 {
70  sigmatch_table[DETECT_FTPBOUNCE].name = "ftpbounce";
71  sigmatch_table[DETECT_FTPBOUNCE].desc = "detect FTP bounce attacks";
72  sigmatch_table[DETECT_FTPBOUNCE].Setup = DetectFtpbounceSetup;
73  sigmatch_table[DETECT_FTPBOUNCE].AppLayerTxMatch = DetectFtpbounceALMatch;
74  sigmatch_table[DETECT_FTPBOUNCE].RegisterTests = DetectFtpbounceRegisterTests;
75  sigmatch_table[DETECT_FTPBOUNCE].url = DOC_URL DOC_VERSION "/rules/ftp-keywords.html#ftpbounce";
77 
78  g_ftp_request_list_id = DetectBufferTypeRegister("ftp_request");
79 
82  InspectFtpRequest);
83 }
84 
85 static int InspectFtpRequest(ThreadVars *tv,
86  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
87  const Signature *s, const SigMatchData *smd,
88  Flow *f, uint8_t flags, void *alstate,
89  void *txv, uint64_t tx_id)
90 {
91  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
92  f, flags, alstate, txv, tx_id);
93 }
94 
95 /**
96  * \brief This function is used to match ftpbounce attacks
97  *
98  * \param payload Payload of the PORT command
99  * \param payload_len Length of the payload
100  * \param ip_orig IP source to check the ftpbounce condition
101  * \param offset offset to the arguments of the PORT command
102  *
103  * \retval 1 if ftpbounce detected, 0 if not
104  */
105 static int DetectFtpbounceMatchArgs(uint8_t *payload, uint16_t payload_len,
106  uint32_t ip_orig, uint16_t offset)
107 {
108  SCEnter();
109  SCLogDebug("Checking ftpbounce condition");
110  char *c = NULL;
111  uint16_t i = 0;
112  int octet = 0;
113  int octet_ascii_len = 0;
114  int noctet = 0;
115  uint32_t ip = 0;
116  /* PrintRawDataFp(stdout, payload, payload_len); */
117 
118  if (payload_len < 7) {
119  /* we need at least a differet ip address
120  * in the format 1,2,3,4,x,y where x,y is the port
121  * in two byte representation so let's look at
122  * least for the IP octets in comma separated */
123  return 0;
124  }
125 
126  if (offset + 7 >= payload_len)
127  return 0;
128 
129  c =(char*) payload;
130  if (c == NULL) {
131  SCLogDebug("No payload to check");
132  return 0;
133  }
134 
135  i = offset;
136  /* Search for the first IP octect(Skips "PORT ") */
137  while (i < payload_len && !isdigit((unsigned char)c[i])) i++;
138 
139  for (;i < payload_len && octet_ascii_len < 4 ;i++) {
140  if (isdigit((unsigned char)c[i])) {
141  octet =(c[i] - '0') + octet * 10;
142  octet_ascii_len++;
143  } else {
144  if (octet > 256) {
145  SCLogDebug("Octet not in ip format");
146  return 0;
147  }
148 
149  if (isspace((unsigned char)c[i]))
150  while (i < payload_len && isspace((unsigned char)c[i]) ) i++;
151 
152  if (i < payload_len && c[i] == ',') { /* we have an octet */
153  noctet++;
154  octet_ascii_len = 0;
155  ip =(ip << 8) + octet;
156  octet = 0;
157  } else {
158  SCLogDebug("Unrecognized character '%c'", c[i]);
159  return 0;
160  }
161  if (noctet == 4) {
162  /* Different IP than src, ftp bounce scan */
163  ip = SCByteSwap32(ip);
164 
165  if (ip != ip_orig) {
166  SCLogDebug("Different ip, so Matched ip:%d <-> ip_orig:%d",
167  ip, ip_orig);
168  return 1;
169  }
170  SCLogDebug("Same ip, so no match here");
171  return 0;
172  }
173  }
174  }
175  SCLogDebug("No match");
176  return 0;
177 }
178 
179 /**
180  * \brief This function is used to check matches from the FTP App Layer Parser
181  *
182  * \param t pointer to thread vars
183  * \param det_ctx pointer to the pattern matcher thread
184  * \param p pointer to the current packet
185  * \param m pointer to the sigmatch but we don't use it since ftpbounce
186  * has no options
187  * \retval 0 no match
188  * \retval 1 match
189  */
190 static int DetectFtpbounceALMatch(DetectEngineThreadCtx *det_ctx,
191  Flow *f, uint8_t flags,
192  void *state, void *txv,
193  const Signature *s, const SigMatchCtx *m)
194 {
195  SCEnter();
196 
197  FtpState *ftp_state = (FtpState *)state;
198  if (ftp_state == NULL) {
199  SCLogDebug("no ftp state, no match");
200  SCReturnInt(0);
201  }
202 
203  int ret = 0;
204  if (ftp_state->command == FTP_COMMAND_PORT) {
205  ret = DetectFtpbounceMatchArgs(ftp_state->port_line,
206  ftp_state->port_line_len, f->src.address.address_un_data32[0],
207  ftp_state->arg_offset);
208  }
209 
210  SCReturnInt(ret);
211 }
212 
213 /**
214  * \brief this function is used to add the parsed ftpbounce
215  *
216  * \param de_ctx pointer to the Detection Engine Context
217  * \param s pointer to the Current Signature
218  * \param m pointer to the Current SigMatch
219  * \param ftpbouncestr pointer to the user provided ftpbounce options
220  * currently there are no options.
221  *
222  * \retval 0 on Success
223  * \retval -1 on Failure
224  */
225 int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, const char *ftpbouncestr)
226 {
227  SCEnter();
228 
229  SigMatch *sm = NULL;
230 
232  return -1;
233 
234  sm = SigMatchAlloc();
235  if (sm == NULL) {
236  return -1;
237  }
238 
239  sm->type = DETECT_FTPBOUNCE;
240 
241  /* We don't need to allocate any data for ftpbounce here.
242  *
243  * TODO: As a suggestion, maybe we can add a flag in the flow
244  * to set the stream as "bounce detected" for fast Match.
245  * When you do a ftp bounce attack you usually use the same
246  * communication control stream to "setup" various destinations
247  * whithout breaking the connection, so I guess we can make it a bit faster
248  * with a flow flag set lookup in the Match function.
249  */
250  sm->ctx = NULL;
251 
252  SigMatchAppendSMToList(s, sm, g_ftp_request_list_id);
253  SCReturnInt(0);
254 }
255 
256 #ifdef UNITTESTS
257 
258 /**
259  * \test DetectFtpbounceTestSetup01 is a test for the Setup ftpbounce
260  */
261 static int DetectFtpbounceTestSetup01(void)
262 {
263  DetectEngineCtx *de_ctx = NULL;
264  Signature *s = SigAlloc();
265  FAIL_IF (s == NULL);
266 
267  /* ftpbounce doesn't accept options so the str is NULL */
268  FAIL_IF_NOT(DetectFtpbounceSetup(de_ctx, s, NULL) == 0);
269  FAIL_IF(s->sm_lists[g_ftp_request_list_id] == NULL);
270  FAIL_IF_NOT(s->sm_lists[g_ftp_request_list_id]->type & DETECT_FTPBOUNCE);
271 
272  SigFree(s);
273  PASS;
274 }
275 
276 #include "stream-tcp-reassemble.h"
277 
278 /**
279  * \test Check the ftpbounce match, send a get request in three chunks
280  * + more data.
281  * \brief This test tests the ftpbounce condition match, based on the
282  * ftp layer parser
283  */
284 static int DetectFtpbounceTestALMatch02(void)
285 {
286  int result = 0;
287 
288  uint8_t ftpbuf1[] = { 'P','O' };
289  uint32_t ftplen1 = sizeof(ftpbuf1);
290  uint8_t ftpbuf2[] = { 'R', 'T' };
291  uint32_t ftplen2 = sizeof(ftpbuf2);
292  uint8_t ftpbuf3[] = { ' ', '8','0',',','5' };
293  uint32_t ftplen3 = sizeof(ftpbuf3);
294  uint8_t ftpbuf4[] = "8,0,33,10,20\r\n";
295  uint32_t ftplen4 = sizeof(ftpbuf4);
296 
297  TcpSession ssn;
298  Flow f;
299  Packet *p = NULL;
300  Signature *s = NULL;
301  ThreadVars th_v;
302  DetectEngineThreadCtx *det_ctx = NULL;
304 
305  memset(&th_v, 0, sizeof(th_v));
306  memset(&f, 0, sizeof(f));
307  memset(&ssn, 0, sizeof(ssn));
308 
309  p = UTHBuildPacketSrcDst(NULL, 0, IPPROTO_TCP, "1.2.3.4", "5.6.7.8");
310 
311  FLOW_INITIALIZE(&f);
312  f.src.address.address_un_data32[0]=0x01020304;
313  f.protoctx =(void *)&ssn;
314  f.proto = IPPROTO_TCP;
315 
316  p->flow = &f;
320  f.alproto = ALPROTO_FTP;
321 
323 
325  if (de_ctx == NULL) {
326  goto end;
327  }
328 
329  de_ctx->flags |= DE_QUIET;
330 
331  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
332  "(msg:\"Ftp Bounce\"; ftpbounce; sid:1;)");
333  if (s == NULL) {
334  goto end;
335  }
336 
337  SigGroupBuild(de_ctx);
338  DetectEngineThreadCtxInit(&th_v,(void *)de_ctx,(void *)&det_ctx);
339 
340  FLOWLOCK_WRLOCK(&f);
341  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
342  STREAM_TOSERVER, ftpbuf1, ftplen1);
343  if (r != 0) {
344  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
345  result = 0;
346  FLOWLOCK_UNLOCK(&f);
347  goto end;
348  }
349 
350  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
351  ftpbuf2, ftplen2);
352  if (r != 0) {
353  SCLogDebug("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
354  result = 0;
355  FLOWLOCK_UNLOCK(&f);
356  goto end;
357  }
358 
359  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
360  ftpbuf3, ftplen3);
361  if (r != 0) {
362  SCLogDebug("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
363  result = 0;
364  FLOWLOCK_UNLOCK(&f);
365  goto end;
366  }
367 
368  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
369  ftpbuf4, ftplen4);
370  if (r != 0) {
371  SCLogDebug("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
372  result = 0;
373  FLOWLOCK_UNLOCK(&f);
374  goto end;
375  }
376 
377  FLOWLOCK_UNLOCK(&f);
378 
379  FtpState *ftp_state = f.alstate;
380  if (ftp_state == NULL) {
381  SCLogDebug("no ftp state: ");
382  result = 0;
383  goto end;
384  }
385 
386  if (ftp_state->command != FTP_COMMAND_PORT) {
387  SCLogDebug("expected command port not detected");
388  result = 0;
389  goto end;
390  }
391 
392  /* do detect */
393  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
394 
395  if (!(PacketAlertCheck(p, 1))) {
396  goto end;
397  }
398 
399  result = 1;
400 end:
401  if (alp_tctx != NULL)
402  AppLayerParserThreadCtxFree(alp_tctx);
403  SigGroupCleanup(de_ctx);
404  SigCleanSignatures(de_ctx);
405 
406  DetectEngineThreadCtxDeinit(&th_v,(void *)det_ctx);
407  DetectEngineCtxFree(de_ctx);
408 
410  FLOW_DESTROY(&f);
411 
412  UTHFreePackets(&p, 1);
413  return result;
414 }
415 
416 /**
417  * \test Check the ftpbounce match
418  * \brief This test tests the ftpbounce condition match, based on
419  * the ftp layer parser
420  */
421 static int DetectFtpbounceTestALMatch03(void)
422 {
423  int result = 0;
424 
425  uint8_t ftpbuf1[] = { 'P','O' };
426  uint32_t ftplen1 = sizeof(ftpbuf1);
427  uint8_t ftpbuf2[] = { 'R', 'T' };
428  uint32_t ftplen2 = sizeof(ftpbuf2);
429  uint8_t ftpbuf3[] = { ' ', '1',',','2',',' };
430  uint32_t ftplen3 = sizeof(ftpbuf3);
431  uint8_t ftpbuf4[] = "3,4,10,20\r\n";
432  uint32_t ftplen4 = sizeof(ftpbuf4);
433 
434  TcpSession ssn;
435  Flow f;
437  if (unlikely(p == NULL))
438  return 0;
439  Signature *s = NULL;
440  ThreadVars th_v;
441  DetectEngineThreadCtx *det_ctx = NULL;
443 
444  memset(&th_v, 0, sizeof(th_v));
445  memset(p, 0, SIZE_OF_PACKET);
446  memset(&f, 0, sizeof(f));
447  memset(&ssn, 0, sizeof(ssn));
448 
449  p->src.family = AF_INET;
450  p->dst.family = AF_INET;
451  p->src.addr_data32[0] = 0x04030201;
452  p->payload = NULL;
453  p->payload_len = 0;
454  p->proto = IPPROTO_TCP;
455 
456  FLOW_INITIALIZE(&f);
457  f.src.address.address_un_data32[0]=0x04030201;
458  f.protoctx =(void *)&ssn;
459  f.proto = IPPROTO_TCP;
460 
461  p->flow = &f;
465  f.alproto = ALPROTO_FTP;
466 
468 
470  if (de_ctx == NULL) {
471  goto end;
472  }
473 
474  de_ctx->flags |= DE_QUIET;
475 
476  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
477  "(msg:\"Ftp Bounce\"; ftpbounce; sid:1;)");
478  if (s == NULL) {
479  goto end;
480  }
481 
482  SigGroupBuild(de_ctx);
483  DetectEngineThreadCtxInit(&th_v,(void *)de_ctx,(void *)&det_ctx);
484 
485  FLOWLOCK_WRLOCK(&f);
486  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
487  STREAM_TOSERVER, ftpbuf1, ftplen1);
488  if (r != 0) {
489  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
490  result = 0;
491  FLOWLOCK_UNLOCK(&f);
492  goto end;
493  }
494 
495  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
496  ftpbuf2, ftplen2);
497  if (r != 0) {
498  SCLogDebug("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
499  result = 0;
500  FLOWLOCK_UNLOCK(&f);
501  goto end;
502  }
503 
504  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
505  ftpbuf3, ftplen3);
506  if (r != 0) {
507  SCLogDebug("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
508  result = 0;
509  FLOWLOCK_UNLOCK(&f);
510  goto end;
511  }
512 
513  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
514  ftpbuf4, ftplen4);
515  if (r != 0) {
516  SCLogDebug("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
517  result = 0;
518  FLOWLOCK_UNLOCK(&f);
519  goto end;
520  }
521  FLOWLOCK_UNLOCK(&f);
522 
523  FtpState *ftp_state = f.alstate;
524  if (ftp_state == NULL) {
525  SCLogDebug("no ftp state: ");
526  result = 0;
527  goto end;
528  }
529 
530  if (ftp_state->command != FTP_COMMAND_PORT) {
531  SCLogDebug("expected command port not detected");
532  result = 0;
533  goto end;
534  }
535 
536  /* do detect */
537  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
538 
539  /* It should not match */
540  if (!(PacketAlertCheck(p, 1))) {
541  result = 1;
542  } else {
543  SCLogDebug("It should not match here!");
544  }
545 
546 end:
547  if (alp_tctx != NULL)
548  AppLayerParserThreadCtxFree(alp_tctx);
549  SigGroupCleanup(de_ctx);
550  SigCleanSignatures(de_ctx);
551 
552  DetectEngineThreadCtxDeinit(&th_v,(void *)det_ctx);
553  DetectEngineCtxFree(de_ctx);
554 
556  FLOW_DESTROY(&f);
557  SCFree(p);
558  return result;
559 }
560 
561 #endif /* UNITTESTS */
562 
563 /**
564  * \brief this function registers unit tests for DetectFtpbounce
565  */
566 void DetectFtpbounceRegisterTests(void)
567 {
568 #ifdef UNITTESTS
569  UtRegisterTest("DetectFtpbounceTestSetup01", DetectFtpbounceTestSetup01);
570  UtRegisterTest("DetectFtpbounceTestALMatch02",
571  DetectFtpbounceTestALMatch02);
572  UtRegisterTest("DetectFtpbounceTestALMatch03",
573  DetectFtpbounceTestALMatch03);
574 #endif /* UNITTESTS */
575 }
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1448
uint16_t flags
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
#define SCLogDebug(...)
Definition: util-debug.h:335
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
struct Flow_ * flow
Definition: decode.h:446
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint8_t proto
Definition: flow.h:344
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:243
#define unlikely(expr)
Definition: util-optimize.h:35
#define PASS
Pass the test.
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Signature * sig_list
Definition: detect.h:767
uint64_t offset
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Address dst
Definition: decode.h:414
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:203
Data needed for Match()
Definition: detect.h:327
void SigCleanSignatures(DetectEngineCtx *de_ctx)
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:668
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:240
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
const char * name
Definition: detect.h:1200
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Signature container.
Definition: detect.h:522
#define TRUE
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:313
void * protoctx
Definition: flow.h:400
main detection engine ctx
Definition: detect.h:761
FtpRequestCommand command
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
void * alstate
Definition: flow.h:438
#define DE_QUIET
Definition: detect.h:292
#define SIZE_OF_PACKET
Definition: decode.h:619
char family
Definition: decode.h:112
uint8_t proto
Definition: decode.h:431
uint8_t flags
Definition: detect.h:762
Data structures and function prototypes for keeping state for the detection engine.
void SigFree(Signature *)
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1670
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
#define SCEnter(...)
Definition: util-debug.h:337
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:364
uint8_t flowflags
Definition: decode.h:440
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
#define SCByteSwap32(x)
Definition: util-byte.h:70
uint8_t * port_line
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
int SigGroupCleanup(DetectEngineCtx *de_ctx)
uint8_t type
Definition: detect.h:319
#define SCReturnInt(x)
Definition: util-debug.h:341
const char * desc
Definition: detect.h:1202
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:346
int DetectBufferTypeRegister(const char *name)
Signature * SigAlloc(void)
SigMatchCtx * ctx
Definition: detect.h:321
#define SCMalloc(a)
Definition: util-mem.h:222
void DetectFtpbounceRegister(void)
Registration function for ftpbounce: keyword.
uint16_t payload_len
#define SCFree(a)
Definition: util-mem.h:322
FtpRequestCommandArgOfs arg_offset
union FlowAddress_::@120 address
uint16_t tx_id
uint32_t address_un_data32[4]
Definition: flow.h:290
uint32_t port_line_len
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
#define SIGMATCH_NOOPT
Definition: detect.h:1369
const char * url
Definition: detect.h:1203
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1173
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
#define STREAM_TOSERVER
Definition: stream.h:31
SCMutex m
Definition: flow-hash.h:105
#define PKT_HAS_FLOW
Definition: decode.h:1094
FlowAddress src
Definition: flow.h:329
#define DOC_URL
Definition: suricata.h:86
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
Per thread variable structure.
Definition: threadvars.h:57
AppProto alproto
application level protocol
Definition: flow.h:409
uint32_t flags
Definition: decode.h:444
uint16_t payload_len
Definition: decode.h:542
#define DOC_VERSION
Definition: suricata.h:91
Packet * UTHBuildPacketSrcDst(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst)
UTHBuildPacketSrcDst is a wrapper that build packets specifying IPs and defaulting ports...
uint16_t flags
Definition: detect.h:1194
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Flow data structure.
Definition: flow.h:325
uint8_t * payload
Definition: decode.h:541
#define PKT_STREAM_EST
Definition: decode.h:1092
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
void(* RegisterTests)(void)
Definition: detect.h:1192
a single match condition for a signature
Definition: detect.h:318
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
Address src
Definition: decode.h:413
DetectEngineCtx * DetectEngineCtxInit(void)