suricata
detect-ftpbounce.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
22  *
23  * ftpbounce keyword, part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 #include "detect.h"
30 #include "detect-parse.h"
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-engine-state.h"
34 #include "detect-content.h"
35 
36 #include "app-layer.h"
37 #include "app-layer-parser.h"
38 #include "app-layer-ftp.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 #include "util-debug.h"
42 #include "flow.h"
43 #include "flow-var.h"
44 #include "flow-util.h"
45 #include "threads.h"
46 #include "detect-ftpbounce.h"
47 #include "stream-tcp.h"
48 #include "util-byte.h"
49 
50 static int DetectFtpbounceALMatch(DetectEngineThreadCtx *,
51  Flow *, uint8_t, void *, void *,
52  const Signature *, const SigMatchCtx *);
53 
54 static int DetectFtpbounceSetup(DetectEngineCtx *, Signature *, const char *);
55 #ifdef UNITTESTS
56 static void DetectFtpbounceRegisterTests(void);
57 #endif
58 static int g_ftp_request_list_id = 0;
59 
60 static int InspectFtpRequest(ThreadVars *tv,
62  const Signature *s, const SigMatchData *smd,
63  Flow *f, uint8_t flags, void *alstate,
64  void *txv, uint64_t tx_id);
65 
66 /**
67  * \brief Registration function for ftpbounce: keyword
68  * \todo add support for no_stream and stream_only
69  */
71 {
72  sigmatch_table[DETECT_FTPBOUNCE].name = "ftpbounce";
73  sigmatch_table[DETECT_FTPBOUNCE].desc = "detect FTP bounce attacks";
74  sigmatch_table[DETECT_FTPBOUNCE].Setup = DetectFtpbounceSetup;
75  sigmatch_table[DETECT_FTPBOUNCE].AppLayerTxMatch = DetectFtpbounceALMatch;
76 #ifdef UNITTESTS
77  sigmatch_table[DETECT_FTPBOUNCE].RegisterTests = DetectFtpbounceRegisterTests;
78 #endif
79  sigmatch_table[DETECT_FTPBOUNCE].url = "/rules/ftp-keywords.html#ftpbounce";
81 
82  g_ftp_request_list_id = DetectBufferTypeRegister("ftp_request");
83 
86  InspectFtpRequest);
87 }
88 
89 static int InspectFtpRequest(ThreadVars *tv,
91  const Signature *s, const SigMatchData *smd,
92  Flow *f, uint8_t flags, void *alstate,
93  void *txv, uint64_t tx_id)
94 {
95  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
96  f, flags, alstate, txv, tx_id);
97 }
98 
99 /**
100  * \brief This function is used to match ftpbounce attacks
101  *
102  * \param payload Payload of the PORT command
103  * \param payload_len Length of the payload
104  * \param ip_orig IP source to check the ftpbounce condition
105  * \param offset offset to the arguments of the PORT command
106  *
107  * \retval 1 if ftpbounce detected, 0 if not
108  */
109 static int DetectFtpbounceMatchArgs(uint8_t *payload, uint16_t payload_len,
110  uint32_t ip_orig, uint16_t offset)
111 {
112  SCEnter();
113  SCLogDebug("Checking ftpbounce condition");
114  char *c = NULL;
115  uint16_t i = 0;
116  int octet = 0;
117  int octet_ascii_len = 0;
118  int noctet = 0;
119  uint32_t ip = 0;
120  /* PrintRawDataFp(stdout, payload, payload_len); */
121 
122  if (payload_len < 7) {
123  /* we need at least a differet ip address
124  * in the format 1,2,3,4,x,y where x,y is the port
125  * in two byte representation so let's look at
126  * least for the IP octets in comma separated */
127  return 0;
128  }
129 
130  if (offset + 7 >= payload_len)
131  return 0;
132 
133  c =(char*) payload;
134  if (c == NULL) {
135  SCLogDebug("No payload to check");
136  return 0;
137  }
138 
139  i = offset;
140  /* Search for the first IP octect(Skips "PORT ") */
141  while (i < payload_len && !isdigit((unsigned char)c[i])) i++;
142 
143  for (;i < payload_len && octet_ascii_len < 4 ;i++) {
144  if (isdigit((unsigned char)c[i])) {
145  octet =(c[i] - '0') + octet * 10;
146  octet_ascii_len++;
147  } else {
148  if (octet > 256) {
149  SCLogDebug("Octet not in ip format");
150  return 0;
151  }
152 
153  if (isspace((unsigned char)c[i]))
154  while (i < payload_len && isspace((unsigned char)c[i]) ) i++;
155 
156  if (i < payload_len && c[i] == ',') { /* we have an octet */
157  noctet++;
158  octet_ascii_len = 0;
159  ip =(ip << 8) + octet;
160  octet = 0;
161  } else {
162  SCLogDebug("Unrecognized character '%c'", c[i]);
163  return 0;
164  }
165  if (noctet == 4) {
166  /* Different IP than src, ftp bounce scan */
167  ip = SCByteSwap32(ip);
168 
169  if (ip != ip_orig) {
170  SCLogDebug("Different ip, so Matched ip:%d <-> ip_orig:%d",
171  ip, ip_orig);
172  return 1;
173  }
174  SCLogDebug("Same ip, so no match here");
175  return 0;
176  }
177  }
178  }
179  SCLogDebug("No match");
180  return 0;
181 }
182 
183 /**
184  * \brief This function is used to check matches from the FTP App Layer Parser
185  *
186  * \param t pointer to thread vars
187  * \param det_ctx pointer to the pattern matcher thread
188  * \param p pointer to the current packet
189  * \param m pointer to the sigmatch but we don't use it since ftpbounce
190  * has no options
191  * \retval 0 no match
192  * \retval 1 match
193  */
194 static int DetectFtpbounceALMatch(DetectEngineThreadCtx *det_ctx,
195  Flow *f, uint8_t flags,
196  void *state, void *txv,
197  const Signature *s, const SigMatchCtx *m)
198 {
199  SCEnter();
200 
201  FtpState *ftp_state = (FtpState *)state;
202  if (ftp_state == NULL) {
203  SCLogDebug("no ftp state, no match");
204  SCReturnInt(0);
205  }
206 
207  int ret = 0;
208  if (ftp_state->command == FTP_COMMAND_PORT) {
209  ret = DetectFtpbounceMatchArgs(ftp_state->port_line,
210  ftp_state->port_line_len, f->src.address.address_un_data32[0],
211  ftp_state->arg_offset);
212  }
213 
214  SCReturnInt(ret);
215 }
216 
217 /**
218  * \brief this function is used to add the parsed ftpbounce
219  *
220  * \param de_ctx pointer to the Detection Engine Context
221  * \param s pointer to the Current Signature
222  * \param m pointer to the Current SigMatch
223  * \param ftpbouncestr pointer to the user provided ftpbounce options
224  * currently there are no options.
225  *
226  * \retval 0 on Success
227  * \retval -1 on Failure
228  */
229 int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, const char *ftpbouncestr)
230 {
231  SCEnter();
232 
233  SigMatch *sm = NULL;
234 
236  return -1;
237 
238  sm = SigMatchAlloc();
239  if (sm == NULL) {
240  return -1;
241  }
242 
243  sm->type = DETECT_FTPBOUNCE;
244 
245  /* We don't need to allocate any data for ftpbounce here.
246  *
247  * TODO: As a suggestion, maybe we can add a flag in the flow
248  * to set the stream as "bounce detected" for fast Match.
249  * When you do a ftp bounce attack you usually use the same
250  * communication control stream to "setup" various destinations
251  * whithout breaking the connection, so I guess we can make it a bit faster
252  * with a flow flag set lookup in the Match function.
253  */
254  sm->ctx = NULL;
255 
256  SigMatchAppendSMToList(s, sm, g_ftp_request_list_id);
257  SCReturnInt(0);
258 }
259 
260 #ifdef UNITTESTS
261 
262 /**
263  * \test DetectFtpbounceTestSetup01 is a test for the Setup ftpbounce
264  */
265 static int DetectFtpbounceTestSetup01(void)
266 {
267  DetectEngineCtx *de_ctx = NULL;
268  Signature *s = SigAlloc();
269  FAIL_IF (s == NULL);
270 
271  /* ftpbounce doesn't accept options so the str is NULL */
272  FAIL_IF_NOT(DetectFtpbounceSetup(de_ctx, s, NULL) == 0);
273  FAIL_IF(s->sm_lists[g_ftp_request_list_id] == NULL);
274  FAIL_IF_NOT(s->sm_lists[g_ftp_request_list_id]->type & DETECT_FTPBOUNCE);
275 
276  SigFree(de_ctx, s);
277  PASS;
278 }
279 
280 #include "stream-tcp-reassemble.h"
281 
282 /**
283  * \test Check the ftpbounce match, send a get request in three chunks
284  * + more data.
285  * \brief This test tests the ftpbounce condition match, based on the
286  * ftp layer parser
287  */
288 static int DetectFtpbounceTestALMatch02(void)
289 {
290  int result = 0;
291 
292  uint8_t ftpbuf1[] = { 'P','O' };
293  uint32_t ftplen1 = sizeof(ftpbuf1);
294  uint8_t ftpbuf2[] = { 'R', 'T' };
295  uint32_t ftplen2 = sizeof(ftpbuf2);
296  uint8_t ftpbuf3[] = { ' ', '8','0',',','5' };
297  uint32_t ftplen3 = sizeof(ftpbuf3);
298  uint8_t ftpbuf4[] = "8,0,33,10,20\r\n";
299  uint32_t ftplen4 = sizeof(ftpbuf4);
300 
301  TcpSession ssn;
302  Flow f;
303  Packet *p = NULL;
304  Signature *s = NULL;
305  ThreadVars th_v;
306  DetectEngineThreadCtx *det_ctx = NULL;
308 
309  memset(&th_v, 0, sizeof(th_v));
310  memset(&f, 0, sizeof(f));
311  memset(&ssn, 0, sizeof(ssn));
312 
313  p = UTHBuildPacketSrcDst(NULL, 0, IPPROTO_TCP, "1.2.3.4", "5.6.7.8");
314 
315  FLOW_INITIALIZE(&f);
316  f.src.address.address_un_data32[0]=0x01020304;
317  f.protoctx =(void *)&ssn;
318  f.proto = IPPROTO_TCP;
319 
320  p->flow = &f;
324  f.alproto = ALPROTO_FTP;
325 
327 
329  if (de_ctx == NULL) {
330  goto end;
331  }
332 
333  de_ctx->flags |= DE_QUIET;
334 
335  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
336  "(msg:\"Ftp Bounce\"; ftpbounce; sid:1;)");
337  if (s == NULL) {
338  goto end;
339  }
340 
342  DetectEngineThreadCtxInit(&th_v,(void *)de_ctx,(void *)&det_ctx);
343 
344  FLOWLOCK_WRLOCK(&f);
345  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
346  STREAM_TOSERVER, ftpbuf1, ftplen1);
347  if (r != 0) {
348  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
349  result = 0;
350  FLOWLOCK_UNLOCK(&f);
351  goto end;
352  }
353 
355  ftpbuf2, ftplen2);
356  if (r != 0) {
357  SCLogDebug("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
358  result = 0;
359  FLOWLOCK_UNLOCK(&f);
360  goto end;
361  }
362 
364  ftpbuf3, ftplen3);
365  if (r != 0) {
366  SCLogDebug("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
367  result = 0;
368  FLOWLOCK_UNLOCK(&f);
369  goto end;
370  }
371 
373  ftpbuf4, ftplen4);
374  if (r != 0) {
375  SCLogDebug("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
376  result = 0;
377  FLOWLOCK_UNLOCK(&f);
378  goto end;
379  }
380 
381  FLOWLOCK_UNLOCK(&f);
382 
383  FtpState *ftp_state = f.alstate;
384  if (ftp_state == NULL) {
385  SCLogDebug("no ftp state: ");
386  result = 0;
387  goto end;
388  }
389 
390  if (ftp_state->command != FTP_COMMAND_PORT) {
391  SCLogDebug("expected command port not detected");
392  result = 0;
393  goto end;
394  }
395 
396  /* do detect */
397  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
398 
399  if (!(PacketAlertCheck(p, 1))) {
400  goto end;
401  }
402 
403  result = 1;
404 end:
405  if (alp_tctx != NULL)
409 
410  DetectEngineThreadCtxDeinit(&th_v,(void *)det_ctx);
412 
414  FLOW_DESTROY(&f);
415 
416  UTHFreePackets(&p, 1);
417  return result;
418 }
419 
420 /**
421  * \test Check the ftpbounce match
422  * \brief This test tests the ftpbounce condition match, based on
423  * the ftp layer parser
424  */
425 static int DetectFtpbounceTestALMatch03(void)
426 {
427  int result = 0;
428 
429  uint8_t ftpbuf1[] = { 'P','O' };
430  uint32_t ftplen1 = sizeof(ftpbuf1);
431  uint8_t ftpbuf2[] = { 'R', 'T' };
432  uint32_t ftplen2 = sizeof(ftpbuf2);
433  uint8_t ftpbuf3[] = { ' ', '1',',','2',',' };
434  uint32_t ftplen3 = sizeof(ftpbuf3);
435  uint8_t ftpbuf4[] = "3,4,10,20\r\n";
436  uint32_t ftplen4 = sizeof(ftpbuf4);
437 
438  TcpSession ssn;
439  Flow f;
441  if (unlikely(p == NULL))
442  return 0;
443  Signature *s = NULL;
444  ThreadVars th_v;
445  DetectEngineThreadCtx *det_ctx = NULL;
447 
448  memset(&th_v, 0, sizeof(th_v));
449  memset(p, 0, SIZE_OF_PACKET);
450  memset(&f, 0, sizeof(f));
451  memset(&ssn, 0, sizeof(ssn));
452 
453  p->src.family = AF_INET;
454  p->dst.family = AF_INET;
455  p->src.addr_data32[0] = 0x04030201;
456  p->payload = NULL;
457  p->payload_len = 0;
458  p->proto = IPPROTO_TCP;
459 
460  FLOW_INITIALIZE(&f);
461  f.src.address.address_un_data32[0]=0x04030201;
462  f.protoctx =(void *)&ssn;
463  f.proto = IPPROTO_TCP;
464 
465  p->flow = &f;
469  f.alproto = ALPROTO_FTP;
470 
472 
474  if (de_ctx == NULL) {
475  goto end;
476  }
477 
478  de_ctx->flags |= DE_QUIET;
479 
480  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
481  "(msg:\"Ftp Bounce\"; ftpbounce; sid:1;)");
482  if (s == NULL) {
483  goto end;
484  }
485 
487  DetectEngineThreadCtxInit(&th_v,(void *)de_ctx,(void *)&det_ctx);
488 
489  FLOWLOCK_WRLOCK(&f);
490  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
491  STREAM_TOSERVER, ftpbuf1, ftplen1);
492  if (r != 0) {
493  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
494  result = 0;
495  FLOWLOCK_UNLOCK(&f);
496  goto end;
497  }
498 
500  ftpbuf2, ftplen2);
501  if (r != 0) {
502  SCLogDebug("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
503  result = 0;
504  FLOWLOCK_UNLOCK(&f);
505  goto end;
506  }
507 
509  ftpbuf3, ftplen3);
510  if (r != 0) {
511  SCLogDebug("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
512  result = 0;
513  FLOWLOCK_UNLOCK(&f);
514  goto end;
515  }
516 
518  ftpbuf4, ftplen4);
519  if (r != 0) {
520  SCLogDebug("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
521  result = 0;
522  FLOWLOCK_UNLOCK(&f);
523  goto end;
524  }
525  FLOWLOCK_UNLOCK(&f);
526 
527  FtpState *ftp_state = f.alstate;
528  if (ftp_state == NULL) {
529  SCLogDebug("no ftp state: ");
530  result = 0;
531  goto end;
532  }
533 
534  if (ftp_state->command != FTP_COMMAND_PORT) {
535  SCLogDebug("expected command port not detected");
536  result = 0;
537  goto end;
538  }
539 
540  /* do detect */
541  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
542 
543  /* It should not match */
544  if (!(PacketAlertCheck(p, 1))) {
545  result = 1;
546  } else {
547  SCLogDebug("It should not match here!");
548  }
549 
550 end:
551  if (alp_tctx != NULL)
555 
556  DetectEngineThreadCtxDeinit(&th_v,(void *)det_ctx);
558 
560  FLOW_DESTROY(&f);
561  SCFree(p);
562  return result;
563 }
564 
565 /**
566  * \brief this function registers unit tests for DetectFtpbounce
567  */
568 static void DetectFtpbounceRegisterTests(void)
569 {
570  UtRegisterTest("DetectFtpbounceTestSetup01", DetectFtpbounceTestSetup01);
571  UtRegisterTest("DetectFtpbounceTestALMatch02",
572  DetectFtpbounceTestALMatch02);
573  UtRegisterTest("DetectFtpbounceTestALMatch03",
574  DetectFtpbounceTestALMatch03);
575 }
576 #endif /* UNITTESTS */
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1214
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1480
Packet_::proto
uint8_t proto
Definition: decode.h:436
detect-content.h
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1109
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1211
stream-tcp.h
SigFree
void SigFree(DetectEngineCtx *, Signature *)
Definition: detect-parse.c:1381
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
FlowAddress_::address_un_data32
uint32_t address_un_data32[4]
Definition: flow.h:311
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
DETECT_FTPBOUNCE
@ DETECT_FTPBOUNCE
Definition: detect-engine-register.h:78
Flow_::proto
uint8_t proto
Definition: flow.h:365
Packet_::payload
uint8_t * payload
Definition: decode.h:549
FtpState_::command
FtpRequestCommand command
Definition: app-layer-ftp.h:182
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::flags
uint32_t flags
Definition: decode.h:449
threads.h
Flow_
Flow data structure.
Definition: flow.h:347
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2056
UTHBuildPacketSrcDst
Packet * UTHBuildPacketSrcDst(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst)
UTHBuildPacketSrcDst is a wrapper that build packets specifying IPs and defaulting ports.
Definition: util-unittest-helper.c:418
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1205
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
detect-ftpbounce.h
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1182
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:278
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:219
DE_QUIET
#define DE_QUIET
Definition: detect.h:294
ALPROTO_FTP
@ ALPROTO_FTP
Definition: app-layer-protos.h:31
stream-tcp-reassemble.h
m
SCMutex m
Definition: flow-hash.h:6
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:445
Flow_::protoctx
void * protoctx
Definition: flow.h:441
SigMatchData_
Data needed for Match()
Definition: detect.h:329
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:550
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1596
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:264
FtpState_
Definition: app-layer-ftp.h:162
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
decode.h
util-debug.h
FtpState_::port_line
uint8_t * port_line
Definition: app-layer-ftp.h:186
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1010
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:19
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:261
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
FTP_COMMAND_PORT
@ FTP_COMMAND_PORT
Definition: app-layer-ftp.h:65
SIZE_OF_PACKET
#define SIZE_OF_PACKET
Definition: decode.h:627
app-layer-parser.h
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1953
Packet_
Definition: decode.h:414
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:668
FtpState_::arg_offset
FtpRequestCommandArgOfs arg_offset
Definition: app-layer-ftp.h:183
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
FlowAddress_::address
union FlowAddress_::@119 address
DetectFtpbounceRegister
void DetectFtpbounceRegister(void)
Registration function for ftpbounce: keyword.
Definition: detect-ftpbounce.c:70
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
Flow_::src
FlowAddress src
Definition: flow.h:350
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1888
SigMatch_::type
uint8_t type
Definition: detect.h:321
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:252
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
Packet_::flow
struct Flow_ * flow
Definition: decode.h:451
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2797
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:836
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1203
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3005
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
FtpState_::port_line_len
uint32_t port_line_len
Definition: app-layer-ftp.h:184
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:773
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCByteSwap32
#define SCByteSwap32(x)
Definition: util-byte.h:70
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alstate
void * alstate
Definition: flow.h:476
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:221
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
Address_::family
char family
Definition: decode.h:117
Packet_::dst
Address dst
Definition: decode.h:419
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1380
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:768
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:87
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1257
TcpSession_
Definition: stream-tcp-private.h:260
flow.h
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
Definition: detect-engine.c:171
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:130
Packet_::src
Address src
Definition: decode.h:418
debug.h
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1107
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468