/* Option grammar for the keyword: the whole value must be exactly one of the
 * seven FTP command names written in the pattern (all lowercase there), with
 * optional whitespace on either side; the ^ and $ anchors reject extra text.
 * The strcmp() chain further down this listing tests the same seven names, so
 * the two lists have to be kept in sync when a command is added or removed.
 * NOTE(review): the options this pattern is compiled with are not visible in
 * this excerpt, so whether upper-case input is accepted cannot be confirmed. */
40 #define PARSE_REGEX "^\\s*(stor|appe|stou|retr|nlst|list|mlsd)\\s*$"
45 Flow *, uint8_t,
void *,
void *,
/* Forward declaration; the unit-test registration routine itself is defined
 * near the end of this listing. */
50 static void DetectFtpdataRegisterTests (
void);
/* File-scope id, initialised to 0. It is the last argument of the call whose
 * result is compared against NULL at listing line 196.
 * NOTE(review): where it receives its real value is not visible in this
 * excerpt; confirm it is set before any signature using the keyword is parsed. */
52 static int g_ftpdata_buffer_id = 0;
100 void *state,
void *txv,
106 if (ftp_state == NULL)
125 pcre2_match_data *match = NULL;
129 SCLogError(
"parse error, ret %" PRId32
"", ret);
133 pcre2len =
sizeof(arg1);
134 int res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)arg1, &pcre2len);
136 SCLogError(
"pcre2_substring_copy_bynumber failed");
144 if (!strcmp(arg1,
"stor")) {
145 ftpcommandd->
command = FTP_COMMAND_STOR;
146 }
else if (!strcmp(arg1,
"appe")) {
147 ftpcommandd->
command = FTP_COMMAND_APPE;
148 }
else if (!strcmp(arg1,
"stou")) {
149 ftpcommandd->
command = FTP_COMMAND_STOU;
150 }
else if (!strcmp(arg1,
"retr")) {
151 ftpcommandd->
command = FTP_COMMAND_RETR;
152 }
else if (!strcmp(arg1,
"nlst")) {
153 ftpcommandd->
command = FTP_COMMAND_NLST;
154 }
else if (!strcmp(arg1,
"list")) {
155 ftpcommandd->
command = FTP_COMMAND_LIST;
156 }
else if (!strcmp(arg1,
"mlsd")) {
157 ftpcommandd->
command = FTP_COMMAND_MLSD;
163 pcre2_match_data_free(match);
168 pcre2_match_data_free(match);
192 if (ftpcommandd == NULL)
196 g_ftpdata_buffer_id) == NULL) {
197 DetectFtpdataFree(
de_ctx, ftpcommandd);
218 static int DetectFtpdataParseTest01(
void)
223 DetectFtpdataFree(NULL, ftpcommandd);
225 ftpcommandd = DetectFtpdataParse(
"appe");
228 DetectFtpdataFree(NULL, ftpcommandd);
230 ftpcommandd = DetectFtpdataParse(
"stou");
233 DetectFtpdataFree(NULL, ftpcommandd);
235 ftpcommandd = DetectFtpdataParse(
"list");
238 DetectFtpdataFree(NULL, ftpcommandd);
240 ftpcommandd = DetectFtpdataParse(
"mlsd");
243 DetectFtpdataFree(NULL, ftpcommandd);
247 static int DetectFtpdataSignatureTest01(
void)
257 de_ctx,
"alert ip any any -> any any (ftpdata_command:appe; sid:3; rev:1;)");
260 de_ctx,
"alert ip any any -> any any (ftpdata_command:stou; sid:4; rev:1;)");
263 de_ctx,
"alert ip any any -> any any (ftpdata_command:list; sid:5; rev:1;)");
266 de_ctx,
"alert ip any any -> any any (ftpdata_command:mlsd; sid:6; rev:1;)");
269 de_ctx,
"alert ip any any -> any any (ftpdata_command:xxx; sid:7; rev:1;)");
279 static void DetectFtpdataRegisterTests(
void)
281 UtRegisterTest(
"DetectFtpdataParseTest01", DetectFtpdataParseTest01);
283 DetectFtpdataSignatureTest01);
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
SigTableElmt * sigmatch_table
#define PARSE_REGEX
Regex for parsing our keyword options.
void(* Free)(DetectEngineCtx *, void *)
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
FtpRequestCommand command
main detection engine ctx
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
FtpRequestCommand command
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
int SCDetectSignatureSetAppProto(Signature *s, AppProto alproto)
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
#define SIG_FLAG_TOCLIENT
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, uint8_t progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
int DetectBufferTypeGetByName(const char *name)
#define SIG_FLAG_TOSERVER
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define PASS
Pass the test.
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Data structures and function prototypes for keeping state for the detection engine.
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
#define SCLogError(...)
Macro used to log ERROR messages.
DetectEngineCtx * DetectEngineCtxInit(void)
#define SIGMATCH_SUPPORT_FIREWALL
void DetectFtpdataRegister(void)
Registration function for ftpcommand: keyword.
void(* RegisterTests)(void)